Left some comments/questions for reviewers as part of self-review
`go run cmd/main.go -f internal/sarif/fixtures/apparmor-invalid.yaml all --format="sarif" > kubeaudit.sarif` will yield a new sarif report (kubeaudit.sarif):

```json
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "informationUri": "https://github.com/Shopify/kubeaudit",
          "name": "kubeaudit",
          "rules": [
            {
              "id": "AppArmorInvalidAnnotation",
              "name": "apparmor",
              "shortDescription": {
                "text": "AppArmorInvalidAnnotation"
              },
              "help": {
                "text": "**Type**: kubernetes\n**Auditor Docs**: To find out more about the issue and how to fix it, follow [this link](https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/apparmor.md)\n**Description:** Finds containers that do not have AppArmor enabled\n\n *Note*: These audit results are generated with `kubeaudit`, a command line tool and a Go package that checks for potential security concerns in kubernetes manifest specs. You can read more about it at https://github.com/Shopify/kubeaudit "
              },
              "properties": {
                "tags": [
                  "security",
                  "kubernetes",
                  "infrastructure"
                ]
              }
            },
            {
              "id": "AutomountServiceAccountTokenTrueAndDefaultSA",
              "name": "asat",
              "shortDescription": {
                "text": "AutomountServiceAccountTokenTrueAndDefaultSA"
              },
              "help": {
                "text": "**Type**: kubernetes\n**Auditor Docs**: To find out more about the issue and how to fix it, follow [this link](https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/asat.md)\n**Description:** Finds containers where the deprecated SA field is used or with a mounted default SA\n\n *Note*: These audit results are generated with `kubeaudit`, a command line tool and a Go package that checks for potential security concerns in kubernetes manifest specs. You can read more about it at https://github.com/Shopify/kubeaudit "
              },
              "properties": {
                "tags": [
                  "security",
                  "kubernetes",
                  "infrastructure"
                ]
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "AppArmorInvalidAnnotation",
          "ruleIndex": 0,
          "level": "error",
          "message": {
            "text": "Details: AppArmor annotation key refers to a container that doesn't exist. Remove the annotation 'container.apparmor.security.beta.kubernetes.io/container: badval'.\n Auditor: apparmor\nDescription: Finds containers that do not have AppArmor enabled\nAuditor docs: https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/apparmor.md "
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "internal/sarif/fixtures/apparmor-invalid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1
                }
              }
            }
          ]
        },
        {
          "ruleId": "AutomountServiceAccountTokenTrueAndDefaultSA",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "text": "Details: Default service account with token mounted. automountServiceAccountToken should be set to 'false' on either the ServiceAccount or on the PodSpec or a non-default service account should be used.\n Auditor: asat\nDescription: Finds containers where the deprecated SA field is used or with a mounted default SA\nAuditor docs: https://github.com/Shopify/kubeaudit/blob/main/docs/auditors/asat.md "
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "internal/sarif/fixtures/apparmor-invalid.yaml",
                  "uriBaseId": "ROOTPATH"
                },
                "region": {
                  "startLine": 1
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
```
Examples of the sarif output being used with GitHub Code Scanning. SARIF uploaded with a GitHub action that _thepwagner set up in a private repo:

Type of change

- [ ] Bug fix :bug:
- [x] New feature :sparkles:
- [x] This change requires a documentation update :book:
- [x] Breaking changes :warning: => if we rename `Name` to `Rule`, users of the library will need to update the code when they bump the version

How Has This Been Tested?

- [x] Running the following `go run cmd/main.go -f internal/sarif/fixtures/apparmor-invalid.yaml all -s kubeaudit.sarif` will yield a new sarif report (kubeaudit.sarif) as well as print the results on the terminal

Checklist:

- [x] I have :tophat: my changes (A 🎩 specifically includes pulling down changes, setting them up, and manually testing the changed features and potential side effects to make sure nothing is broken)
- [x] I have performed a self-review of my own code
- [x] I have made corresponding changes to the documentation
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes

Closes #436
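As an added example that is not part of this PR or of the kubeaudit code base, the Go function below parses a kubeaudit SARIF report like the one above and checks the two properties code scanning relies on to place an alert: each result's `ruleIndex` must point at the `driver.rules` entry whose `id` equals its `ruleId`, and each location must carry a `uri` and a 1-based `startLine`. The `sarifRun` type and the `checkSARIF` name are this example's own assumptions.

```go
package main

import "encoding/json"
import "fmt"

// Only the SARIF 2.1.0 fields the check needs; kubeaudit's report carries more.
type sarifRun struct {
	Tool struct {
		Driver struct {
			Rules []struct{ ID string `json:"id"` } `json:"rules"`
		} `json:"driver"`
	} `json:"tool"`
	Results []struct {
		RuleID    string `json:"ruleId"`
		RuleIndex int    `json:"ruleIndex"`
		Locations []struct {
			Phys struct {
				Artifact struct{ URI string `json:"uri"` } `json:"artifactLocation"`
				Region   struct{ StartLine int `json:"startLine"` } `json:"region"`
			} `json:"physicalLocation"`
		} `json:"locations"`
	} `json:"results"`
}

// checkSARIF parses a report and returns one message per result that GitHub
// Code Scanning would reject or attach to the wrong rule or file; nil means clean.
func checkSARIF(data []byte) ([]string, error) {
	var rep struct{ Runs []sarifRun `json:"runs"` }
	if err := json.Unmarshal(data, &rep); err != nil {
		return nil, err
	}
	var problems []string
	for _, r := range rep.Runs {
		rules := r.Tool.Driver.Rules
		for i, res := range r.Results {
			// ruleIndex is a position in driver.rules and must name the same rule as ruleId.
			if res.RuleIndex < 0 || res.RuleIndex >= len(rules) || rules[res.RuleIndex].ID != res.RuleID {
				problems = append(problems, fmt.Sprintf("result %d: ruleId %q does not match ruleIndex %d", i, res.RuleID, res.RuleIndex))
			}
			// Code scanning needs a file and a 1-based line to place the alert.
			for _, l := range res.Locations {
				if l.Phys.Artifact.URI == "" || l.Phys.Region.StartLine < 1 {
					problems = append(problems, fmt.Sprintf("result %d: location needs a uri and startLine >= 1", i))
				}
			}
		}
	}
	return problems, nil
}
```

Feed it the bytes of kubeaudit.sarif from the command above; an empty result means the report is consistent on these points.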