diff --git a/.deepsource.toml b/.deepsource.toml index 6a7481e..32d7c71 100644 --- a/.deepsource.toml +++ b/.deepsource.toml @@ -1,4 +1,7 @@ version = 1 [[analyzers]] -name = "secrets" \ No newline at end of file +name = "secrets" + +[[analyzers]] +name = "kube-linter" diff --git a/.github/workflows/kube-linter.yaml b/.github/workflows/kube-linter.yaml new file mode 100644 index 0000000..b98f5ce --- /dev/null +++ b/.github/workflows/kube-linter.yaml @@ -0,0 +1,47 @@ +name: Scan with kube-linter + +on: + # Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present kube-linter + # SARIF reports. + push: + branches: [ main, master ] + pull_request: + +jobs: + scan: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Scan files with kube-linter + uses: stackrox/kube-linter-action@v1.0.4 + id: kube-linter-action-scan + with: + # Adjust this directory to the location where your kubernetes resources and helm charts are located. + directory: . + # Adjust this to the location of kube-linter config you're using, or remove the setting if you'd like to use + # the default config. + # config: sample/.kube-linter-config.yaml + # The following two settings make kube-linter produce scan analysis in SARIF format + format: sarif + output-file: ./kube-linter.sarif + # The following line prevents aborting the workflow immediately in case your files fail kube-linter checks. + # This allows the following upload-sarif action to still upload the results. + continue-on-error: true + + - name: Upload SARIF report files to DeepSource + run: | + # Install the CLI + curl https://deepsource.io/cli | sh + + # Send the report to DeepSource + ./bin/deepsource report --analyzer kube-linter --value-file ./kube-linter.sarif + + # Ensure the workflow eventually fails if files did not pass kube-linter checks. + - name: Verify kube-linter-action succeeded + shell: bash + run: | + echo "If this step fails, kube-linter found issues. Check the output of the scan step above." + [[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]]