Merge branch 'main' into kb-cis-support-rancher

7 months ago · 7eb142f5e7
parent fe172aa89e 0918b41eca
commit 7eb142f5e7
11 changed files with 29 additions and 20 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -95,7 +95,7 @@ jobs:
        with:
          fetch-depth: 0
      - name: Dry-run release snapshot
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v5
        with:
          distribution: goreleaser
          version: v1.7.0
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -17,7 +17,7 @@ jobs:
      - name: Check Out Repo
        uses: actions/checkout@v3
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
@ -41,7 +41,7 @@ jobs:
          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
      - name: Get version
        id: get_version
-        uses: crazy-max/ghaction-docker-meta@v4
+        uses: crazy-max/ghaction-docker-meta@v5
        with:
          images: ${{ env.REP }}
          tag-semver: |
@ -49,7 +49,7 @@ jobs:

      - name: Build and push - Docker/ECR
        id: docker_build
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@ -67,7 +67,7 @@ jobs:

      - name: Build and push ubi image - Docker/ECR
        id: docker_build_ubi
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@ -86,7 +86,7 @@ jobs:

      - name: Build and push fips ubi image - Docker/ECR
        id: docker_build_fips_ubi
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -44,7 +44,7 @@ jobs:
          second_file_path: integration/testdata/Expected_output.data
          expected_result: PASSED
      - name: Release
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v5
        with:
          distribution: goreleaser
          version: v1.7.0
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-FROM golang:1.20.6 AS build
+FROM golang:1.21.1 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@ -9,7 +9,7 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build && cp kube-bench /go/bin/kube-bench

-FROM alpine:3.18.2 AS run
+FROM alpine:3.18.3 AS run
 WORKDIR /opt/kube-bench/
 # add GNU ps for -C, -o cmd, and --no-headers support
 # https://github.com/aquasecurity/kube-bench/issues/109
--- a/Dockerfile.fips.ubi
+++ b/Dockerfile.fips.ubi
@ -1,4 +1,4 @@
-FROM golang:1.20.6 AS build
+FROM golang:1.21.1 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@ -1,4 +1,4 @@
-FROM golang:1.20.6 AS build
+FROM golang:1.21.1 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
--- a/README.md
+++ b/README.md
@ -24,7 +24,12 @@ Tests are configured with YAML files, making this tool easy to update as test sp

 ![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security")

-### Quick start
+## CIS Scanning as part of Trivy and the Trivy Operator
+
+[Trivy](https://github.com/aquasecurity/trivy), the all in one cloud native security scanner, can be deployed as a [Kubernetes Operator](https://github.com/aquasecurity/trivy-operator) inside a cluster.
+Both, the [Trivy CLI](https://github.com/aquasecurity/trivy), and the [Trivy Operator](https://github.com/aquasecurity/trivy-operator) support CIS Kubernetes Benchmark scanning among several other features.
+
+## Quick start

 There are multiple ways to run kube-bench.
 You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
--- a/cmd/util.go
+++ b/cmd/util.go
@ -296,10 +296,14 @@ Alternatively, you can specify the version with --version

 func getKubeVersion() (*KubeVersion, error) {
 	kubeConfig, err := rest.InClusterConfig()
-	k8sClient, err := kubernetes.NewForConfig(kubeConfig)
-	isRKE, err := providers.IsRKE(context.Background(), k8sClient)
-	if err != nil {
-		glog.V(3).Infof("Error detecting RKE cluster: %s", err)
+
+	isRKE := false
+	if kubeConfig != nil {
+		k8sClient, err := kubernetes.NewForConfig(kubeConfig)
+		isRKE, err = providers.IsRKE(context.Background(), k8sClient)
+		if err != nil {
+			glog.V(3).Infof("Error detecting RKE cluster: %s", err)
+		}
 	}

 	if k8sVer, err := getKubeVersionFromRESTAPI(); err == nil {
--- a/go.mod
+++ b/go.mod
@ -7,7 +7,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.18.4
 	github.com/aws/aws-sdk-go-v2/service/securityhub v1.29.1
 	github.com/fatih/color v1.14.1
-	github.com/golang/glog v1.0.0
+	github.com/golang/glog v1.1.2
 	github.com/magiconair/properties v1.8.7
 	github.com/onsi/ginkgo v1.16.5
 	github.com/pkg/errors v0.9.1
--- a/go.sum
+++ b/go.sum
@ -137,8 +137,8 @@ github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
-github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
+github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo=
+github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
--- a/job.yaml
+++ b/job.yaml
@ -11,7 +11,7 @@ spec:
    spec:
      containers:
        - command: ["kube-bench"]
-          image: docker.io/aquasec/kube-bench:v0.6.17
+          image: docker.io/aquasec/kube-bench:v0.6.19
          name: kube-bench
          volumeMounts:
            - mountPath: /var/lib/etcd