GitHub Action: Kubescape (v0.0.1)

Run Kubescape scan

Installation

Copy and paste the following snippet into your workflow .yml file:

- name: Kubescape
  uses: kubescape/github-action@v0.0.1

Learn more about this action in kubescape/github-action

Kubescape action

Run security scans on your Kubernetes manifests and Helm charts as part of your CI using the Kubescape action. Kubescape scans Kubernetes clusters, YAML files, and Helm charts, detecting misconfigurations according to multiple frameworks (such as NSA-CISA, MITRE ATT&CK® and the CIS Benchmark) as well as software vulnerabilities.

Prerequisites

The workflow's GITHUB_TOKEN needs write access for the steps that publish results: uploading SARIF to Code scanning requires the security-events: write scope, and the autofix workflow below additionally needs contents: write and pull-requests: write to push a branch and open a pull request. Either set the repository default to Read and write permissions (Settings → Actions → General → Workflow permissions), or, preferably, grant only the scopes a workflow actually needs with a permissions: block in the workflow file; an explicit permissions: block applies regardless of the repository default.
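The following is an added example, not a workflow from the Kubescape project: the scanning workflow from this page with an explicit least-privilege permissions block, so it runs correctly even when the repository default is read-only, and with the action pinned to the release this page documents (v0.0.1) instead of a moving branch.

```yaml
# Added example (not from the Kubescape project): scan + SARIF upload with
# only the GITHUB_TOKEN scopes those two steps need.
name: Kubescape scanning for misconfigurations
on: [push, pull_request]

# Scopes granted to GITHUB_TOKEN for every job in this workflow.
# Any scope not listed here is set to "none".
permissions:
  contents: read          # actions/checkout reads the repository
  security-events: write  # upload-sarif publishes Code scanning alerts

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Pinned to a release tag rather than @main so the scanner cannot change underneath you.
      - uses: kubescape/github-action@v0.0.1
        continue-on-error: true   # keep the job green so the upload step below still runs
        with:
          format: sarif
          outputFile: results
      - name: Upload Kubescape scan results to GitHub Code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

For the autofix workflow, replace the two scopes with contents: write and pull-requests: write; the SARIF upload scope is not needed there because that workflow does not publish to Code scanning.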

Usage

Scanning with Kubescape

To scan your repository with Kubescape in your GitHub workflow, add the following steps to your workflow configuration:

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: kubescape/github-action@main
      continue-on-error: true
      with:
        format: sarif
        outputFile: results
        # # Optional: Specify the Kubescape cloud account ID
        # account: ${{secrets.KUBESCAPE_ACCOUNT}}
        # # Optional: Scan a specific path. Default will scan the whole repository
        # files: "examples/*.yaml"
    - name: Upload Kubescape scan results to Github Code Scanning
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

This workflow definition scans your repository with Kubescape and publishes the results to GitHub. You can then see the results in the pull request that triggered the scan and in the Security → Code scanning tab. Two details are worth noting. First, continue-on-error: true keeps the job green when the scan exits non-zero, so that the upload step still runs; use the failedThreshold and severityThreshold inputs described below if you want the job to fail on findings instead. Second, kubescape/github-action@main tracks a moving branch; for a reproducible pipeline, pin the action to a release tag (this page documents v0.0.1) or to a commit SHA.

Automatically Suggest Fixes

To make Kubescape automatically suggest fixes to your pushes and pull requests, use the following workflow:

name: Suggest autofixes with Kubescape
on: [pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
    - name: Get changed files
      id: changed-files
      uses: tj-actions/[email protected]
    - uses: kubescape/github-action@main
      with:
        account: ${{secrets.KUBESCAPE_ACCOUNT}}
        files: ${{ steps.changed-files.outputs.all_changed_files }}
        fixFiles: true
        format: "sarif"
    - uses: peter-evans/create-pull-request@v4
      with:
        add-paths: |
          *.yaml
        commit-message: "chore: fix K8s misconfigurations"
        title: "[Kubescape] chore: fix K8s misconfigurations"
        body: |
          # What this PR changes

          [Kubescape](https://github.com/kubescape/kubescape) has found misconfigurations in the targeted branch. This PR fixes the misconfigurations that have automatic fixes available.

          You may still need to fix misconfigurations that do not have automatic fixes.
        base: ${{ github.head_ref }}
        branch: kubescape-auto-fix-${{ github.head_ref || github.ref_name }}
        delete-branch: true

Please note that since Kubescape provides automatic fixes only to the rendered YAML manifests, the workflow above will not produce correct fixes for Helm charts.

The next thing to note is that Kubescape only fixes the files; it does not open pull requests on its own. In the example above, a separate step running a different action (peter-evans/create-pull-request) opens the pull request. Because of how GitHub Actions works, there are limitations for pull requests from forks: a pull_request run triggered from a fork receives a read-only GITHUB_TOKEN and no repository secrets, so the fix step cannot push a branch or open a pull request in that case. The create-pull-request action is maintained by its own maintainers, not the Kubescape team, so consult its documentation when troubleshooting how the workflow run is triggered and how the pull request is opened.
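The following is an added example, not the project's own workflow: the autofix flow from this page with three changes a practitioner would want. It grants only the two scopes the fix pull request needs, it skips pull requests from forks (where the token is read-only and secrets are absent, as noted above), and it derives the list of changed manifests with git instead of the third-party changed-files action, passing the base branch name through an environment variable rather than interpolating it into the shell script (branch names are attacker-influenced input). The git-based step and the fork guard are this example's own choices, not something the Kubescape action requires.

```yaml
# Added example (not from the Kubescape project): hardened autofix workflow.
name: Suggest autofixes with Kubescape
on: [pull_request]

permissions:
  contents: write        # push the kubescape-auto-fix-* branch
  pull-requests: write   # open the fix pull request

jobs:
  kubescape:
    runs-on: ubuntu-latest
    # Fork PRs get a read-only GITHUB_TOKEN and no secrets, so only run for
    # branches that live in this repository.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full history, so origin/<base branch> exists for the diff below
      - name: List YAML manifests changed by this pull request
        id: changed
        env:
          BASE: ${{ github.base_ref }}   # via env: never put ${{ }} expressions inside run:
        run: |
          # Added, changed, copied or renamed *.yaml / *.yml files relative to the merge base.
          files=$(git diff --name-only --diff-filter=ACMR "origin/$BASE...HEAD" -- '*.yaml' '*.yml' | tr '\n' ' ')
          echo "files=$files" >> "$GITHUB_OUTPUT"
      - uses: kubescape/github-action@v0.0.1
        if: steps.changed.outputs.files != ''
        with:
          account: ${{ secrets.KUBESCAPE_ACCOUNT }}   # optional Kubescape cloud account ID
          files: ${{ steps.changed.outputs.files }}   # space-separated paths from the repo root
          fixFiles: true
          format: sarif
      - uses: peter-evans/create-pull-request@v4
        if: steps.changed.outputs.files != ''
        with:
          add-paths: |
            *.yaml
            *.yml
          commit-message: "chore: fix K8s misconfigurations"
          title: "[Kubescape] chore: fix K8s misconfigurations"
          body: |
            [Kubescape](https://github.com/kubescape/kubescape) found misconfigurations in this branch.
            This PR applies the fixes that are available automatically; findings without an
            automatic fix still need manual attention.
          base: ${{ github.head_ref }}
          branch: kubescape-auto-fix-${{ github.head_ref }}
          delete-branch: true
```

As on this page, the fix pull request targets the pull request's own branch (base: ${{ github.head_ref }}), so the author sees the proposed fixes alongside their change; the Helm caveat above still applies, since only rendered YAML manifests are rewritten.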

Inputs

files
    YAML files or Helm charts to scan for misconfigurations. Paths must be given relative to the root of the repository.
    Required: No (default is ".", which scans the whole repository)

outputFile
    Name of the output file where the scan result is stored, without the extension.
    Required: No (default is "results")

frameworks
    Security framework(s) to scan the files against. Separate multiple frameworks with a comma and no spaces, for example nsa,devopsbest. Run kubescape list frameworks in the Kubescape CLI to list all available frameworks. Either frameworks or controls has to be specified.
    Required: No

controls
    Security control(s) to scan the files against. Separate multiple controls with a comma and no spaces, for example Configured liveness probe,Pods in default namespace. Run kubescape list controls in the Kubescape CLI to list all available controls. A control can be given either by its full name or by its ID, such as C-0001. Either controls or frameworks has to be specified.
    Required: No

account
    Account ID for Kubescape cloud. Used for custom configuration such as frameworks and control configuration.
    Required: No

failedThreshold
    Percentage of failed controls above which the scan step fails with exit code 1.
    Required: No (default is 0, i.e. the step fails if any control fails)

severityThreshold
    Severity of a failed control at or above which the scan step fails with exit code 1.
    Required: No (default is high, i.e. the step fails if any High severity control fails)

The examples on this page also pass two inputs that this table does not list: format (the output format; the examples use sarif, which is what the Code scanning upload step expects) and fixFiles (set to true in the autofix workflow so that Kubescape rewrites the scanned files in place).

Examples

Scan and submit results to the Kubescape Cloud

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: kubescape/github-action@main
      continue-on-error: true
      with:
        format: sarif
        outputFile: results
        # Specify the Kubescape cloud account ID
        account: ${{secrets.KUBESCAPE_ACCOUNT}}
    - name: Upload Kubescape scan results to Github Code Scanning
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

Scan specific file paths

Scan a specific pathspec, for example examples/kubernetes-manifests/*.yaml:

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: kubescape/github-action@main
      continue-on-error: true
      with:
        format: sarif
        outputFile: results
        # Scan a specific path. Default will scan the whole repository
        files: "examples/kubernetes-manifests/*.yaml"
    - name: Upload Kubescape scan results to Github Code Scanning
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

Scan against specific frameworks

Perform a Kubescape scan against a list of specific frameworks (NSA and MITRE in this example):

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          format: sarif
          outputFile: results
          frameworks: |
            nsa,mitre
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

Fail Kubescape scanning based on the percentage of failed controls

Scan a repository with Kubescape and fail the scanning step if the percentage of failed controls is more than the specified failedThreshold. Note that with continue-on-error: false a tripped threshold fails the scan step, so the upload step after it is skipped and the findings that caused the failure never reach Code scanning; add if: always() to the upload step if you want them published anyway. The same applies to the severity example below.

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: false
        with:
          format: sarif
          outputFile: results
          failedThreshold: 50
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

Fail Kubescape scanning based on maximum severity of a failed control

Scan a repository with Kubescape and fail the scanning step if the scan has found failed controls with severity of Medium and above:

name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: false
        with:
          format: sarif
          outputFile: results
          severityThreshold: medium
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
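The following is an added example, not a workflow from the Kubescape project. It combines both gates (a percentage threshold and a severity threshold) and, unlike the two examples above, still publishes the SARIF when a gate trips, by running the upload step with if: always(); the threshold values and the nsa,mitre framework selection are illustrative choices.

```yaml
# Added example (not from the Kubescape project): fail the job on findings
# but still upload the results that caused the failure.
name: Kubescape scanning for misconfigurations
on: [push, pull_request]

permissions:
  contents: read
  security-events: write

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Kubescape scan
        id: scan
        uses: kubescape/github-action@v0.0.1
        # continue-on-error is left at its default (false): a tripped threshold
        # fails this step and therefore the job, which blocks the pull request.
        with:
          format: sarif
          outputFile: results
          frameworks: nsa,mitre
          failedThreshold: 20        # fail if more than 20% of controls fail ...
          severityThreshold: medium  # ... or if any control of Medium severity or above fails
      - name: Upload Kubescape scan results to GitHub Code scanning
        if: always()   # run even though the scan step failed, so the findings are visible
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

With this layout the job status carries the policy decision (merge blocked), while the Security → Code scanning tab and the pull request annotations carry the evidence, which is what reviewers need to act on the failure.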