feat: github actions to publish ecr and docker (#782)
* feat: github actions to publish ecr and docker * fix: yaml lint in build Co-authored-by: Carol Valencia <krol3@users.noreply.github.com>
This commit is contained in:
parent
ecdd0b4158
commit
abe0954dcb
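--- a/.github/workflow/build.yml
+++ b/.github/workflow/build.yml
@@ -0,0 +1,38 @@
+name: Build
+on:
+push:
+branches:
+- main
+paths-ignore:
+- "*.md"
+- "LICENSE"
+- "NOTICE"
+pull_request:
+paths-ignore:
+- "*.md"
+- "LICENSE"
+- "NOTICE"
+jobs:
+build:
+name: Build
+runs-on: ubuntu-18.04
+steps:
+- name: Setup Go
+uses: actions/setup-go@v1
+with:
+go-version: 1.15
+- name: Checkout code
+uses: actions/checkout@v2
+- name: yaml-lint
+uses: ibiqlik/action-yamllint@v3
+- name: Run unit tests
+run: make tests
+- name: Upload code coverage
+uses: codecov/codecov-action@v1
+with:
+file: ./coverage.txt
+- name: Dry-run release snapshot
+uses: goreleaser/goreleaser-action@v2
+with:
+version: v0.148.0
+args: release --snapshot --skip-publish --rm-dist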
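Review bot: The new file lives under `.github/workflow/`, but GitHub Actions only loads workflow files from `.github/workflows/` (plural), so none of the four files added in this commit (build.yml, publish-ecr.yml, publish.yml, release.yml) will run until the directory is renamed. Every third-party action here is also pinned only by a mutable major tag (`ibiqlik/action-yamllint@v3`, `codecov/codecov-action@v1`, `goreleaser/goreleaser-action@v2`); pinning each to a full commit SHA with the tag kept as a comment, e.g. `uses: ibiqlik/action-yamllint@<commit-sha>  # v3`, is the usual mitigation against a retagged or compromised action running with the repository token. The rendering here shows the file flush-left, so the YAML indentation could not be checked. `go-version: 1.15` is parsed as a float and would be safer quoted as `go-version: "1.15"`, so that a later bump to a version such as 1.20 is not silently read as 1.2.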
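--- a/.github/workflow/publish-ecr.yml
+++ b/.github/workflow/publish-ecr.yml
@@ -0,0 +1,37 @@
+name: Publish-ECR
+on:
+push:
+tags:
+- "v*"
+
+jobs:
+deploy:
+name: Publish to Amazon ECR
+runs-on: ubuntu-18.04
+steps:
+- name: Configure AWS credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+aws-region: us-east-1
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Install AWS Cli 2.0
+run: |
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+sudo ./aws/install
+- name: Get the version
+id: vars
+run: echo ::set-output name=tag::$(echo ${GITHUB_REF:10})
+- name: Publish to ECR
+env:
+IMAGE_TAG: ${{steps.vars.outputs.tag}}
+REP_NAME: kube-bench
+ALIAS: aquasecurity
+run: |
+aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/$ALIAS
+docker build -t $REP_NAME:$IMAGE_TAG .
+docker tag $REP_NAME:$IMAGE_TAG public.ecr.aws/$ALIAS/$REP_NAME:$IMAGE_TAG
+docker push public.ecr.aws/$ALIAS/$REP_NAME:$IMAGE_TAG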
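Review bot: The `Install AWS Cli 2.0` step downloads `awscli-exe-linux-x86_64.zip` and runs `sudo ./aws/install` without verifying the archive, so the job executes whatever that URL serves, as root, on a runner that already holds `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`; AWS publishes a detached GPG signature for this installer (`awscli-exe-linux-x86_64.zip.sig`), and checking it (or a pinned checksum) before `unzip awscliv2.zip` closes that gap. The credentials themselves are long-lived IAM user keys stored as repository secrets, while `aws-actions/configure-aws-credentials` supports role assumption and, in newer versions, GitHub's OIDC token (`permissions: id-token: write` plus `role-to-assume`), which removes the static keys entirely. The `Get the version` step uses `::set-output`, which GitHub has since deprecated in favour of writing to `$GITHUB_OUTPUT`; `${{ github.ref_name }}` yields the same tag name without a shell step. The `.github/workflow/` versus `.github/workflows/` directory problem noted on build.yml applies to this file as well.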
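--- a/.github/workflow/publish.yml
+++ b/.github/workflow/publish.yml
@@ -0,0 +1,52 @@
+name: Publish
+on:
+push:
+tags:
+- "v*"
+jobs:
+publish:
+name: Publish
+runs-on: ubuntu-18.04
+steps:
+- name: Check Out Repo
+uses: actions/checkout@v2
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v1
+- name: Cache Docker layers
+uses: actions/cache@v2
+with:
+path: /tmp/.buildx-cache
+key: ${{ runner.os }}-buildx-${{ github.sha }}
+restore-keys: |
+${{ runner.os }}-buildx-
+- name: Login to Docker Hub
+uses: docker/login-action@v1
+with:
+username: ${{ secrets.DOCKER_HUB_USERNAME }}
+password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+- name: Set up Docker Buildx
+id: buildx
+uses: docker/setup-buildx-action@v1
+- name: Docker meta
+id: docker_meta
+uses: crazy-max/ghaction-docker-meta@v1
+with:
+images: aquasec/kube-bench
+tag-semver: |
+{{version}}
+- name: Build and push
+id: docker_build
+uses: docker/build-push-action@v2
+with:
+context: ./
+file: ./Dockerfile
+platforms: linux/amd64,linux/arm64,linux/386
+builder: ${{ steps.buildx.outputs.name }}
+push: true
+tags: |
+${{ steps.docker_meta.outputs.tags }}
+cache-from: type=local,src=/tmp/.buildx-cache
+cache-to: type=local,dest=/tmp/.buildx-cache
+labels: ${{ steps.docker_meta.outputs.labels }}
+- name: Image digest
+run: echo ${{ steps.docker_build.outputs.digest }}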
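Review bot: The `Login to Docker Hub` step hands `DOCKER_HUB_ACCESS_TOKEN` to `docker/login-action@v1`, and the steps that follow (`docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `crazy-max/ghaction-docker-meta@v1`, `docker/build-push-action@v2`) are pinned only by mutable major tag, so in a job that publishes the official `aquasec/kube-bench` image any of those actions runs with the registry login already present on the runner; pinning them to full commit SHAs is the relevant hardening. The job declares no `permissions:` block, so `GITHUB_TOKEN` gets the repository's default scope (which can be read/write) although this job only reads the checkout; `permissions: contents: read` at the job level is a one-line fix where the key is supported. `tag-semver: {{version}}` is safe only because it is inside a `|` block scalar, which is worth a comment such as `# block scalar: keeps {{version}} from being parsed as a YAML flow mapping`.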
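--- a/.github/workflow/release.yml
+++ b/.github/workflow/release.yml
@@ -0,0 +1,29 @@
+name: Release
+on:
+push:
+tags:
+- "v*"
+jobs:
+release:
+name: Release
+runs-on: ubuntu-18.04
+steps:
+- name: Setup Go
+uses: actions/setup-go@v1
+with:
+go-version: 1.15
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Run unit tests
+run: make tests
+- name: Upload code coverage
+uses: codecov/codecov-action@v1
+with:
+file: ./coverage.txt
+- name: Release
+uses: goreleaser/goreleaser-action@v2
+with:
+version: v0.148.0
+args: release --rm-dist
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}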
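Review bot: The `Run unit tests` and `Upload code coverage` steps duplicate build.yml (same `make tests`, same `codecov/codecov-action@v1` with `file: ./coverage.txt`), so the two workflows will drift unless the release job is triggered from the build workflow via `workflow_run` or the shared steps are moved into a reusable workflow; `needs:` cannot express a dependency across workflow files. `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is what goreleaser uses to create the release and upload assets, and because no `permissions:` block is declared the job receives the repository's default token scope; the least-privilege form is `permissions: contents: write` on this job, where the key is supported. As in build.yml, `go-version: 1.15` should be quoted as `go-version: "1.15"` so that future bumps such as 1.20 are not read as the float 1.2.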
11
README.md
11
README.md
@ -1,11 +1,22 @@
|
|||||||
|
[![GitHub Release][release-img]][release]
|
||||||
|
![Downloads][download]
|
||||||
|
![Docker Pulls][docker-pull]
|
||||||
|
[![Go Report Card][report-card-img]][report-card]
|
||||||
[![Build Status](https://travis-ci.org/aquasecurity/kube-bench.svg?branch=main)](https://travis-ci.org/aquasecurity/kube-bench)
|
[![Build Status](https://travis-ci.org/aquasecurity/kube-bench.svg?branch=main)](https://travis-ci.org/aquasecurity/kube-bench)
|
||||||
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE)
|
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE)
|
||||||
[![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com")
|
[![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com")
|
||||||
[![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench)
|
[![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench)
|
||||||
[![Coverage Status][cov-img]][cov]
|
[![Coverage Status][cov-img]][cov]
|
||||||
|
|
||||||
|
[download]: https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github
|
||||||
|
[release-img]: https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github
|
||||||
|
[release]: https://github.com/aquasecurity/kube-bench/releases
|
||||||
|
[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench
|
||||||
[cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg
|
[cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg
|
||||||
[cov]: https://codecov.io/github/aquasecurity/kube-bench
|
[cov]: https://codecov.io/github/aquasecurity/kube-bench
|
||||||
|
[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench
|
||||||
|
[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-bench
|
||||||
|
|
||||||
<img src="images/kube-bench.png" width="200" alt="kube-bench logo">
|
<img src="images/kube-bench.png" width="200" alt="kube-bench logo">
|
||||||
|
|
||||||
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
|
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
|
||||||
|