
A simple CircleCI orb to install Kubescape and use it to scan for vulnerabilities in your Kubernetes resources.


Kubescape Orb


This orb simplifies installing and running Kubescape inside CircleCI so you can harden your Kubernetes cluster from your CI pipeline.


This is an unofficial orb used to install Kubescape in your CircleCI pipeline and scan for security issues in Kubernetes. Contributions are welcome!

Scan Kubernetes YAML files and Helm charts in your CI pipeline against compliance frameworks such as NSA, MITRE ATT&CK, SOC 2 and CIS.

Features

Secure By Design

  • Least Privilege: Installs to a user-owned directory by default, with no sudo usage anywhere in this orb.
  • Integrity: Checksum validation of all downloaded binaries using SHA-512.
  • Provenance: Installs directly from Kubescape's official releases page on GitHub. No third-party websites, domains, or proxies are used.
  • Confidentiality: All secrets and environment variables are handled in accordance with CircleCI's security recommendations and best practices.
  • Privacy: No usage data of any kind is collected or shipped back to the orb developer.

Info for security teams:

  • Required external access to allow if you run a locked-down, self-hosted CircleCI pipeline on-prem:
    • github.com: for downloading the Kubescape binary from the official releases page. Note that GitHub serves release assets via a redirect to objects.githubusercontent.com, so that host may also need to be allowed by your egress filter.
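The download, verify and install flow that the "Secure By Design" bullets and the github.com allow-list entry above describe, written out as an added example in POSIX sh. This is not the orb's own install script; it shows the pattern (fetch from the official GitHub releases URL, compare a SHA-512 digest against a value you pinned yourself, refuse to install on mismatch, install into a user-owned directory with no sudo). The release version, the asset name and the pinned digest passed to `install_kubescape` are placeholders you must take from the official release page; the example never calls the network on its own, so only the verification function runs here.

```shell
#!/usr/bin/env sh
# Added example, not the kubescape-orb install script. Demonstrates the
# verified-download pattern: official GitHub releases URL, pinned SHA-512,
# user-owned install directory, no sudo.
set -eu

# Compute the SHA-512 of a file. Portable across coreutils (sha512sum) and
# BSD/macOS (shasum -a 512).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the pinned one. Hex case is
# normalised; anything else (wrong length, wrong bytes) is a mismatch.
verify_sha512() {
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    actual="$(sha512_of "$file")"
    [ "$actual" = "$expected" ]
}

# Download one release asset from the official kubescape repository and
# install it only if the digest matches. Assumptions (placeholders): the
# release tag, the asset file name and the pinned digest are whatever you
# recorded from https://github.com/kubescape/kubescape/releases yourself.
# Needs network, so it is defined here but not invoked at top level.
install_kubescape() {
    version="$1"                        # release tag, e.g. a vX.Y.Z you reviewed
    asset="$2"                          # asset file name as listed on the release page
    expected="$3"                       # SHA-512 hex you pinned for that asset
    dest_dir="${4:-$HOME/.local/bin}"   # user-owned directory: no sudo anywhere

    tmp="$(mktemp)"
    url="https://github.com/kubescape/kubescape/releases/download/${version}/${asset}"
    # -f fails on HTTP errors, -L follows the objects.githubusercontent.com redirect.
    curl -fsSL --retry 3 -o "$tmp" "$url"

    if ! verify_sha512 "$tmp" "$expected"; then
        rm -f "$tmp"
        echo "kubescape: SHA-512 mismatch for ${asset}; refusing to install" >&2
        return 1
    fi

    mkdir -p "$dest_dir"
    install -m 0755 "$tmp" "$dest_dir/kubescape"
    rm -f "$tmp"
    echo "installed $dest_dir/kubescape"
}
```

Pin the digest in your own config rather than fetching a `.sha256`/`.sha512` file from the same release at run time: a sidecar checksum downloaded next to the binary only proves the download was not corrupted in transit, while a value recorded in your repository proves the binary is the one you reviewed.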

Example Usage

The following example assumes a Helm chart was packaged in a previous job and persisted to the workspace.

This example uses the NSA framework for demonstration purposes, but many organizations will elect to use "all" (the default, if not supplied).

  version: 2.1

  orbs:
    # Pin the orb to an exact version so the pipeline cannot change underneath you.
    kubescape: juburr/kubescape-orb@0.3.1

  jobs:
    helm_scan:
      docker:
        - image: cimg/base:current-22.04
      steps:
        # The packaged chart was persisted to the workspace by an earlier job.
        - attach_workspace:
            at: /home/circleci/project/helm_charts
        # Installs Kubescape into a user-owned directory; no sudo required.
        - kubescape/install
        # Scan the chart against the NSA framework and write a JSON report.
        - kubescape/helm_scan_framework:
            chart_path: /home/circleci/project/helm_charts/myservice-1.0.0.tgz
            framework: nsa
            output_file: myservice_nsa_scan.json
            output_format: json