add automatic pipeline to update admission controller checkov version

michalbil · Mar 2, 2022 · f7604c3 · f7604c3
1 parent f2ecbf4
commit f7604c3
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 3 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -170,8 +170,9 @@ jobs:
           ## update python version
           echo "version = '$new_tag'" > 'checkov/version.py'
           echo "checkov==$new_tag" > 'kubernetes/requirements.txt'
+          echo "checkov==$new_tag" > 'admissioncontroller/checkov-requirements.txt'
 
-          git commit --reuse-message=HEAD@{1} checkov/version.py kubernetes/requirements.txt || echo "No changes to commit"
+          git commit --reuse-message=HEAD@{1} checkov/version.py kubernetes/requirements.txt admissioncontroller/checkov-requirements.txt || echo "No changes to commit"
           git push origin
           git tag $new_tag
           git push --tags
@@ -275,6 +276,29 @@ jobs:
           tags: "latest,${{ env.RELEASE_VERSION }},${{ env.RELEASE_MAJOR_VERSION }}"
           dockerfile: kubernetes/Dockerfile
           buildoptions: "--no-cache"
+  publish-checkov-admissioncontroller-dockerhub:
+    runs-on: [self-hosted, public, linux, x64]
+    needs: publish-package
+    steps:
+      - uses: actions/checkout@v2
+      - name: update checkov-k8s version
+        run: |
+          checkov_version=${{ needs.publish-package.outputs.version }}
+          checkov_major_version=$(echo "${checkov_version}" | head -c1)
+          echo ::set-env name=RELEASE_VERSION::$(echo $checkov_version)
+          echo ::set-env name=RELEASE_MAJOR_VERSION::$(echo $checkov_major_version)
+          echo $RELEASE_VERSION
+        env:
+          ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
+      - name: Publish to Registry
+        uses: elgohr/Publish-Docker-Github-Action@master
+        with:
+          name: bridgecrew/whorf
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          tags: "latest,${{ env.RELEASE_VERSION }},${{ env.RELEASE_MAJOR_VERSION }}"
+          dockerfile: admissioncontroller/Dockerfile
+          buildoptions: "--no-cache"
   update-bridgecrew-projects:
     needs: publish-checkov-dockerhub
     runs-on: [self-hosted, public, linux, x64]

diff --git a/admissioncontroller/Dockerfile b/admissioncontroller/Dockerfile
@@ -3,7 +3,11 @@ FROM python:3.9.7-slim
 RUN apt-get update -y && apt-get install -y python3-pip python-dev
 WORKDIR /app
 COPY requirements.txt /app/requirements.txt
+COPY checkov-requirements.txt /app/checkov-requirements.txt
+
 RUN pip3 install -r /app/requirements.txt
+RUN pip3 install -r /app/checkov-requirements.txt
+
 COPY whorf.py /app
 COPY wsgi.py /app
 

diff --git a/admissioncontroller/checkov-requirements.txt b/admissioncontroller/checkov-requirements.txt
@@ -0,0 +1 @@
+checkov==2.0.911
diff --git a/admissioncontroller/k8s/deployment.yaml b/admissioncontroller/k8s/deployment.yaml
@@ -31,7 +31,7 @@ spec:
             drop:
               - ALL
               - NET_RAW
-        image: eurogig/whorf@sha256:5e8fbbda58cce84226c4ddcdff50a28e3806252b5c5af1de9d82565e7be44dc0
+        image: bridgecrew/whorf
         imagePullPolicy: Always
         resources:
           limits:

diff --git a/admissioncontroller/requirements.txt b/admissioncontroller/requirements.txt
@@ -7,5 +7,4 @@ MarkupSafe==2.0.1
 python-dotenv==0.18.0
 Werkzeug==2.0.1
 gunicorn==20.1.0
-checkov==2.0.801
 pyyaml==5.4.1