mirror of
https://github.com/kubescape/kubescape.git
synced 2026-04-15 06:58:11 +00:00
5379b9b0a6
* phase-1 Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * factory Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * wip: feat(cli): add an image scanning command Add a CLI command that launches an image scan. Does not scan images yet. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: feat: add image scanning service Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore: include dependencies Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: adjust image scanning service Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * wip: feat: use scanning service in CLI Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * use iface Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * touches Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * continue Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * add cmd Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> * support single workload scan Signed-off-by: Amir Malka <amirm@armosec.io> * fix conflict Signed-off-by: Amir Malka <amirm@armosec.io> * identifiers * go mod * feat(imagescan): add an image scanning command This commit adds a CLI command and an associated package that scan images for vulnerabilities. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> feat(imagescan): fail on exceeding the severity threshold Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): include dependencies This commit adds the dependencies necessary for image scanning. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): add dependencies to httphandler Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * merge * more * integrate img scan * added unit tests Signed-off-by: Amir Malka <amirm@armosec.io> * more refactoring Signed-off-by: Amir Malka <amirm@armosec.io> * add scanned workload reference to opasessionobj Signed-off-by: Amir Malka <amirm@armosec.io> * fix GetWorkloadParentKind Signed-off-by: Amir Malka <amirm@armosec.io> * remove namespace argument from pullSingleResource, using field selector instead Signed-off-by: Amir Malka <amirm@armosec.io> * removed designators (unused) field from PolicyIdentifier, and designators argument from GetResources function Signed-off-by: Amir Malka <amirm@armosec.io> * changes * changes * fixes * changes * feat(imagescan): add an image scanning command This commit adds a CLI command and an associated package that scan images for vulnerabilities. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> feat(imagescan): fail on exceeding the severity threshold Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): include dependencies This commit adds the dependencies necessary for image scanning. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): add dependencies to httphandler Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * chore(imagescan): create vuln db with dedicated function Remove commented out code, too. Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * docs(imagescan): provide package-level docs Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> * finish merge * image scan tests * continue * fixes * refactor * rm duplicate * start fixes * update gh actions Signed-off-by: David Wertenteil <dwertent@armosec.io> * pr fixes * fix test * improvements --------- Signed-off-by: Daniel Grunberger <danielgrunberger@armosec.io> Signed-off-by: Vlad Klokun <vklokun@protonmail.ch> Signed-off-by: Amir Malka <amirm@armosec.io> Signed-off-by: David Wertenteil <dwertent@armosec.io> Co-authored-by: Daniel Grunberger <danielgrunberger@armosec.io> Co-authored-by: Vlad Klokun <vklokun@protonmail.ch> Co-authored-by: Amir Malka <amirm@armosec.io> Co-authored-by: David Wertenteil <dwertent@armosec.io>
345 lines
13 KiB
YAML
345 lines
13 KiB
YAML
name: b-binary-build-and-e2e-tests
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
COMPONENT_NAME:
|
|
required: false
|
|
type: string
|
|
default: "kubescape"
|
|
RELEASE:
|
|
required: false
|
|
type: string
|
|
default: ""
|
|
CLIENT:
|
|
required: false
|
|
type: string
|
|
default: "test"
|
|
GO_VERSION:
|
|
required: false
|
|
type: string
|
|
default: "1.20"
|
|
GO111MODULE:
|
|
required: false
|
|
type: string
|
|
default: ""
|
|
CGO_ENABLED:
|
|
type: number
|
|
default: 1
|
|
required: false
|
|
OS_METRIX:
|
|
type: string
|
|
required: false
|
|
default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
|
|
ARCH_METRIX:
|
|
type: string
|
|
required: false
|
|
default: '[ "", "arm64"]'
|
|
BINARY_TESTS:
|
|
type: string
|
|
required: false
|
|
default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score" ]'
|
|
|
|
workflow_call:
|
|
inputs:
|
|
COMPONENT_NAME:
|
|
required: true
|
|
type: string
|
|
RELEASE:
|
|
required: true
|
|
type: string
|
|
CLIENT:
|
|
required: true
|
|
type: string
|
|
GO_VERSION:
|
|
type: string
|
|
default: "1.20"
|
|
GO111MODULE:
|
|
required: true
|
|
type: string
|
|
CGO_ENABLED:
|
|
type: number
|
|
default: 1
|
|
BINARY_TESTS:
|
|
type: string
|
|
default: '[ "scan_nsa", "scan_mitre", "scan_with_exceptions", "scan_repository", "scan_local_file", "scan_local_glob_files", "scan_local_list_of_files", "scan_nsa_and_submit_to_backend", "scan_mitre_and_submit_to_backend", "scan_local_repository_and_submit_to_backend", "scan_repository_from_url_and_submit_to_backend", "scan_with_exception_to_backend", "scan_with_custom_framework", "scan_customer_configuration", "host_scanner", "scan_compliance_score" ]'
|
|
OS_METRIX:
|
|
type: string
|
|
required: false
|
|
default: '[ "ubuntu-20.04", "macos-latest", "windows-latest"]'
|
|
ARCH_METRIX:
|
|
type: string
|
|
required: false
|
|
default: '[ "", "arm64"]'
|
|
jobs:
|
|
wf-preparation:
|
|
name: secret-validator
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
TEST_NAMES: ${{ steps.export_tests_to_env.outputs.TEST_NAMES }}
|
|
OS_METRIX: ${{ steps.export_os_to_env.outputs.OS_METRIX }}
|
|
ARCH_METRIX: ${{ steps.export_arch_to_env.outputs.ARCH_METRIX }}
|
|
is-secret-set: ${{ steps.check-secret-set.outputs.is-secret-set }}
|
|
steps:
|
|
- name: check if the necessary secrets are set in github secrets
|
|
id: check-secret-set
|
|
env:
|
|
CUSTOMER: ${{ secrets.CUSTOMER }}
|
|
USERNAME: ${{ secrets.USERNAME }}
|
|
PASSWORD: ${{ secrets.PASSWORD }}
|
|
CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
|
|
SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
|
|
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
|
|
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
|
|
run: "echo \"is-secret-set=${{ env.CUSTOMER != '' && \n env.USERNAME != '' &&\n env.PASSWORD != '' &&\n env.CLIENT_ID != '' &&\n env.SECRET_KEY != '' &&\n env.REGISTRY_USERNAME != '' &&\n env.REGISTRY_PASSWORD != ''\n }}\" >> $GITHUB_OUTPUT\n"
|
|
|
|
- id: export_os_to_env
|
|
name: set test name
|
|
run: |
|
|
echo "OS_METRIX=$input" >> $GITHUB_OUTPUT
|
|
env:
|
|
input: ${{ inputs.OS_METRIX }}
|
|
|
|
- id: export_tests_to_env
|
|
name: set test name
|
|
run: |
|
|
echo "TEST_NAMES=$input" >> $GITHUB_OUTPUT
|
|
env:
|
|
input: ${{ inputs.BINARY_TESTS }}
|
|
|
|
- id: export_arch_to_env
|
|
name: set test name
|
|
run: |
|
|
echo "ARCH_METRIX=$input" >> $GITHUB_OUTPUT
|
|
env:
|
|
input: ${{ inputs.ARCH_METRIX }}
|
|
|
|
|
|
binary-build:
|
|
name: Create cross-platform build
|
|
needs: wf-preparation
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
GOARCH: ${{ matrix.arch }}
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
matrix:
|
|
os: ${{ fromJson(needs.wf-preparation.outputs.OS_METRIX) }}
|
|
arch: ${{ fromJson(needs.wf-preparation.outputs.ARCH_METRIX) }}
|
|
exclude:
|
|
- os: windows-latest
|
|
arch: arm64
|
|
steps:
|
|
|
|
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
|
|
with:
|
|
fetch-depth: 0
|
|
submodules: recursive
|
|
|
|
- name: Cache Go modules (Linux)
|
|
if: matrix.os == 'ubuntu-20.04'
|
|
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
|
|
with:
|
|
path: |
|
|
~/.cache/go-build
|
|
~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- name: Cache Go modules (macOS)
|
|
if: matrix.os == 'macos-latest'
|
|
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
|
|
with:
|
|
path: |
|
|
~/Library/Caches/go-build
|
|
~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- name: Cache Go modules (Windows)
|
|
if: matrix.os == 'windows-latest'
|
|
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # ratchet:actions/cache@v3
|
|
with:
|
|
path: |
|
|
~\AppData\Local\go-build
|
|
~\go\pkg\mod
|
|
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-
|
|
|
|
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
|
|
name: Installing go
|
|
with:
|
|
go-version: ${{ inputs.GO_VERSION }}
|
|
cache: true
|
|
|
|
- name: start ${{ matrix.arch }} environment in container
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y binfmt-support qemu-user-static
|
|
sudo docker run --platform linux/${{ matrix.arch }} -e RELEASE=${{ inputs.RELEASE }} \
|
|
-e CLIENT=${{ inputs.CLIENT }} -e CGO_ENABLED=${{ inputs.CGO_ENABLED }} \
|
|
-e KUBESCAPE_SKIP_UPDATE_CHECK=true -e GOARCH=${{ matrix.arch }} -v ${PWD}:/work \
|
|
-w /work -v ~/go/pkg/mod:/root/go/pkg/mod -v ~/.cache/go-build:/root/.cache/go-build \
|
|
-d --name build golang:${{ inputs.GO_VERSION }}-bullseye sleep 21600
|
|
sudo docker ps
|
|
DOCKER_CMD="sudo docker exec build"
|
|
${DOCKER_CMD} apt update
|
|
${DOCKER_CMD} apt install -y cmake python3
|
|
${DOCKER_CMD} git config --global --add safe.directory '*'
|
|
echo "DOCKER_CMD=${DOCKER_CMD}" >> $GITHUB_ENV;
|
|
if: matrix.os == 'ubuntu-20.04' && matrix.arch != ''
|
|
|
|
- name: Install MSYS2 & libgit2 (Windows)
|
|
shell: cmd
|
|
run: .\build.bat all
|
|
if: matrix.os == 'windows-latest'
|
|
|
|
- name: Install pkg-config (macOS)
|
|
run: brew install pkg-config
|
|
if: matrix.os == 'macos-latest'
|
|
|
|
- name: Install libgit2 (Linux/macOS)
|
|
run: ${{ env.DOCKER_CMD }} make libgit2${{ matrix.arch }}
|
|
if: matrix.os != 'windows-latest'
|
|
|
|
- name: Test core pkg
|
|
run: ${{ env.DOCKER_CMD }} go test "-tags=static,gitenabled" -v ./...
|
|
if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
|
|
|
|
- name: Test httphandler pkg
|
|
run: ${{ env.DOCKER_CMD }} sh -c 'cd httphandler && go test "-tags=static,gitenabled" -v ./...'
|
|
if: "!startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch == '' || startsWith(github.ref, 'refs/tags') && (matrix.os != 'macos-latest' || matrix.arch != 'arm64')"
|
|
|
|
- name: Build
|
|
env:
|
|
RELEASE: ${{ inputs.RELEASE }}
|
|
CLIENT: ${{ inputs.CLIENT }}
|
|
CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
|
|
run: ${{ env.DOCKER_CMD }} python3 --version && ${{ env.DOCKER_CMD }} python3 build.py
|
|
|
|
- name: Smoke Testing (Windows / MacOS)
|
|
env:
|
|
RELEASE: ${{ inputs.RELEASE }}
|
|
KUBESCAPE_SKIP_UPDATE_CHECK: "true"
|
|
run: python3 smoke_testing/init.py ${PWD}/build/kubescape-${{ matrix.os }}
|
|
if: startsWith(github.ref, 'refs/tags') && matrix.os != 'ubuntu-20.04' && matrix.arch == ''
|
|
|
|
- name: Smoke Testing (Linux amd64)
|
|
env:
|
|
RELEASE: ${{ inputs.RELEASE }}
|
|
KUBESCAPE_SKIP_UPDATE_CHECK: "true"
|
|
run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ${PWD}/build/kubescape-ubuntu-latest
|
|
if: matrix.os == 'ubuntu-20.04' && matrix.arch == ''
|
|
|
|
- name: Smoke Testing (Linux ${{ matrix.arch }})
|
|
env:
|
|
RELEASE: ${{ inputs.RELEASE }}
|
|
KUBESCAPE_SKIP_UPDATE_CHECK: "true"
|
|
run: ${{ env.DOCKER_CMD }} python3 smoke_testing/init.py ./build/kubescape-${{ matrix.arch }}-ubuntu-latest
|
|
if: startsWith(github.ref, 'refs/tags') && matrix.os == 'ubuntu-20.04' && matrix.arch != ''
|
|
|
|
- name: golangci-lint
|
|
if: matrix.os == 'ubuntu-20.04'
|
|
continue-on-error: true
|
|
uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # ratchet:golangci/golangci-lint-action@v3
|
|
with:
|
|
version: latest
|
|
args: --timeout 10m --build-tags=static
|
|
only-new-issues: true
|
|
|
|
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
|
|
name: Upload artifact (Linux)
|
|
if: matrix.os == 'ubuntu-20.04'
|
|
with:
|
|
name: kubescape${{ matrix.arch }}-ubuntu-latest
|
|
path: build/
|
|
if-no-files-found: error
|
|
|
|
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1
|
|
name: Upload artifact (MacOS, Win)
|
|
if: matrix.os != 'ubuntu-20.04'
|
|
with:
|
|
name: kubescape${{ matrix.arch }}-${{ matrix.os }}
|
|
path: build/
|
|
if-no-files-found: error
|
|
|
|
run-tests:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
TEST: ${{ fromJson(needs.wf-preparation.outputs.TEST_NAMES) }}
|
|
needs: [wf-preparation, binary-build]
|
|
if: ${{ (needs.wf-preparation.outputs.is-secret-set == 'true') && (always() && (contains(needs.*.result, 'success') || contains(needs.*.result, 'skipped')) && !(contains(needs.*.result, 'failure')) && !(contains(needs.*.result, 'cancelled'))) }}
|
|
runs-on: ubuntu-latest # This cannot change
|
|
steps:
|
|
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # ratchet:actions/download-artifact@v3.0.2
|
|
id: download-artifact
|
|
with:
|
|
name: kubescape-ubuntu-latest
|
|
path: "~"
|
|
|
|
- run: ls -laR
|
|
|
|
- name: chmod +x
|
|
run: chmod +x -R ${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
|
|
|
|
- name: Checkout systests repo
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
|
|
with:
|
|
repository: armosec/system-tests
|
|
path: .
|
|
|
|
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # ratchet:actions/setup-python@v4
|
|
with:
|
|
python-version: '3.8.13'
|
|
cache: 'pip'
|
|
|
|
- name: create env
|
|
run: ./create_env.sh
|
|
|
|
- name: Generate uuid
|
|
id: uuid
|
|
run: |
|
|
echo "RANDOM_UUID=$(uuidgen)" >> $GITHUB_OUTPUT
|
|
|
|
- name: Create k8s Kind Cluster
|
|
id: kind-cluster-install
|
|
uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d # ratchet:helm/kind-action@v1.3.0
|
|
with:
|
|
cluster_name: ${{ steps.uuid.outputs.RANDOM_UUID }}
|
|
|
|
- name: run-tests-on-local-built-kubescape
|
|
env:
|
|
CUSTOMER: ${{ secrets.CUSTOMER }}
|
|
USERNAME: ${{ secrets.USERNAME }}
|
|
PASSWORD: ${{ secrets.PASSWORD }}
|
|
CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
|
|
SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
|
|
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
|
|
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
|
|
run: |
|
|
echo "Test history:"
|
|
echo " ${{ matrix.TEST }} " >/tmp/testhistory
|
|
cat /tmp/testhistory
|
|
source systests_python_env/bin/activate
|
|
|
|
python3 systest-cli.py \
|
|
-t ${{ matrix.TEST }} \
|
|
-b production \
|
|
-c CyberArmorTests \
|
|
--duration 3 \
|
|
--logger DEBUG \
|
|
--kwargs kubescape=${{steps.download-artifact.outputs.download-path}}/kubescape-ubuntu-latest
|
|
|
|
deactivate
|
|
|
|
- name: Test Report
|
|
uses: mikepenz/action-junit-report@6e9933f4a97f4d2b99acef4d7b97924466037882 # ratchet:mikepenz/action-junit-report@v3.6.1
|
|
if: always() # always run even if the previous step fails
|
|
with:
|
|
report_paths: '**/results_xml_format/**.xml'
|
|
commit: ${{github.event.workflow_run.head_sha}}
|