From 0cbd67257ab6651017e09ee6918b0e715df7c144 Mon Sep 17 00:00:00 2001
From: Kjeld Schouten-Lebbing
Date: Mon, 26 Dec 2022 20:46:47 +0100
Subject: [PATCH] Delete secgen.yaml

Signed-off-by: Kjeld Schouten-Lebbing
---
 .github/workflows/secgen.yaml | 131 ----------------------------------
 1 file changed, 131 deletions(-)
 delete mode 100644 .github/workflows/secgen.yaml

diff --git a/.github/workflows/secgen.yaml b/.github/workflows/secgen.yaml
deleted file mode 100644
index a125fe3a6c5..00000000000
--- a/.github/workflows/secgen.yaml
+++ /dev/null
@@ -1,131 +0,0 @@
-name: "Chore: Generate Security Docs"
-
-concurrency: helm-release
-
-on:
- workflow_dispatch:
-
-jobs:
- gen-sec:
- runs-on: ubuntu-latest
- container:
- image: ghcr.io/truecharts/devcontainer:v3.1.1@sha256:f0ecaa533663f88346b745eb497f6f6acf63561ad88e345cd71c8280963b8c1e
- steps:
- - name: Install Kubernetes tools
- uses: yokawasa/action-setup-kube-tools@b91bb02bc122bd84ac7bbea5f25ed6b0f2ec6275 # tag=v0.9.2
- with:
- setup-tools: |
- helmv3
- helm: "3.8.0"
-
- - name: Prep Helm
- run: |
- helm repo add truecharts https://charts.truecharts.org
- helm repo add truecharts-library https://library-charts.truecharts.org
- helm repo add bitnami https://charts.bitnami.com/bitnami
- helm repo add prometheus https://prometheus-community.github.io/helm-charts
- helm repo update
-
- - name: Checkout
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
- with:
- token: ${{ secrets.BOT_TOKEN }}
- fetch-depth: 0
-
- - name: Setting repo parent dir as safe safe.directory
- run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
- - name: Checkout website
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
- with:
- fetch-depth: 1
- repository: truecharts/website
- token: ${{ secrets.BOT_TOKEN }}
- path: website
-
- - name: fetch dependencies
- shell: bash
- run: |
- .github/scripts/fetch_helm_deps.sh
-
- - name: generate security reports
- shell: bash
- run: |
- #!/bin/bash
- render() {
- local chart="$1"
- local chartname="$2"
- local train="$3"
- echo "Rendering helm-template for ${chartname}"
- mkdir -p ${chart}/render
- helm template ${chart} >> ${chart}/render/app.yaml || echo "Helm template failed..."
- }
- helm_sec_scan() {
- local chart="$1"
- local chartname="$2"
- local train="$3"
- echo "Scanning helm security for ${chartname}"
- mkdir -p ${chart}/render
- rm -rf website/docs/charts/${train}/${chartname}/helm-security.md || echo "removing old helm-security file failed..."
- echo "# Helm Security" >> website/docs/charts/${train}/${chartname}/helm-security.md
- echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
- echo "## Helm-Chart" >> website/docs/charts/${train}/${chartname}/helm-security.md
- echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
- echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/helm-security.md
- echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
- trivy config -f template --template "@./templates/trivy-config.tpl" ${chart}/render >> website/docs/charts/${train}/${chartname}/helm-security.md || echo "trivy scan failed..."
- }
- container_sec_scan() {
- local chart="$1"
- local chartname="$2"
- local train="$3"
- echo "Scanning container security for ${chartname}"
- mkdir -p ${chart}/render
- rm -rf website/docs/charts/${train}/${chartname}/container-security.md || echo "removing old container-security file failed..."
- echo "# Container Security" >> website/docs/charts/${train}/${chartname}/container-security.md
- echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
- echo "##### Detected Containers" >> website/docs/charts/${train}/${chartname}/container-security.md
- echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
- find ${chart}/render/ -name '*.yaml' -type f -exec cat {} \; | grep image: | sed "s/image: //g" | sed "s/\"//g" >> ${chart}/render/containers.tmp
- cat ${chart}/render/containers.tmp >> website/docs/charts/${train}/${chartname}/container-security.md
- echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
- echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/container-security.md
- echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
- for container in $(cat ${chart}/render/containers.tmp | sort | uniq); do
- if [[ "$container" == *"truecharts/alpine"* || "$container" == *"truecharts/ubuntu"* || "$container" ==
*"truecharts/kubectl"* ]]; then
- echo "Skipping ${container}, as it's a shared common container..."
- else
- echo "**Container: ${container}**" >> website/docs/charts/${train}/${chartname}/container-security.md
- echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
- trivy image --security-checks vuln -f template --template "@./templates/trivy-container.tpl" ${container} >> website/docs/charts/${train}/${chartname}/container-security.md || echo "trivy container scan failed..."
- echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
- fi
- done
- }
- cleanfiles() {
- local chart="$1"
- local chartname="$2"
- local train="$3"
- echo "sanitising website output for ${chartname}..."
- rm -rf ${chart}/render
- sed -i 's|
|
|g' website/docs/charts/${train}/${chartname}/helm-security.md
- sed -i 's|
|
|g' website/docs/charts/${train}/${chartname}/container-security.md
- sed -i 's|
|
|g' website/docs/charts/${train}/${chartname}/helm-security.md
- sed -i 's|
|
|g' website/docs/charts/${train}/${chartname}/container-security.md
- }
- for train in enterprise stable incubator dependency; do
- echo "Processing Charts for Train: ${train}..."
- for chart in $(ls "charts/${train}"); do
- render "charts/${train}/${chart}" ${chart} ${train} && helm_sec_scan "charts/${train}/${chart}" ${chart} ${train} && container_sec_scan "charts/${train}/${chart}" ${chart} ${train} && cleanfiles "charts/${train}/${chart}" ${chart} ${train} || echo "processing failed for ${chart}"
- done
- done
- echo "finsihed security scan"
-
- - name: Commit Website Changes
- run: |
- cd website
- git config user.name "TrueCharts-Bot"
- git config user.email "bot@truecharts.org"
- git add --all
- git commit -sm "Commit released docs for TrueCharts" || exit 0
- git push