kubescape / github-action

GitHub action to run Kubescape scans
Apache License 2.0

Empty sarif #50

Closed pburgisser closed 5 months ago

pburgisser commented 10 months ago

I'm running the GH action against some Helm charts where I get critical to low results, as expected. The whole pipeline works, but I don't see any result in CodeScan on that branch, and if I try to print the SARIF, it looks empty.

Please find below my pipeline as well as an extract of the logs.

name: Lint and Test Charts

on:
  push:
    branches:
      - mystuff
jobs:
  lint-test:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Helm
        uses: azure/setup-helm@v3.5
        with:
          version: v3.12.0
      - uses: actions/setup-python@v4
        with:
          python-version: 3.7
      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.4.0
      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --config .github/linters/ct.yaml)
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> $GITHUB_OUTPUT
          fi
      - name: Run chart-testing (lint)
        run: ct lint --config .github/linters/ct.yaml --validate-maintainers=false
      - uses: kubescape/github-action@main
        #continue-on-error: true
        with:
          format: sarif
          outputFile: results
          files: "helm/mychart"
          verbose: true
          severityThreshold: critical
      - name: print results
        run: |
          cat results.sarif
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
image is <>
kubescape scan    helm/feltboard-ghostbuster   --severity-threshold critical --format sarif --output results --verbose  
{"level":"info","ts":"2023-10-23T14:46:45Z","msg":"Kubescape scanner initializing"}
{"level":"warn","ts":"2023-10-23T14:46:46Z","msg":"current version 'v2.9.2' is not updated to the latest release: 'v3.0.0'"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Initialized scanner"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loading policies"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loaded policies"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loading exceptions"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loaded exceptions"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loading account configurations"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Loaded account configurations"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Accessing local objects"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Done accessing local objects"}
{"level":"info","ts":"2023-10-23T14:46:47Z","msg":"Scanning GitLocal"}
{"level":"info","ts":"2023-10-23T14:46:48Z","msg":"Done scanning GitLocal"}
{"level":"info","ts":"2023-10-23T14:46:48Z","msg":"Done aggregating results"}

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

################################################################################
Source: helm/feltboard-ghostbuster/templates/cronjob.yaml
ApiVersion: batch/v1
Kind: CronJob
Name: -feltboard-ghostbuster

Controls: 29 (Failed: 13, action required: 2)

┌──────────┬────────────────────────────────┬────────────────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Severity │ Control Name                   │ Docs                               │ Assisted Remediation                                                                              │
├──────────┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ High     │ Resource limits                │ https://hub.armosec.io/docs/c-0009 │ spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE                 │
│          │                                │                                    │ spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE              │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ Resources CPU limit and        │ https://hub.armosec.io/docs/c-0050 │ spec.jobTemplate.spec.template.spec.containers[0].resources.limits.cpu=YOUR_VALUE                 │
│          │ request                        │                                    │ spec.jobTemplate.spec.template.spec.containers[0].resources.requests.cpu=YOUR_VALUE               │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ Resources memory limit and     │ https://hub.armosec.io/docs/c-0004 │ spec.jobTemplate.spec.template.spec.containers[0].resources.limits.memory=YOUR_VALUE              │
│          │ request                        │                                    │ spec.jobTemplate.spec.template.spec.containers[0].resources.requests.memory=YOUR_VALUE            │
├──────────┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Low      │ Configured readiness probe     │ https://hub.armosec.io/docs/c-0018 │ spec.jobTemplate.spec.template.spec.containers[0].readinessProbe=YOUR_VALUE                       │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ Immutable container filesystem │ https://hub.armosec.io/docs/c-0017 │ spec.jobTemplate.spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem=true     │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ K8s common labels usage        │ https://hub.armosec.io/docs/c-0077 │ metadata.labels[app.kubernetes.io/name]=YOUR_VALUE                                                │
│          │                                │                                    │ spec.jobTemplate.spec.template.metadata.labels[app.kubernetes.io/name]=YOUR_VALUE                 │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ Label usage for resources      │ https://hub.armosec.io/docs/c-0076 │ metadata.labels[app]=YOUR_VALUE                                                                   │
│          │                                │                                    │ spec.jobTemplate.spec.template.metadata.labels[app]=YOUR_VALUE                                    │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ Pods in default namespace      │ https://hub.armosec.io/docs/c-0061 │ metadata.namespace=YOUR_NAMESPACE                                                                 │
├──────────┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Medium   │ Allow privilege escalation     │ https://hub.armosec.io/docs/c-0016 │ spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false  │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ Configured liveness probe      │ https://hub.armosec.io/docs/c-0056 │ spec.jobTemplate.spec.template.spec.containers[0].livenessProbe=YOUR_VALUE                        │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ Ingress and Egress blocked     │ https://hub.armosec.io/docs/c-0030 │                                                                                                   │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ Linux hardening                │ https://hub.armosec.io/docs/c-0055 │ spec.jobTemplate.spec.template.spec.containers[0].securityContext.seccompProfile=YOUR_VALUE       │
│          │                                │                                    │ spec.jobTemplate.spec.template.spec.containers[0].securityContext.seLinuxOptions=YOUR_VALUE       │
│          │                                │                                    │ spec.jobTemplate.spec.template.spec.containers[0].securityContext.capabilities.drop[0]=YOUR_VALUE │
├          ┼────────────────────────────────┼────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│          │ Non-root containers            │ https://hub.armosec.io/docs/c-0013 │ spec.jobTemplate.spec.template.spec.containers[0].securityContext.runAsNonRoot=true               │
│          │                                │                                    │ spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation=false  │
└──────────┴────────────────────────────────┴────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────┘
{"level":"info","ts":"2023-10-23T14:46:48Z","msg":"Scan results saved","filename":"results.sarif"}

Controls: 48 (Failed: 13, Passed: 33, Action Required: 2)
Failed Resources by Severity: Critical — 0, High — 3, Medium — 5, Low — 5

Run cat results.sarif
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "informationUri": "https://armosec.io/",
          "name": "kubescape",
          "rules": []
        }
      },
      "results": []
    }
  ]
}

Run github/codeql-action/upload-sarif@v2

Uploading results
  Processing sarif files: ["results.sarif"]
  Uploading results
  Successfully uploaded results
Waiting for processing to finish
  Analysis upload status is pending.
  Analysis upload status is complete.
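The failure mode in this report is silent: the console output lists 13 failed controls, the SARIF file is a structurally valid but empty report, and `upload-sarif` accepts it without complaint, so Code Scanning shows nothing and the job stays green. A guard step between the scan and the upload catches that. The script below is an added example, not code from kubescape/github-action or the Kubescape project; it relies only on the standard SARIF 2.1.0 layout (`runs[].tool.driver.rules` and `runs[].results`). The empty report is the one pasted above; the populated sample, the rule IDs and the file paths in it are constructed for illustration, and the `--expect-findings` flag and the `check_sarif.py` name are this example's own.

```python
"""Guard step: refuse to upload an empty Kubescape SARIF report.

Added example (not part of kubescape/github-action). Assumes only the
generic SARIF 2.1.0 structure; the Kubescape-specific values in the
constructed sample below are assumptions, not the tool's real output.
"""
import json
import sys
from collections import Counter
from typing import Dict, Tuple

# Copied from the issue: the report the action actually wrote (no rules, no results).
EMPTY_SARIF = """{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {"tool": {"driver": {"informationUri": "https://armosec.io/",
                         "name": "kubescape", "rules": []}},
     "results": []}
  ]
}"""

# Constructed sample of a populated report, shaped after the controls printed in
# the console output above. Field values are hypothetical.
POPULATED_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "kubescape", "rules": [
            {"id": "C-0009", "name": "Resource limits",
             "defaultConfiguration": {"level": "error"}},
            {"id": "C-0016", "name": "Allow privilege escalation",
             "defaultConfiguration": {"level": "warning"}},
            {"id": "C-0018", "name": "Configured readiness probe",
             "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            # no explicit level: inherits "error" from the rule's defaultConfiguration
            {"ruleId": "C-0009", "message": {"text": "missing resource limits"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "helm/mychart/templates/cronjob.yaml"}}}]},
            {"ruleId": "C-0016", "level": "warning",
             "message": {"text": "allowPrivilegeEscalation not set"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "helm/mychart/templates/cronjob.yaml"}}}]},
            {"ruleId": "C-0018", "message": {"text": "no readiness probe"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "helm/mychart/templates/deployment.yaml"}}}]},
        ],
    }],
})


def load_sarif(text: str) -> Dict:
    """Parse the report and reject anything that is not a SARIF 2.1.0 document."""
    sarif = json.loads(text)
    if not isinstance(sarif, dict) or sarif.get("version") != "2.1.0":
        raise ValueError("not a SARIF 2.1.0 document")
    return sarif


def summarize(sarif: Dict) -> Dict:
    """Count rules, results per level, and affected files across all runs.

    SARIF 2.1.0: a result with no "level" takes the level from its rule's
    defaultConfiguration; if that is absent too, the level is "warning".
    """
    runs = sarif.get("runs") or []
    rules_total, by_level, files = 0, Counter(), set()
    for run in runs:
        rules = run.get("tool", {}).get("driver", {}).get("rules") or []
        rules_total += len(rules)
        default_level = {r.get("id"): r.get("defaultConfiguration", {}).get("level", "warning")
                         for r in rules}
        for res in run.get("results") or []:
            by_level[res.get("level") or default_level.get(res.get("ruleId"), "warning")] += 1
            for loc in res.get("locations") or []:
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if uri:
                    files.add(uri)
    return {"runs": len(runs), "rules": rules_total, "results": sum(by_level.values()),
            "by_level": dict(by_level), "files": sorted(files)}


def check_sarif(text: str, expect_findings: bool) -> Tuple[bool, str]:
    """Return (ok, reason). Fails on malformed, run-less, or unexpectedly empty reports.

    expect_findings=True means the scanner's own console output reported failed
    controls, so an empty report is a writer bug (the situation in this issue),
    not a clean scan.
    """
    try:
        summary = summarize(load_sarif(text))
    except (ValueError, json.JSONDecodeError) as exc:
        return False, "unusable report: %s" % exc
    if summary["runs"] == 0:
        return False, "report contains no runs"
    if summary["rules"] == 0 and summary["results"] == 0:
        if expect_findings:
            return False, "report has no rules and no results although the scan reported failed controls"
        return True, "clean scan: no findings"
    return True, "%d result(s) in %d file(s): %s" % (
        summary["results"], len(summary["files"]), summary["by_level"])


if __name__ == "__main__":
    # Usage in a workflow step: python3 check_sarif.py results.sarif --expect-findings
    path = sys.argv[1] if len(sys.argv) > 1 else "results.sarif"
    with open(path, encoding="utf-8") as fh:
        ok, reason = check_sarif(fh.read(), "--expect-findings" in sys.argv)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it as a step after the Kubescape scan and before `upload-sarif`; a non-zero exit stops the job before an empty report reaches Code Scanning. Pinning `kubescape/github-action` to a release tag or commit SHA instead of `@main` also helps here: with an unpinned reference, a change in how the action writes SARIF can alter what the pipeline uploads without any change in the repository itself.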
dwertent commented 6 months ago

Yes, the issue with Helm is that we currently don't know how to track the origin of the file; we have this PR for solving the issue.

dwertent commented 6 months ago

Can you please confirm it works with the latest release?