diff --git a/.github/workflow/build.yml b/.github/workflow/build.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f32ff136631779d05b16f26eed6dce2748e58d0c
--- /dev/null
+++ b/.github/workflow/build.yml
@@ -0,0 +1,38 @@
+name: Build
+on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - "*.md"
+ - "LICENSE"
+ - "NOTICE"
+ pull_request:
+ paths-ignore:
+ - "*.md"
+ - "LICENSE"
+ - "NOTICE"
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-18.04
+ steps:
+ - name: Setup Go
+ uses: actions/setup-go@v1
+ with:
+ go-version: 1.15
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: yaml-lint
+ uses: ibiqlik/action-yamllint@v3
+ - name: Run unit tests
+ run: make tests
+ - name: Upload code coverage
+ uses: codecov/codecov-action@v1
+ with:
+ file: ./coverage.txt
+ - name: Dry-run release snapshot
+ uses: goreleaser/goreleaser-action@v2
+ with:
+ version: v0.148.0
+ args: release --snapshot --skip-publish --rm-dist
diff --git a/.github/workflow/publish-ecr.yml b/.github/workflow/publish-ecr.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c6014e8c7280efecd3c348a1df3a50cff96ee3c8
--- /dev/null
+++ b/.github/workflow/publish-ecr.yml
@@ -0,0 +1,37 @@
+name: Publish-ECR
+on:
+ push:
+ tags:
+ - "v*"
+
+jobs:
+ deploy:
+ name: Publish to Amazon ECR
+ runs-on: ubuntu-18.04
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: us-east-1
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Install AWS Cli 2.0
+ run: |
+ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+ unzip awscliv2.zip
+ sudo ./aws/install
+ - name: Get the version
+ id: vars
+ run: echo ::set-output name=tag::$(echo ${GITHUB_REF:10})
+ - name: Publish to ECR
+ env:
+ IMAGE_TAG: ${{steps.vars.outputs.tag}}
+ REP_NAME: kube-bench
+ ALIAS: aquasecurity
+ run: |
+ aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/$ALIAS
+ docker build -t $REP_NAME:$IMAGE_TAG .
+ docker tag $REP_NAME:$IMAGE_TAG public.ecr.aws/$ALIAS/$REP_NAME:$IMAGE_TAG
+ docker push public.ecr.aws/$ALIAS/$REP_NAME:$IMAGE_TAG
diff --git a/.github/workflow/publish.yml b/.github/workflow/publish.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7279e6d1ebd506c9d0a60023b8cb74abbac487e0
--- /dev/null
+++ b/.github/workflow/publish.yml
@@ -0,0 +1,52 @@
+name: Publish
+on:
+ push:
+ tags:
+ - "v*"
+jobs:
+ publish:
+ name: Publish
+ runs-on: ubuntu-18.04
+ steps:
+ - name: Check Out Repo
+ uses: actions/checkout@v2
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+ - name: Cache Docker layers
+ uses: actions/cache@v2
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-buildx-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-buildx-
+ - name: Login to Docker Hub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v1
+ - name: Docker meta
+ id: docker_meta
+ uses: crazy-max/ghaction-docker-meta@v1
+ with:
+ images: aquasec/kube-bench
+ tag-semver: |
+ {{version}}
+ - name: Build and push
+ id: docker_build
+ uses: docker/build-push-action@v2
+ with:
+ context: ./
+ file: ./Dockerfile
+ platforms: linux/amd64,linux/arm64,linux/386
+ builder: ${{ steps.buildx.outputs.name }}
+ push: true
+ tags: |
+ ${{ steps.docker_meta.outputs.tags }}
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache
+ labels: ${{ steps.docker_meta.outputs.labels }}
+ - name: Image digest
+ run: echo ${{ steps.docker_build.outputs.digest }}
diff --git a/.github/workflow/release.yml b/.github/workflow/release.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e1991f4e4b482b50ec1d12f0b3159e04743fad4a
--- /dev/null
+++ b/.github/workflow/release.yml
@@ -0,0 +1,29 @@
+name: Release
+on:
+ push:
+ tags:
+ - "v*"
+jobs:
+ release:
+ name: Release
+ runs-on: ubuntu-18.04
+ steps:
+ - name: Setup Go
+ uses: actions/setup-go@v1
+ with:
+ go-version: 1.15
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Run unit tests
+ run: make tests
+ - name: Upload code coverage
+ uses: codecov/codecov-action@v1
+ with:
+ file: ./coverage.txt
+ - name: Release
+ uses: goreleaser/goreleaser-action@v2
+ with:
+ version: v0.148.0
+ args: release --rm-dist
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
index 00439b9d640d20741ff716eb1b369d32b8ab1042..4656264d90dc5a374b9c6d36eb536446e07a0f98 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,22 @@
+[![GitHub Release][release-img]][release]
+![Downloads][download]
+![Docker Pulls][docker-pull]
+[![Go Report Card][report-card-img]][report-card]
[](https://travis-ci.org/aquasecurity/kube-bench)
[](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE)
[](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com")
[](https://microbadger.com/images/aquasec/kube-bench)
[![Coverage Status][cov-img]][cov]
+[download]: https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github
+[release-img]: https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github
+[release]: https://github.com/aquasecurity/kube-bench/releases
+[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench
[cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg
[cov]: https://codecov.io/github/aquasecurity/kube-bench
+[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench
+[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-bench
+
<img src="images/kube-bench.png" width="200" alt="kube-bench logo">
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).