[Security] Harden IaC based on Sysdig CLI Scanner results #409

Open
wants to merge 47 commits into
base: main
47 commits
2083638
Add Sysdig CLI scan workflow
higakikeita Jul 15, 2025
ea50a2a
Fix: corrected scan.yml quoting for GitHub Actions
higakikeita Jul 15, 2025
6d6c40a
fix: correct voting-app Docker path to ./vote
higakikeita Jul 15, 2025
c1b03df
fix: correct CLI scanner download URL
higakikeita Jul 15, 2025
d15504c
trigger scan
higakikeita Jul 15, 2025
e2f6459
correct scan.yml
higakikeita Jul 15, 2025
bc41329
correct CLI version scan.yml
higakikeita Jul 15, 2025
ad83a35
Add Sysdig image scan workflow
higakikeita Jul 15, 2025
3729c8d
Add Sysdig image scan workflow
higakikeita Jul 15, 2025
291018b
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
ffecc38
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
33dd483
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
3594936
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
5915318
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
a045331
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
b94af43
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
8fb5b78
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
ea473d1
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
8896a06
correct Sysdig image scan workflow
higakikeita Jul 15, 2025
b230cc5
correct Sysdig image scan workflow
higakikeita Jul 16, 2025
d2502e5
correct Sysdig image scan workflow
higakikeita Jul 16, 2025
4ee922e
correct Sysdig image scan workflow
higakikeita Jul 16, 2025
c10289d
correct Sysdig image scan workflow
higakikeita Jul 16, 2025
76e40d5
correct Sysdig image scan workflow
higakikeita Jul 16, 2025
6348a8d
final Sysdig image scan workflow
higakikeita Jul 16, 2025
72af093
final Sysdig image scan
higakikeita Jul 16, 2025
4936486
final Sysdig image scan
higakikeita Jul 16, 2025
ff0ff14
final Sysdig image scan
higakikeita Jul 16, 2025
d68086c
final Sysdig image scan
higakikeita Jul 16, 2025
698337e
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
0c0c174
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
bdf3d29
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
097f1d7
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
c22d653
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
143bf3b
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
a6eac46
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
f0a0b29
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
8d4fd5a
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
6612d2c
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
621e2e7
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
487ae85
Fix: Ensure SECURE_API_TOKEN is injected properly
higakikeita Jul 16, 2025
75f811c
Fix: Ensure SECURE_TOKEN is injected properly
higakikeita Jul 16, 2025
40634ca
Fix: Ensure SECURE_TOKEN is injected properly
higakikeita Jul 16, 2025
bd11814
Fix: Ensure SECURE_TOKEN is injected properly
higakikeita Jul 16, 2025
f0b136a
Fix: Ensure
higakikeita Jul 16, 2025
91bf861
Fix: Ensure
higakikeita Jul 16, 2025
bfb81b6
Harden Kubernetes IaC manifests based on Sysdig scan results
higakikeita Jul 16, 2025
42 changes: 42 additions & 0 deletions .github/workflows/scan.yml
@@ -0,0 +1,42 @@
name: Voting App Build & Scan

on:
push:
branches:
- main
pull_request:
workflow_dispatch:

jobs:
build-and-scan:
runs-on: ubuntu-latest

env:
SYS_DIG_SECURE_URL: https://app.au1.sysdig.com

steps:
- name: Checkout source
uses: actions/checkout@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Log in to DockerHub (optional)
if: ${{ secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN }}
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build Voting App images
run: |
docker build -t voting-app ./vote
docker build -t worker ./worker
docker build -t result ./result

- name: Scan image with Sysdig CLI Scanner
env:
SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
run: |
docker run --rm --platform linux/amd64 --user 0 -v "$(pwd)/scan-logs:/home/nonroot/scan-logs" -v /var/run/docker.sock:/var/run/docker.sock -e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}" quay.io/sysdig/sysdig-cli-scanner:1.22.4 --apiurl "$SYS_DIG_SECURE_URL" --loglevel info --skiptlsverify docker://voting-app
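Review bot: the `if: ${{ secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN }}` on the DockerHub login step will not even parse, because the `secrets` context is not available in step-level `if` conditions; copy the two secrets into `env:` on that step and test `env.DOCKERHUB_USERNAME != ''`, or drop the optional login. In the scan step, `--skiptlsverify` is passed while sending the Secure API token to `https://app.au1.sysdig.com`, which removes the only protection the token has in transit; remove the flag and fix the runner's CA bundle if verification genuinely fails. The same step already exports `SECURE_API_TOKEN` through `env:`, so `-e SECURE_API_TOKEN="${{ secrets.SECURE_API_TOKEN }}"` needlessly expands the secret into the shell script text; `-e SECURE_API_TOKEN` passes the variable through from the environment instead. Three images are built (`voting-app`, `worker`, `result`) but only `docker://voting-app` is scanned, and the `scan-logs` directory is never uploaded, so the findings this PR is "based on" are not visible in the run; scan all three and add an `actions/upload-artifact` step for `scan-logs`. Mounting `/var/run/docker.sock` and running the scanner with `--user 0` gives that container root-equivalent control of the runner; if the `docker://` source is not required, `docker save` to a tarball and scan the archive instead. Minor: `pull_request` runs from forks have no `SECURE_API_TOKEN`, so the scan step needs a guard or the trigger should be limited, and `actions/checkout@v3`, `docker/setup-buildx-action@v2` and `docker/login-action@v2` are superseded by their current major versions.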

47 changes: 29 additions & 18 deletions k8s-specifications/db-deployment.yaml
@@ -1,8 +1,6 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: db
name: db
spec:
replicas: 1
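Review bot: judging by the `-1,8 +1,6` counts, the two lines dropped here are the `labels:` / `app: db` block under `metadata:`, so the Deployment object loses its `app` label while the pod template in the next hunk keeps it. Services select on pod labels, so routing is unaffected, but `kubectl get deploy -l app=db` and any label-based policy, Kyverno/OPA exception or monitoring selector stop matching the Deployment; unless the scanner actually flagged these labels, keep them. The same deletion appears in the first hunk of the redis, result, vote and worker manifests.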
Expand All @@ -14,20 +12,33 @@ spec:
labels:
app: db
spec:
serviceAccountName: default
containers:
- image: postgres:15-alpine
name: postgres
env:
- name: POSTGRES_USER
value: postgres
- name: POSTGRES_PASSWORD
value: postgres
ports:
- containerPort: 5432
name: postgres
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: db-data
volumes:
- name: db-data
emptyDir: {}
- name: postgres
image: postgres:15
securityContext:
runAsUser: 1000
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 5
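Review bot: this container will not come up. The `env:` block with `POSTGRES_USER` / `POSTGRES_PASSWORD` was deleted along with the ports and volumes, and the official postgres image refuses to initialise without `POSTGRES_PASSWORD`; the hardened form is a `valueFrom.secretKeyRef` to a Secret, not removal. `readOnlyRootFilesystem: true` together with `runAsUser: 1000` and no writable volume means initdb cannot write `/var/lib/postgresql/data` or `/var/run/postgresql`, so restore the `db-data` volume (emptyDir or a PVC) and add an emptyDir at `/var/run/postgresql`. Both probes use `httpGet` on port 80, but postgres speaks its own protocol on 5432, so every probe fails and the pod is restarted indefinitely; use `tcpSocket` on port 5432 or an `exec` probe running `pg_isready -U postgres`. Also note that the image silently moved from `postgres:15-alpine` to `postgres:15` (a different base with a different CVE surface, so the scan should be re-run against it), the `containerPort: 5432` declaration is gone, and since the database never calls the Kubernetes API, `automountServiceAccountToken: false` is a more useful hardening than the explicit `serviceAccountName: default`.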
42 changes: 29 additions & 13 deletions k8s-specifications/redis-deployment.yaml
@@ -1,8 +1,6 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: redis
name: redis
spec:
replicas: 1
Expand All @@ -14,15 +12,33 @@ spec:
labels:
app: redis
spec:
serviceAccountName: default
containers:
- image: redis:alpine
name: redis
ports:
- containerPort: 6379
name: redis
volumeMounts:
- mountPath: /data
name: redis-data
volumes:
- name: redis-data
emptyDir: {}
- name: redis
image: redis:7
securityContext:
runAsUser: 1000
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 5
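Review bot: the probes are wrong for this workload: redis listens on 6379 and has no HTTP endpoint, so `httpGet` on port 80 fails on every check and the liveness probe restarts the pod in a loop; use `tcpSocket` on port 6379 or an `exec` probe with `redis-cli ping`. Removing the `/data` emptyDir while adding `readOnlyRootFilesystem: true` is also likely to bite: `redis:7` periodically writes `dump.rdb` into `/data`, and with a read-only working directory the background save fails, after which redis's default `stop-writes-on-bgsave-error yes` rejects write commands from the vote app. Keep a writable volume at `/data` (an emptyDir is enough here) or disable RDB persistence explicitly. As with the db manifest, the image changed from `redis:alpine` to `redis:7` without mention, the `containerPort: 6379` declaration is gone, and `automountServiceAccountToken: false` would do more than `serviceAccountName: default`.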
36 changes: 29 additions & 7 deletions k8s-specifications/result-deployment.yaml
@@ -1,8 +1,6 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: result
name: result
spec:
replicas: 1
Expand All @@ -14,9 +12,33 @@ spec:
labels:
app: result
spec:
serviceAccountName: default
containers:
- image: dockersamples/examplevotingapp_result
name: result
ports:
- containerPort: 80
name: result
- name: result
image: dockersamples/examplevotingapp_result
securityContext:
runAsUser: 1000
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 5
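Review bot: `runAsUser: 1000` with `capabilities.drop: [ALL]` will stop this container from starting, because the result service binds port 80 by default and an unprivileged process cannot bind a port below 1024 without `NET_BIND_SERVICE`. The clean fix is to run the app on a high port and keep the hardening: set a `PORT` environment variable (for example 8080, a value chosen here, not one from the page), point both probes, the `containerPort` and the Service `targetPort` at it, rather than adding the capability back. The `containerPort: 80` declaration was removed in the same change and should return with the new value. Separately, `dockersamples/examplevotingapp_result` carries no tag, so `latest` is pulled and the deployed image is not the `result` image the workflow builds, nor anything the scanner looked at; pin a tag or digest so the scan result and the deployment refer to the same artifact.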
36 changes: 29 additions & 7 deletions k8s-specifications/vote-deployment.yaml
@@ -1,8 +1,6 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: vote
name: vote
spec:
replicas: 1
Expand All @@ -14,9 +12,33 @@ spec:
labels:
app: vote
spec:
serviceAccountName: default
containers:
- image: dockersamples/examplevotingapp_vote
name: vote
ports:
- containerPort: 80
name: vote
- name: vote
image: dockersamples/examplevotingapp_vote
securityContext:
runAsUser: 1000
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 5
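Review bot: same port-binding problem as the result manifest: the vote service listens on port 80, and with `runAsUser: 1000` and all capabilities dropped the bind is refused, so the pod never becomes ready. Move the listener to an unprivileged port and align `containerPort`, both probes and the Service `targetPort` with it. The more important inconsistency is that this manifest still deploys `dockersamples/examplevotingapp_vote` (untagged, so `latest`), while `scan.yml` builds and scans a local `voting-app` tag from `./vote`; the image that was scanned is not the image that ships. Either push the built image to a registry and reference it here by tag or digest, or scan the `dockersamples` image that is actually deployed.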
33 changes: 29 additions & 4 deletions k8s-specifications/worker-deployment.yaml
@@ -1,8 +1,6 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: worker
name: worker
spec:
replicas: 1
Expand All @@ -14,6 +12,33 @@ spec:
labels:
app: worker
spec:
serviceAccountName: default
containers:
- image: dockersamples/examplevotingapp_worker
name: worker
- name: worker
image: worker
securityContext:
runAsUser: 1000
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources:
requests:
cpu: "100m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 5
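Review bot: `image: worker` is a bare local tag with no registry or repository; the workflow builds it on the runner but never tags or pushes it, so cluster nodes will end in `ImagePullBackOff`, and it is inconsistent with the other four manifests, which keep their `dockersamples/...` references. Reference a pushed image by tag or digest. The probes are also wrong for this workload: the worker is a queue consumer with no HTTP listener, and the original manifest declared no ports at all, so `httpGet` on port 80 fails every time and the liveness probe kills the pod on a cycle. Drop the probes or replace them with an `exec` probe that checks something the worker actually does. The `securityContext` and `resources` blocks themselves are the right direction; as elsewhere, consider `automountServiceAccountToken: false` rather than the explicit `serviceAccountName: default`.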