Run security scans on your Kubernetes manifests and Helm charts as part of your CI using the Kubescape action. Kubescape scans Kubernetes clusters, YAML files and Helm charts, detecting misconfigurations according to multiple frameworks (such as NSA-CISA and MITRE ATT&CK®) as well as software vulnerabilities.

The workflow needs "Read and write" workflow permissions (repository Settings > Actions > General > Workflow permissions), because the report-publishing step below creates a check run on the commit with the scan results.

Add the following steps to your workflow configuration:
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        # with:
        #   # Optional - Add Kubescape cloud account ID.
        #   account: ${{secrets.KUBESCAPE_ACCOUNT}}
        #   # Optional - Scan a specific path. Default will scan all
        #   files: "examples/*.yaml"
      - name: Archive kubescape scan results
        uses: actions/upload-artifact@v2
        with:
          name: kubescape
          path: results.xml
      - name: Publish Unit Test Results
        uses: mikepenz/action-junit-report@v3
        if: always()
        with:
          report_paths: "*.xml"
```
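Setting the repository-wide default to "Read and write" gives every workflow a `GITHUB_TOKEN` that can also push to the repository. The workflow below is an added example, not the project's own, that declares the token scopes at workflow level instead: `contents: read` for the checkout and `checks: write` for the check run that action-junit-report creates. It assumes those are the only write permissions the three steps need (the upload-artifact step uses none); with the explicit `permissions:` block the repository default can stay read-only. It also adds `if: always()` to the archive step, because once a threshold input is set the scan step exits 1 on a failed scan and later steps would otherwise be skipped, losing the report you most want to read.

```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]

# Explicit least-privilege token scopes for the whole workflow
# (added example; the repository-level "Workflow permissions" can stay read-only).
permissions:
  contents: read   # actions/checkout only needs to read the repository
  checks: write    # mikepenz/action-junit-report creates a check run with the results

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main   # pin to a release tag or full commit SHA in production
        with:
          files: "kubernetes-manifests/*.yaml"   # assumed path; scan only the manifests directory
          frameworks: nsa,mitre
          thresholdCritical: 1                   # one or more failed critical controls fails the job
      - name: Archive kubescape scan results
        if: always()                             # keep the report even when the scan step failed the job
        uses: actions/upload-artifact@v2
        with:
          name: kubescape-scan-report
          path: results.xml
      - name: Publish Unit Test Results
        uses: mikepenz/action-junit-report@v3
        if: always()
        with:
          report_paths: "*.xml"
```

If you later enable extra features of the report action (for example PR comments), add the scopes its documentation lists for them rather than widening the repository default again.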
Name | Description | Required |
---|---|---|
files | The YAML files or Helm charts to scan for misconfigurations. Paths must be given from the root of the repository. | No (default: the whole repository) |
frameworks | The security framework(s) to scan the files against. Separate multiple frameworks with commas and no spaces, e.g. `nsa,devopsbest`. Run `kubescape list frameworks` with the Kubescape CLI to list all available frameworks. Use either `frameworks` or `controls`, not both. | No |
controls | The security control(s) to scan the files against. Separate multiple controls with commas and no spaces, e.g. `Configured liveness probe,Pods in default namespace`. Run `kubescape list controls` with the Kubescape CLI to list all available controls. Either the full control name or its ID (such as `C-0001`) can be given. Use either `controls` or `frameworks`, not both. | No |
account | Account ID for the Kubescape cloud. Used for custom configuration, such as frameworks and control configuration. | No |
failedThreshold | Percentage of failed controls above which the action fails and returns exit code 1. The default of 0 means the action fails if any control fails. | No (default 0) |
thresholdCritical | Fail the action (exit code 1) if this many or more critical controls failed. | No |
thresholdHigh | Fail the action (exit code 1) if this many or more high controls failed. | No |
thresholdMedium | Fail the action (exit code 1) if this many or more medium controls failed. | No |
thresholdLow | Fail the action (exit code 1) if this many or more low controls failed. | No |
Scan and submit results to the Kubescape cloud
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        with:
          account: ${{secrets.ACCOUNT}}
      - name: Archive kubescape scan results
        uses: actions/upload-artifact@v2
        with:
          name: kubescape-scan-report
          path: results.xml
      - name: Publish Unit Test Results
        uses: mikepenz/action-junit-report@v3
        if: always()
        with:
          report_paths: "*.xml"
```
Scan only specific files or directories in the repository
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        with:
          files: "kubernetes-manifests/*.yaml"
      - name: Archive kubescape scan results
        uses: actions/upload-artifact@v2
        with:
          name: kubescape-scan-report
          path: results.xml
      - name: Publish Unit Test Results
        uses: mikepenz/action-junit-report@v3
        if: always()
        with:
          report_paths: "*.xml"
```
Scan repository using Kubescape against a list of specific frameworks
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        with:
          # the input is named "frameworks" (plural); comma-separated, no spaces
          frameworks: nsa,mitre
      - name: Archive kubescape scan results
        uses: actions/upload-artifact@v2
        with:
          name: kubescape-scan-report
          path: results.xml
      - name: Publish Unit Test Results
        uses: mikepenz/action-junit-report@v3
        if: always()
        with:
          report_paths: "*.xml"
```
Scan the repository with Kubescape and fail the action if the percentage of failed controls is above failedThreshold
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        with:
          failedThreshold: 50
      - name: Archive kubescape scan results
        uses: actions/upload-artifact@v2
        with:
          name: kubescape
          path: results.xml
      - name: Publish Unit Test Results
        uses: mikepenz/action-junit-report@v3
        if: always()
        with:
          report_paths: "*.xml"
```
Scan the repository with Kubescape and fail the action if the number of failed controls of a given severity reaches that severity's threshold
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        with:
          thresholdCritical: 1
          thresholdHigh: 5
          thresholdMedium: 10
      - name: Archive kubescape scan results
        uses: actions/upload-artifact@v2
        with:
          name: kubescape
          path: results.xml
      - name: Publish Unit Test Results
        uses: mikepenz/action-junit-report@v3
        if: always()
        with:
          report_paths: "*.xml"
```