Integrating with GitHub Actions
How to integrate Kubescape to GitHub CI
Use GitHub actions to scan your Git repository for Compliance misconfigurations and Image vulnerabilities with Kubescape. Scan results are included in the pull request.
Before you begin
You must ensure that workflows have Read and write permissions.
Add a repository scan to your workflow
Update your workflow definition to scan your repository with Kubescape in your Github workflow.
- Open your workflow configuration for GitHub Actions.
- Add the following to scan the repository, send the results to ARMO Platform, and print an informational message with the scan results:
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
kubescape:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: kubescape/github-action@main
continue-on-error: true
with:
format: sarif
outputFile: results.sarif
# # Optional: Specify the Kubescape cloud account ID
# account: ${{secrets.KUBESCAPE_ACCOUNT}}
# # Optional: Scan a specific path. Default will scan the whole repository
# files: "examples/*.yaml"
- name: Upload Kubescape scan results to Github Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
This workflow definition scans your repository with Kubescape and publishes the results to Github.
You can view the results in the Pull Request that triggered the scan and the Security → Code scanning tab.
For more information about GitHub Actions, refer to the GitHub Actions documentation.
Failing the job if there are too many security misconfigurations
If you want to use Kubescape as a security gate in your delivery process, you can set up a failure threshold.
For example, if you want to make sure that at least 80% of your objects pass the security checks, add failedThreshold: 80 to the action.
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
kubescape:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: kubescape/github-action@main
continue-on-error: false
with:
format: sarif
outputFile: results.sarif
failedThreshold: 80
- name: Upload Kubescape scan results to Github Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
Supported Kubescape options in GitHub Actions workflow definitions
| Name | Description | Default |
|---|---|---|
| files | YAML files or Helm charts to scan for misconfigurations. The files need to be provided with the complete path from the root of the repository. | The default is . This scans the whole repository. |
| outputFile | Name of the output file where the scan result will be stored. | The default is results.out |
| frameworks | Security frameworks to scan the files against. Multiple frameworks can be specified. Separate each framework by a comma with no spaces. For example - nsa,devopsbest. Run kubescape list frameworks with the Kubescape CLI to get a list of all frameworks. Either frameworks have to be specified or controls. | N/A |
| controls | Security controls to scan the files against. Multiple controls can be specified. Separated each control by a comma with no spaces. For example:Configured liveness probe,Pods in default namespace. Run kubescape list controls with the Kubescape CLI to get a list of all controls. The complete control name can be specified or the ID, such as C-0001, can be specified. Either controls have to be specified or frameworks. | N/A |
| account | Account ID for ARMO Platform. This sends scan data to the specified account in ARMO Platform. | N/A |
| failedThreshold | Failure threshold is the percent above which the command fails and returns exit code 1. By default the action fails if any control fails. | The default is 0 |
| severityThreshold | The severity threshold is the severity of a failed control at or above which the command terminates with an exit code 1. By default the action fails if any high severity control fails. | The default is 'high' |
Additional Use Cases
Use case 1: Compliance scan (NSA Framework)
name: NSA Compliance Scan
on: [push, pull_request]
jobs:
nsa-scan:
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Install Kubescape
run: |
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
- name: Run NSA Compliance scan
run: |
$HOME/.kubescape/bin/kubescape scan framework nsa \
./your/manifest.yaml \
--severity-threshold high \
--format sarif \
--output results-nsa.sarif
- name: Upload NSA Compliance scan results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
Use case 2: Docker image build, scan, and push
name: Build, push and scan Docker image
on: [push, pull_request]
jobs:
build-and-scan:
runs-on: ubuntu-latest
steps:
# 1) Build a local image for scanning
- name: Check out repository
uses: actions/checkout@v3
- name: Build local image for scanning
run: |
docker build -t local/your-image:latest .
# 2) Run Kubescape scan on local image
- name: Install Kubescape
run: |
curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
- name: Run Kubescape to scan local image
run: |
$HOME/.kubescape/bin/kubescape scan image local/your-image:latest \
--severity-threshold high \
--format sarif \
--output results-image.sarif
# 3) Build and push multi-platform images
- name: Set up QEMU (for multi-platform support)
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Log in to Quay.io
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ secrets.YOUR_ACCOUNT_NAME }}
password: ${{ secrets.YOUR_ACCOUNT_PASSWORD }}
- name: Build and push multi-platform Docker image
run: |
# ...
# 4) Upload results to GitHub Code Scanning
- name: Upload image scan results to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
Updated 4 months ago