diff --git a/.github/workflows/kube-linter-sample.yml b/.github/workflows/kube-linter-sample.yml index 78451dc..c010e98 100755 --- a/.github/workflows/kube-linter-sample.yml +++ b/.github/workflows/kube-linter-sample.yml @@ -1,10 +1,11 @@ -name: Check Kubernetes YAMLs +name: Check Kubernetes YAMLs with kube-linter on: + # Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present kube-linter + # SARIF reports. push: - branches: [ main ] + branches: [ main, master ] pull_request: - branches: [ main ] jobs: scan: @@ -12,8 +13,34 @@ jobs: steps: - uses: actions/checkout@v2 - - name: Scan valid yaml with kube-linter - uses: stackrox/kube-linter-action@v1.0.2 + # This prepares directory where github/codeql-action/upload-sarif@v1 looks up report files by default. + - name: Create ../results directory for SARIF report files + shell: bash + run: mkdir -p ../results + + - name: Scan yaml files with kube-linter + uses: stackrox/kube-linter-action@v1.0.4 + id: kube-linter-action-scan with: + # Adjust this directory to the location where your kubernetes resources and helm charts are located. directory: sample/valid-yaml + # Adjust this to the location of kube-linter config you're using, or remove the setting if you'd like to use + # the default config. config: sample/.kube-linter-config.yaml + # The following two settings make kube-linter produce scan analysis in SARIF format which would then be + # made available in GitHub UI via upload-sarif action below. + format: sarif + output-file: ../results/kube-linter.sarif + # The following line prevents aborting the workflow immediately in case your files fail kube-linter checks. + # This allows the following upload-sarif action to still upload the results to your GitHub repo. + continue-on-error: true + + - name: Upload SARIF report files to GitHub + uses: github/codeql-action/upload-sarif@v1 + + # Ensure the workflow eventually fails if files did not pass kube-linter checks. + - name: Verify kube-linter-action succeeded + shell: bash + run: | + echo "If this step fails, kube-linter found issues. Check the output of the scan step above." + [[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]] diff --git a/README.md b/README.md index 35dbc2d..4222ebd 100755 --- a/README.md +++ b/README.md @@ -8,18 +8,22 @@ This is a GitHub action for scanning Kubernetes YAML files and Helm charts in yo 1. Copy [.github/workflows/kube-linter-sample.yml](https://github.com/stackrox/kube-linter-action/tree/main/.github/workflows/kube-linter-sample.yml) file to `.github/workflows` directory in your repo. 2. Adjust scan `directory` to the location where your Kubernetes or Helm files are. See Parameters below. +3. Adjust or remove `config` parameter. -The new workflow will run every time there's a new push to the repo. -Workflow will fail if kube-linter detects issues. You'll find issues in the output of `kube-linter-action`. +The new workflow will run every time there's a new push to the repo master branch and for pull requests. + +The workflow will fail if kube-linter detects issues. You'll find issues in the output of `kube-linter-action` and in [Security | Code scanning alerts](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository) view of your GitHub repo (if you used provided sample workflow). ### Example ```yaml - name: Scan repo with kube-linter - uses: stackrox/kube-linter-action@v1.0.2 + uses: stackrox/kube-linter-action@v1.0.4 with: directory: yamls config: .kube-linter/config.yaml + format: sarif + output-file: kube-linter.sarif ``` ### Parameters