kubescape/github-action
GitHub: kubescape/github-action
Kubescape GitHub Action is a security scanning tool integrated into GitHub Actions that automatically detects vulnerabilities and misconfigurations in Kubernetes configurations and container images.
Stars: 23 | Forks: 25
# Kubescape Action
Run security scans against Kubernetes manifests and Helm charts in your CI pipeline with the Kubescape Action. Kubescape scans Kubernetes clusters, YAML files and Helm charts, detecting misconfigurations and software vulnerabilities according to multiple frameworks such as [NSA-CISA](https://www.armosec.io/blog/kubernetes-hardening-guidance-summary-by-armo/?utm_source=github&utm_medium=repository), [MITRE ATT&CK®](https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/) and the [CIS Benchmark](https://www.armosec.io/blog/kubescape-adds-cis-benchmark/?utm_source=github&utm_medium=repository).
## Usage
### Scanning with Kubescape
To scan your repository with [Kubescape in your GitHub workflow](https://www.armosec.io/blog/kubescape-now-integrates-with-github-actions/?utm_source=github&utm_medium=repository), add the following steps to your workflow configuration:
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          format: sarif
          outputFile: results
          # Optional: Specify the Kubescape Portal credentials
          # account: ${{secrets.KUBESCAPE_ACCOUNT}}
          # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
          # server: ${{ vars.KUBESCAPE_SERVER }}
          # Optional: Scan a specific path. Default will scan the whole repository
          # files: "examples/*.yaml"
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```
This workflow definition scans your repository with Kubescape and publishes the results to GitHub. The `continue-on-error: true` on the scan step matters: when the scan trips one of its failure thresholds it exits non-zero, and without that setting the job would stop before the SARIF upload step runs.
You can then view the results on the pull request that triggered the scan and in the _Security → Code scanning_ tab.
### Suggesting fixes automatically
To have Kubescape suggest fixes for your pull requests automatically through code review comments, use the following workflow:
```yaml
name: Suggest autofixes with Kubescape for PR by reviews
on:
  pull_request_target:
jobs:
  kubescape-fix-pr-reviews:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v35
      - uses: kubescape/github-action@main
        with:
          account: ${{secrets.KUBESCAPE_ACCOUNT}}
          accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
          server: ${{ vars.KUBESCAPE_SERVER }}
          files: ${{ steps.changed-files.outputs.all_changed_files }}
          fixFiles: true
          format: "sarif"
      - name: PR Suggester according to SARIF file
        if: github.event_name == 'pull_request_target'
        uses: HollowMan6/sarif4reviewdog@v1.0.0
        with:
          file: 'results.sarif'
          level: warning
```
The workflow above works by collecting the [SARIF (Static Analysis Results Interchange Format)](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif) file that Kubescape generates. [HollowMan6/sarif4reviewdog](https://github.com/marketplace/actions/sarif-support-for-reviewdog) then converts the SARIF file into [RDFormat (Reviewdog Diagnostic Format)](https://github.com/reviewdog/reviewdog/tree/master/proto/rdf) and uses [Reviewdog](https://github.com/reviewdog/reviewdog) to post the review comments. Keep in mind that `pull_request_target` runs in the context of the base repository, with its secrets and a `pull-requests: write` token, while the checkout step fetches the pull request head, which may come from a fork. That is safe only as long as no step executes code from that checkout: Kubescape merely parses the YAML, so do not add build or test steps to this job, and prefer pinning third-party actions to a full commit SHA rather than a mutable tag or `@main`.
You can also have Kubescape suggest fixes for pushes to the main branch by opening a new pull request, using the following workflow:
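To make the SARIF-to-RDFormat step concrete, here is an added example, not code from the Kubescape project or from sarif4reviewdog, that converts SARIF 2.1.0 results into an rdjson document, turning each SARIF `fixes` entry into a reviewdog suggestion. The SARIF input is constructed inline: the rule ID only reuses the `C-0001` format from the inputs table, and the finding text and the inserted YAML line are illustrative. The level-to-severity mapping and the `min_severity` filter are this example's own choices, not the behaviour of the action's `level` input.

```python
"""Convert SARIF 2.1.0 results into reviewdog's RDFormat (rdjson).

Added example, not code from kubescape/github-action or sarif4reviewdog.
Field names follow SARIF 2.1.0 and reviewdog/proto/rdf; the input document
is constructed for illustration.
"""
import json

# Constructed SARIF document: one "error" result with a proposed fix and one
# "note" result without. The rule ID only reuses the C-0001 format from the
# inputs table; message text and the inserted YAML line are illustrative.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "kubescape",
            "rules": [{
                "id": "C-0001",
                "shortDescription": {"text": "Constructed control"},
                "helpUri": "https://example.invalid/controls/C-0001",
            }],
        }},
        "results": [
            {
                "ruleId": "C-0001",
                "level": "error",
                "message": {"text": "Constructed finding: securityContext lacks a hardening field"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "deploy/web.yaml"},
                    "region": {"startLine": 18, "startColumn": 1, "endLine": 18, "endColumn": 1},
                }}],
                "fixes": [{"artifactChanges": [{
                    "artifactLocation": {"uri": "deploy/web.yaml"},
                    "replacements": [{
                        "deletedRegion": {"startLine": 18, "startColumn": 1, "endLine": 18, "endColumn": 1},
                        "insertedContent": {"text": "          allowPrivilegeEscalation: false\n"},
                    }],
                }]}],
            },
            {
                "ruleId": "C-0001",
                "level": "note",
                "message": {"text": "Constructed informational finding"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "deploy/web.yaml"},
                    "region": {"startLine": 3},
                }}],
            },
        ],
    }],
}

# SARIF result levels -> RDFormat severities (this example's own mapping).
LEVEL_TO_SEVERITY = {"error": "ERROR", "warning": "WARNING", "note": "INFO"}
SEVERITY_ORDER = {"UNKNOWN_SEVERITY": 0, "INFO": 1, "WARNING": 2, "ERROR": 3}


def region_to_range(region):
    """Translate a SARIF region (1-based lines/columns) into an RDFormat range."""
    start_col = region.get("startColumn", 1)
    rng = {"start": {"line": region["startLine"], "column": start_col}}
    if "endLine" in region:
        rng["end"] = {"line": region["endLine"], "column": region.get("endColumn", start_col)}
    return rng


def sarif_to_rdjson(sarif, min_severity="WARNING"):
    """Build an rdjson DiagnosticResult; results below min_severity are dropped
    and SARIF fixes become reviewdog suggestions the reviewer can apply."""
    source_name, diagnostics = "sarif", []
    for run in sarif.get("runs", []):
        driver = run["tool"]["driver"]
        source_name = driver.get("name", source_name)
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            severity = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "UNKNOWN_SEVERITY")
            if SEVERITY_ORDER[severity] < SEVERITY_ORDER[min_severity]:
                continue
            physical = result["locations"][0]["physicalLocation"]
            diagnostic = {
                "message": result["message"]["text"],
                "location": {"path": physical["artifactLocation"]["uri"],
                             "range": region_to_range(physical["region"])},
                "severity": severity,
                "code": {"value": result["ruleId"]},
            }
            rule = rules.get(result["ruleId"])
            if rule and "helpUri" in rule:
                diagnostic["code"]["url"] = rule["helpUri"]
            suggestions = [
                {"range": region_to_range(rep["deletedRegion"]),
                 "text": rep.get("insertedContent", {}).get("text", "")}
                for fix in result.get("fixes", [])
                for change in fix.get("artifactChanges", [])
                for rep in change.get("replacements", [])
            ]
            if suggestions:
                diagnostic["suggestions"] = suggestions
            diagnostics.append(diagnostic)
    return {"source": {"name": source_name}, "diagnostics": diagnostics}


def rdjson_text(sarif, min_severity="WARNING"):
    """Serialise the conversion; this is what you would pipe into `reviewdog -f=rdjson`."""
    return json.dumps(sarif_to_rdjson(sarif, min_severity), indent=2)


if __name__ == "__main__":
    print(rdjson_text(SAMPLE_SARIF))
```

With the default `min_severity` the informational result is dropped and only the error-level finding, together with its one-line suggestion, reaches the pull request; lowering the filter to `INFO` surfaces both.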
```yaml
name: Suggest autofixes with Kubescape for direct commits by PR
on:
  push:
    branches: [ main ]
jobs:
  kubescape-fix-commit:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v35
      - uses: kubescape/github-action@main
        with:
          account: ${{secrets.KUBESCAPE_ACCOUNT}}
          accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
          server: ${{ vars.KUBESCAPE_SERVER }}
          files: ${{ steps.changed-files.outputs.all_changed_files }}
          fixFiles: true
          format: "sarif"
      - uses: peter-evans/create-pull-request@v4
        # Remember to allow GitHub Actions to create and approve pull requests
        # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests
        if: github.event_name != 'pull_request_target'
        with:
          add-paths: |
            *.yaml
          commit-message: "chore: fix K8s misconfigurations"
          title: "[Kubescape] chore: fix K8s misconfigurations"
          body: |
            # What this PR changes
            [Kubescape](https://github.com/kubescape/kubescape) has found misconfigurations in the targeted branch. This PR fixes the misconfigurations that have automatic fixes available.
            You may still need to fix misconfigurations that do not have automatic fixes.
          base: ${{ github.head_ref }}
          branch: kubescape-auto-fix-${{ github.head_ref || github.ref_name }}
          delete-branch: true
```
The workflow above works by collecting the changes Kubescape makes directly to the original files. In the example, a separate step running a different action opens the corresponding pull request. Because of how GitHub works, there are [limitations](https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs) on running on branches and opening pull requests from a workflow. The actions run in these steps are maintained by their respective maintainers, not by the Kubescape team, so consult their documentation when troubleshooting the workflow run and the pull request creation.
Note that because Kubescape only provides automatic fixes for rendered YAML manifests, the workflow above cannot produce correct fixes for Helm charts.
The next important point is that Kubescape only fixes the files themselves. It does not open pull requests or generate code reviews on its own.
### Scanning images
The Kubescape GitHub Action can also scan images. Be aware, however, that image scanning currently cannot run in the same step as configuration scanning and file fixing. If you want to run both image and configuration scans, define at least two separate steps that use the same action with different inputs: one for image scanning and one for configuration scanning.
To scan a container image with the Kubescape GitHub Action, use the following workflow definition, remembering to replace `image: nginx` with the appropriate image name:
```yaml
name: Kubescape scanning for image vulnerabilities
on: [push, pull_request]
jobs:
  kubescape-scan-image:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          image: nginx
          format: sarif
          outputFile: results.sarif
          # Fail at or above the specified vulnerability severity threshold
          # severityThreshold: "critical"
          # Username for a private registry with the image
          # registryUsername: ${{secrets.REGISTRY_USERNAME}}
          # Password for a private registry with the image
          # registryPassword: ${{secrets.REGISTRY_PASSWORD}}
          # Kubescape Portal credentials
          # account: ${{secrets.KUBESCAPE_ACCOUNT}}
          # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
          # server: ${{ vars.KUBESCAPE_SERVER }}
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```
## Inputs
| Name | Description | Required |
| --- | --- | ---|
| files | YAML files or Helm charts to scan for misconfigurations. The files need to be provided with the complete path from the root of the repository. | No (default `.`, i.e. the whole repository is scanned) |
| outputFile | Name of the output file where the scan results are stored (without extension). | No (default `results`) |
| frameworks | Security frameworks to scan the files against. Multiple frameworks can be specified, separated by commas (without spaces). Example: `nsa,devopsbest`. Run `kubescape list frameworks` in the [Kubescape CLI](https://hub.armo.cloud/docs/installing-kubescape) to get the list of all frameworks. Either frameworks or controls must be specified. | No |
| controls | Security controls to scan the files against. Multiple controls can be specified, separated by commas (without spaces). Example: `Configured liveness probe,Pods in default namespace`. Run `kubescape list controls` in the [Kubescape CLI](https://hub.armo.cloud/docs/installing-kubescape) to get the list of all controls. You can use either the full control name or the control ID (for example `C-0001`) to specify the controls to use. Either controls or frameworks must be specified for the scan. | No |
| account | Account ID for integrating with a third-party server | No |
| accessKey | Access key for integrating with a third-party server | No |
| server | URL of the third-party server to integrate with | No |
| failedThreshold | Failure threshold: the percentage of failed controls above which the command fails and returns exit code 1 (default 0, i.e. the action fails if any control fails) | No (default 0) |
| severityThreshold | Severity threshold: if any failed control has a severity at or above this level, the command terminates with exit code 1 (default `high`, i.e. the action fails if any high-severity control fails) | No |
| verbose | Display all input resources, not only the failed ones. Off by default | No |
| exceptions | A JSON file containing at least one resource and one policy. See the [exceptions](https://hub.armo.cloud/docs/exceptions) documentation for more information. Objects covered by an exception are shown as excluded rather than failed. | No |
| controlsConfig | File containing the controls configuration. Use `kubescape download controls-inputs` to download the configured controls inputs. | No |
| image | The image you want to scan. Starts an image scan, which cannot run together with a configuration scan. | No |
| registryUsername | Username for the private registry hosting the scanned image. | No |
| registryPassword | Password for the private registry hosting the scanned image. Pass it from a repository secret, as in the examples, never as a literal in the workflow file. | No |
| version | Kubescape version to use. Either a specific version (e.g. "v3.0.21") or "latest". | No (default `latest`) |
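The two failure gates in the table behave differently, and the difference is easy to get wrong: `failedThreshold` is a percentage over all evaluated controls, while `severityThreshold` looks only at the worst failed control. The following added example (not Kubescape's code) models both gates on a constructed set of control results so you can see which settings would fail a step. Treating the two gates as independent, with either one tripping the step, is this example's own assumption; check the CLI behaviour before relying on that combination.

```python
"""Model of the failedThreshold and severityThreshold gates from the inputs table.

Added example, not Kubescape's code. The control results are constructed;
treating the two gates as independent (either one tripping fails the step)
is this example's assumption.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    severity: str  # low | medium | high | critical
    status: str    # passed | failed | excluded (object covered by an exception)


# Constructed scan summary: 8 controls, 7 evaluated, 3 failed, 1 excluded.
SAMPLE_RESULTS = [
    ControlResult("C-0001", "high", "failed"),
    ControlResult("C-0002", "medium", "failed"),
    ControlResult("C-0003", "low", "failed"),
    ControlResult("C-0004", "critical", "passed"),
    ControlResult("C-0005", "medium", "passed"),
    ControlResult("C-0006", "low", "passed"),
    ControlResult("C-0007", "high", "passed"),
    ControlResult("C-0008", "critical", "excluded"),
]


def failed_percentage(results):
    """Share of evaluated controls that failed. Excluded controls (objects covered
    by an `exceptions` file) count neither as failed nor as evaluated."""
    evaluated = [r for r in results if r.status in ("passed", "failed")]
    if not evaluated:
        return 0.0
    failed = sum(1 for r in evaluated if r.status == "failed")
    return 100.0 * failed / len(evaluated)


def exceeds_failed_threshold(results, threshold=0.0):
    """failedThreshold gate: trips when the failed percentage is strictly above
    the threshold, so the default of 0 trips on a single failed control."""
    return failed_percentage(results) > threshold


def exceeds_severity_threshold(results, threshold="high"):
    """severityThreshold gate: trips when any *failed* control is at or above the
    given severity. Passed and excluded controls never trip it, whatever their severity."""
    limit = SEVERITY_RANK[threshold.lower()]
    return any(SEVERITY_RANK[r.severity.lower()] >= limit
               for r in results if r.status == "failed")


def exit_code(results, failed_threshold=None, severity_threshold=None):
    """Exit status the scan step would report: 1 if any configured gate trips.
    Gates left as None are skipped; combining both is this example's own policy."""
    if failed_threshold is not None and exceeds_failed_threshold(results, failed_threshold):
        return 1
    if severity_threshold is not None and exceeds_severity_threshold(results, severity_threshold):
        return 1
    return 0


if __name__ == "__main__":
    print(f"failed controls: {failed_percentage(SAMPLE_RESULTS):.1f}%")
    for ft, st in [(0, None), (50, None), (None, "medium"), (None, "critical"), (50, "critical")]:
        print(f"failedThreshold={ft} severityThreshold={st} -> exit {exit_code(SAMPLE_RESULTS, ft, st)}")
```

On the constructed results, 3 of 7 evaluated controls failed (about 42.9%): `failedThreshold: 50` lets the step pass while the default of 0 fails it, and `severityThreshold: medium` fails it because a high-severity control failed, whereas `critical` passes because the only critical control was excluded rather than failed.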
## Examples
#### Scan and submit the results to [Kubescape Cloud](https://cloud.armosec.io/)
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          format: sarif
          outputFile: results
          # Specify the Kubescape cloud account ID
          account: ${{secrets.KUBESCAPE_ACCOUNT}}
          accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
          server: ${{ vars.KUBESCAPE_SERVER }}
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```
#### Scan a specific file path
Scan a specific path specification, for example `examples/kubernetes-manifests/*.yaml`:
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          format: sarif
          outputFile: results
          # Scan a specific path. Default will scan the whole repository
          files: "examples/kubernetes-manifests/*.yaml"
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```
#### Scan against specific frameworks
Run a Kubescape scan against a specific list of frameworks (NSA and MITRE in this example):
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          format: sarif
          outputFile: results
          frameworks: |
            nsa,mitre
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```
#### Fail the Kubescape scan based on the percentage of failed controls
Scan the repository with Kubescape and fail the scan step if the percentage of failed controls exceeds the specified `failedThreshold`:
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: false
        with:
          format: sarif
          outputFile: results
          failedThreshold: 50
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```
#### Fail the Kubescape scan based on the highest severity of a failed control
Scan the repository with Kubescape and fail the scan step if the scan finds a failed control of medium or higher severity:
```yaml
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: false
        with:
          format: sarif
          outputFile: results
          severityThreshold: medium
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```