anantacloud-actions/conftest-action

GitHub: anantacloud-actions/conftest-action

A GitHub Action built on Conftest and OPA/Rego that runs policy-as-code scans of Terraform, Kubernetes, Helm and Dockerfile sources in CI/CD and produces SARIF reports.

Stars: 2 | Forks: 0

# Conftest Action

# 🚀 Overview

Advanced Conftest GitHub Action is a powerful Policy-as-Code scanner for Infrastructure-as-Code repositories. It combines:

- ✅ Conftest
- ✅ OPA/Rego
- ✅ GitHub Security Code Scanning
- ✅ SARIF Upload
- ✅ Terraform Plan Scanning
- ✅ Kubernetes YAML Validation
- ✅ Helm Template Evaluation
- ✅ Dockerfile Security Policies

Tiny Rego rules become a giant laser defense line around your cloud ☁️⚡

# ✨ Features

| Feature | Supported |
|---|---|
| Terraform Plan JSON | ✅ |
| Kubernetes YAML | ✅ |
| Helm Templates | ✅ |
| Dockerfiles | ✅ |
| SARIF Upload | ✅ |
| GitHub Security Tab | ✅ |
| PR Inline Annotations | ✅ |
| Multi-format IaC Scanning | ✅ |
| GitHub Marketplace Ready | ✅ |
| Node20 Runtime | ✅ |

# 🧠 Supported scan types

| Scan type | Description |
|---|---|
| `terraform` | Terraform Plan JSON scanning |
| `kubernetes` | Kubernetes manifest validation |
| `helm` | Helm rendered template scanning |
| `dockerfile` | Dockerfile best practice validation |

# 📦 Installation

## GitHub Marketplace

```
uses: your-org/conftest-action@v1
```

# ⚡ Quick start

## Terraform example

```
name: Terraform Security Scan

on:
  pull_request:
  push:

permissions:
  security-events: write
  contents: read

jobs:
  conftest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3

      - name: Run Conftest
        uses: anantacloud-actions/conftest-action@v1
        with:
          scan-type: terraform
          files: terraform/
          policy-path: policy/

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: conftest-results.sarif
```

# ☸️ Kubernetes example

```
name: Kubernetes Policy Scan

on:
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan Kubernetes YAML
        uses: anantacloud-actions/conftest-action@v1
        with:
          scan-type: kubernetes
          files: manifests/
          policy-path: policy/
```

# ⛵ Helm example

```
name: Helm Policy Scan

on:
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4

      - name: Scan Helm Chart
        uses: anantacloud-actions/conftest-action@v1
        with:
          scan-type: helm
          files: charts/mychart
          policy-path: policy/
```

# 🐳 Dockerfile example

```
name: Dockerfile Security Scan

on:
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan Dockerfile
        uses: anantacloud-actions/conftest-action@v1
        with:
          scan-type: dockerfile
          files: Dockerfile
          policy-path: policy/
```

# ⚙️ Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| `scan-type` | ✅ | - | terraform/kubernetes/helm/dockerfile |
| `files` | ✅ | - | File or directory to scan |
| `policy-path` | ❌ | `policy` | Path to the Rego policies |
| `conftest-version` | ❌ | `0.58.0` | Conftest version |
| `upload-sarif` | ❌ | `true` | Generate a SARIF report |

# 📂 Repository layout

```
.
├── action.yml
├── package.json
├── index.js
├── dist/
├── lib/
│   ├── scanner.js
│   ├── sarif.js
│   ├── terraform.js
│   ├── helm.js
│   └── installer.js
├── policy/
└── README.md
```

# 🛡️ Example policies

## Kubernetes Non-Root Policy

```
package main

# Deny any Deployment whose pod-level securityContext does not set runAsNonRoot.
deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot
  msg := "Containers must run as non-root"
}
```

## Dockerfile Latest Tag Policy

```
package main

# Deny FROM instructions whose image reference contains "latest".
deny[msg] {
  input[i].Cmd == "from"
  contains(lower(input[i].Value[0]), "latest")
  msg := "Avoid latest image tags"
}
```

## Terraform Public S3 Policy

```
package main

# Bind the resource change once so the type check and the ACL check apply to
# the same resource. Writing `input.resource_changes[_]` twice iterates
# independently and would fire when any bucket exists and any other resource
# has a public-read ACL.
deny[msg] {
  rc := input.resource_changes[_]
  rc.type == "aws_s3_bucket"
  rc.change.after.acl == "public-read"
  msg := "Public S3 buckets are forbidden"
}
```

# 🔥 SARIF + GitHub Security

This Action generates:

- ✅ SARIF reports
- ✅ Pull Request inline annotations
- ✅ GitHub Security alerts
- ✅ Centralized code scanning findings

After upload, findings appear under:

```
GitHub Repository
└── Security
    └── Code Scanning Alerts
```

Uploading SARIF to the Security tab requires `security-events: write` in the workflow's `permissions` block, as in the Terraform example above.

Your infrastructure policies become clearly visible security signals across the whole engineering organization ⚡

# 🧪 Local development

## Install dependencies

```
npm install
```

## Build the dist folder

```
npm run build
```

## Run locally

```
node index.js
```

# 📦 Building with NCC

This project uses:

- `@vercel/ncc`
- GitHub Actions Node20 runtime

Build the production bundle:

```
npm run build
```

Generated output:

```
dist/
└── index.js
```

# 🧬 Roadmap

| Feature | Status |
|---|---|
| Severity Mapping | 🚧 |
| OPA Bundle Support | 🚧 |
| OCI Policy Registry | 🚧 |
| AI Policy Recommendations | 🚧 |
| Drift Detection | 🚧 |
| Slack / Teams Notifications | 🚧 |
| Parallel Scanning | 🚧 |
| Trivy Integration | 🚧 |
| Kyverno Compatibility | 🚧 |

# 📜 License

MIT License

# 💥 Philosophy

Infrastructure should fail policy validation before it fails production.

Shift security left. Automate guardrails. Protect everything.