Run security scans on your Kubernetes manifests and Helm charts as part of your CI using the Kubescape action. Kubescape scans K8s clusters, YAML files, and Helm charts, detecting misconfigurations according to multiple frameworks (such as NSA-CISA and MITRE ATT&CK®) as well as software vulnerabilities.
Add the following step to your workflow configuration:

```yaml
steps:
  - uses: actions/checkout@v2
  - uses: kubescape/github-action@main
    with:
      files: kubernetes/*.yaml
```
| Name | Description | Required |
|---|---|---|
| files | The YAML files/Helm charts to scan for misconfigurations. The files need to be provided with the complete path from the root of the repository. | Yes |
| threshold | Failure threshold is the percent above which the command fails and returns exit code 1 (default 0, i.e. the action fails if any control fails). | No (default 0) |
| framework | The security framework(s) to scan the files against. Multiple frameworks can be specified separated by a comma with no spaces, for example `nsa,devopsbest`. Run `kubescape list frameworks` with the Kubescape CLI to get a list of all frameworks. Either frameworks or controls have to be specified. | No |
| control | The security control(s) to scan the files against. Multiple controls can be specified separated by a comma with no spaces, for example `Configured liveness probe,Pods in default namespace`. Run `kubescape list controls` with the Kubescape CLI to get a list of all controls. Either the complete control name or the ID (such as `C-0001`) can be specified. Either controls or frameworks have to be specified. | No |
| args | Additional arguments to the Kubescape CLI. The following arguments are supported - | No |
| exceptions | A JSON file containing at least one resource and one policy. Refer to the exceptions docs for more info. Objects matched by an exception are reported as excluded and do not fail the scan. | No |
- Standard

  ```yaml
  name: Scan YAML files with Kubescape
  on: push
  jobs:
    kubescape:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@master
        - uses: kubescape/github-action@main
          with:
            files: "kubernetes-prod/*.yaml"
  ```
- With arguments

  ```yaml
  name: Scan YAML files using Kubescape with additional arguments
  on: push
  jobs:
    kubescape:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@master
        - uses: kubescape/github-action@main
          with:
            args: "--fail-threshold 90"
            files: "kubernetes-prod/*.yaml"
  ```
- Specifying frameworks

  ```yaml
  name: Scan YAML files using Kubescape against specific frameworks
  on: push
  jobs:
    kubescape:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@master
        - uses: kubescape/github-action@main
          with:
            files: "kubernetes-prod/*.yaml"
            framework: |
              nsa,devopsbest
  ```
- Specific controls

  ```yaml
  name: Scan YAML files using Kubescape for specific controls
  on: push
  jobs:
    kubescape:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@master
        - uses: kubescape/github-action@main
          with:
            files: "kubernetes-prod/*.yaml"
            control: |
              Configured liveness probe,Pods in default namespace,Bash/cmd inside container
  ```
- Store the results in a file as an artifact

  ```yaml
  name: Scan YAML files with Kubescape and store results as an artifact
  on: push
  jobs:
    kubescape:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@master
        - uses: kubescape/github-action@main
          with:
            args: "--format junit --output results.xml"
            files: "kubernetes-prod/*.yaml"
            framework: nsa
        - name: Archive kubescape scan results
          uses: actions/upload-artifact@v2
          with:
            name: kubescape-scan-report
            path: results.xml
  ```
- Exceptions

  ```yaml
  name: KubeScape-Exceptions
  on: push
  jobs:
    kubescape:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@master
        - uses: kubescape/github-action@main
          with:
            files: "kubernetes-prod/*.yaml"
            exceptions: exceptions/exclude-NSA-framework.json
  ```
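The `threshold` input in the table and the results-as-artifact example both rest on the same gate: the share of failed controls is compared against a percentage, and the job fails when it is above that percentage (with the default 0, any single failed control fails the job). The script below is an added example, not code from the Kubescape project or this action, that applies the same gate to an archived JUnit report so the decision can be reproduced outside the action. It assumes the report follows the generic JUnit layout (`testsuites`/`testsuite`/`testcase` with an optional `failure` or `error` child), treats each `testcase` as one control result, and computes "percent" as failed controls divided by total controls, which is an assumption about how the threshold is evaluated. The sample report is constructed: the control names are taken from this page, the other names and the failure messages are placeholders.

```python
"""Apply a Kubescape-style failure threshold to a JUnit report.

Added example, not the Kubescape project's own code. Assumes the generic
JUnit layout and that the threshold is the percentage of failed testcases
among all testcases (an assumption about how the real CLI computes it).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample report. Control names come from the inputs table on this
# page; the remaining names and the failure messages are placeholders.
SAMPLE_JUNIT = """<testsuites name="kubescape">
  <testsuite name="nsa" tests="5" failures="2">
    <testcase classname="nsa" name="Configured liveness probe">
      <failure message="deployment/web: no livenessProbe defined"/>
    </testcase>
    <testcase classname="nsa" name="Pods in default namespace">
      <failure message="pod/debug: namespace is default"/>
    </testcase>
    <testcase classname="nsa" name="Bash/cmd inside container"/>
    <testcase classname="nsa" name="placeholder-control-4"/>
    <testcase classname="nsa" name="placeholder-control-5"/>
  </testsuite>
</testsuites>
"""


def summarize(junit_xml: str) -> tuple[list[str], int]:
    """Return (names of failed controls, total number of controls)."""
    root = ET.fromstring(junit_xml)
    failed: list[str] = []
    total = 0
    for case in root.iter("testcase"):
        total += 1
        # A testcase with a <failure> or <error> child is a failed control.
        if case.find("failure") is not None or case.find("error") is not None:
            failed.append(case.get("name", "<unnamed>"))
    return failed, total


def failure_percent(failed: int, total: int) -> float:
    """Share of failed controls in percent; an empty report counts as 0 %."""
    return 0.0 if total == 0 else 100.0 * failed / total


def exceeds_threshold(junit_xml: str, threshold: float = 0.0) -> bool:
    """True when the failure percentage is strictly above the threshold.

    The default of 0 mirrors the action's default: any failed control is
    above 0 %, so the job fails.
    """
    failed, total = summarize(junit_xml)
    return failure_percent(len(failed), total) > threshold


def main(argv: list[str]) -> int:
    """Usage: threshold_gate.py [results.xml] [threshold]; exit 1 on breach."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            junit_xml = fh.read()
    else:
        junit_xml = SAMPLE_JUNIT
    threshold = float(argv[2]) if len(argv) > 2 else 0.0
    failed, total = summarize(junit_xml)
    pct = failure_percent(len(failed), total)
    print(f"{len(failed)}/{total} controls failed "
          f"({pct:.1f} %, threshold {threshold:g} %)")
    for name in failed:
        print(f"  FAIL {name}")
    return 1 if pct > threshold else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the gate applied to the constructed sample (2 of 5 controls fail, so it exits 1 at the default threshold and 0 at `90`), or point it at the `results.xml` downloaded from the `kubescape-scan-report` artifact. Keeping the gate strict (`>` rather than `>=`) is what makes a threshold of 0 mean "no failures tolerated" while still allowing a deliberately relaxed threshold such as the `--fail-threshold 90` in the arguments example.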