anantacloud-actions/kyverno-action
GitHub: anantacloud-actions/kyverno-action
A Kyverno-based GitHub Action for automated policy compliance validation of Kubernetes manifests, Helm charts and Kustomize configurations in CI/CD pipelines, with enterprise-grade integrations such as SARIF and JUnit reports and multi-channel notifications.
Stars: 3 | Forks: 0
# Kyverno Action
     
Enterprise-grade Kubernetes policy validation powered by Kyverno ⚡

Kyverno Guardian Action helps platform engineering and DevSecOps teams validate Kubernetes manifests with Kyverno directly in GitHub Actions, with enterprise integrations for Helm, Kustomize, SARIF, PR comments, notifications, OCI bundles, JUnit reports and GitHub Security.

# ✨ Features

- ✅ Kyverno policy validation
- ✅ Helm template scanning
- ✅ Kustomize scanning
- ✅ OCI policy bundles
- ✅ SARIF reports
- ✅ GitHub Security integration
- ✅ GitHub PR comments
- ✅ GitHub Step Summary
- ✅ JUnit reports
- ✅ Severity filtering
- ✅ Policy exceptions
- ✅ Slack notifications
- ✅ Microsoft Teams notifications
- ✅ Google Chat notifications
- ✅ Enterprise-grade CI/CD workflows

# 🚀 Quick Start

```yaml
name: Kyverno Guardian
on:
  pull_request:
jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Kyverno Guardian
        uses: anantacloud-actions/kyverno-action@v1
        with:
          policies: ./policies
          resources: ./manifests
          sarif: true
          junit: true
          pr-comment: true
          fail-on-violation: true
          notify-on: always
```

# 📦 Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| `policies` | Path or OCI URI of the Kyverno policies | ✅ | |
| `resources` | Path to the Kubernetes manifests | ✅ | |
| `helm-chart` | Path to a Helm chart | ❌ | |
| `helm-values` | Helm values file | ❌ | |
| `kustomize-path` | Path to a Kustomize overlay | ❌ | |
| `policy-exceptions` | Path to policy exceptions | ❌ | |
| `severity` | Severity filter | ❌ | `low,medium,high,critical` |
| `output-format` | Output format | ❌ | `table` |
| `sarif` | Enable SARIF generation | ❌ | `true` |
| `junit` | Enable JUnit generation | ❌ | `true` |
| `pr-comment` | Enable PR comments | ❌ | `true` |
| `diff-mode` | Enable policy diff mode | ❌ | `false` |
| `kyverno-version` | Kyverno CLI version | ❌ | `v1.15.0` |
| `fail-on-violation` | Fail the workflow when a violation is found | ❌ | `true` |
| `verbose` | Enable verbose logging | ❌ | `false` |
| `slack-webhook` | Slack webhook URL | ❌ | |
| `teams-webhook` | Microsoft Teams webhook URL | ❌ | |
| `gchat-webhook` | Google Chat webhook URL | ❌ | |
| `notify-on` | Notification mode | ❌ | `failure` |
| `github-token` | GitHub token | ❌ | `${{ github.token }}` |

# 📤 Outputs

| Output | Description |
|---|---|
| `violations` | Total number of policy violations |
| `status` | Validation status |
| `sarif-report` | Location of the SARIF report |
| `junit-report` | Location of the JUnit report |

# 🔥 Example Policy

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-owner-label
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-owner-label
      match:
        any:
          - resources:
              kinds:
                - Deployment
      validate:
        message: "owner label is required"
        pattern:
          metadata:
            labels:
              owner: "?*"
```

# 📦 Example Kubernetes Manifest

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:latest
```

# ⛵ Helm Example

```yaml
- name: Run Kyverno Guardian
  uses: your-org/kyverno-guardian-action@v1
  with:
    policies: ./policies
    resources: ./manifests
    helm-chart: ./chart
    helm-values: ./chart/values.yaml
```

# 🏗️ Kustomize Example

```yaml
- name: Run Kyverno Guardian
  uses: anantacloud-actions/kyverno-action@v1
  with:
    policies: ./policies
    resources: ./manifests
    kustomize-path: ./overlays/dev
```

# 📦 OCI Policy Bundle Example

```yaml
- name: Run Kyverno Guardian
  uses: anantacloud-actions/kyverno-action@v1
  with:
    policies: oci://ghcr.io/org/policies
    resources: ./manifests
```

# 📄 SARIF Upload Example

```yaml
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: reports/results.sarif
```

# 💬 Notification Example

```yaml
- name: Run Kyverno Guardian
  uses: anantacloud-actions/kyverno-action@v1
  with:
    policies: ./policies
    resources: ./manifests
    slack-webhook: ${{ secrets.SLACK_WEBHOOK }}
    teams-webhook: ${{ secrets.TEAMS_WEBHOOK }}
    gchat-webhook: ${{ secrets.GCHAT_WEBHOOK }}
    notify-on: always
```

# 📊 Beautiful GitHub Step Summary

Kyverno Guardian automatically generates a rich GitHub Step Summary containing:

- Policy violations
- Validation status
- Security findings
- CI/CD summary
- Kubernetes resource details

# 🧪 JUnit Reports

A JUnit report is generated automatically at:

```
reports/junit.xml
```

Well suited for:

- Jenkins
- GitLab
- Azure DevOps
- Test dashboards
- CI analytics

# 📄 SARIF Reports

A SARIF report is generated automatically at:

```
reports/results.sarif
```

It integrates directly with:

- The GitHub Security tab
- Code scanning
- Security dashboards
- Enterprise compliance workflows

# 🛡️ Enterprise Security Features

- Policy as code
- Kubernetes admission control
- Shift-left security
- CI/CD policy enforcement
- Compliance automation
- Multi-cluster workflows
- GitOps security
- Supply chain validation
- Platform engineering workflows

# 📁 Repository Structure

```
.
├── .github/
│   └── workflows/
│       └── kyverno.yml
│
├── src/
│   ├── index.ts
│   ├── inputs.ts
│   ├── kyverno.ts
│   ├── github.ts
│   ├── notifications.ts
│   ├── helm.ts
│   ├── kustomize.ts
│   ├── cache.ts
│   ├── diff.ts
│   ├── oci.ts
│   ├── junit.ts
│   ├── sarif.ts
│   └── summary.ts
│
├── reports/
│
├── action.yml
├── package.json
├── tsconfig.json
└── README.md
```

# 🚀 Build

```
npm install
npm run build
```

# 🧪 Local Testing

```
npm run build
```

Then test with:

```
uses: ./
```

inside a GitHub Actions workflow.

# 📜 License

MIT License

# ⚡ Powered By

- Kyverno
- Kubernetes
- GitHub Actions
- DevSecOps
- Platform engineering
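To show what the `require-owner-label` policy from the examples above actually checks, here is an added Python example (it is not code from this action or from Kyverno): it implements only the `*` and `?` wildcards of a Kyverno `validate.pattern`, runs the rule over the sample nginx Deployment (which carries no `owner` label), and wraps each violation as a minimal SARIF 2.1.0 result of the shape the `upload-sarif` step consumes. The manifest path `manifests/nginx.yaml` and the driver name are assumptions.

```python
import re

# Policy and manifest from this README, re-expressed as Python dicts (constructed;
# Deployment fields the rule does not inspect are omitted).
POLICY = {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
          "metadata": {"name": "require-owner-label"},
          "spec": {"validationFailureAction": "Enforce", "rules": [{
              "name": "check-owner-label",
              "match": {"any": [{"resources": {"kinds": ["Deployment"]}}]},
              "validate": {"message": "owner label is required",
                           "pattern": {"metadata": {"labels": {"owner": "?*"}}}}}]}}
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment",
              "metadata": {"name": "nginx", "labels": {"app": "nginx"}}}

def wildcard_match(pattern: str, value) -> bool:
    """Kyverno string wildcards: '*' = any run of characters, '?' = exactly one,
    so '?*' means 'non-empty string'. Missing values compare as empty."""
    text = "" if value is None else str(value)
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text) is not None

def pattern_matches(pattern, resource) -> bool:
    """Map patterns are satisfied when every pattern key exists in the resource with a
    matching value; string patterns use wildcards; other scalars must be equal."""
    if isinstance(pattern, dict):
        return isinstance(resource, dict) and all(
            k in resource and pattern_matches(v, resource[k]) for k, v in pattern.items())
    if isinstance(pattern, str):
        return wildcard_match(pattern, resource)
    return pattern == resource

def validate(policy: dict, resource: dict) -> list:
    """Apply every rule whose match.any kinds include the resource; return violations."""
    found = []
    for rule in policy["spec"]["rules"]:
        kinds = {k for m in rule["match"]["any"] for k in m["resources"]["kinds"]}
        if resource["kind"] in kinds and not pattern_matches(rule["validate"]["pattern"], resource):
            found.append({"policy": policy["metadata"]["name"], "rule": rule["name"],
                          "resource": f'{resource["kind"]}/{resource["metadata"]["name"]}',
                          "message": rule["validate"]["message"]})
    return found

def to_sarif(violations: list, uri: str) -> dict:
    """Minimal SARIF 2.1.0 log (driver name + results) in the shape upload-sarif accepts;
    `uri` is the repository path of the manifest the finding is attributed to (assumed)."""
    results = [{"ruleId": f'{v["policy"]}/{v["rule"]}', "level": "error",
                "message": {"text": f'{v["resource"]}: {v["message"]}'},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]}
               for v in violations]
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "kyverno"}},
                                          "results": results}]}
```

Running `validate(POLICY, DEPLOYMENT)` yields one violation for `Deployment/nginx`; adding a non-empty `owner` label to the manifest makes it pass, while an empty string still fails because `?*` requires at least one character.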