GitHub Actions
How to integrate Kubescape to GitHub CI
Scanning YAML files in your workflow
Basic setup
Create a YAML file in your repository under .github/workflows and add the following content:
name: Kubescape
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
jobs:
  nsa-security-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@<tag>   # the version tag is garbled in the source page; pin a released actions/checkout version here
      - name: Install Kubescape
        run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
      - name: Scan YAML files
        run: kubescape scan framework nsa *.yaml
This prints the scan results to the log of the GitHub Action every time the workflow runs.
Failing a job with too many security issues
Kubescape can be used not only for logging, but also as a security gate in your delivery process. You can do this by setting a failure threshold.
For example, to ensure that at most 20% of objects fail the security checks, invoke the tool with the -t flag and an appropriate value. Valid values are integers between 0 and 100; a value of 100 will never fail the job.
kubescape scan framework nsa -t 20 *.yaml
This returns a failure exit status if more than 20% of objects fail the security tests.
Scanning your entire Cluster in your workflow
In some cases you will want to scan your entire cluster after the new YAML has been applied.
Note that in this case the CI/CD worker needs network access and credentials for the target Kubernetes cluster.
Adding Cluster Scan
Follow the instructions in Scanning YAML files in your workflow (#Scanning-YAML-files-in-your-workflow), then replace the scan step with:
        run: kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
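The two setups above (the threshold gate on manifests and the cluster scan) can live in one workflow. The following is an added example, not a workflow from the Kubescape project: the manifest scan runs on every pull request and push and fails the job above the 20% threshold; the cluster scan runs only after a push to master has landed and only if the manifest gate passed. The secret name KUBECONFIG_B64 and the manifests/ directory are assumptions for illustration.

```yaml
# Added example, not part of the Kubescape documentation.
# Assumed names: the KUBECONFIG_B64 secret and the manifests/ directory.
name: Kubescape
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  manifest-gate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Kubescape
        # Same installer the page uses. Because this pipes a remote script into
        # bash on every run, review the script and consider pinning a release.
        run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
      - name: Scan manifests (fail if more than 20% of objects fail)
        run: kubescape scan framework nsa -t 20 manifests/*.yaml

  cluster-scan:
    # Only after the change has been merged and applied; the runner needs
    # cluster credentials, so keep this job off pull requests from forks.
    if: github.event_name == 'push'
    needs: manifest-gate
    runs-on: ubuntu-latest
    steps:
      - name: Install Kubescape
        run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
      - name: Configure cluster access
        # KUBECONFIG_B64 is an assumed repository secret holding a
        # base64-encoded kubeconfig for a read-only service account.
        run: |
          mkdir -p "$HOME/.kube"
          echo "${{ secrets.KUBECONFIG_B64 }}" | base64 -d > "$HOME/.kube/config"
          chmod 600 "$HOME/.kube/config"
      - name: Scan cluster
        run: kubescape scan framework nsa --exclude-namespaces kube-system,kube-public -t 20
```

Using `needs: manifest-gate` means a pull request that introduces too many failing objects is rejected before anything reaches the cluster, and the cluster scan then confirms the applied state rather than the proposed one.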