Merge pull request #43 from draios/nishantkavuru-patch-1

feat [DEVX-2314] Update kube bench to fix the build git workflow

Author: nishantkavuru

.github/workflows/build.yml

@@ -16,26 +16,26 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5.3.0
         with:
-          go-version: 1.16
+          go-version: 1.23.6
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4.2.2
       - name: yaml-lint
         uses: ibiqlik/action-yamllint@v3
       - name: Run unit tests
         run: make tests
       - name: Upload code coverage
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v5.3.1
         with:
           file: ./coverage.txt
       - name: Run integration tests
         run: make integration-tests
       - name: Dry-run release snapshot
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v6.2.1
         with:
-          version: v0.148.0
-          args: release --snapshot --skip-publish --rm-dist
+          version: '~> v2'
+          args: release --snapshot --skip publish --clean

.github/workflows/publish.yml

@@ -12,44 +12,44 @@ env:
 jobs:
   publish:
     name: Publish
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
       - name: Check Out Repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4.2.2
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3.4.0
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v1
       - name: Cache Docker layers
-        uses: actions/cache@v2
+        uses: actions/cache@v4.2.1
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildxarch-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildxarch-
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Login to ECR
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: public.ecr.aws
           username: ${{ secrets.ECR_ACCESS_KEY_ID }}
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
       - name: Get version
         id: get_version
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: crazy-max/ghaction-docker-meta@v3.3.1
         with:
           images: ${{ env.REP }}
           tag-semver: |
             {{version}}
 
       - name: Build and push - Docker/ECR
         id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v6.13.0
         with:
           context: .
           platforms: linux/amd64

.github/workflows/release.yml

@@ -7,22 +7,22 @@ on:
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5.3.0
         with:
-          go-version: 1.16
+          go-version: 1.23.6
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4.2.2
       - name: Run unit tests
         run: make tests
       - name: Run integration tests
         run: make integration-tests
       - name: Release
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v6.2.1
         with:
-          version: v0.148.0
+          version: '~> v2'
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yml

@@ -1,4 +1,6 @@
 ---
+version: 2
+
 env:
   - GO111MODULE=on
   - KUBEBENCH_CFG=/etc/kube-bench/cfg
@@ -20,7 +22,7 @@ builds:
 # Archive customization
 archives:
   - id: default
-    format: tar.gz
+    formats: ['tar.gz']
     name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}'
     files:
       - "cfg/**/*"
@@ -32,9 +34,17 @@ nfpms:
     description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices"
     license: Apache-2.0
     homepage: https://github.com/aquasecurity/kube-bench
-    files:
-      "cfg/**/*": "/etc/kube-bench/cfg"
-      "cfg/config.yaml": "/etc/kube-bench/cfg"
+    contents:
+      - src: "cfg/**/*"
+        dst: "/etc/kube-bench/cfg"
+        file_info:
+          mode: 0644
+          mtime: "{{ .CommitDate }}"
+      - src: "cfg/config.yaml"
+        dst: "/etc/kube-bench/cfg"
+        file_info:
+          mode: 0644
+          mtime: "{{ .CommitDate }}"
     formats:
       - deb
       - rpm

Dependency-Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23 AS builder
+FROM golang:1.23.6 AS builder
 
 ENV OUTPUT_DIR=/out
 ENV KUBECTL_VERSION="v1.31.4"

Dependency-Dockerfile_linux_arm64

@@ -1,4 +1,4 @@
-FROM golang:1.23 AS builder
+FROM golang:1.23.6 AS builder
 
 ENV OUTPUT_DIR=/out
 ENV KUBECTL_VERSION="v1.31.4"

Dependency-Dockerfile_linux_s390x

@@ -1,4 +1,4 @@
-FROM golang:1.23 AS builder
+FROM golang:1.23.6 AS builder
 
 ENV OUTPUT_DIR=/out
 ENV KUBECTL_VERSION="v1.31.4"

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23 AS build
+FROM golang:1.23.6 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY go.mod go.sum ./
 COPY main.go .

cfg/rh-1.0/policies.yaml

@@ -275,7 +275,7 @@ groups:
       - id: 5.2.9
         text: "Minimize the admission of containers with capabilities assigned (Manual)"
         audit: |
-          for i in `oc get scc --template '{{range.items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do 
+          for i in `oc get scc --template '{{range.items}}{{.metadata.name}}{{"\n"}}{{end}}'`; do
               echo "Capabilities=$(oc describe scc $i | grep "Required Drop Capabilities" | sed 's/[[:blank:]]*Required[[:blank:]]*Drop[[:blank:]]*Capabilities:[[:blank:]]*//')"
           done
         use_multiple_values: true
@@ -436,9 +436,9 @@ groups:
           oc get all -n default -o jsonpath="{range .items[*]}{.metadata.name}{'\n'}{end}{'\n'}" | tr '\n' ',' | sed -e 's/^/default-namespace-items=/' -e 's/,$//' -e 's/=$/=<none>/' -e 's/,$//'
         tests:
           test_items:
-            - flag: "default-namespace-items" 
-              compare: 
-                op: eq 
+            - flag: "default-namespace-items"
+              compare:
+                op: eq
                 value: "<none>"
         remediation: |
           Ensure that namespaces are created to allow for appropriate segregation of Kubernetes

go.mod

@@ -1,78 +1,86 @@
 module github.com/aquasecurity/kube-bench
 
-go 1.23
+go 1.23.6
 
 require (
 	github.com/aws/aws-sdk-go v1.35.28
-	github.com/fatih/color v1.5.0
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
-	github.com/jinzhu/gorm v0.0.0-20160404144928-5174cc5c242a
-	github.com/magiconair/properties v1.8.0
-	github.com/onsi/ginkgo v1.10.1
+	github.com/fatih/color v1.18.0
+	github.com/golang/glog v1.2.4
+	github.com/jinzhu/gorm v1.9.16
+	github.com/magiconair/properties v1.8.9
+	github.com/onsi/ginkgo v1.16.5
 	github.com/pkg/errors v0.9.1
-	github.com/spf13/cobra v0.0.3
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/viper v1.4.0
-	github.com/stretchr/testify v1.4.0
-	gopkg.in/yaml.v2 v2.2.8
+	github.com/stretchr/testify v1.5.1
+	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b
 	k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d
 	k8s.io/client-go v11.0.0+incompatible
-	sigs.k8s.io/kind v0.5.1
+	sigs.k8s.io/kind v0.27.0
 )
 
 require (
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/denisenkom/go-mssqldb v0.0.0-20190515213511-eb9f6a1743f3 // indirect
+	github.com/denisenkom/go-mssqldb v0.0.0-20191124224453-732737034ffd // indirect
 	github.com/emicklei/go-restful v2.9.6+incompatible // indirect
 	github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 // indirect
 	github.com/evanphx/json-patch v4.5.0+incompatible // indirect
-	github.com/fsnotify/fsnotify v1.4.7 // indirect
+	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/go-openapi/jsonpointer v0.19.2 // indirect
 	github.com/go-openapi/jsonreference v0.19.2 // indirect
 	github.com/go-openapi/spec v0.19.2 // indirect
 	github.com/go-openapi/swag v0.19.2 // indirect
-	github.com/go-sql-driver/mysql v1.4.1 // indirect
+	github.com/go-sql-driver/mysql v1.5.0 // indirect
 	github.com/gogo/protobuf v1.2.1 // indirect
-	github.com/golang/protobuf v1.3.1 // indirect
+	github.com/golang/protobuf v1.4.2 // indirect
 	github.com/google/gofuzz v1.0.0 // indirect
+	github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
 	github.com/googleapis/gnostic v0.3.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.5 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/jinzhu/inflection v0.0.0-20170102125226-1c35d901db3d // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.0.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.6 // indirect
 	github.com/konsorten/go-windows-terminal-sequences v1.0.1 // indirect
-	github.com/lib/pq v0.0.0-20171126050459-83612a56d3dd // indirect
+	github.com/lib/pq v1.1.1 // indirect
 	github.com/mailru/easyjson v0.0.0-20190620125010-da37f6c1e481 // indirect
-	github.com/mattn/go-colorable v0.0.0-20170210172801-5411d3eea597 // indirect
-	github.com/mattn/go-isatty v0.0.0-20170307163044-57fdcb988a5c // indirect
-	github.com/mattn/go-sqlite3 v1.10.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-sqlite3 v1.14.0 // indirect
 	github.com/mitchellh/mapstructure v1.1.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
-	github.com/pelletier/go-toml v1.2.0 // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.4.1 // indirect
 	github.com/spf13/afero v1.2.2 // indirect
 	github.com/spf13/cast v1.3.0 // indirect
 	github.com/spf13/jwalterweatherman v1.0.0 // indirect
-	github.com/spf13/pflag v1.0.3 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.2.0 // indirect
-	golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8 // indirect
-	golang.org/x/net v0.0.0-20200202094626-16171245cfb2 // indirect
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 // indirect
+	golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
+	golang.org/x/sys v0.25.0 // indirect
 	golang.org/x/text v0.4.0 // indirect
 	golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect
 	google.golang.org/appengine v1.5.0 // indirect
+	google.golang.org/protobuf v1.23.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog v0.3.3 // indirect
 	k8s.io/kube-openapi v0.0.0-20190603182131-db7b694dc208 // indirect
 	k8s.io/utils v0.0.0-20191114200735-6ca3b61696b6 // indirect
 	sigs.k8s.io/kustomize/v3 v3.1.1-0.20190821175718-4b67a6de1296 // indirect
-	sigs.k8s.io/yaml v1.1.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )