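Create a YAML file in your repository at `.gitlab-ci.yml` and add the following content:

```yaml
image: bash:latest

stages:
  - scan

scan:
  stage: scan
  script:
    # curl is needed to fetch the Kubescape install script
    - apk add curl
    # Download and run the Kubescape installer
    - curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | bash
    # Scan the release manifests against the NSA framework
    - kubescape scan framework nsa release/*.yaml
```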
This prints the results to the pipeline's job log.

If you want to use Kubescape not only for logging but also as a security gate in your delivery process, you can set a failure threshold.
For example, to make sure that at least 80% of your objects pass the security checks, invoke the tool with the `-t` option and the appropriate parameter:

```
kubescape scan framework nsa -t 80 *.yaml
```

This returns a failure if the results fall below 80%.
In some cases you will want to scan your entire cluster after you have applied the new YAML.
Note that in this case the CI/CD worker needs access to the target K8s cluster.

Follow the instructions for scanning a YAML file (#Scanning-YAML-files-in-your-workflow), but replace the scan step with:

```
kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
```
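The cluster scan and the threshold gate combined into one job, as an added example that is not taken from the Kubescape documentation. It assumes the cluster credentials are supplied as a File-type GitLab CI/CD variable named `KUBECONFIG`, that the credentials belong to a read-only account, and that only the default branch deploys to the cluster; the job name `cluster-scan` is also hypothetical.

```yaml
# Added example; the job name, variable setup and branch rule are assumptions.
image: bash:latest

stages:
  - scan

cluster-scan:
  stage: scan
  # Assumption: only the default branch deploys to the cluster,
  # so the cluster scan runs only there.
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    # Assumption: KUBECONFIG is a File-type CI/CD variable, so GitLab writes
    # its content to a temporary file and exports the path under that name.
    # Fail early with a clear error if the worker has no cluster credentials.
    - test -r "$KUBECONFIG"
    - apk add curl
    - curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | bash
    # Scan the live cluster and apply the 80% threshold from the gate above,
    # so the job fails the pipeline when the results fall below it.
    - kubescape scan framework nsa -t 80 --exclude-namespaces kube-system,kube-public
```

Give the account behind `KUBECONFIG` read-only access and mark the variable as protected, so the scan credentials cannot change the cluster and are not exposed to jobs on unprotected branches.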
Updated 8 months ago