From 384d799f2c7135d7c1a8c2de7c45c7b829b37c84 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:19:36 +0200 Subject: [PATCH 1/5] add Datree --- code-scanning/datree.yml | 44 +++++++++++++++++++ .../properties/datree.properties.json | 7 +++ icons/datree.svg | 1 + 3 files changed, 52 insertions(+) create mode 100644 code-scanning/datree.yml create mode 100644 code-scanning/properties/datree.properties.json create mode 100644 icons/datree.svg diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml new file mode 100644 index 0000000..682ab5d --- /dev/null +++ b/code-scanning/datree.yml @@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI. +# The results are then uploaded to GitHub Security Code Scanning. +# +# For more information and configurations options, see https://github.com/datreeio/action-datree/ + +name: Datree + +on: + push: + branches: [ main ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ main ] + +jobs: + datree: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run Datree policy check + continue-on-error: true + uses: hadar-co/action-datree@main + env: + # In order to use the Datree action you will need to have a Datree token. + # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + with: + # Add the path to the configuration file/s that you would like to test. + # See https://github.com/datreeio/action-datree#usage for all available options. + path: test-file.yaml + # Setting a SARIF output will generate a file named "datree.sarif" containing your test results + cliArguments: "-o sarif" + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: datree.sarif \ No newline at end of file diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json new file mode 100644 index 0000000..99e07a5 --- /dev/null +++ b/code-scanning/properties/datree.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Datree", + "creator": "Datree", + "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", + "iconName": "datree", + "categories": ["Code Scanning", "YAML"] +} \ No newline at end of file diff --git a/icons/datree.svg b/icons/datree.svg new file mode 100644 index 0000000..ca986c6 --- /dev/null +++ b/icons/datree.svg @@ -0,0 +1 @@ + \ No newline at end of file From b79ff384b92634dae9948e7acda99c752827710a Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 23 Nov 2022 16:37:43 +0200 Subject: [PATCH 2/5] add Datree --- code-scanning/datree.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 682ab5d..df301c7 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -12,10 +12,10 @@ name: Datree on: push: - branches: [ main ] + branches: [ $default-branch, $protected-branches ] pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: [ $default-branch ] jobs: datree: From 2fe9028318a16ee399cbb6fc832b30e3486f93b6 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:23:25 +0200 Subject: [PATCH 3/5] fix workflow --- code-scanning/datree.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index df301c7..44afd69 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -17,6 +17,9 @@ on: # The branches below must be a subset of the branches above branches: [ $default-branch ] +permissions: + contents: read + jobs: datree: permissions: @@ -27,7 +30,7 @@ jobs: - uses: actions/checkout@v3 - name: Run Datree policy check continue-on-error: true - uses: hadar-co/action-datree@main + uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. @@ -41,4 +44,4 @@ jobs: - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: datree.sarif \ No newline at end of file + sarif_file: datree.sarif From eaef38b7d53821181be4769ca49cd73b29a1dc95 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Wed, 7 Dec 2022 16:24:28 +0200 Subject: [PATCH 4/5] fix workflow --- code-scanning/properties/datree.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/datree.properties.json b/code-scanning/properties/datree.properties.json index 99e07a5..b7c695c 100644 --- a/code-scanning/properties/datree.properties.json +++ b/code-scanning/properties/datree.properties.json @@ -4,4 +4,4 @@ "description": "Detect misconfigurations in your Kubernetes manifests and present them in Github code scanning", "iconName": "datree", "categories": ["Code Scanning", "YAML"] -} \ No newline at end of file +} From bf83018c61c4c637421536d74854c789df696c20 Mon Sep 17 00:00:00 2001 From: hadar-co Date: Thu, 8 Dec 2022 09:57:36 +0200 Subject: [PATCH 5/5] Update code-scanning/datree.yml Co-authored-by: Sampark Sharma --- code-scanning/datree.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/datree.yml b/code-scanning/datree.yml index 44afd69..2e44682 100644 --- a/code-scanning/datree.yml +++ b/code-scanning/datree.yml @@ -34,7 +34,7 @@ jobs: env: # In order to use the Datree action you will need to have a Datree token. # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. - DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} with: # Add the path to the configuration file/s that you would like to test. # See https://github.com/datreeio/action-datree#usage for all available options.