{"id":21392182,"url":"https://github.com/sysdiglabs/k8s-security-configwatch","last_synced_at":"2025-07-13T18:31:04.182Z","repository":{"id":65161942,"uuid":"238811559","full_name":"sysdiglabs/k8s-security-configwatch","owner":"sysdiglabs","description":"Git action to generate security lint report for Kubernetes workload YAML files on PR","archived":false,"fork":false,"pushed_at":"2022-03-19T09:19:05.000Z","size":20,"stargazers_count":30,"open_issues_count":1,"forks_count":9,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-03-14T15:50:31.066Z","etag":null,"topics":["git-workflow","k8s","security"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sysdiglabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-02-07T00:14:28.000Z","updated_at":"2024-02-08T23:08:21.000Z","dependencies_parsed_at":"2023-01-04T12:39:03.122Z","dependency_job_id":null,"html_url":"https://github.com/sysdiglabs/k8s-security-configwatch","commit_stats":{"total_commits":10,"total_committers":1,"mean_commits":10.0,"dds":0.0,"last_synced_commit":"d547a433d36a0fb2fbdb40496d17b58fb4cfe1b8"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/sysdiglabs/k8s-security-configwatch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fk8s-security-configwatch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fk8s-security-configwatch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fk8s-security-configwatch/releases"
,"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fk8s-security-configwatch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sysdiglabs","download_url":"https://codeload.github.com/sysdiglabs/k8s-security-configwatch/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sysdiglabs%2Fk8s-security-configwatch/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265186466,"owners_count":23724674,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["git-workflow","k8s","security"],"created_at":"2024-11-22T13:39:31.689Z","updated_at":"2025-07-13T18:31:03.891Z","avatar_url":"https://github.com/sysdiglabs.png","language":"Shell","readme":"# Kubernetes Security Config Watch\n\nThis Git Action runs a security lint check against Kubernetes workloads in a Git workflow (PR opened, commit pushed, etc.).\n\n## Inputs\n\n### `sourceDir`\n\n**Required** The source directory for k8s workload YAML (master branch).\n\n### `targetDir`\n\n**Required** The target directory for k8s workload YAML (PR branch).\n\n## Use Cases\n0. Integrate the `k8s-security-lint` action into the git workflow.\n1. Examine changes to the following security attributes in k8s workload YAMLs in a PR:\n- `Privileged`\n- `HostPID`\n- `HostIPC`\n- `HostNetwork`\n- `Capabilities`\n- `ReadOnlyRootFileSystem`\n- `RunAsUser` (root/nonroot)\n- `RunAsGroup` (root/nonroot)\n- volume types\n2. 
Define your own criteria based on the lint result, for example:\n- Send the lint report to a Slack channel if `privileged` mode is set to true\n- Fail the check on the PR if host-level namespaces are enabled (`hostNetwork`, etc.)\n- Assign extra reviewers (security architect/engineer) to the PR.\n\n## Example Usage in Git workflow\n```yaml\n# checkout master branch\n- uses: actions/checkout@v2\n  with:\n    ref: master\n    path: master\n# checkout PR branch\n- uses: actions/checkout@v2\n  with:\n    path: candidate\n    ref: ${{ github.event.pull_request.head.sha }}\n# pass the yamls directory to k8s-privilege-check git action\n# the step id is what the later `steps.k8s_privilege_check` reference resolves against\n- name: Kubernetes Security Lint\n  id: k8s_privilege_check\n  uses: sysdiglabs/k8s-security-lint@v1.0.0\n  with:\n    sourceDir: '/master/yamls'\n    targetDir: '/candidate/yamls'\n# evaluate escalation report\n# hand the report to the script through an env var rather than interpolating ${{ }} into the\n# script body: the report contains workload and file names taken from the PR branch\n- name: Post Privilege Check\n  env:\n    ESCALATION_REPORT: ${{ toJSON(steps.k8s_privilege_check.outputs.escalation_report) }}\n  run: |\n    echo \"$ESCALATION_REPORT\"\n    # slack\n    # or other git action like adding another reviewer\n```\n\n\n## Outputs\n\n### `escalation_report`\n```json\n{\n  \"total_source_workloads\": 2,\n  \"total_target_workloads\": 2,\n  \"total_source_images\": 2,\n  \"total_target_images\": 2,\n  \"escalation_count\": 2,\n  \"reduction_count\": 1,\n  \"escalations\": [\n    {\n      \"name\": \"nginx\",\n      \"kind\": \"Pod\",\n      \"namespace\": \"default\",\n      \"file\": \"nginx.yaml\"\n    },\n    {\n      \"name\": \"my-busybox\",\n      \"kind\": \"Pod\",\n      \"namespace\": \"psp-test\",\n      \"file\": \"busy-box.yaml\"\n    }\n  ],\n  \"reductions\": [\n    {\n      \"name\": \"my-busybox\",\n      \"kind\": \"Pod\",\n      \"namespace\": \"psp-test\",\n      \"file\": \"busy-box.yaml\"\n    }\n  ],\n  \"new_privileged\": {\n    \"status\": \"Escalated\",\n    \"previous\": \"false\",\n    \"current\": \"true\",\n    \"workloads\": [\n      {\n        \"name\": \"nginx\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"default\",\n        \"file\": 
\"nginx.yaml\",\n        \"image\": \"kaizheh/nginx\"\n      }\n    ],\n    \"workloads_count\": 1\n  },\n  \"removed_privileged\": {\n    \"status\": \"Reduced\",\n    \"previous\": \"true\",\n    \"current\": \"false\",\n    \"workloads\": [\n      {\n        \"name\": \"my-busybox\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"psp-test\",\n        \"file\": \"busy-box.yaml\",\n        \"image\": \"busybox\"\n      }\n    ],\n    \"workloads_count\": 1\n  },\n  \"new_hostIPC\": {\n    \"status\": \"Escalated\",\n    \"previous\": \"false\",\n    \"current\": \"true\",\n    \"workloads\": [\n      {\n        \"name\": \"my-busybox\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"psp-test\",\n        \"file\": \"busy-box.yaml\"\n      },\n      {\n        \"name\": \"nginx\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"default\",\n        \"file\": \"nginx.yaml\"\n      }\n    ],\n    \"workloads_count\": 2\n  },\n  \"removed_hostIPC\": {\n    \"status\": \"Reduced\",\n    \"previous\": \"true\",\n    \"current\": \"false\",\n    \"workloads\": [],\n    \"workloads_count\": 0\n  },\n  \"new_hostNetwork\": {\n    \"status\": \"Escalated\",\n    \"previous\": \"false\",\n    \"current\": \"true\",\n    \"workloads\": [\n      {\n        \"name\": \"nginx\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"default\",\n        \"file\": \"nginx.yaml\"\n      }\n    ],\n    \"workloads_count\": 1\n  },\n  \"removed_hostNetwork\": {\n    \"status\": \"Reduced\",\n    \"previous\": \"true\",\n    \"current\": \"false\",\n    \"workloads\": [\n      {\n        \"name\": \"my-busybox\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"psp-test\",\n        \"file\": \"busy-box.yaml\"\n      }\n    ],\n    \"workloads_count\": 1\n  },\n  \"new_hostPID\": {\n    \"status\": \"Escalated\",\n    \"previous\": \"false\",\n    \"current\": \"true\",\n    \"workloads\": [\n      {\n        \"name\": \"nginx\",\n        \"kind\": \"Pod\",\n      
  \"namespace\": \"default\",\n        \"file\": \"nginx.yaml\"\n      }\n    ],\n    \"workloads_count\": 1\n  },\n  \"removed_hostPID\": {\n    \"status\": \"Reduced\",\n    \"previous\": \"true\",\n    \"current\": \"false\",\n    \"workloads\": [\n      {\n        \"name\": \"my-busybox\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"psp-test\",\n        \"file\": \"busy-box.yaml\"\n      }\n    ],\n    \"workloads_count\": 1\n  },\n  \"new_volume_types\": {\n    \"hostPath\": {\n      \"status\": \"Escalated\",\n      \"previous\": \"\",\n      \"current\": \"hostPath\",\n      \"workloads\": [\n        {\n          \"name\": \"nginx\",\n          \"kind\": \"Pod\",\n          \"namespace\": \"default\",\n          \"file\": \"nginx.yaml\"\n        }\n      ],\n      \"workloads_count\": 1\n    }\n  },\n  \"removed_volume_types\": {},\n  \"new_capabilities\": {},\n  \"reduced_capabilities\": {\n    \"SYS_ADMIN\": {\n      \"status\": \"Reduced\",\n      \"previous\": \"SYS_ADMIN\",\n      \"current\": \"\",\n      \"workloads\": [\n        {\n          \"name\": \"my-busybox\",\n          \"kind\": \"Pod\",\n          \"namespace\": \"psp-test\",\n          \"file\": \"busy-box.yaml\",\n          \"image\": \"busybox\"\n        }\n      ],\n      \"workloads_count\": 1\n    },\n    \"SYS_CHROOT\": {\n      \"status\": \"Reduced\",\n      \"previous\": \"SYS_CHROOT\",\n      \"current\": \"\",\n      \"workloads\": [\n        {\n          \"name\": \"my-busybox\",\n          \"kind\": \"Pod\",\n          \"namespace\": \"psp-test\",\n          \"file\": \"busy-box.yaml\",\n          \"image\": \"busybox\"\n        }\n      ],\n      \"workloads_count\": 1\n    }\n  },\n  \"new_run_user_as_root\": {\n    \"status\": \"Escalated\",\n    \"previous\": \"non-root\",\n    \"current\": \"root\",\n    \"workloads\": [\n      {\n        \"name\": \"nginx\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"default\",\n        \"file\": \"nginx.yaml\",\n    
    \"image\": \"kaizheh/nginx\"\n      }\n    ],\n    \"workloads_count\": 1\n  },\n  \"removed_run_user_as_root\": {\n    \"status\": \"Reduced\",\n    \"previous\": \"root\",\n    \"current\": \"non-root\",\n    \"workloads\": [],\n    \"workloads_count\": 0\n  },\n  \"new_run_group_as_root\": {\n    \"status\": \"Escalated\",\n    \"previous\": \"non-root\",\n    \"current\": \"root\",\n    \"workloads\": [\n      {\n        \"name\": \"nginx\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"default\",\n        \"file\": \"nginx.yaml\",\n        \"image\": \"kaizheh/nginx\"\n      }\n    ],\n    \"workloads_count\": 1\n  },\n  \"removed_run_group_as_root\": {\n    \"status\": \"Reduced\",\n    \"previous\": \"root\",\n    \"current\": \"non-root\",\n    \"workloads\": [],\n    \"workloads_count\": 0\n  },\n  \"new_read_only_root_fs\": {\n    \"status\": \"Reduced\",\n    \"previous\": \"false\",\n    \"current\": \"true\",\n    \"workloads\": [\n      {\n        \"name\": \"my-busybox\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"psp-test\",\n        \"file\": \"busy-box.yaml\",\n        \"image\": \"busybox\"\n      }\n    ],\n    \"workloads_count\": 1\n  },\n  \"removed_read_only_root_fs\": {\n    \"status\": \"Escalated\",\n    \"previous\": \"true\",\n    \"current\": \"false\",\n    \"workloads\": [\n      {\n        \"name\": \"nginx\",\n        \"kind\": \"Pod\",\n        \"namespace\": \"default\",\n        \"file\": \"nginx.yaml\",\n        \"image\": \"kaizheh/nginx\"\n      }\n    ],\n    \"workloads_count\": 1\n  }\n}\n```\nThe above escalation report is generated in 
[PR](https://github.com/Kaizhe/k8s-workloads/pull/13)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fk8s-security-configwatch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsysdiglabs%2Fk8s-security-configwatch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsysdiglabs%2Fk8s-security-configwatch/lists"}