feat: add the kustomize binary for checkov (#5763)

Checkov needs the kustomize binary to enable related checks, otherwise
these checks are silently skipped.

Ref https://www.checkov.io/7.Scan%20Examples/Kustomize.html

.github/linters/.checkov-test-linters-success.yaml

@@ -5,4 +5,18 @@ directory:
   - test/linters/checkov/good
 
 quiet: false
+
+skip-framework:
+  # The Kubernetes framework because it doesn't run Kustomize before running the
+  # scan, as expected. There's the Kustomize framework for that.
+  # If we don't skip the Kubernetes framework, Checkov reports issues against
+  # Kubernetes descriptors that we handle with Kustomize. For example, we set
+  # a non-default Kubernetes Namespace using Kustomize.
+  # Checkov doesn't currently support skipping checks only for a given set of
+  # frameworks, and the Kubernetes framework runs the same checks that the Helm
+  # and the Kustomize frameworks run. So, we skip the Kubernetes framework when
+  # running test cases. In case we need to implement new Kubernetes test cases,
+  # we have to do that as part of the test Helm chart or the test Kustomize
+  # "package".
+  - kubernetes
 ...

.github/linters/.checkov.yaml

@@ -17,7 +17,9 @@ quiet: true
 skip-path:
   - test/linters/ansible
   - test/linters/arm
-  - test/linters/checkov/bad
+  # We can't exclude just test/linters/checkov/bad because of
+  # https://github.com/bridgecrewio/checkov/issues/6468
+  - test/linters/checkov
   - test/linters/dockerfile_hadolint
   - test/linters/jscpd
   - test/linters/json

Dockerfile

@@ -17,6 +17,7 @@ FROM golang:1.22.3-alpine as golang
 FROM golangci/golangci-lint:v1.59.0 as golangci-lint
 FROM goreleaser/goreleaser:v1.26.2 as goreleaser
 FROM hadolint/hadolint:v2.12.0-alpine as dockerfile-lint
+FROM registry.k8s.io/kustomize/kustomize:v5.0.1 as kustomize
 FROM hashicorp/terraform:1.8.4 as terraform
 FROM koalaman/shellcheck:v0.10.0 as shellcheck
 FROM mstruebing/editorconfig-checker:v3.0.1 as editorconfig-checker
@@ -265,6 +266,8 @@ RUN --mount=type=secret,id=GITHUB_TOKEN /install-google-java-format.sh \
 ################
 COPY --from=helm /usr/bin/helm /usr/bin/
 
+COPY --from=kustomize /app/kustomize /usr/bin/
+
 # Copy Node tools
 COPY --from=npm-builder /node_modules /node_modules
 

test/inspec/super-linter/controls/super_linter.rb

@@ -165,6 +165,7 @@ control "super-linter-installed-commands" do
     { linter_name: "isort"},
     { linter_name: "jscpd"},
     { linter_name: "ktlint"},
+    { linter_name: "kustomize", version_option: "version"}, # not used as linter, needed for checkov's kustomize checks
     { linter_name: "kubeconform", version_option: "-v"},
     { linter_name: "lua", version_option: "-v"},
     { linter_name: "markdownlint"},
@@ -513,6 +514,7 @@ control "super-linter-validate-files" do
     "/action/lib/.automation/phpstan.neon",
     "/action/lib/.automation/psalm.xml",
     "/usr/bin/helm", # needed for checkov's helm framework
+    "/usr/bin/kustomize", # needed for checkov's kustomize checks
   ]
 
   files.each do |item|

test/linters/checkov/bad/bad_kustomize/graph_check.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: internal-proxy-deployment
+  labels:
+    app: internal-proxy
+spec:
+  selector:
+    matchLabels:
+      app: internal-proxy
+  template:
+    metadata:
+      labels:
+        app: internal-proxy
+    spec:
+      containers:
+        - name: internal-api
+          image: test-image
+          resources:
+            limits:
+              cpu: 30m
+              memory: 40Mi
+            requests:
+              cpu: 30m
+              memory: 40Mi
+          ports:
+            - containerPort: 3000
+...

test/linters/checkov/bad/bad_kustomize/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - graph_check.yaml
+...

test/linters/checkov/good/good_kustomize/graph_check.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: internal-proxy-deployment
+  labels:
+    app: internal-proxy
+spec:
+  selector:
+    matchLabels:
+      app: internal-proxy
+  template:
+    metadata:
+      labels:
+        app: internal-proxy
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - name: internal-api
+          image: test-image
+          livenessProbe:
+            path: /testLivenessProbe
+          readinessProbe:
+            path: /testReadinessProbe
+          resources:
+            limits:
+              cpu: 30m
+              memory: 40Mi
+            requests:
+              cpu: 30m
+              memory: 40Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsUser: 10001
+          ports:
+            - containerPort: 3000
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+...
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app: internal-proxy
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - ipBlock:
+          cidr: 172.17.0.0/16
+...

test/linters/checkov/good/good_kustomize/kustomization.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+images:
+  - name: test-image
+    newName: hello-world
+    newTag: linux
+    digest: sha256:b7d87b72c676fe7b704572ebdfdf080f112f7a4c68fb77055d475e42ebc3686f
+
+namespace: non-default-namespace
+
+resources:
+  - graph_check.yaml
+...