diff --git a/.github/linters/.checkov-test-linters-success.yaml b/.github/linters/.checkov-test-linters-success.yaml index f7d19b6e..926a015f 100644 --- a/.github/linters/.checkov-test-linters-success.yaml +++ b/.github/linters/.checkov-test-linters-success.yaml @@ -5,4 +5,18 @@ directory: - test/linters/checkov/good quiet: false + +skip-framework: + # The Kubernetes framework because it doesn't run Kustomize before running the + # scan, as expected. There's the Kustomize framework for that. + # If we don't skip the Kubernetes framework, Checkov reports issues against + # Kubernetes descriptors that we handle with Kustomize. For example, we set + # a non-default Kubernetes Namespace using Kustomize. + # Checkov doesn't currently support skipping checks only for a given set of + # frameworks, and the Kubernetes framework runs the same checks that the Helm + # and the Kustomize frameworks run. So, we skip the Kubernetes framework when + # running test cases. In case we need to implement new Kubernetes test cases, + # we have to do that as part of the test Helm chart or the test Kustomize + # "package". + - kubernetes ... diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml index 38d3b78c..5e107ccc 100644 --- a/.github/linters/.checkov.yaml +++ b/.github/linters/.checkov.yaml @@ -17,7 +17,9 @@ quiet: true skip-path: - test/linters/ansible - test/linters/arm - - test/linters/checkov/bad + # We can't exclude just test/linters/checkov/bad because of + # https://github.com/bridgecrewio/checkov/issues/6468 + - test/linters/checkov - test/linters/dockerfile_hadolint - test/linters/jscpd - test/linters/json diff --git a/Dockerfile b/Dockerfile index 9fe4b569..cc05e3d3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,6 +17,7 @@ FROM golang:1.22.3-alpine as golang FROM golangci/golangci-lint:v1.59.0 as golangci-lint FROM goreleaser/goreleaser:v1.26.2 as goreleaser FROM hadolint/hadolint:v2.12.0-alpine as dockerfile-lint +FROM registry.k8s.io/kustomize/kustomize:v5.0.1 as kustomize FROM hashicorp/terraform:1.8.4 as terraform FROM koalaman/shellcheck:v0.10.0 as shellcheck FROM mstruebing/editorconfig-checker:v3.0.1 as editorconfig-checker @@ -265,6 +266,8 @@ RUN --mount=type=secret,id=GITHUB_TOKEN /install-google-java-format.sh \ ################ COPY --from=helm /usr/bin/helm /usr/bin/ +COPY --from=kustomize /app/kustomize /usr/bin/ + # Copy Node tools COPY --from=npm-builder /node_modules /node_modules diff --git a/test/inspec/super-linter/controls/super_linter.rb b/test/inspec/super-linter/controls/super_linter.rb index 585422d9..9e0063d8 100644 --- a/test/inspec/super-linter/controls/super_linter.rb +++ b/test/inspec/super-linter/controls/super_linter.rb @@ -165,6 +165,7 @@ control "super-linter-installed-commands" do { linter_name: "isort"}, { linter_name: "jscpd"}, { linter_name: "ktlint"}, + { linter_name: "kustomize", version_option: "version"}, # not used as linter, needed for checkov's kustomize checks { linter_name: "kubeconform", version_option: "-v"}, { linter_name: "lua", version_option: "-v"}, { linter_name: "markdownlint"}, @@ -513,6 +514,7 @@ control "super-linter-validate-files" do "/action/lib/.automation/phpstan.neon", "/action/lib/.automation/psalm.xml", "/usr/bin/helm", # needed for checkov's helm framework + "/usr/bin/kustomize", # needed for checkov's kustomize checks ] files.each do |item| diff --git a/test/linters/checkov/bad/bad_kustomize/graph_check.yaml b/test/linters/checkov/bad/bad_kustomize/graph_check.yaml new file mode 100644 index 00000000..7c72db00 --- /dev/null +++ b/test/linters/checkov/bad/bad_kustomize/graph_check.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: internal-proxy-deployment + labels: + app: internal-proxy +spec: + selector: + matchLabels: + app: internal-proxy + template: + metadata: + labels: + app: internal-proxy + spec: + containers: + - name: internal-api + image: test-image + resources: + limits: + cpu: 30m + memory: 40Mi + requests: + cpu: 30m + memory: 40Mi + ports: + - containerPort: 3000 +... diff --git a/test/linters/checkov/bad/bad_kustomize/kustomization.yaml b/test/linters/checkov/bad/bad_kustomize/kustomization.yaml new file mode 100644 index 00000000..3f303c40 --- /dev/null +++ b/test/linters/checkov/bad/bad_kustomize/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - graph_check.yaml +... diff --git a/test/linters/checkov/good/good_kustomize/graph_check.yaml b/test/linters/checkov/good/good_kustomize/graph_check.yaml new file mode 100644 index 00000000..9764a216 --- /dev/null +++ b/test/linters/checkov/good/good_kustomize/graph_check.yaml @@ -0,0 +1,60 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: internal-proxy-deployment + labels: + app: internal-proxy +spec: + selector: + matchLabels: + app: internal-proxy + template: + metadata: + labels: + app: internal-proxy + spec: + automountServiceAccountToken: false + containers: + - name: internal-api + image: test-image + livenessProbe: + path: /testLivenessProbe + readinessProbe: + path: /testReadinessProbe + resources: + limits: + cpu: 30m + memory: 40Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 10001 + ports: + - containerPort: 3000 + securityContext: + seccompProfile: + type: RuntimeDefault +... +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: test-network-policy +spec: + podSelector: + matchLabels: + app: internal-proxy + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 172.17.0.0/16 +... diff --git a/test/linters/checkov/good/good_kustomize/kustomization.yaml b/test/linters/checkov/good/good_kustomize/kustomization.yaml new file mode 100644 index 00000000..39033429 --- /dev/null +++ b/test/linters/checkov/good/good_kustomize/kustomization.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +images: + - name: test-image + newName: hello-world + newTag: linux + digest: sha256:b7d87b72c676fe7b704572ebdfdf080f112f7a4c68fb77055d475e42ebc3686f + +namespace: non-default-namespace + +resources: + - graph_check.yaml +...