How to integrate Kubescape with GitLab CI
Scanning YAML files in your pipeline
Create a file named .gitlab-ci.yml in the root of your repository with the following content:

image: bash:latest

stages:
  - scan

scan:
  stage: scan
  script:
    - apk add curl gcompat
    - curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | bash
    - kubescape scan .

This prints the scan results to the job log of the pipeline. The gcompat package is required because the bash image is Alpine-based (musl) while the Kubescape binary is linked against glibc. Note that the install script is fetched from the master branch on every run; for a reproducible pipeline, pin a specific Kubescape release instead of installing whatever is current.
Failing the job with too many security issues
If you want to use Kubescape not only for logging but also as a security gate in your delivery process, you can set a failure threshold. For example, to require that at least 80% of your objects pass the security checks, invoke the tool with the -t option and the desired percentage:

kubescape scan -t 80 .

This makes the job fail (non-zero exit code) when the results fall below 80%, so later stages such as deployment do not run. Run kubescape scan --help to confirm the exact threshold semantics of the Kubescape version installed in your runner, as the flag has changed between releases.
Scanning your entire cluster in your pipeline
In some cases you may want to scan the entire cluster after the new YAML has been applied, to catch misconfigurations that only show up in the running cluster.
Note that in this case the CI/CD runner needs network access to the target Kubernetes cluster and a kubeconfig for it. Use read-only credentials for this job: the scan only needs to list and read objects, and a runner compromise should not yield write access to the cluster.
Adding Cluster Scan
Follow the instructions for scanning YAML files (#Scanning-YAML-files-in-your-workflow) and replace the scan step with:

kubescape scan --exclude-namespaces kube-system,kube-public

Kubescape selects the cluster from the runner's kubeconfig (the KUBECONFIG environment variable or ~/.kube/config), so make sure the job has one of these available.
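The following .gitlab-ci.yml is an added example that ties the three sections above together; it is not the Kubescape project's own pipeline. It assumes a protected GitLab CI/CD variable of type "File" named KUBECONFIG holds read-only credentials for the target cluster (GitLab writes the file and exports its path, which is exactly what Kubescape's kubeconfig loading expects), that the runner can reach that cluster, and that the installed Kubescape release supports the junit output format:

```yaml
# Added example, not from the Kubescape docs. Assumptions: a "File" CI/CD
# variable named KUBECONFIG with read-only cluster credentials, runner access
# to the cluster, and a Kubescape release that supports --format junit.
image: bash:latest

stages:
  - scan
  - cluster-scan

default:
  before_script:
    - apk add --no-cache curl gcompat   # gcompat: glibc shim for the Alpine-based image
    # Installs the current release from master; pin a release for reproducible builds.
    - curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | bash

# Gate on the manifests in the repository: the job fails when fewer than
# 80% of the objects pass, and the report is kept so reviewers can see why.
scan-manifests:
  stage: scan
  script:
    - kubescape scan -t 80 --format junit --output kubescape-manifests.xml .
  artifacts:
    when: always                  # keep the report even when the gate fails
    reports:
      junit: kubescape-manifests.xml

# Scan the live cluster only after a deploy from the default branch, so
# feature branches never need cluster credentials at all.
scan-cluster:
  stage: cluster-scan
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    - kubescape scan --exclude-namespaces kube-system,kube-public -t 80 --format junit --output kubescape-cluster.xml
  artifacts:
    when: always
    reports:
      junit: kubescape-cluster.xml
```

Because the cluster credentials are only exposed to the scan-cluster job, and that job only runs on the default branch, a pipeline triggered from an arbitrary branch or merge request never receives the kubeconfig. The junit reports appear in the GitLab merge request and pipeline views, which is usually more useful than reading the raw job log.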