https://github.com/kubeshop/monokle-action

Run this GitHub action to validate your Kubernetes resources with the Monokle SARIF validator.
# Welcome to Monokle Action

Monokle Action is a GitHub Action for static analysis of Kubernetes resources.

Use it to prevent misconfigurations within Kustomize, Helm or default Kubernetes resources. The output is available as a SARIF file which you can upload to GitHub CodeScan.

Under the hood it uses [@monokle/validation][monokle-validation] which allows you to configure validation rules extensively.

[Explore a demo pull request][demo-pr]

## Table of contents

- [Usage](#usage)
- [Understanding the Action's result](#understanding-the-actions-result)
- [Validate the output of Kustomize](#validate-the-output-of-kustomize)
- [Validate the output of Helm](#validate-the-output-of-helm)
- [Validate default Kubernetes resources](#validate-default-kubernetes-resources)
- [Validate and upload to GitHub CodeScan](#validate-and-upload-to-github-codescan)
- [Configuration](#configuration)
- [Action inputs](#action-inputs)
- [@monokle/validation rules](#monoklevalidation-rules)

## Usage

### Understanding the Action's result

The action finds problems in your resources and reports each one as either an error or a warning.

You configure, per rule, whether a problem counts as an error or a warning (see [Configuration](#configuration)).

The action fails when at least one error is found. Warnings alone never cause a failure, so a pull request with only warnings can still be merged. This allows for transition periods when you roll out new policies.

### Validate the output of Kustomize

```yaml
on: push

jobs:
  validate:
    name: Validate Kustomize with Monokle
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: bake
        uses: azure/[email protected]
        with:
          renderEngine: "kustomize"
          kustomizationPath: "./kustomize-happy-cms/overlays/local"
      - id: validate
        uses: kubeshop/[email protected]
        with:
          path: ${{ steps.bake.outputs.manifestsBundle }}
```

### Validate the output of Helm

```yaml
on: push

jobs:
  validate:
    name: Validate Helm with Monokle
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: bake
        uses: azure/[email protected]
        with:
          renderEngine: "helm"
          helmChart: "./helm-yellow-wordpress"
      - id: validate
        uses: kubeshop/[email protected]
        with:
          path: ${{ steps.bake.outputs.manifestsBundle }}
```

### Validate default Kubernetes resources

```yaml
on: push

jobs:
  validate:
    name: Validate Kubernetes resources with Monokle
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: validate
        uses: kubeshop/[email protected]
        with:
          path: __path_to_file_or_directory_with_kubernetes_yaml_files__
```

### Validate and upload to GitHub CodeScan

```yaml
on: push

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    name: Validate Kustomize with Monokle
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: bake
        uses: azure/[email protected]
        with:
          renderEngine: "kustomize"
          kustomizationPath: "./kustomize-happy-cms/overlays/local"
      - id: validate
        uses: kubeshop/[email protected]
        with:
          path: ${{ steps.bake.outputs.manifestsBundle }}
      - id: upload-sarif
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.validate.outputs.sarif }}
```

## Configuration

### Action inputs

**[path]** Relative path to a directory or a YAML file with Kubernetes resources.

**[config]** Relative path to the Monokle validation configuration file.

### @monokle/validation rules

The Monokle Action looks for a Monokle Validation configuration file.

By default it reads `./monokle.validation.yaml`; use the `config` input to point it elsewhere.

[Learn more about Monokle Validation configuration][monokle-validation-docs]

**Example**

```yaml
plugins:
  yaml-syntax: true
  kubernetes-schema: true
rules:
  yaml-syntax/no-bad-alias: "warn"
  yaml-syntax/no-bad-directive: false
  open-policy-agent/no-last-image: "err"
  open-policy-agent/cpu-limit: "err"
  open-policy-agent/memory-limit: "err"
  open-policy-agent/memory-request: "err"
settings:
  kubernetes-schema:
    schemaVersion: v1.24.2
```
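An added example, not code from the action or from @monokle/validation, that applies the pass/fail policy described under "Understanding the Action's result" to a SARIF log such as the one the `validate` step writes: the log below is constructed here and reuses rule ids from the configuration example; a result without a `level` is counted as a warning, which is the SARIF 2.1.0 default.

```python
import json
from collections import Counter

# Constructed sample: a SARIF 2.1.0 log shaped like a validator's output.
# Not real Monokle output; rule ids come from the configuration example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-validator"}},
        "results": [
            {"ruleId": "open-policy-agent/cpu-limit", "level": "error",
             "message": {"text": "container has no CPU limit"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "deployment.yaml"}}}]},
            {"ruleId": "yaml-syntax/no-bad-alias", "level": "warning",
             "message": {"text": "alias references an undefined anchor"}},
            # No "level" key: counted as a warning (the SARIF default).
            {"ruleId": "open-policy-agent/no-last-image",
             "message": {"text": "image uses the :latest tag"}},
        ],
    }],
})


def summarize(sarif_text):
    """Count results per level and list the levels seen for each rule id."""
    log = json.loads(sarif_text)
    counts = Counter()
    by_rule = {}
    for run in log.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")
            counts[level] += 1
            by_rule.setdefault(result.get("ruleId", "<no rule>"), []).append(level)
    return counts, by_rule


def should_fail(sarif_text):
    """Mirror the action's policy: fail only when at least one error exists."""
    counts, _ = summarize(sarif_text)
    return counts["error"] > 0


if __name__ == "__main__":
    counts, by_rule = summarize(SAMPLE_SARIF)
    for rule, levels in sorted(by_rule.items()):
        print(f"{rule}: {', '.join(levels)}")
    print("FAIL" if should_fail(SAMPLE_SARIF) else "PASS", dict(counts))
```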

[monokle-validation]: https://github.com/kubeshop/monokle-core/tree/main/packages/validation
[monokle-validation-docs]: https://github.com/kubeshop/monokle-core/blob/main/packages/validation/docs/configuration.md
[demo-pr]: https://github.com/kubeshop/monokle-demo/pull/1