Skip to content

Fix DB and Redis secrets #533

Fix DB and Redis secrets

Fix DB and Redis secrets #533

Workflow file for this run

---
name: "CI"
on: # yamllint disable-line rule:truthy
workflow_dispatch: # yamllint disable-line rule:empty-values
pull_request: # yamllint disable-line rule:empty-values
concurrency:
group: "${{ github.head_ref }}-ci"
cancel-in-progress: true
jobs:
pre-commit-check:
name: "Run pre-commit checks"
runs-on: "ubuntu-22.04"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
with:
fetch-depth: 0
- name: "Setup Go"
uses: "actions/setup-go@v5"
- run: "echo $HOME/go/bin >> $GITHUB_PATH"
- name: "Setup Helm"
uses: "azure/setup-helm@v3"
- run: "mkdir template_output"
- run: "helm repo add bitnami https://charts.bitnami.com/bitnami"
- run: "helm dependency update charts/nautobot"
- name: "Install helm-docs"
run: "go install github.com/norwoodj/helm-docs/cmd/[email protected]"
env:
GO111MODULE: "on"
- uses: "dorny/paths-filter@v2"
id: "filter"
with:
list-files: "shell"
filters: |
addedOrModified:
- added|modified: '**'
# run only if changed files were detected
- name: "Run against changes"
uses: "pre-commit/[email protected]"
if: "steps.filter.outputs.addedOrModified == 'true'"
with:
extra_args: "--files ${{ steps.filter.outputs.addedOrModified_files }}"
# run if no changed files were detected (e.g. workflow_dispatch on main branch)
- name: "Run against all files"
uses: "pre-commit/[email protected]"
if: "steps.filter.outputs.addedOrModified != 'true'"
with:
extra_args: "--all-files"
# - name: "Upload result to GitHub Code Scanning"
# uses: "github/codeql-action/upload-sarif@v2"
# with:
# sarif_file: "checkov.sarif"
snyk-security-check:
name: "Snyk Security Scanning"
runs-on: "ubuntu-22.04"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
- uses: "azure/setup-helm@v3"
- run: "mkdir template_output"
- run: "helm repo add bitnami https://charts.bitnami.com/bitnami"
- run: "helm dependency update charts/nautobot"
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot --output-dir=./template_output/test-postgresql"
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot --output-dir=./template_output/test-mysql"
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot --output-dir=./template_output/test-postgresql-ha"
- run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot --output-dir=./template_output/test-defaults"
- name: "Run Snyk to check template files for security issues"
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: "snyk/actions/iac@master"
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
SNYK_TOKEN: "${{ secrets.SNYK_TOKEN }}"
with:
# Add the path to the configuration file that you would like to test.
# For example `deployment.yaml` for a Kubernetes deployment manifest
# or `main.tf` for a Terraform configuration file
file: "./template_output"
- name: "Upload result to GitHub Code Scanning"
uses: "github/codeql-action/upload-sarif@v2"
with:
sarif_file: "snyk.sarif"
kubescape-security-check:
name: "Kubescape Security Scanning"
runs-on: "ubuntu-22.04"
env:
GITHUB_PATH: "/home/runner/.kubescape/bin"
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
- uses: "azure/setup-helm@v3"
- name: "Install Kubescape"
run: "curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash"
- run: 'echo "${HOME}/.kubescape/bin" >> $GITHUB_PATH' # yamllint disable-line rule:quoted-strings
- run: "helm repo add bitnami https://charts.bitnami.com/bitnami"
- run: "helm dependency update charts/nautobot"
- name: "Kubescape NSA Scan - Defaults"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot | kubescape scan framework nsa - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape NSA Scan - PostgreSQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework nsa - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape NSA Scan - MySQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework nsa - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape NSA Scan - PostgreSQL HA"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework nsa - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape MITRE Scan - Defaults"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot | kubescape scan framework mitre - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape MITRE Scan - PostgreSQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework mitre - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape MITRE Scan - MySQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework mitre - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape MITRE Scan - PostgreSQL HA"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework mitre - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape ARMOBest Scan - Defaults"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml charts/nautobot | kubescape scan framework armobest - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape ARMOBest Scan - PostgreSQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml charts/nautobot | kubescape scan framework armobest - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape ARMOBest Scan - MySQL"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_mysql.yaml charts/nautobot | kubescape scan framework armobest - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"
- name: "Kubescape ARMOBest Scan - PostgreSQL HA"
run: "helm template -n testing -f charts/nautobot/linter_values_minimum.yaml -f charts/nautobot/linter_values.yaml -f charts/nautobot/linter_values_postgresql_ha.yaml charts/nautobot | kubescape scan framework armobest - --compliance-threshold 0 --exceptions ./kubescape-exceptions.json"