GitHub Actions

How to integrate Kubescape into GitHub CI

Scanning YAML files in your workflow

Basic setup

Create a YAML file in your repository under .github/workflows and add the following content:

name: Kubescape 

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
   
jobs:
  nsa-security-check:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/[email protected]

      - name: Install Kubescape
        run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
        
      - name: Scan YAML files
        run: kubescape scan framework nsa *.yaml

This will print the results to the log of the GitHub Action every time it runs.

Failing the job with too many security issues

If you want to use Kubescape not only for logging but also as a security gate in your delivery process, you can set up a failure threshold.

For example, if you want to make sure that at least 80% of your objects pass the security checks, invoke the tool with the -t option and the appropriate value:
kubescape scan framework nsa -t 80 *.yaml

This will return a failure if the result falls below 80%, so the job fails instead of only logging the findings.

Scanning your entire Cluster in your workflow

In some cases you may want to scan your entire cluster after applying the new YAML.
Note that in this case the CI/CD worker needs access to the target Kubernetes cluster.

Adding Cluster Scan

Follow the instructions in Scanning YAML files in your workflow (#Scanning-YAML-files-in-your-workflow) and replace the scan step with:

run: kubescape scan framework nsa --exclude-namespaces kube-system,kube-public
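As an added example (not part of the original Kubescape documentation), the two scans combined into one workflow: the manifest scan gates pull requests with the 80% threshold, and the cluster scan runs after a push to master using a kubeconfig taken from a repository secret. The secret name KUBECONFIG_B64, the manifests/ directory and the checkout action version are assumptions.

```yaml
# Added example, not from the Kubescape docs: gate pull requests on the
# manifest scan, then scan the live cluster after the manifests reach master.
# Assumptions: manifests live under ./manifests, and a base64-encoded
# kubeconfig for the target cluster is stored in the secret KUBECONFIG_B64.
name: Kubescape gate

on:
  pull_request:
    branches: [ master ]
  push:
    branches: [ master ]

jobs:
  yaml-gate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2   # assumed action version

      - name: Install Kubescape
        run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

      - name: Scan manifests, fail below 80% compliance
        # -t 80 makes kubescape exit non-zero when the score drops below 80,
        # so the PR check fails instead of only logging the findings.
        run: kubescape scan framework nsa -t 80 manifests/*.yaml

  cluster-scan:
    needs: yaml-gate
    if: github.event_name == 'push'   # only after the manifests are on master
    runs-on: ubuntu-latest
    steps:
      - name: Install Kubescape
        run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash

      - name: Write kubeconfig from secret
        # The runner needs cluster access; keep the credential in a secret,
        # write it to a file with tight permissions and point KUBECONFIG at it.
        run: |
          echo "${{ secrets.KUBECONFIG_B64 }}" | base64 -d > "$RUNNER_TEMP/kubeconfig"
          chmod 600 "$RUNNER_TEMP/kubeconfig"

      - name: Scan the cluster, excluding system namespaces
        env:
          KUBECONFIG: ${{ runner.temp }}/kubeconfig
        run: kubescape scan framework nsa --exclude-namespaces kube-system,kube-public -t 80
```

The kubeconfig only exists for the lifetime of the job's temporary directory, and the cluster job is skipped for pull requests so untrusted branches never receive the credential.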
