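---
# CI entry point: lints and scans the Kubernetes manifests under apps/ and
# keeps the tooling version table current. Every job fans out from the shared
# `env` reusable workflow and reports back through `notify`.
name: main
on:  # yamllint disable-line rule:truthy -- GitHub's loader handles the 1.1 `on` key
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: each job declares only the GITHUB_TOKEN scopes its steps use.
# Jobs that call reusable workflows (`env`, `notify`) keep the repository
# default because their requirements are not visible from this file.
jobs:
  env:
    uses: devxp-tech/.github/.github/workflows/env.yaml@main

  yaml-linter:
    name: Yaml Linter π§Ή
    runs-on: ubuntu-latest
    needs:
      - env
    permissions:
      contents: read
    steps:
      - name: Checkout ποΈ
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          # Read-only job: do not leave the token in .git/config for later steps.
          persist-credentials: false
      - name: Yaml Lint
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3
        with:
          no_warnings: true

  kube-linter:
    name: Kube Linter π§Ή
    runs-on: ubuntu-latest
    needs:
      - env
    permissions:
      contents: read
      # Needed by upload-sarif so the findings land in the Security tab.
      security-events: write
    steps:
      - name: Checkout ποΈ
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          persist-credentials: false
      - name: Scan repo
        id: kube-lint-repo
        uses: stackrox/kube-linter-action@5792edc6a03735d592b13c08201711327a935735 # v1.0.5
        with:
          directory: apps
          format: sarif
          output-file: kube-linter.sarif
        # Report-only: lint findings do not block the pipeline.
        continue-on-error: true
      - name: Upload kube-linter results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3
        if: always()
        with:
          sarif_file: kube-linter.sarif

  secret-find:
    name: Secrets Find π
    runs-on: ubuntu-latest
    needs:
      - env
    permissions:
      contents: read
    steps:
      - name: Checkout ποΈ
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          persist-credentials: false
      - name: Find Secrets π
        shell: bash
        # Fails the job when a plain `kind: Secret` manifest is committed under
        # apps/. grep's exit code is inspected explicitly: 0 = match (fail),
        # 1 = clean, anything else = the scan itself broke and must not pass
        # as "no secrets".
        run: |
          set -uo pipefail
          rc=0
          grep -rlE --include='*.yaml' --include='*.yml' \
            'kind:[[:space:]]*Secret([[:space:]]|$)' apps/ || rc=$?
          if [[ "$rc" -eq 0 ]]; then
            echo "Fail, secret found! :("
            exit 1
          elif [[ "$rc" -eq 1 ]]; then
            echo "Success, secret not found! :)"
            exit 0
          else
            echo "Secret scan could not run (grep exit $rc)"
            exit "$rc"
          fi

  # datree-check:
  #   name: Datree Check π
  #   runs-on: ubuntu-latest
  #   needs:
  #     - env
  #   # Token scoped to the only job that consumes it; re-enable together.
  #   env:
  #     DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
  #   steps:
  #     - name: Checkout ποΈ
  #       uses: actions/checkout@v3
  #     - name: Run Datree Policy Check
  #       uses: datreeio/action-datree@main
  #       with:
  #         path: 'apps/*/base/*.yaml'
  #         cliArguments: '--only-k8s-files --ignore-missing-schemas'

  trivy-scan:
    name: Trivy Vulnerability Scanner π
    needs:
      - env
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code ποΈ
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          persist-credentials: false
      - name: Run Trivy vulnerability scanner in IaC mode π
        # TODO: `master` is a mutable ref; pin to a release commit like the
        # other actions here (aquasecurity/trivy-action@<release-sha> # vX.Y.Z).
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          # Report-only: findings are uploaded below but never fail the build.
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  # quality-gate:
  #   uses: devxp-tech/.github/.github/workflows/sonarqube.yaml@main
  #   secrets: inherit
  #   needs:
  #     - env
  #     - yaml-linter
  #     - kube-linter
  #     - secret-find
  #     # - datree-check
  #     - trivy-scan

  tools-version:
    name: Update TOOLING.md π
    runs-on: ubuntu-latest
    needs:
      - env
    # Only push events check out a branch; on pull_request the checkout is a
    # detached merge ref and `git push` cannot succeed.
    if: github.event_name == 'push'
    permissions:
      # The only job that writes back to the repository.
      contents: write
    steps:
      - name: Checkout Repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Install yq
        # NOTE(review): third-party PPA, unpinned -- a pinned release binary
        # with a checksum would make this step reproducible.
        run: |
          sudo add-apt-repository -y ppa:rmescandon/yq
          sudo apt-get update
          sudo apt-get install -y yq
      - name: Find and Process kustomization.yaml Files
        run: bash .github/version.sh
      - name: Commit and Push Changes π
        # Only the versions table is staged, so only that file is checked for
        # changes; a diff elsewhere would otherwise produce an empty commit.
        run: |
          if ! git diff --quiet -- docs/tooling/versions.md; then
            git config --global user.name 'github-actions[bot]'
            git config --global user.email 'github-actions[bot]@users.noreply.github.com'
            git add docs/tooling/versions.md
            git commit -m "[ci skip] :robot: [github actions actor] - update versions.md"
            git push
          else
            echo "nothing to do!!!"
          fi

  notify:
    uses: devxp-tech/.github/.github/workflows/notify.yaml@main
    if: always()
    # `inherit` forwards every repository secret to the called workflow; keep
    # the callee reviewed alongside this file.
    secrets: inherit
    needs:
      - env
      - yaml-linter
      - kube-linter
      - secret-find
      # - datree-check
      # - quality-gate
      - tools-version
      - trivy-scan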