Skip to content

chore(ci): Added terrascan support for K8s manifests #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
GabrielPalmar merged 13 commits into from
Jun 25, 2025
Merged

chore(ci): Added terrascan support for K8s manifests #43

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
26a9605
chore(ci): Added terrascan support for K8s manifests
GabrielPalmar Jun 23, 2025
dddfb74
fix(ci): Resolved terrascan versioning
GabrielPalmar Jun 23, 2025
158d35b
fix(ci): Removed Sarif
GabrielPalmar Jun 23, 2025
2f844f7
fix(k8s): Resolved terrascan warnings
GabrielPalmar Jun 23, 2025
f7df469
fix(k8s): Resolved terrascan warnings pt. 2
GabrielPalmar Jun 23, 2025
66fdca2
fix(k8s): Resolved terrascan warnings pt. 3
GabrielPalmar Jun 23, 2025
d232a46
fix(ci): Bug related to terrascan
GabrielPalmar Jun 24, 2025
541f4fb
fix(ci): Bug related to terrascan pt. 2
GabrielPalmar Jun 24, 2025
2445ea5
fix(ci): Bug related to terrascan pt. 3
GabrielPalmar Jun 24, 2025
f999bc5
fix(ci): Bug related to terrascan pt. 4
GabrielPalmar Jun 24, 2025
000d27d
fix(ci): Skipping rule AC_K8S_0080
GabrielPalmar Jun 24, 2025
7c0f816
fix(ci): Skipping rule AC_K8S_0080 pt.2
GabrielPalmar Jun 24, 2025
a566e3a
fix(ci): Skipping rule AC_K8S_0080 pt.3
GabrielPalmar Jun 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions .github/workflows/terrascan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
name: Terrascan IaC scanner

on:
push:
branches:
- main
pull_request:
branches:
- main

permissions:
pull-requests: read
contents: read

jobs:
Analysis:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Terrascan
uses: tenable/terrascan-action@v1.4.1
with:
iac_type: k8s
iac_version: v1
iac_dir: k8s
policy_type: k8s
verbose: true
skip_rules: AC_K8S_0080
only_warn: true
41 changes: 40 additions & 1 deletion k8s/deployment.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,19 +13,58 @@ spec:
metadata:
labels:
app: hivebox
annotations:
container.apparmor.security.beta.kubernetes.io/hivebox: runtime/default
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: hivebox
image: ghcr.io/gabrielpalmar/hivebox:latest
image: ghcr.io/gabrielpalmar/hivebox:0.4.0@sha256:31dccc066ffd02ef65850ed8125fc2dadf0bd65958fb49bee0517e40afab2e1c
ports:
- containerPort: 5000
env:
- name: FLASK_ENV
value: "production"
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALL
resources:
limits:
memory: "512Mi"
cpu: "500m"
requests:
memory: "256Mi"
cpu: "250m"
livenessProbe:
httpGet:
path: /version
port: 5000
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /version
port: 5000
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
volumeMounts:
- name: tmp-volume
mountPath: /tmp
volumes:
- name: tmp-volume
emptyDir: {}