make: Target for security scan

2025-11-02 17:11:44 +01:00 · 2022-01-17 15:06:50 +00:00 · 2022-01-17 15:06:50 +00:00 · e286f74647
commit e286f74647
parent b8a05f4197
1 changed files with 6 additions and 1 deletions
--- a/7
+++ b/7
@ -9,7 +9,8 @@ JSONNET_BIN=$(BIN_DIR)/jsonnet
 JSONNETLINT_BIN=$(BIN_DIR)/jsonnet-lint
 JSONNETFMT_BIN=$(BIN_DIR)/jsonnetfmt
 KUBECONFORM_BIN=$(BIN_DIR)/kubeconform
-TOOLING=$(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETLINT_BIN) $(JSONNETFMT_BIN) $(KUBECONFORM_BIN) $(MDOX_BIN)
+KUBESCAPE_BIN=$(BIN_DIR)/kubescape
+TOOLING=$(JB_BIN) $(GOJSONTOYAML_BIN) $(JSONNET_BIN) $(JSONNETLINT_BIN) $(JSONNETFMT_BIN) $(KUBECONFORM_BIN) $(MDOX_BIN) $(KUBESCAPE_BIN)

 JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s

@ -63,6 +64,10 @@ validate-1.23:
 kubeconform: crdschemas manifests $(KUBECONFORM_BIN)
 	$(KUBECONFORM_BIN) -kubernetes-version $(KUBE_VERSION) -schema-location 'default' -schema-location 'crdschemas/{{ .ResourceKind }}.json' -skip CustomResourceDefinition manifests/

+.PHONY: kubescape
+kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above 40%
+	$(KUBESCAPE_BIN) scan -s framework -t 40 nsa manifests/*.yaml
+
 .PHONY: fmt
 fmt: $(JSONNETFMT_BIN)
 	find . -name 'vendor' -prune -o -name '*.libsonnet' -print -o -name '*.jsonnet' -print | \