-
Notifications
You must be signed in to change notification settings - Fork 18
139 lines (127 loc) · 8.19 KB
/
ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
---
name: "CI"
on: # yamllint disable-line rule:truthy
workflow_dispatch: # yamllint disable-line rule:empty-values
pull_request: # yamllint disable-line rule:empty-values
concurrency:
group: "${{ github.head_ref }}-ci"
cancel-in-progress: true
jobs:
pre-commit-check:
name: "Run pre-commit checks"
runs-on: "ubuntu-22.04"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
with:
fetch-depth: 0
- name: "Setup Go"
uses: "actions/setup-go@v4"
- run: "echo $HOME/go/bin >> $GITHUB_PATH"
- name: "Setup Helm"
uses: "azure/setup-helm@v3"
- run: "mkdir template_output"
- run: "helm repo add bitnami https://charts.bitnami.com/bitnami"
- run: "helm dependency update charts/nautobot"
- name: "Install helm-docs"
run: "go install github.com/norwoodj/helm-docs/cmd/[email protected]"
env:
GO111MODULE: "on"
- uses: "dorny/paths-filter@v2"
id: "filter"
with:
list-files: "shell"
filters: |
addedOrModified:
- added|modified: '**'
# run only if changed files were detected
- name: "Run against changes"
uses: "pre-commit/[email protected]"
if: "steps.filter.outputs.addedOrModified == 'true'"
with:
extra_args: "--files ${{ steps.filter.outputs.addedOrModified_files }}"
# run if no changed files were detected (e.g. workflow_dispatch on main branch)
- name: "Run against all files"
uses: "pre-commit/[email protected]"
if: "steps.filter.outputs.addedOrModified != 'true'"
with:
extra_args: "--all-files"
# - name: "Upload result to GitHub Code Scanning"
# uses: "github/codeql-action/upload-sarif@v2"
# with:
# sarif_file: "checkov.sarif"
snyk-security-check:
name: "Snyk Security Scanning"
runs-on: "ubuntu-22.04"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
- uses: "azure/setup-helm@v3"
- run: "mkdir template_output"
- run: "helm repo add bitnami https://charts.bitnami.com/bitnami"
- run: "helm dependency update charts/nautobot"
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot --output-dir=./template_output/test-postgresql"
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot --output-dir=./template_output/test-mysql"
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot --output-dir=./template_output/test-postgresql-ha"
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot --output-dir=./template_output/test-defaults"
- name: "Run Snyk to check template files for security issues"
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: "snyk/actions/iac@master"
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
SNYK_TOKEN: "${{ secrets.SNYK_TOKEN }}"
with:
# Add the path to the configuration file that you would like to test.
# For example `deployment.yaml` for a Kubernetes deployment manifest
# or `main.tf` for a Terraform configuration file
file: "./template_output"
- name: "Upload result to GitHub Code Scanning"
uses: "github/codeql-action/upload-sarif@v2"
with:
sarif_file: "snyk.sarif"
kubescape-security-check:
name: "Kubescape Security Scanning"
runs-on: "ubuntu-22.04"
env:
GITHUB_PATH: "/home/runner/.kubescape/bin"
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
- uses: "azure/setup-helm@v3"
- name: "Install Kubescape"
run: "curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash"
- run: 'echo "${HOME}/.kubescape/bin" >> $GITHUB_PATH' # yamllint disable-line rule:quoted-strings
- run: "helm repo add bitnami https://charts.bitnami.com/bitnami"
- run: "helm dependency update charts/nautobot"
- name: "Kubescape NSA Scan - Defaults"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot | kubescape scan framework nsa - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape NSA Scan - PostgreSQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework nsa - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape NSA Scan - MySQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework nsa - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape NSA Scan - PostgreSQL HA"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework nsa - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape MITRE Scan - Defaults"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot | kubescape scan framework mitre - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape MITRE Scan - PostgreSQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework mitre - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape MITRE Scan - MySQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework mitre - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape MITRE Scan - PostgreSQL HA"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework mitre - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape ARMOBest Scan - Defaults"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot | kubescape scan framework armobest - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape ARMOBest Scan - PostgreSQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework armobest - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape ARMOBest Scan - MySQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework armobest - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape ARMOBest Scan - PostgreSQL HA"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework armobest - --fail-threshold 0 --exceptions ./kubescape-exceptions.json"