mirror of
https://github.com/super-linter/super-linter.git
synced 2024-11-21 21:50:59 -05:00
feat: add the kustomize binary for checkov (#5763)
Checkov needs the kustomize binary to enable related checks, otherwise these checks are silently skipped. Ref https://www.checkov.io/7.Scan%20Examples/Kustomize.html
This commit is contained in:
parent
cef17760de
commit
d74351fda7
8 changed files with 133 additions and 1 deletions
|
@ -5,4 +5,18 @@ directory:
|
||||||
- test/linters/checkov/good
|
- test/linters/checkov/good
|
||||||
|
|
||||||
quiet: false
|
quiet: false
|
||||||
|
|
||||||
|
skip-framework:
|
||||||
|
# The Kubernetes framework because it doesn't run Kustomize before running the
|
||||||
|
# scan, as expected. There's the Kustomize framework for that.
|
||||||
|
# If we don't skip the Kubernetes framework, Checkov reports issues against
|
||||||
|
# Kubernetes descriptors that we handle with Kustomize. For example, we set
|
||||||
|
# a non-default Kubernetes Namespace using Kustomize.
|
||||||
|
# Checkov doesn't currently support skipping checks only for a given set of
|
||||||
|
# frameworks, and the Kubernetes framework runs the same checks that the Helm
|
||||||
|
# and the Kustomize frameworks run. So, we skip the Kubernetes framework when
|
||||||
|
# running test cases. In case we need to implement new Kubernetes test cases,
|
||||||
|
# we have to do that as part of the test Helm chart or the test Kustomize
|
||||||
|
# "package".
|
||||||
|
- kubernetes
|
||||||
...
|
...
|
||||||
|
|
4
.github/linters/.checkov.yaml
vendored
4
.github/linters/.checkov.yaml
vendored
|
@ -17,7 +17,9 @@ quiet: true
|
||||||
skip-path:
|
skip-path:
|
||||||
- test/linters/ansible
|
- test/linters/ansible
|
||||||
- test/linters/arm
|
- test/linters/arm
|
||||||
- test/linters/checkov/bad
|
# We can't exclude just test/linters/checkov/bad because of
|
||||||
|
# https://github.com/bridgecrewio/checkov/issues/6468
|
||||||
|
- test/linters/checkov
|
||||||
- test/linters/dockerfile_hadolint
|
- test/linters/dockerfile_hadolint
|
||||||
- test/linters/jscpd
|
- test/linters/jscpd
|
||||||
- test/linters/json
|
- test/linters/json
|
||||||
|
|
|
@ -17,6 +17,7 @@ FROM golang:1.22.3-alpine as golang
|
||||||
FROM golangci/golangci-lint:v1.59.0 as golangci-lint
|
FROM golangci/golangci-lint:v1.59.0 as golangci-lint
|
||||||
FROM goreleaser/goreleaser:v1.26.2 as goreleaser
|
FROM goreleaser/goreleaser:v1.26.2 as goreleaser
|
||||||
FROM hadolint/hadolint:v2.12.0-alpine as dockerfile-lint
|
FROM hadolint/hadolint:v2.12.0-alpine as dockerfile-lint
|
||||||
|
FROM registry.k8s.io/kustomize/kustomize:v5.0.1 as kustomize
|
||||||
FROM hashicorp/terraform:1.8.4 as terraform
|
FROM hashicorp/terraform:1.8.4 as terraform
|
||||||
FROM koalaman/shellcheck:v0.10.0 as shellcheck
|
FROM koalaman/shellcheck:v0.10.0 as shellcheck
|
||||||
FROM mstruebing/editorconfig-checker:v3.0.1 as editorconfig-checker
|
FROM mstruebing/editorconfig-checker:v3.0.1 as editorconfig-checker
|
||||||
|
@ -265,6 +266,8 @@ RUN --mount=type=secret,id=GITHUB_TOKEN /install-google-java-format.sh \
|
||||||
################
|
################
|
||||||
COPY --from=helm /usr/bin/helm /usr/bin/
|
COPY --from=helm /usr/bin/helm /usr/bin/
|
||||||
|
|
||||||
|
COPY --from=kustomize /app/kustomize /usr/bin/
|
||||||
|
|
||||||
# Copy Node tools
|
# Copy Node tools
|
||||||
COPY --from=npm-builder /node_modules /node_modules
|
COPY --from=npm-builder /node_modules /node_modules
|
||||||
|
|
||||||
|
|
|
@ -165,6 +165,7 @@ control "super-linter-installed-commands" do
|
||||||
{ linter_name: "isort"},
|
{ linter_name: "isort"},
|
||||||
{ linter_name: "jscpd"},
|
{ linter_name: "jscpd"},
|
||||||
{ linter_name: "ktlint"},
|
{ linter_name: "ktlint"},
|
||||||
|
{ linter_name: "kustomize", version_option: "version"}, # not used as linter, needed for checkov's kustomize checks
|
||||||
{ linter_name: "kubeconform", version_option: "-v"},
|
{ linter_name: "kubeconform", version_option: "-v"},
|
||||||
{ linter_name: "lua", version_option: "-v"},
|
{ linter_name: "lua", version_option: "-v"},
|
||||||
{ linter_name: "markdownlint"},
|
{ linter_name: "markdownlint"},
|
||||||
|
@ -513,6 +514,7 @@ control "super-linter-validate-files" do
|
||||||
"/action/lib/.automation/phpstan.neon",
|
"/action/lib/.automation/phpstan.neon",
|
||||||
"/action/lib/.automation/psalm.xml",
|
"/action/lib/.automation/psalm.xml",
|
||||||
"/usr/bin/helm", # needed for checkov's helm framework
|
"/usr/bin/helm", # needed for checkov's helm framework
|
||||||
|
"/usr/bin/kustomize", # needed for checkov's kustomize checks
|
||||||
]
|
]
|
||||||
|
|
||||||
files.each do |item|
|
files.each do |item|
|
||||||
|
|
29
test/linters/checkov/bad/bad_kustomize/graph_check.yaml
Normal file
29
test/linters/checkov/bad/bad_kustomize/graph_check.yaml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: internal-proxy-deployment
|
||||||
|
labels:
|
||||||
|
app: internal-proxy
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: internal-proxy
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: internal-proxy
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: internal-api
|
||||||
|
image: test-image
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 30m
|
||||||
|
memory: 40Mi
|
||||||
|
requests:
|
||||||
|
cpu: 30m
|
||||||
|
memory: 40Mi
|
||||||
|
ports:
|
||||||
|
- containerPort: 3000
|
||||||
|
...
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- graph_check.yaml
|
||||||
|
...
|
60
test/linters/checkov/good/good_kustomize/graph_check.yaml
Normal file
60
test/linters/checkov/good/good_kustomize/graph_check.yaml
Normal file
|
@ -0,0 +1,60 @@
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: internal-proxy-deployment
|
||||||
|
labels:
|
||||||
|
app: internal-proxy
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: internal-proxy
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: internal-proxy
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
containers:
|
||||||
|
- name: internal-api
|
||||||
|
image: test-image
|
||||||
|
livenessProbe:
|
||||||
|
path: /testLivenessProbe
|
||||||
|
readinessProbe:
|
||||||
|
path: /testReadinessProbe
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 30m
|
||||||
|
memory: 40Mi
|
||||||
|
requests:
|
||||||
|
cpu: 30m
|
||||||
|
memory: 40Mi
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsUser: 10001
|
||||||
|
ports:
|
||||||
|
- containerPort: 3000
|
||||||
|
securityContext:
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
...
|
||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: test-network-policy
|
||||||
|
spec:
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app: internal-proxy
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
ingress:
|
||||||
|
- from:
|
||||||
|
- ipBlock:
|
||||||
|
cidr: 172.17.0.0/16
|
||||||
|
...
|
15
test/linters/checkov/good/good_kustomize/kustomization.yaml
Normal file
15
test/linters/checkov/good/good_kustomize/kustomization.yaml
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
images:
|
||||||
|
- name: test-image
|
||||||
|
newName: hello-world
|
||||||
|
newTag: linux
|
||||||
|
digest: sha256:b7d87b72c676fe7b704572ebdfdf080f112f7a4c68fb77055d475e42ebc3686f
|
||||||
|
|
||||||
|
namespace: non-default-namespace
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- graph_check.yaml
|
||||||
|
...
|
Loading…
Reference in a new issue