From b532ef2649497d73b1a7f6e3f0e1cb9644ec4c93 Mon Sep 17 00:00:00 2001
From: Srijan Saurav
Date: Tue, 3 Oct 2023 09:48:30 +0530
Subject: [PATCH 1/3] Enable kube-linter scan on DeepSource

---
 .deepsource.toml                   |  5 +++-
 .github/workflows/kube-linter.yaml | 47 ++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/kube-linter.yaml

diff --git a/.deepsource.toml b/.deepsource.toml
index 6a7481e..32d7c71 100644
--- a/.deepsource.toml
+++ b/.deepsource.toml
@@ -1,4 +1,7 @@
 version = 1
 
 [[analyzers]]
-name = "secrets"
\ No newline at end of file
+name = "secrets"
+
+[[analyzers]]
+name = "kube-linter"
diff --git a/.github/workflows/kube-linter.yaml b/.github/workflows/kube-linter.yaml
new file mode 100644
index 0000000..b98f5ce
--- /dev/null
+++ b/.github/workflows/kube-linter.yaml
@@ -0,0 +1,47 @@
+name: Scan with kube-linter
+
+on:
+  # Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present kube-linter
+  # SARIF reports.
+  push:
+    branches: [ main, master ]
+  pull_request:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Scan files with kube-linter
+        uses: stackrox/kube-linter-action@v1.0.4
+        id: kube-linter-action-scan
+        with:
+          # Adjust this directory to the location where your kubernetes resources and helm charts are located.
+          directory: .
+          # Adjust this to the location of kube-linter config you're using, or remove the setting if you'd like to use
+          # the default config.
+          # config: sample/.kube-linter-config.yaml
+          # The following two settings make kube-linter produce scan analysis in SARIF format
+          format: sarif
+          output-file: ./kube-linter.sarif
+        # The following line prevents aborting the workflow immediately in case your files fail kube-linter checks.
+        # This allows the following upload-sarif action to still upload the results.
+        continue-on-error: true
+
+      - name: Upload SARIF report files to DeepSource
+        run: |
+          # Install the CLI
+          curl https://deepsource.io/cli | sh
+
+          # Send the report to DeepSource
+          ./bin/deepsource report --analyzer kube-linter --value-file ./kube-linter.sarif
+
+      # Ensure the workflow eventually fails if files did not pass kube-linter checks.
+      - name: Verify kube-linter-action succeeded
+        shell: bash
+        run: |
+          echo "If this step fails, kube-linter found issues. Check the output of the scan step above."
+          [[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]]

From 5124f51f64418f0c21bd306b6d2da27bb2e85d54 Mon Sep 17 00:00:00 2001
From: Srijan Saurav <68371686+srijan-deepsource@users.noreply.github.com>
Date: Tue, 3 Oct 2023 20:04:32 +0530
Subject: [PATCH 2/3] Update .github/workflows/kube-linter.yaml
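Review bot: The DeepSource upload step near the bottom of the hunk runs `curl https://deepsource.io/cli | sh`, which executes whatever that URL serves on every run with no version pin, no checksum and no `-f`, so a transient HTTP error page or a changed endpoint is fed straight to the shell in a job that is about to hold a reporting secret. Download to a file first, fail on HTTP errors, and verify before executing: `curl -fsSL https://deepsource.io/cli -o deepsource-install.sh`, a `sha256sum -c` against a checksum committed to the repo (bumped deliberately on upgrades), then `sh ./deepsource-install.sh`. The job also declares no `permissions:` block, so it inherits the repository's default token scope although nothing here needs more than `permissions: contents: read`. Both actions are referenced by mutable tags (`actions/checkout@v3`, `stackrox/kube-linter-action@v1.0.4`) rather than full-length commit SHAs; pin them with a version comment so a retagged release cannot silently change what runs in this job.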
Signed-off-by: Srijan Saurav <68371686+srijan-deepsource@users.noreply.github.com>
---
 .github/workflows/kube-linter.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/kube-linter.yaml b/.github/workflows/kube-linter.yaml
index b98f5ce..474ea41 100644
--- a/.github/workflows/kube-linter.yaml
+++ b/.github/workflows/kube-linter.yaml
@@ -10,6 +10,8 @@ on:
 jobs:
   scan:
     runs-on: ubuntu-latest
+    env:
+      DEEPSOURCE_DSN: ${{ secrets.DEEPSOURCE_DSN }}
     steps:
       - uses: actions/checkout@v3
         with:

From dd659cb8426a7d14753dd737fcc364330fcfd765 Mon Sep 17 00:00:00 2001
From: Srijan Saurav
Date: Fri, 10 Nov 2023 12:48:03 +0530
Subject: [PATCH 3/3] update config

---
 .deepsource.toml                   | 1 +
 .github/workflows/kube-linter.yaml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.deepsource.toml b/.deepsource.toml
index 32d7c71..0f2c2d5 100644
--- a/.deepsource.toml
+++ b/.deepsource.toml
@@ -5,3 +5,4 @@ name = "secrets"
 
 [[analyzers]]
 name = "kube-linter"
+type = "community"
diff --git a/.github/workflows/kube-linter.yaml b/.github/workflows/kube-linter.yaml
index 474ea41..4ef69cd 100644
--- a/.github/workflows/kube-linter.yaml
+++ b/.github/workflows/kube-linter.yaml
@@ -39,7 +39,7 @@ jobs:
           curl https://deepsource.io/cli | sh
 
           # Send the report to DeepSource
-          ./bin/deepsource report --analyzer kube-linter --value-file ./kube-linter.sarif
+          ./bin/deepsource report --analyzer kube-linter --analyzer-type community --value-file ./kube-linter.sarif
 
       # Ensure the workflow eventually fails if files did not pass kube-linter checks.
       - name: Verify kube-linter-action succeeded
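Review bot: Putting `DEEPSOURCE_DSN` in the job-level `env:` exposes the secret to every step in the job, including the checkout and the third-party `stackrox/kube-linter-action` step, although only the `Upload SARIF report files to DeepSource` step (outside this hunk) reads it. Move the two added lines to that step's own `env:` so the DSN is present only in the environment of the process that needs it. Note also that the workflow runs on `pull_request`, and GitHub does not supply repository secrets to runs triggered from forks, so on those runs the variable is empty and the report step will fail; if fork PRs are expected, gate the upload on the secret being non-empty or accept that outcome deliberately in a comment.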