kubeaudit icon indicating copy to clipboard operation
kubeaudit copied to clipboard

Published 20 hours ago verified publisher icon Shopify

github action for kubeaudit to generate sarif results

Open dani-santos-code opened this issue 3 years ago • 1 comments
trafficstars

ISSUE TYPE
  • [ ] Bug Report
  • [x] Feature Idea
SUMMARY

the idea here is to offer open source users the convenience of uploading a sarif result as a step in their github action Some ideas for this suggested by @thepwagner:

Make Shopify/kubeaudit an action

We add a action.yml file to the Shopify/kubeaudit, turning it into either a Docker container action or composite action.

This would mean users enable it like:

- uses: actions/checkout@v3

- uses: Shopify/[email protected]
- uses: Shopify/[email protected] # or a different version

- uses: github/codeql-action/upload-sarif@v2

Depending on the implementation, it can result in compiling the kubeaudit binary each run (and be slow).

Make a Shopify/kubeaudit-action action

This is a common pattern when an action is wrapping a tool with its own release process, that doesn't want to pollute the original tool by Actions-izing it. https://github.com/golangci/golangci-lint-action is a good example.

TypeScript is pretty dope for building actions that do this:

  • https://github.com/actions/typescript-action is handy for getting started (I used it for oncall-action)
  • https://github.com/actions/toolkit/tree/main/packages/tool-cache is a good chunk of the tool's functionality (downloading the appropriate version of kubeaudit).

This would mean users enable like:

- uses: actions/checkout@v3

- uses: Shopify/[email protected]
  with:
    version: v0.19.0
- uses: Shopify/[email protected]
  with:
    version: v0.20.0

- uses: github/codeql-action/upload-sarif@v2

Since TypeScript runs without container overhead, and this pattern downloads pre-compiled binaries I think this would have the fastest runtimes.

FEATURE IDEA

  • [x] If the maintainers agree with the feature as described here, I intend to submit a Pull Request myself.1

Proposal:

1 This is the quickest way to get a new feature! We reserve the right to close feature requests, even ones we like, if the proposer does not intend to contribute to the feature and it doesn't fit in our current roadmap.

dani-santos-code avatar Jul 26 '22 15:07 dani-santos-code

This could also just be documentation: we can write a sample workflow that fetches kubeaudit via curl and invokes it via bash.

Wrapping the functionality as an Action(TM) is just an added convenience.

thepwagner avatar Jul 27 '22 13:07 thepwagner