orb.yml

version: 2.1

description: |
  Alcide Advisor is an agentless service for Kubernetes audit and compliance 
  that’s built to ensure a frictionless and secured DevSecOps workflow by 
  layering a hygiene scan of Kubernetes cluster & workloads early in the development process 
  and before moving to production.

  With Alcide Advisor, you can cover the following security checks:

  Kubernetes infrastructure vulnerability scanning.
  Hunting misplaced secrets, or excessive priviliges for secret access.
  Workload hardening from Pod Security to network policies.
  Istio security configuration and best practices.
  Ingress Controllers for security best practices.
  Kubernetes API server access privileges.
  Kubernetes operators security best practices.
  Deployment conformance to labeling, annotating, resource limits and much more ...

display:
  source_url: https://github.com/alcideio/circleci-alcide-orb
  home_url: https://www.alcide.io/

# Orb Dependencies
orbs:  
  k8s: circleci/kubernetes@0.11

commands:
  alcide_advisor_scan:
    description: Alcide Advisor Kubernetes Cluster Scan
    parameters:
      # cluster_context:
      #   description: Target Kubernetes cluster context. Use 'kubectl config get-contexts' to list available contexts
      #   type: string
      report_format:
        description: Report format - html or excel
        default: html
        enum:
          - html
          - excel
        type: enum    
      fail_on_critical:
        description: Fail the task if critical findings observed.
        type: boolean
        default: False
      alcide_apikey:
        default: ALCIDE_APIKEY
        type: env_var_name  
        description: Alcide API Key. (use env var $ALCIDE_APIKEY to populate).
      alcide_apiserver:
        description: Alcide API Server.
        type: string
      policy_profile:
        description: Alcide policy profile the cluster will be scanned against. 
        type: string

    steps:
      - k8s/install #install kubectl
      - run:
          name: Alcide Advisor Cluster Scan
          command: |
              REPORT_FORMAT="<< parameters.report_format >>"
              FAIL_ON_CRITICAL="<< parameters.fail_on_critical >>"
              ALCIDE_APIKEY="<< parameters.alcide_apikey >>"
              ALCIDE_APISERVER="<< parameters.alcide_apiserver >>"
              SCAN_POLICY_PROFILE="<< parameters.policy_profile >>"

              OPT=" "

              #
              # Profile based scans requires an API KEY 
              #
              if [ "${SCAN_POLICY_PROFILE}" == "true" ]; then
                  OPT="$OPT --policy-profile=$SCAN_POLICY_PROFILE"
                  OPT="$OPT --alcide-api-key=$ALCIDE_APIKEY --alcide-api-server=$ALCIDE_APISERVER"
              fi

              if [ "${FAIL_ON_CRITICAL}" == "true" ]; then
                  OPT="$OPT --run-mode=pipeline"
              fi

              if [ "${REPORT_FORMAT}" == "excel" ]; then
                  OPT="$OPT --output=excel --outfile advisor-report/kube-advisor-report.xlsx"
              else    
                  OPT="$OPT --output=html --outfile advisor-report/kube-advisor-report.html"
              fi

              curl -o kube-advisor https://alcide.blob.core.windows.net/generic/stable/linux/advisor
              chmod +x kube-advisor
              export CURRENT_CONTEXT=`kubectl config current-context`
              mkdir -p /tmp/advisor-report
              ./kube-advisor --eula-sign validate cluster --cluster-context ${CURRENT_CONTEXT} --namespace-include="*" --outfile /tmp/advisor-report/kube-advisor-report.html
      - store_artifacts:
          path: /tmp/advisor-report  

examples:
  advisor_scan:
    description: A Kubernetes Deployment to GKE with Alcide Kubernetes Scan Job
    usage:
      version: 2.1
      orbs:
        alcide: alcideio/alcide-advisor@1.0.2
        gcp-cli: circleci/gcp-cli@1.0.6
        gcr: circleci/gcp-gcr@0.0.2
        k8s: circleci/kubernetes@0.3.0  



      jobs:
        deploy_and_scan_cluster:
          description: "Deploy resources into a cluster"  
          machine: true
          parameters:
            cluster:
              description: "The Kubernetes cluster name."
              type: string
          steps:
            - checkout
            #
            # make sure you have the following environment variables defined:
            # GCLOUD_SERVICE_KEY, GOOGLE_PROJECT_ID, GOOGLE_COMPUTE_ZONE
            #
            - gcr/gcr-auth
            - gcp-cli/install
            - k8s/install
            - run: |
                gcloud container clusters get-credentials <<parameters.cluster>>
            - run: |
                echo "Deploy resources into the cluster"
                kubectl get pods --all-namespaces  
            - alcide/alcide_advisor_scan:
                #cluster_context: 'myclustercontext'
                report_format: 'html'
                fail_on_critical: false
                alcide_apiserver: ''
                policy_profile: ''                      

      workflows:
        advisor_scan:
          jobs:
            - deploy_and_scan_cluster:
                cluster: demo-cluster