Bump azure/webapps-deploy from 8db8b8d14f21b245e6706fd0607244e354884697 to 45c7df8f6a4fe841b67ff88920b33f4f8328f8d9 #278
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://kubesec.io/ | |
| # https://github.com/controlplaneio/kubesec | |
| # https://github.com/controlplaneio/kubesec-action | |
| name: SAST Kubesec Scanner | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: '18 8 * * 6' | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
| jobs: | |
| kubesec-scan-1: | |
| name: Kubesec Scan 1 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Run kubesec scanner (critical-double.yaml) | |
| uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 # v0.0.2 | |
| with: | |
| input: manifests/critical-double.yaml # specify configuration file to scan here | |
| format: template | |
| template: manifests/sarif.tpl | |
| output: kubesec-results.sarif | |
| exit-code: "0" | |
| - name: Validate SARIF file | |
| id: validate | |
| run: | | |
| if [ -f kubesec-results.sarif ] && [ -s kubesec-results.sarif ]; then | |
| # Check if the SARIF has valid runs array with at least one result | |
| if jq -e '.runs | length > 0' kubesec-results.sarif > /dev/null 2>&1; then | |
| echo "valid=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "SARIF file has no runs, skipping upload" | |
| echo "valid=false" >> $GITHUB_OUTPUT | |
| fi | |
| else | |
| echo "SARIF file is empty or missing, skipping upload" | |
| echo "valid=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Upload Kubesec scan results to GitHub Security tab | |
| if: steps.validate.outputs.valid == 'true' | |
| uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 | |
| with: | |
| sarif_file: kubesec-results.sarif | |
| kubesec-scan-2: | |
| name: Kubesec Scan 2 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Run kubesec scanner (score-5-pod-serviceaccount.yaml) | |
| uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 # v0.0.2 | |
| with: | |
| input: manifests/score-5-pod-serviceaccount.yaml # specify configuration file to scan here | |
| format: template | |
| template: manifests/sarif.tpl | |
| output: kubesec-results.sarif | |
| exit-code: "0" | |
| - name: Validate SARIF file | |
| id: validate | |
| run: | | |
| if [ -f kubesec-results.sarif ] && [ -s kubesec-results.sarif ]; then | |
| # Check if the SARIF has valid runs array with at least one result | |
| if jq -e '.runs | length > 0' kubesec-results.sarif > /dev/null 2>&1; then | |
| echo "valid=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "SARIF file has no runs, skipping upload" | |
| echo "valid=false" >> $GITHUB_OUTPUT | |
| fi | |
| else | |
| echo "SARIF file is empty or missing, skipping upload" | |
| echo "valid=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Upload Kubesec scan results to GitHub Security tab | |
| if: steps.validate.outputs.valid == 'true' | |
| uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 | |
| with: | |
| sarif_file: kubesec-results.sarif |