feat: add the kustomize binary for checkov (#5763)
Checkov needs the kustomize binary to enable the Kustomize-related checks; otherwise, these checks are silently skipped. Ref https://www.checkov.io/7.Scan%20Examples/Kustomize.html
This commit is contained in:
parent
cef17760de
commit
d74351fda7
8 changed files with 133 additions and 1 deletions
|
@ -5,4 +5,18 @@ directory:
|
|||
- test/linters/checkov/good
|
||||
|
||||
quiet: false
|
||||
|
||||
skip-framework:
|
||||
# The Kubernetes framework because it doesn't run Kustomize before running the
|
||||
# scan, as expected. There's the Kustomize framework for that.
|
||||
# If we don't skip the Kubernetes framework, Checkov reports issues against
|
||||
# Kubernetes descriptors that we handle with Kustomize. For example, we set
|
||||
# a non-default Kubernetes Namespace using Kustomize.
|
||||
# Checkov doesn't currently support skipping checks only for a given set of
|
||||
# frameworks, and the Kubernetes framework runs the same checks that the Helm
|
||||
# and the Kustomize frameworks run. So, we skip the Kubernetes framework when
|
||||
# running test cases. In case we need to implement new Kubernetes test cases,
|
||||
# we have to do that as part of the test Helm chart or the test Kustomize
|
||||
# "package".
|
||||
- kubernetes
|
||||
...
|
||||
|
|
4
.github/linters/.checkov.yaml
vendored
4
.github/linters/.checkov.yaml
vendored
|
@ -17,7 +17,9 @@ quiet: true
|
|||
skip-path:
|
||||
- test/linters/ansible
|
||||
- test/linters/arm
|
||||
- test/linters/checkov/bad
|
||||
# We can't exclude just test/linters/checkov/bad because of
|
||||
# https://github.com/bridgecrewio/checkov/issues/6468
|
||||
- test/linters/checkov
|
||||
- test/linters/dockerfile_hadolint
|
||||
- test/linters/jscpd
|
||||
- test/linters/json
|
||||
|
|
|
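Review bot: With `- test/linters/checkov` in skip-path, the `- test/linters/checkov/bad` entry directly above it is redundant, because the parent path already covers it, and the hunk does not say whether it is kept deliberately as the narrower exclusion that should stand alone once the referenced issue is fixed. Extending the new comment would settle that, e.g. `# Keep test/linters/checkov/bad so only the parent entry needs removing once the issue is fixed`. If the narrower entry is not meant to survive, drop it instead so the list does not carry two exclusions for one reason.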
@ -17,6 +17,7 @@ FROM golang:1.22.3-alpine as golang
|
|||
FROM golangci/golangci-lint:v1.59.0 as golangci-lint
|
||||
FROM goreleaser/goreleaser:v1.26.2 as goreleaser
|
||||
FROM hadolint/hadolint:v2.12.0-alpine as dockerfile-lint
|
||||
FROM registry.k8s.io/kustomize/kustomize:v5.0.1 as kustomize
|
||||
FROM hashicorp/terraform:1.8.4 as terraform
|
||||
FROM koalaman/shellcheck:v0.10.0 as shellcheck
|
||||
FROM mstruebing/editorconfig-checker:v3.0.1 as editorconfig-checker
|
||||
|
@ -265,6 +266,8 @@ RUN --mount=type=secret,id=GITHUB_TOKEN /install-google-java-format.sh \
|
|||
################
|
||||
COPY --from=helm /usr/bin/helm /usr/bin/
|
||||
|
||||
COPY --from=kustomize /app/kustomize /usr/bin/
|
||||
|
||||
# Copy Node tools
|
||||
COPY --from=npm-builder /node_modules /node_modules
|
||||
|
||||
|
|
|
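Review bot: The new `FROM registry.k8s.io/kustomize/kustomize:v5.0.1 as kustomize` stage pins a tag that appears to lag well behind the mid-2024 versions pinned for the neighbouring tools in this file (golang 1.22.3, terraform 1.8.4), so confirm that the dependency-update configuration also tracks this stage, otherwise the binary will silently age. A tag can be re-pointed; pinning by digest would make the build reproducible, though that is a file-wide choice rather than specific to this line. Separately, once the binary is installed Checkov's Kustomize framework presumably runs `kustomize build` over every Kustomization in the scanned tree, and kustomize resolves remote `resources:` entries (git or HTTP bases) on its own, so CI runs against pull-request content can now generate outbound network fetches driven by the scanned repository; the checkov section of the linter documentation should say so. The `COPY --from=kustomize /app/kustomize /usr/bin/` line in the second hunk is fine as written.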
@ -165,6 +165,7 @@ control "super-linter-installed-commands" do
|
|||
{ linter_name: "isort"},
|
||||
{ linter_name: "jscpd"},
|
||||
{ linter_name: "ktlint"},
|
||||
{ linter_name: "kustomize", version_option: "version"}, # not used as linter, needed for checkov's kustomize checks
|
||||
{ linter_name: "kubeconform", version_option: "-v"},
|
||||
{ linter_name: "lua", version_option: "-v"},
|
||||
{ linter_name: "markdownlint"},
|
||||
|
@ -513,6 +514,7 @@ control "super-linter-validate-files" do
|
|||
"/action/lib/.automation/phpstan.neon",
|
||||
"/action/lib/.automation/psalm.xml",
|
||||
"/usr/bin/helm", # needed for checkov's helm framework
|
||||
"/usr/bin/kustomize", # needed for checkov's kustomize checks
|
||||
]
|
||||
|
||||
files.each do |item|
|
||||
|
|
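Review bot: The new `{ linter_name: "kustomize", version_option: "version"},` entry sits between `ktlint` and `kubeconform`, which breaks the alphabetical order the surrounding entries follow (`kubeconform` sorts before `kustomize`); move it one line down so it follows `{ linter_name: "kubeconform", version_option: "-v"},`. Its trailing comment also uses different wording from the `/usr/bin/kustomize` entry in the second hunk (`# needed for checkov's kustomize checks`); using the same phrase in both places makes the rationale easier to find with grep. Both enclosing `control` blocks start and end outside the hunks.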
29
test/linters/checkov/bad/bad_kustomize/graph_check.yaml
Normal file
29
test/linters/checkov/bad/bad_kustomize/graph_check.yaml
Normal file
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: internal-proxy-deployment
|
||||
labels:
|
||||
app: internal-proxy
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: internal-proxy
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: internal-proxy
|
||||
spec:
|
||||
containers:
|
||||
- name: internal-api
|
||||
image: test-image
|
||||
resources:
|
||||
limits:
|
||||
cpu: 30m
|
||||
memory: 40Mi
|
||||
requests:
|
||||
cpu: 30m
|
||||
memory: 40Mi
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
...
|
|
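Review bot: The fixture does not state which check it is expected to fail, and it differs from the matching good fixture in several independent ways (no `securityContext`, no probes, `automountServiceAccountToken` unset, no NetworkPolicy), so a later edit to any of those could mask a regression in the graph check the filename alludes to. A header comment after the leading `---` naming the intended finding would make the test self-explanatory, e.g. `# Expected to fail Checkov's Kustomize graph checks: no NetworkPolicy selects this Deployment's pods (see ../../good/good_kustomize for the passing variant)` — adjust the wording to the actual check once confirmed against the test run. A bad fixture is most useful when it fails only the checks it exists to exercise.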
@ -0,0 +1,7 @@
|
|||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- graph_check.yaml
|
||||
...
|
60
test/linters/checkov/good/good_kustomize/graph_check.yaml
Normal file
60
test/linters/checkov/good/good_kustomize/graph_check.yaml
Normal file
|
@ -0,0 +1,60 @@
|
|||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: internal-proxy-deployment
|
||||
labels:
|
||||
app: internal-proxy
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: internal-proxy
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: internal-proxy
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- name: internal-api
|
||||
image: test-image
|
||||
livenessProbe:
|
||||
path: /testLivenessProbe
|
||||
readinessProbe:
|
||||
path: /testReadinessProbe
|
||||
resources:
|
||||
limits:
|
||||
cpu: 30m
|
||||
memory: 40Mi
|
||||
requests:
|
||||
cpu: 30m
|
||||
memory: 40Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 10001
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
...
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: test-network-policy
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: internal-proxy
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- ipBlock:
|
||||
cidr: 172.17.0.0/16
|
||||
...
|
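Review bot: `livenessProbe:` and `readinessProbe:` are given a bare `path:` key, which is not the Kubernetes Probe schema: a probe needs a handler such as `httpGet` with `path` and `port` (or `exec`, `tcpSocket`, `grpc`). Checkov's probe checks presumably only test for the key's presence, so the fixture passes today, but it documents a manifest that the API server and kubeconform (also shipped in this image) would reject, and any schema-aware check added later would turn this "good" case red. Rewriting the two probes against the container's declared port keeps the fixture valid:
```yaml
        livenessProbe:
          httpGet:
            path: /testLivenessProbe
            port: 3000
        readinessProbe:
          httpGet:
            path: /testReadinessProbe
            port: 3000
        # … unchanged: resources, securityContext, ports …
```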
15
test/linters/checkov/good/good_kustomize/kustomization.yaml
Normal file
15
test/linters/checkov/good/good_kustomize/kustomization.yaml
Normal file
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
images:
|
||||
- name: test-image
|
||||
newName: hello-world
|
||||
newTag: linux
|
||||
digest: sha256:b7d87b72c676fe7b704572ebdfdf080f112f7a4c68fb77055d475e42ebc3686f
|
||||
|
||||
namespace: non-default-namespace
|
||||
|
||||
resources:
|
||||
- graph_check.yaml
|
||||
...
|