Alcide Advisor GitHub Actions (#1)

Initial Release

.github/release-drafter.yml

@@ -0,0 +1,39 @@
+name-template: 'v$NEXT_PATCH_VERSION 🚀'
+tag-template: 'v$NEXT_PATCH_VERSION'
+categories:
+  - title: 'Features'
+    labels:
+      - 'feature'
+      - 'enhancement'
+  - title: 'Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+  - title: '🚀 Highlights'
+    labels:
+      - 'release/highlight'
+  - title: '⚠️ Breaking Changes'
+    labels:
+      - 'release/breaking-change'      
+  - title: 'Maintenance'
+    label: 'chore'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+template: |
+  ## Changes
+
+  $CHANGES 
+
+## About *Alcide Advisor*
+
+Alcide Advisor is an agentless service for Kubernetes audit and compliance that’s built to ensure a frictionless and secured DevSecOps workflow by layering a hygiene scan of Kubernetes cluster & workloads early in the development process and before moving to production. With Alcide Advisor, you can cover the following security checks
+*  Kubernetes infrastructure vulnerability scanning.
+*  Hunting misplaced secrets, or excessive priviliges for secret access.
+*  Workload hardening from Pod Security to network policies.
+*  Istio security configuration and best practices.
+*  Ingress Controllers for security best practices.
+*  Kubernetes API server access privileges.
+*  Kubernetes operators security best practices.
+*  Deployment conformance to labeling, annotating, resource limits and much more ...
+
+[Create Alcide Advisor Account](https://www.alcide.io/pricing)

.github/workflows/releasme.yml

@@ -0,0 +1,40 @@
+name: Release Draft (from master)
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  tag-master:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+      with:
+        fetch-depth: '0'
+    - name: Bump version and push tag
+      uses: anothrNick/[email protected]
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        WITH_V: true
+        DEFAULT_BUMP: patch
+
+  release-draft:
+    name: Release Me
+    runs-on: ubuntu-latest
+    needs: tag-master
+    env:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_GITHUB_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+      DOCKER_REGISTRY_URL: "docker.pkg.github.com"  
+      DOCKER_IMAGE: kruzio/kube-dialer
+      REPOSITORY: kruzio/kube-dialer/dialer  
+
+    steps:
+      - name: Create Release
+        id: create_release
+        uses: release-drafter/release-drafter@v5
+        with:
+          config-name: release-drafter.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yaml

@@ -0,0 +1,43 @@
+name: Test Alcide Advisor
+
+on:
+  pull_request:
+  push:
+    branches:
+      - '*'
+      - '!master'
+
+jobs:
+  advisor-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+
+      - name: Launch Cluster
+        uses: helm/[email protected]
+        with:
+          version: v0.7.0
+          name: kruzer
+          node_image: kindest/node:v1.16.4
+          wait: 5m
+          install_local_path_provisioner: true
+
+      - name: Test
+        run: |
+          kubectl cluster-info
+          kubectl get storageclass standard
+
+      - name: Scan Local Cluster
+        uses: ./    
+        with:
+          exclude_namespaces: '-'
+          include_namespaces: '*'
+          output_file: 'advisor-scan.html'
+
+      - name: Upload Alcide Advisor Scan Report
+        uses: actions/upload-artifact@v1
+        with:
+          name: advisor-scan.html 
+          path: advisor-scan.html 
+

.gitignore

@@ -1,104 +1,4 @@
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-node_modules/
-jspm_packages/
-
-# TypeScript v1 declaration files
-typings/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Microbundle cache
-.rpt2_cache/
-.rts2_cache_cjs/
-.rts2_cache_es/
-.rts2_cache_umd/
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
-# dotenv environment variables file
-.env
-.env.test
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-
-# Next.js build output
-.next
-
-# Nuxt.js build / generate output
-.nuxt
-dist
-
-# Gatsby files
-.cache/
-# Comment in the public line in if your project uses Gatsby and *not* Next.js
-# https://nextjs.org/blog/next-9-1#public-directory-support
-# public
-
-# vuepress build output
-.vuepress/dist
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
-
-# TernJS port file
-.tern-port
+.idea
+.project
+.settings
+.vscode

CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+# Community Code of Conduct
+
+Alcide follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).

LICENSE

@@ -1,3 +1,4 @@
+
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -186,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright The Helm Authors.
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,2 +1,62 @@
-# advisor-action
-Alcide Advisor GitHub Action
+# *Alcide Advisor* Action
+
+[![](https://github.com/alcideio/advisor-action/workflows/Test/badge.svg?branch=master)](https://github.com/alcideio/advisor-action/actions)
+
+
+A GitHub Action for security scan your Kubernetes clustet in a pipeline workflow.
+
+
+## About *Alcide Advisor*
+
+Alcide Advisor is an agentless service for Kubernetes audit and compliance that’s built to ensure a frictionless and secured DevSecOps workflow by layering a hygiene scan of Kubernetes cluster & workloads early in the development process and before moving to production. With Alcide Advisor, you can cover the following security checks:
+*  Kubernetes infrastructure vulnerability scanning.
+*  Hunting misplaced secrets, or excessive priviliges for secret access.
+*  Workload hardening from Pod Security to network policies.
+*  Istio security configuration and best practices.
+*  Ingress Controllers for security best practices.
+*  Kubernetes API server access privileges.
+*  Kubernetes operators security best practices.
+*  Deployment conformance to labeling, annotating, resource limits and much more ...
+
+
+## Usage
+
+### Pre-requisites
+
+Create a workflow YAML file in your `.github/workflows` directory. An [example workflow](#example-workflow) is available below.
+For more information, reference the GitHub Help Documentation for [Creating a workflow file](https://help.github.com/en/articles/configuring-a-workflow#creating-a-workflow-file).
+
+### Inputs
+
+For more information on inputs, see the [API Documentation](https://developer.github.com/v3/repos/releases/#input)
+
+- `version`: The kind version to use (default: `v0.7.0`)
+- `config`: The path to the kind config file
+- `node_image`: The Docker image for the cluster nodes
+- `cluster_name`: The name of the cluster to create (default: `chart-testing`)
+- `wait`: The duration to wait for the control plane to become ready (default: `60s`)
+- `log_level`: The log level for kind
+
+### Example Workflow
+
+Create a workflow (eg: `.github/workflows/create-cluster.yml`):
+
+```yaml
+name: Create Cluster
+
+on: pull_request
+
+jobs:
+  create-cluster:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create k8s Kind Cluster
+        uses: alcideio/[email protected]
+```
+
+This uses [@alcideio/advisor-action](https://www.github.com/alcideio/advisor-action) GitHub Action to spin up a [kind](https://kind.sigs.k8s.io/) Kubernetes cluster on every Pull Request.
+See [@helm/chart-testing-action](https://www.github.com/helm/chart-testing-action) for a more practical example.
+
+## Code of conduct
+
+Participation in the Helm community is governed by the [Code of Conduct](CODE_OF_CONDUCT.md).

action.yml

@@ -0,0 +1,53 @@
+name: "Advisor Scan"
+description: "Security Scan Kubernetes Cluster"
+author: "Alcide"
+branding:
+  color: blue
+  icon: alert-triangle
+inputs:
+
+  include_namespaces:
+    description: Namespaces to include in the scan - defaults to all
+    required: false
+    default: "*"  
+  exclude_namespaces:
+    description: Namespaces to exclude in the scan - defaults to kube-system,istio-system
+    required: false
+    default: "kube-system,istio-system"  
+
+  output_file:
+    description: Scan result file name. You can publish this artifact in a later step.
+    required: false
+    default: "advisor-scan-result.html"
+  fail_on_critical:
+    description: Fail the task if critical findings observed.
+    required: false
+    default: ""
+  policy_profile:
+    description: Alcide policy profile the cluster will be scanned against. 
+    required: false
+    #default: ""
+
+  #
+  # Alcide Cloud Account
+  #
+  policy_profile_id:
+    description: The profile id with which cluster should be scanned. Note - Alcide Api Key is required to run a scan with customized profile 
+    required: false
+  alcide_apikey:
+    description: Alcide API Key - to run advisor scan with customized profile an api-key is needed - login to your account to obtain one
+    required: false
+  alcide_apiserver:
+    description: Alcide API Server - The api server provisioned to your account
+    required: false
+
+
+
+
+runs:
+  using: "node12"
+  main: "main.js"
+
+
+
+