diff --git a/.github/workflow/build.yml b/.github/workflow/build.yml new file mode 100644 index 0000000..f32ff13 --- /dev/null +++ b/.github/workflow/build.yml @@ -0,0 +1,38 @@ +name: Build +on: + push: + branches: + - main + paths-ignore: + - "*.md" + - "LICENSE" + - "NOTICE" + pull_request: + paths-ignore: + - "*.md" + - "LICENSE" + - "NOTICE" +jobs: + build: + name: Build + runs-on: ubuntu-18.04 + steps: + - name: Setup Go + uses: actions/setup-go@v1 + with: + go-version: 1.15 + - name: Checkout code + uses: actions/checkout@v2 + - name: yaml-lint + uses: ibiqlik/action-yamllint@v3 + - name: Run unit tests + run: make tests + - name: Upload code coverage + uses: codecov/codecov-action@v1 + with: + file: ./coverage.txt + - name: Dry-run release snapshot + uses: goreleaser/goreleaser-action@v2 + with: + version: v0.148.0 + args: release --snapshot --skip-publish --rm-dist diff --git a/.github/workflow/publish-ecr.yml b/.github/workflow/publish-ecr.yml new file mode 100644 index 0000000..c6014e8 --- /dev/null +++ b/.github/workflow/publish-ecr.yml @@ -0,0 +1,37 @@ +name: Publish-ECR +on: + push: + tags: + - "v*" + +jobs: + deploy: + name: Publish to Amazon ECR + runs-on: ubuntu-18.04 + steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: us-east-1 + - name: Checkout code + uses: actions/checkout@v2 + - name: Install AWS Cli 2.0 + run: | + curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" + unzip awscliv2.zip + sudo ./aws/install + - name: Get the version + id: vars + run: echo ::set-output name=tag::$(echo ${GITHUB_REF:10}) + - name: Publish to ECR + env: + IMAGE_TAG: ${{steps.vars.outputs.tag}} + REP_NAME: kube-bench + ALIAS: aquasecurity + run: | + aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/$ALIAS + docker build -t $REP_NAME:$IMAGE_TAG . + docker tag $REP_NAME:$IMAGE_TAG public.ecr.aws/$ALIAS/$REP_NAME:$IMAGE_TAG + docker push public.ecr.aws/$ALIAS/$REP_NAME:$IMAGE_TAG diff --git a/.github/workflow/publish.yml b/.github/workflow/publish.yml new file mode 100644 index 0000000..7279e6d --- /dev/null +++ b/.github/workflow/publish.yml @@ -0,0 +1,52 @@ +name: Publish +on: + push: + tags: + - "v*" +jobs: + publish: + name: Publish + runs-on: ubuntu-18.04 + steps: + - name: Check Out Repo + uses: actions/checkout@v2 + - name: Set up QEMU + uses: docker/setup-qemu-action@v1 + - name: Cache Docker layers + uses: actions/cache@v2 + with: + path: /tmp/.buildx-cache + key: ${{ runner.os }}-buildx-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-buildx- + - name: Login to Docker Hub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v1 + - name: Docker meta + id: docker_meta + uses: crazy-max/ghaction-docker-meta@v1 + with: + images: aquasec/kube-bench + tag-semver: | + {{version}} + - name: Build and push + id: docker_build + uses: docker/build-push-action@v2 + with: + context: ./ + file: ./Dockerfile + platforms: linux/amd64,linux/arm64,linux/386 + builder: ${{ steps.buildx.outputs.name }} + push: true + tags: | + ${{ steps.docker_meta.outputs.tags }} + cache-from: type=local,src=/tmp/.buildx-cache + cache-to: type=local,dest=/tmp/.buildx-cache + labels: ${{ steps.docker_meta.outputs.labels }} + - name: Image digest + run: echo ${{ steps.docker_build.outputs.digest }} diff --git a/.github/workflow/release.yml b/.github/workflow/release.yml new file mode 100644 index 0000000..e1991f4 --- /dev/null +++ b/.github/workflow/release.yml @@ -0,0 +1,29 @@ +name: Release +on: + push: + tags: + - "v*" +jobs: + release: + name: Release + runs-on: ubuntu-18.04 + steps: + - name: Setup Go + uses: actions/setup-go@v1 + with: + go-version: 1.15 + - name: Checkout code + uses: actions/checkout@v2 + - name: Run unit tests + run: make tests + - name: Upload code coverage + uses: codecov/codecov-action@v1 + with: + file: ./coverage.txt + - name: Release + uses: goreleaser/goreleaser-action@v2 + with: + version: v0.148.0 + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/README.md b/README.md index 00439b9..4656264 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,22 @@ +[![GitHub Release][release-img]][release] +![Downloads][download] +![Docker Pulls][docker-pull] +[![Go Report Card][report-card-img]][report-card] [![Build Status](https://travis-ci.org/aquasecurity/kube-bench.svg?branch=main)](https://travis-ci.org/aquasecurity/kube-bench) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE) [![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com") [![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench) [![Coverage Status][cov-img]][cov] +[download]: https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github +[release-img]: https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github +[release]: https://github.com/aquasecurity/kube-bench/releases +[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench [cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg [cov]: https://codecov.io/github/aquasecurity/kube-bench +[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench +[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-bench + kube-bench logo kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).