WAF>> advisor-action>> 返回
项目作者: alcideio

项目描述 :
Alcide Advisor GitHub Action
高级语言: Shell
项目地址: git://github.com/alcideio/advisor-action.git
创建时间: 2020-03-01T22:43:16Z
项目社区:https://github.com/alcideio/advisor-action
开源协议:Apache License 2.0
下载


Alcide Advisor Action

Alcide Advisor

A GitHub Action to add security scanning of your Kubernetes cluster as part of your pipeline workflow.
To customize the scan Create Alcide Advisor Account.

About Alcide Advisor

Alcide Advisor is an agentless service for Kubernetes audit and compliance that’s built to ensure a frictionless and secured DevSecOps workflow by layering a hygiene scan of Kubernetes cluster & workloads early in the development process and before moving to production. With Alcide Advisor, you can cover the following security checks:

  • Kubernetes infrastructure vulnerability scanning.
  • Hunting misplaced secrets, or excessive priviliges for secret access.
  • Workload hardening from Pod Security to network policies.
  • Istio security configuration and best practices.
  • Ingress Controllers for security best practices.
  • Kubernetes API server access privileges.
  • Kubernetes operators security best practices.
  • Deployment conformance to labeling, annotating, resource limits and much more …

Usage

Pre-requisites

Create a workflow YAML file in your .github/workflows directory. An example workflow is available below.
For more information, reference the GitHub Help Documentation for Creating a workflow file.

Inputs

For more information on inputs, see the API Documentation

  • include_namespaces: Namespaces to include in the scan - defaults to all
  • exclude_namespaces: Namespaces to exclude in the scan - defaults to kube-system,istio-system
  • output_file: Scan result file name. You can publish this artifact in a later step.
  • fail_on_critical: Fail the task if critical findings observed.
  • policy_profile:Alcide policy profile the cluster will be scanned against.
  • policy_profile_id: The profile id with which cluster should be scanned. Note - Alcide Api Key is required to run a scan with customized profile
  • alcide_apikey: Alcide API Key - to run advisor scan with customized profile an api-key is needed - login to your account to obtain one
  • alcide_apiserver: Alcide API Server - The api server provisioned to your account

Alcide Kubernetes Advisor

Example Workflow

Create a workflow (eg: .github/workflows/advisor-scan.yml):

  1. name: Alcide Advisor Workflow Example
  3. on:
  4.   pull_request:
  5.   push:
  6.     branches:
  7.       - '*'
  8.       - '!master'
  10. jobs:
  11.   advisor-test:
  12.     runs-on: ubuntu-latest
  13.     steps:
  14.       - name: Checkout
  15.         uses: actions/checkout@v1
  17.       - name: Launch Cluster
  18.         uses: helm/kind-action@v1.0.0-alpha.3
  19.         with:
  20.           version: v0.7.0
  21.           name: kruzer
  22.           node_image: kindest/node:v1.16.4
  23.           wait: 5m
  24.           install_local_path_provisioner: true
  26.       - name: Test
  27.         run: |
  28.           kubectl cluster-info
  29.           kubectl get storageclass standard
  31.       - name: Scan Local Cluster
  32.         uses: alcideio/advisor-action@v1.1.0   
  33.         with:
  34.           exclude_namespaces: '-'
  35.           include_namespaces: '*'
  36.           output_file: 'advisor-scan.html'
  38.       - name: Upload Alcide Advisor Scan Report
  39.         uses: actions/upload-artifact@v1
  40.         with:
  41.           name: advisor-scan.html 
  42.           path: advisor-scan.html

This uses @alcideio/advisor-action GitHub Action to security scan your Kubernetes cluster configuration.

Additional References

Code of conduct

Participation in the Helm community is governed by the Code of Conduct.