Kubescape report does not submit with github action - security

I'm trying to send a kubescape report via GitHub Action and unfortunately I get the error shown below:
Scan results have not been submitted: Sign up for free:
https://portal.armo.cloud/account/sign-up
Of course I've created an account, and I try to submit the report like this:
kubescape:
  runs-on: ubuntu-20.04
  strategy:
    matrix: { dir_kube: ['ionos/kubernetes/dev/*.yaml', 'azure/kubernetes/prod/*.yaml', 'ionos/kubernetes/prod/*.yaml'] }
  steps:
    - name: Clone repo
      uses: actions/checkout@master
    - name: Install kubescape
      run: curl -s https://raw.githubusercontent.com/armosec/kubescape/master/install.sh | /bin/bash
    # Scanning cluster, specified by filter path
    - name: Scan repository
      run: kubescape scan --submit --account=${{ secrets.KUBESCAPE_REPORT }} ${{ matrix.dir_kube }}
The secret corresponds to my account key.
What I've tried:
Replace the secret (In case I would have mistyped it)
add --verbose
add --logger debug
scan and send the report from my machine directly
(I manage to send the report correctly, but as you might guess, I don't want to do it from my machine as it is a cron job.)
Is it even possible to do it from GA? Am I missing something?

Kubescape just released support for submitting file scans to the portal. Check it now with the latest version!

Set a github secret called KUBESCAPE_ACCOUNT.
Then, add the following code to your workflow (copied from here):
name: Kubescape scanning for misconfigurations
on: [push, pull_request]
jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: kubescape/github-action@main
        continue-on-error: true
        with:
          format: sarif
          outputFile: results.sarif
          # Specify the Kubescape cloud account ID
          account: ${{secrets.KUBESCAPE_ACCOUNT}}
      - name: Upload Kubescape scan results to Github Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif


fatal: detected dubious ownership in repository at '/github/workspace' in github action for Firebase app-distribution

I am trying to create a CI/CD pipeline for an Android project. What I want to achieve is to upload the debug build to Firebase App Distribution when the GitHub Action is triggered.
I am using https://github.com/marketplace/actions/firebase-app-distribution-action#firebase-app-distribution-github-action to upload the build to App Distribution.
I have also tried https://github.com/marketplace/actions/firebase-app-distribution
but I get the same issue in both cases.
Attaching the screenshot of the error I get during the GitHub Action.
Here is my workflow yaml file:
name: Workflow_1
on:
  pull_request:
    branches: [ dev ]
    types:
      - closed
jobs:
  build:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      # checking out the code to the environment
      - uses: actions/checkout@v2
      - name: set up Java
        uses: actions/setup-java@v2
        with:
          distribution: 'adopt'
          java-version: 11
      - name: Make gradlew executable
        run: chmod +x ./gradlew
      # - name: Build debug APK
      #   run: ./gradlew assembleDebug
      # - name: Upload Debug APKs
      #   uses: actions/upload-artifact@v2
      #   with:
      #     name: Test-App
      #     path: app/build/outputs/
      - name: Firebase App Distribution3
        uses: hasretsariyer/firebase-app-distribution-github-action@v1.0
        with:
          app_id: "${{ secrets.FIREBASE_APP_ID }}"
          firebase_token: "${{ secrets.FIREBASE_TOKEN }}"
          app_file: app-debug.apk
          tester_groups: demoGRP
I searched the web but did not find this issue linked with GitHub Actions.
Update:
Going by the comments below, I edited the checkout part in the yaml file:
- uses: actions/checkout@v2
  with:
    set-safe-directory: '*'
which led to another issue (screenshot below):

Azure DevOps Pipeline yaml file Docker Tag

Hello my expert friends.
I know this question might sound really simple, but I am seeking some advice and best practices to follow/learn.
I have a testing infra in Azure divided into 2 environments. One is Staging and the other is Production.
Those environments have the same configuration for hands-on practice, as I want to learn how to deploy specific Docker images from Staging to Production.
At the current state, I have 1 web app in Staging and 1 web app in Production.
My build pipeline for this lab is set up to trigger the build in Staging only if I push a tag to GitHub, and I achieved this by setting my pipeline as follows:
trigger:
  batch: true
  tags:
    include:
      - '*'
  branches:
    exclude:
      - Staging
This runs a docker build with some c# code and deploys it to a container registry.
But in my current pipeline, under the Docker task:
- task: Docker@2
  name: 'dockerBuildAndPush'
  displayName: 'docker - Build & Push'
  inputs:
    repository: $(imageRepository)
    Dockerfile: $(dockerfilePath)
    containerRegistry: ${{ variables.dockerRegistryServiceConnection }}
    buildContext: ${{ variables.buildContext }}
    tags: |
      $(Build.BuildNumber)
      latest
As you can see, I have a tag that is based on Build.BuildNumber.
This, of course, gets the current date + build number during the build process, but what I wanted to do is target the latest tag coming from GitHub and pass it to the build.
And this is where I got confused and am not really sure about the best practice to follow.
Assuming that on GitHub I push the update with the tag v1.0, is there a way I can use the pipeline to pick up the tag number and pass it automatically to the build? Or do I have to update the tag value manually in the pipeline every time before pushing to GitHub?
So basically what I want to have in my container registry is as follows:
GitHub push tag v1.0
Azure Container Registry has a Docker build build:v1.0
In this way it will be easier to quickly detect which Docker image is running on Staging and Production later on.
Sorry if I couldn't explain my dilemma clearly; if this is the case, please don't hesitate to ask for more information.
UPDATE:
Thank you so much Dave for your reply and your solution. I will look into it asap.
Right, I was looking for something a bit easier to achieve, to understand the full process and get confident with it.
At the current state I manage my pipeline in the following order.
parameters:
  - name: tag
    type: string
    default: 'v1.1'
trigger:
  batch: true
  tags:
    include:
      - '*'
  branches:
    exclude:
      - Staging
and in my Docker task I set the tag to the parameter:
- task: Docker@2
  name: 'dockerBuildAndPush'
  displayName: 'docker - Build & Push'
  inputs:
    repository: $(imageRepository)
    Dockerfile: $(dockerfilePath)
    containerRegistry: ${{ variables.dockerRegistryServiceConnection }}
    buildContext: ${{ variables.buildContext }}
    tags: '${{ parameters.tag }}'
This process worked exactly as expected. In my container registry in the portal I have a version named 'v.1.1'.
The issue I am facing is during the release phase of this image.
In the tag for the release I have $(Build.BuildNumber), which of course, as I am setting a parameter variable to build that image, is not a build number but v1.1.
I have been reading around that I can override the BuildNumber with a specific variable name in the yaml file to map Build.BuildNumber to a parameter, and in the release pipeline I can leave Build.BuildNumber as a reference. But it is not 100% clear to me how this can be done.
You could use GitVersion to generate a version number from your repository tags.
This could be used from your pipeline as follows:
- task: UseDotNet@2
  displayName: Use .NET Core CLI
  inputs:
    version: "6.x"
- task: DotNetCoreCLI@2
  displayName: Install GitVersion
  continueOnError: true
  inputs:
    command: "custom"
    custom: "tool"
    arguments: "install GitVersion.Tool --version 5.* --global"
- task: PowerShell@2
  displayName: Set build version
  inputs:
    targetType: "inline"
    script: |
      Write-Host "##vso[build.updatebuildnumber]$(dotnet-gitversion /showvariable FullSemVer)"
The above example will set the Build.BuildNumber variable to a version string based on the last tag. You can, of course, set some other variable instead.
You can also customise the way GitVersion chooses a version number by adding a GitVersion.yml file to your repository.
This answer should serve as a starting point for you - it doesn't produce exactly the format you want, you will need to look at configuration options and such if you want a very specific format.
Also, look at the different modes that GitVersion can run in, since they will affect the version numbers generated for any commits in between tagged commits!
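A lighter alternative to GitVersion for the "tag v1.0 becomes image tag v1.0" case, added here as an example and not part of the answer above: it derives the image tag from the ref that triggered the run (Azure Pipelines sets Build.SourceBranch to refs/tags/<tag> for tag-triggered builds), only accepts tags shaped like v<major>.<minor>[.<patch>] so arbitrary ref names never become registry tags, and emits the same ##vso logging command to override Build.BuildNumber. The fallback build number and ref values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above): derive the Docker image tag from the
# git tag that triggered the Azure Pipelines run, without GitVersion. Assumes the
# step is given $(Build.SourceBranch), which is refs/tags/<tag> for tag triggers.
set -eu

# Print <tag> if $1 is a tag ref whose name looks like v<major>.<minor>[.<patch>];
# otherwise print the fallback in $2 (e.g. $(Build.BuildNumber)). Restricting the
# accepted shape keeps branch names and odd tags from being pushed as image tags.
image_tag_from_ref() {
  ref="$1"; fallback="$2"
  case "$ref" in
    refs/tags/*)
      tag="${ref#refs/tags/}"
      if printf '%s\n' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+(\.[0-9]+)?$'; then
        printf '%s\n' "$tag"
        return 0
      fi
      ;;
  esac
  printf '%s\n' "$fallback"
}

# Emit the logging command that overrides Build.BuildNumber for this run, so a
# release pipeline that still references $(Build.BuildNumber) sees the image tag.
vso_update_build_number() {
  printf '##vso[build.updatebuildnumber]%s\n' "$1"
}

# Usage inside a Bash@3 / script step (constructed values for the demo):
#   tag=$(image_tag_from_ref "refs/tags/v1.0" "20230101.1")   # -> v1.0
#   vso_update_build_number "$tag"
```

In the pipeline the two arguments would be "$(Build.SourceBranch)" and "$(Build.BuildNumber)", and the printed tag feeds the Docker@2 tags input.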

exclude files from being sent over github actions

I'm trying to find out if there is a way to exclude certain files from being sent over GitHub Actions. For example, I have a server and a client in the same repository. Right now, both the server (Node.js) and the client (a React.js application) are being hosted together on Azure App Service. Once / is hit, it serves up the index.html file from the build folder.
However, I am finding that hosting these two things together is taking its toll on the overall application; for example, it sometimes takes up to 10 seconds for the server to respond and return the index file to the client. I remember in my training some of my more senior devs didn't like to host the server and client together, and I'm starting to see why.
So I will likely need to split these up to improve performance, but before I go through the daunting task of splitting the repositories up: is there a way to specify in a GitHub Actions workflow to ignore certain files/folders etc.?
The only modification I've made to this is that I added an action to zip the application for faster upload to Azure to improve workload performance.
Here is my workflow:
# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
# More GitHub Actions for Azure: https://github.com/Azure/actions
name: Build and deploy Node.js app to Azure Web App
on:
  push:
    branches:
      - main
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Node.js version
        uses: actions/setup-node@v1
        with:
          node-version: '14.x'
      - name: npm install, build, and test
        run: |
          npm install
          npm run build --if-present
          npm run test --if-present
      - name: Zip artifact for deployment
        run: zip release.zip ./* -r
      - name: Upload artifact for deployment job
        uses: actions/upload-artifact@v2
        with:
          name: node-app
          path: release.zip
  deploy:
    runs-on: ubuntu-latest
    needs: build
    environment:
      name: 'Production'
      url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
    steps:
      - name: Download artifact from build job
        uses: actions/download-artifact@v2
        with:
          name: node-app
      - name: unzip artifact for deployment
        run: unzip release.zip
      - name: 'Deploy to Azure Web App'
        id: deploy-to-webapp
        uses: azure/webapps-deploy@v2
        with:
          app-name: 'Omitted'
          slot-name: 'Production'
          publish-profile: ${{SECRET}}
          package: .
You could create a shell script that excludes the files you don't want.
In .github, create a new folder scripts. Inside the scripts folder, create a new file named exclude.sh.
In the exclude.sh, add the following:
zip -r [file_name.zip] [files/folder to zip] -x [file path/name to exclude]
In your workflow:
- name: unzip artifact for deployment
  run: unzip file_name.zip
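A worked version of the exclusion step, added here as an example and not part of the answer above: it uses tar --exclude in place of the zip -x form (tar is present on every runner, while zip may need installing), builds a constructed sample tree, and checks that the .env file, the .git directory, node_modules, client sources and test files stay out of the deployment archive while the built site and server code go in. Paths and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above): build the deployment archive while
# excluding paths that should never reach the web app. Uses tar --exclude instead
# of zip -x; the sample tree below is constructed for the demo.
set -eu

# Create a constructed repo layout mixing built client, server, secrets and tests.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/build" "$dir/server" "$dir/client/src" "$dir/node_modules/x" "$dir/.git"
  echo '<html></html>' > "$dir/build/index.html"       # served at /
  echo 'console.log(1)' > "$dir/server/index.js"       # the Node.js server
  echo 'export {}' > "$dir/client/src/App.js"          # React source, already built
  echo 'DB_PASSWORD=constructed' > "$dir/.env"         # secrets: must not be deployed
  echo 'ref: refs/heads/main' > "$dir/.git/HEAD"       # repo history: must not be deployed
  echo 'module' > "$dir/node_modules/x/index.js"       # reinstalled on the app service
  echo 'test' > "$dir/server/index.test.js"            # tests add nothing at runtime
  printf '%s\n' "$dir"
}

# Archive the tree at $1 into $2, dropping the excluded names wherever they occur
# (GNU tar matches unanchored patterns against any path component).
make_release_archive() {
  src="$1"; out="$2"
  tar -C "$src" \
      --exclude='.git' --exclude='.env' --exclude='node_modules' \
      --exclude='client' --exclude='*.test.js' \
      -cf "$out" .
}

# Return 0 if the archive lists member $2 exactly, 1 otherwise.
archive_has() {
  tar -tf "$1" | grep -qxF "$2"
}
```

In the workflow the same exclusions apply to the zip step as "zip -r release.zip . -x '.env' '.git/*' 'node_modules/*'", so whatever the artifact format, secrets and history never enter the package that reaches Azure.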

React deployment to firebase using github actions

on:
  push:
    branches:
      - master
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@master
      - name: Install Dependencies
        run: npm install
      - name: Build
        run: npm run build
      - name: Archive Production Artifact
        uses: actions/upload-artifact@master
        with:
          name: build
          path: build
  deploy:
    name: Deploy
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@master
      - name: Download Artifact
        uses: actions/download-artifact@master
        with:
          name: build
      - name: Deploy to Firebase
        uses: w9jds/firebase-action@master
        with:
          args: deploy --only hosting
        env:
          FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
Now, this is the GitHub Actions workflow. It executes the build job without errors, but in deployment there is an error.
This is the error image.
The error it shows is: Error: Specified public directory 'build' does not exist, can't deploy hosting to site landing-page-design-1. I have followed the blog from where the workflow is copied and did everything the same except for some of my project details, which is obvious. Please help me out: why is this error occurring and how can I fix it?
You're probably unpacking artifact to root directory instead of build/.
I'm guessing the article was written for download-artifact@v1 while you are using download-artifact@v2 (as that's where master points currently). The difference between both is discussed here.
I'd verify first what is going on after the artifact is downloaded:
- name: Display directory structure
  run: ls -R
  shell: bash
If files are indeed in root directory, adding path should fix that.
- name: Download Artifact
  uses: actions/download-artifact@v2
  with:
    name: build
    path: build
PS: Using actions/<name>@master is not recommended, as it can always lead to issues if the same action behaves differently between versions... for example actions/download-artifact ;)
You can also try to use firebase-publish-react to simplify your workflow file
This particular action plugin takes care of building the application internally and also can reuse the build directory from previous steps.
- name: Deploy to Firebase
  uses: mohammed-atif/firebase-publish-react@v1.0
  with:
    firebase-token: ${{ secrets.FIREBASE_TOKEN }}

Github Actions and git clone issue

Having some problems using git clone from within GitHub Actions; I get the following no matter what I try.
The code that fails in my main.yml:
jobs:
  terraform:
    name: 'Terraform with Github Actions!'
    runs-on: ubuntu-latest
    steps:
      - name: 'Login to Azure'
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: 'Checkout'
        uses: actions/checkout@master
      - name: 'Preparing blueprint-environment'
        run: |
          snip
          git clone git@github.com:ourcompany/whateverrepo.git
Error message:
git@github.com: Permission denied (publickey).
I've seen many posts on adding ssh-keys, but that's locally, not in an Ubuntu release running from GitHub Actions. What am I missing here? I can't generate ssh-keys and add the private key on the fly to the GitHub repo settings, so how can I fix this?
If you need to check out two repositories, I would recommend using checkout again to a relative path. See the documentation to checkout multiple repos side by side. You may need to use a repo-scoped Personal Access Token (PAT).
- name: 'Checkout'
  uses: actions/checkout@v2
- name: 'Preparing blueprint-environment'
  uses: actions/checkout@v2
  with:
    token: ${{ secrets.PAT }}
    repository: ourcompany/whateverrepo
    path: whateverrepo
If it's really necessary, Deploy keys can be used to clone a repository via SSH.
Create a new SSH key pair for your repository. Do not set a passphrase.
Copy the contents of the public key (.pub file) to a new repository deploy key and check the box to "Allow write access."
Add a secret to the repository containing the entire contents of the private key.
As shown in the example below, configure actions/checkout to use the deploy key you have created.
steps:
  - uses: actions/checkout@v2
    with:
      ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
