Helm Scan With GitHub Actions & K8s Advisor

GitHub Actions is a recent continuous integration (CI) and continuous deployment (CD) service from GitHub. GitHub Actions powers GitHub's built-in continuous integration service. In its essence, GitHub Actions help developers automate software development workflows in the same place they store code and collaborate on pull requests and issues.

GitHub Actions enable developers to write individual tasks, called actions, and combine them to create a custom workflow. Workflows are custom automated processes that developers can set up in their repository to build, test, package, release, or deploy any code project on GitHub.

Create Kubernetes KIND Cluster

Kubernetes IN Docker, KIND, is a tool to create local clusters for testing Kubernetes using Docker containers. KIND was primarily designed for testing Kubernetes itself but may be used for local development or CI.

Multi-node clusters and other advanced features may be configured with a config file - the detailed usage information and documentation are here. GitHub Actions has a marketplace for reusable actions, and the folks behind Helm already managed to put together Kind Cluster, a reusable action that can be plugged into GitHub’s automation workflow.

Security Scanning of Helm Charts with GitHub Actions Workflow

Alcide Advisor, an API driven, Kubernetes security and hygiene scanner, has a wide integration surface into the continuous deployment (CD) platforms. However, GitHub's actions combined with KIND, introduce an interesting approach for scanning helm charts in continuous integration (CI) stage.
In the example below, a GitHub workflow has 3 sequential jobs:

1. Build
2. Test
3. Advisor Scan

The Advisor Scan Job performs the following steps:

1. Download Helm 3
2. Launch Kind Cluster using a GitHub Action
3. Install a chart (uswitch kiam in this example) into a specific namespace
4. Download Alcide Advisor scanner
5. Scan with Alcide Advisor the namespace into which kiam was installed
6. Publish the scan report into the pipeline artifacts

Conclusion

Helm is the de-facto tool for collaborating when creating, installing, and managing applications inside of Kubernetes. Rendering helm charts with configuration into a cluster that can be scanned by Alcide Advisor, opens the door for developers & DevOps to ‘get a handle‘ on the security and hygiene level of new helm charts as well as helm charts changes. To see the full pipeline example go to https://github.com/alcideio/pipeline