Update functions and readme

.github/Taskfile.yml

@@ -1,7 +1,7 @@
 version: "3"
 
 tasks:
-  # # Lind and test (local)
+  # # Scan with GH Super-Linter slim (local)
 
   lint: # https://github.com/super-linter/super-linter
     desc: "GitHub Super-Linter"
@@ -21,3 +21,16 @@ tasks:
     desc: "Trivy security scanner"
     cmds:
       - source .github/scripts/test.sh && trivy
+
+  # # Show changed files (local)
+  diff:
+    desc: "Git diff to return changed files"
+    cmds:
+      - source .github/scripts/test.sh && get_changed_files
+    silent: true
+
+  # # Scan with Kubescape (local)
+  kube_scape:
+    desc: "Kubescape security platform"
+    cmds:
+      - source .github/scripts/test.sh && kube_scape

.github/gh_actions.md

@@ -0,0 +1,99 @@
+# How CI works
+
+The idea is to have an easy to use pattern that can be used locally and in GitHub Actions similar to [How CI works at GitHub and locally](https://github.com/github/scripts-to-rule-them-all)
+
+- `.github/scripts` contains bash scripts responsible for a unit of work.
+
+- `.github/Taskfile.yml` contains tasks that run the scripts.
+
+- `workflows/ci.yml` contains the GitHub Actions workflow
+
+---
+
+## What is used in this project
+
+1. [GitHub Super Linter](https://github.com/github/super-linter/blob/main/docs/run-linter-locally.md)
+
+2. [Checkov](https://www.checkov.io/)
+
+3. [Trivy](https://github.com/aquasecurity/trivy)
+
+4. [Kubescape](https://github.com/kubescape/kubescape)
+
+---
+
+## Accessing the GitHub Actions tasks
+
+`In your project root folder:`
+
+Update your `Taskfile.yml` to use the GitHub Actions tasks:
+
+```yaml
+# Include the github actions tasks
+includes:
+  run: .github/Taskfile.yml
+```
+
+Create a task to run the GitHub Actions tasks:
+
+```yaml
+test:
+  desc: "Run static tests"
+  cmds:
+    - task: run:lint
+    - task: run:trivy
+    - task: run:checkov
+    - task: run:diff
+```
+
+---
+
+## Commit code only if all tests pass
+
+Create a [git hook](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks) to verify tests are running before commiting:
+
+> Git hooks are local to your machine and are not committed to the repository.
+
+```bash
+# Open the hooks directory for this repository
+code .git/hooks
+```
+
+```bash
+# Rename the pre-commit.sample file to pre-commit
+mv .git/hooks/pre-commit.sample .git/hooks/pre-commit
+
+# Make it executable
+chmod +x .git/hooks/pre-commit
+```
+
+Add the following to the `.git/hooks/pre-commit` file:
+
+```bash
+#!/bin/sh
+
+# Run task command and exit
+task test
+
+# If task test fails then exit with 1
+if [ $? -ne 0 ]; then
+ echo
+ echo "Tests must pass before commit!"
+ echo
+ exit 1
+fi
+```
+
+Verify the hook is working:
+
+```bash
+git commit -m "test commit"
+```
+
+If the tests fail you should see the following:
+
+```shell
+task: Failed to run task "test": exit status 1
+
+Tests must pass before commit!
+```

.github/linters/.yaml-lint.yml

@@ -8,19 +8,17 @@
 ###########################################
 rules:
   braces:
-    disable
-    # level: warning
-    # min-spaces-inside: 0
-    # max-spaces-inside: 0
-    # min-spaces-inside-empty: 1
-    # max-spaces-inside-empty: 5
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 1
+    max-spaces-inside-empty: 5
   brackets:
-    disable
-    # level: warning
-    # min-spaces-inside: 0
-    # max-spaces-inside: 0
-    # min-spaces-inside-empty: 1
-    # max-spaces-inside-empty: 5
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 1
+    max-spaces-inside-empty: 5
   colons:
     level: warning
     max-spaces-before: 0

.github/scripts/server.sh

@@ -1,18 +1,21 @@
 #!/usr/bin/env bash
 
+# This script is used to start all components needed to run locally.
+
 set -e
 
 # # #  WSL  # # #
 
 # Start Docker Desktop if it's not running
-if ! docker ps; then
+if ! docker ps -q; then
     powershell.exe "Start-Process -FilePath 'C:\Program Files\Docker\Docker\Docker Desktop.exe'"
     while ! docker ps; do # Wait for Docker to start
         echo "==> Docker is starting"
         sleep 3
     done
 else
     echo "==> Docker is running"
+    echo
 fi
 
 # # #  WSL  # # #

.github/scripts/test.sh

@@ -1,8 +1,10 @@
 #!/usr/bin/env bash
 
+# This script is used to hold all testing/linting functions for the project
+
 set -e
 
-# # Create a bash function to run super-linter
+# Bash function to run Super-Linter
 function gh_super_linter() {
     # Start docker desktop if it's not running
     source "$PWD/.github/scripts/server.sh"
@@ -14,28 +16,47 @@ function gh_super_linter() {
         -v "$PWD":/tmp/lint github/super-linter:slim-v5
 }
 
-# Create a bash function to run checkov
+# Bash function to  run Checkov
 function checkov() {
     # Start docker desktop if it's not running
     source "$PWD/.github/scripts/server.sh"
 
     # Run the docker container
-    docker run -it --rm \
+    docker run --rm \
         -v "$PWD":/tmp/lint --workdir /tmp/lint \
         bridgecrew/checkov \
         --directory /tmp/lint \
-        --soft-fail \
         --quiet
 }
 
-# Create a bash function to run trivy
+# Bash function to run Trivy
 function trivy() {
     # Start docker desktop if it's not running
     source "$PWD/.github/scripts/server.sh"
 
     # Run the docker container
-    docker run -it --rm \
+    docker run --rm \
         -v "$PWD":/tmp/lint --workdir /tmp/lint \
         aquasec/trivy:latest \
-        fs --scanners vuln,config,secret .
+        fs --scanners vuln,config,secret . \
+        --severity CRITICAL,HIGH,MEDIUM
+}
+
+# Bash function to return the names of all the changed files
+function get_changed_files() {
+    # Get the list of changed files
+    git --no-pager diff --stat
+}
+
+# Bash function to run kubescape checks
+function kube_scape() {
+    # Install Kubescape if it's not installed
+    if ! command -v kubescape &>/dev/null; then
+        echo "==> Installing Kubescape"
+        brew install kubescape
+    else
+        # Scan running Kubernetes cluster
+        echo "==> Scanning running Kubernetes cluster"
+        kubescape scan
+    fi
 }

.github/workflows/ci.yml

@@ -8,14 +8,39 @@ on:
 permissions: read-all
 
 jobs:
-  lint:
-    # Run GH Super-Linter against code base
+  scan:
     runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+
+      # Add the super-linter env file to the GITHUB_ENV
       - run: cat .github/super-linter.env >> "$GITHUB_ENV"
+
+      # Scan with GH Super-Linter slim
       - name: Lint Code Base
         uses: super-linter/super-linter/slim@v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DEFAULT_BRANCH: main
+
+      # Scan with Checkov
+      - name: Checkov Scan
+        uses: bridgecrewio/checkov-action@master
+        with:
+          quiet: true
+          output_format: github_failed_only
+
+      # Scan with Trivy
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln,config,secret"
+
+      # Scan with Kubescape
+      - uses: kubescape/github-action@main
+        continue-on-error: true
+        with:
+          severityThreshold: medium

Taskfile.yaml

@@ -39,22 +39,30 @@ tasks:
   tf_init:
     desc: "Initialize terraform"
     cmds:
-      - terraform -chdir='{{fromSlash "kube/bootstrap"}}' init
+      - terraform -chdir='{{fromSlash "kube/minik8s"}}' init
     status: # If terraform is initialized, skip the task
-      - terraform -chdir='{{fromSlash "kube/bootstrap"}}' state list
+      - terraform -chdir='{{fromSlash "kube/minik8s"}}' state list
 
   deploy:
     desc: "Bootstrap cluster and deploy apps"
     cmds:
       - task: create
       - task: tf_init
-      - terraform -chdir='{{fromSlash "kube/bootstrap"}}' test
-      - terraform -chdir='{{fromSlash "kube/bootstrap"}}' apply -auto-approve
+      - terraform -chdir='{{fromSlash "kube/minik8s"}}' test
+      - terraform -chdir='{{fromSlash "kube/minik8s"}}' apply -auto-approve
 
   delete:
     desc: "Delete cluster"
     cmds:
       - k3d cluster delete {{.CLUSTER_NAME}}
-      - '{{if eq OS "linux"}}rm -rf kube/bootstrap/.terraf*{{end}}'
+      - '{{if eq OS "linux"}}rm -rf kube/minik8s/.terraf*{{end}}'
       - '{{if eq OS "windows"}}powershell Remove-Item "kube\bootstrap\.terraf*" -Recurse -Force{{end}}'
     silent: true
+
+  test:
+    desc: "Run static tests"
+    cmds:
+      - task: run:lint
+      - task: run:trivy
+      - task: run:checkov
+      - task: run:diff