khulnasoft-lab · NxPKG · Jul 8, 2024 · Jul 8, 2024 · Jul 8, 2024 · Jul 8, 2024
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -2,8 +2,8 @@
 blank_issues_enabled: false
 contact_links:
   - name: Feature request
-    url: https://github.com/khulnasoft/kube-bench/discussions/new?category_id=19113743
+    url: https://github.com/khulnasoft-lab/kube-bench/discussions/new?category_id=19113743
     about: Share ideas for new features
   - name: Ask a question
-    url: https://github.com/khulnasoft/kube-bench/discussions/new?category_id=19113742
+    url: https://github.com/khulnasoft-lab/kube-bench/discussions/new?category_id=19113742
     about: Ask questions and discuss with other community members
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,7 +1,6 @@
 ---
 name: Build
 on:
-  workflow_dispatch:
   push:
     branches:
       - main
@@ -30,8 +29,10 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
       - name: Checkout code
         uses: actions/checkout@v4
+      - name: yaml-lint
+        uses: ibiqlik/action-yamllint@v3
       - name: Setup golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v4
         with:
           version: v1.57.2
           args: --verbose
@@ -94,7 +95,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Dry-run release snapshot
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: v1.7.0

diff --git a/.github/workflows/mkdocs-deploy.yaml b/.github/workflows/mkdocs-deploy.yaml
@@ -29,7 +29,7 @@ jobs:
           pip install mkdocs-macros-plugin
         env:
           # Note: It is not the same as ${{ secrets.GITHUB_TOKEN }} !
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
       - run: |
           git config user.name "khulnasoft-bot"
           git config user.email "khulnasoft-bot@users.noreply.github.com"

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -9,6 +9,7 @@ env:
   ALIAS: khulnasoft
   DOCKERHUB_ALIAS: khulnasoft
   REP: kube-bench
+
 jobs:
   publish:
     name: Publish
@@ -31,17 +32,19 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_TOKEN }}
-
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Get version
         id: get_version
         uses: crazy-max/ghaction-docker-meta@v5
         with:
           images: ${{ env.REP }}
           tag-semver: |
             {{version}}
-
+      - name: Extract variables from makefile (kubectl)
+        id: extract_vars
+        run: |
+          echo "KUBECTL_VERSION=$(grep -oP '^KUBECTL_VERSION\s*\?=\s*\K.*' makefile)" >> $GITHUB_ENV
       - name: Build and push - Docker/ECR
         id: docker_build
         uses: docker/build-push-action@v5
@@ -52,6 +55,7 @@ jobs:
           push: true
           build-args: |
             KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
+            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
           tags: |
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:latest
@@ -69,6 +73,7 @@ jobs:
           file: Dockerfile.ubi
           build-args: |
             KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
+            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
           tags: |
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
           cache-from: type=local,src=/tmp/.buildx-cache/release
@@ -87,6 +92,7 @@ jobs:
           file: Dockerfile.fips.ubi
           build-args: |
             KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
+            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
           tags: |
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips
           cache-from: type=local,src=/tmp/.buildx-cache/release

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -44,7 +44,7 @@ jobs:
           second_file_path: integration/testdata/Expected_output.data
           expected_result: PASSED
       - name: Release
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: v1.7.0

diff --git a/.golangci.yaml b/.golangci.yaml
@@ -2,9 +2,11 @@
 linters:
   disable-all: true
   enable:
+    - deadcode
     - gocyclo
     - gofmt
     - goimports
     - govet
     - misspell
     - typecheck
+    - varcheck
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -27,8 +27,8 @@ builds:
       - "-s"
       - "-w"
       - "-extldflags '-static'"
-      - "-X github.com/khulnasoft/kube-bench/cmd.KubeBenchVersion={{.Version}}"
-      - "-X github.com/khulnasoft/kube-bench/cmd.cfgDir={{.Env.KUBEBENCH_CFG}}"
+      - "-X github.com/khulnasoft-lab/kube-bench/cmd.KubeBenchVersion={{.Version}}"
+      - "-X github.com/khulnasoft-lab/kube-bench/cmd.cfgDir={{.Env.KUBEBENCH_CFG}}"
 # Archive customization
 archives:
   - id: default
@@ -41,9 +41,9 @@ nfpms:
   -
     vendor: Khulnasoft Security
     description: "The Kubernetes Bench for Security is a Go application that checks whether Kubernetes is deployed according to security best practices"
-    maintainer: KhulnaSoft DevOps <security@khulnasoft.com>
+    maintainer: Yoav Rotem <yoav.rotem@khulnasoft.com>
     license: Apache-2.0
-    homepage: https://github.com/khulnasoft/kube-bench
+    homepage: https://github.com/khulnasoft-lab/kube-bench
     file_name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}'
     contents:
       - src: "cfg/**/*"

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -17,7 +17,7 @@ Thank you for taking an interest in contributing to kube-bench !
 
 If you think you have found a bug please follow the instructions below.
 
-- Open a [new bug](https://github.com/khulnasoft/kube-bench/issues/new?assignees=&labels=&template=bug_report.md) if a duplicate doesn't already exist.
+- Open a [new bug](https://github.com/khulnasoft-lab/kube-bench/issues/new?assignees=&labels=&template=bug_report.md) if a duplicate doesn't already exist.
 - Make sure to give as much information as possible in the following questions
   - Overview
   - How did you run kube-bench?
@@ -34,7 +34,7 @@ If you think you have found a bug please follow the instructions below.
 
 We also use the GitHub discussions to track feature requests. If you have an idea to make kube-bench even more awesome follow the steps below.
 
-- Open a [new discussion](https://github.com/khulnasoft/kube-bench/discussions/new?category_id=19113743) if a duplicate doesn't already exist.
+- Open a [new discussion](https://github.com/khulnasoft-lab/kube-bench/discussions/new?category_id=19113743) if a duplicate doesn't already exist.
 - Remember users might be searching for your discussion in the future, so please give it a meaningful title to helps others.
 - Clearly define the use case, using concrete examples. For example, I type `this` and kube-bench does `that`.
 - If you would like to include a technical design for your feature please feel free to do so.
@@ -43,7 +43,7 @@ We also use the GitHub discussions to track feature requests. If you have an ide
 
 We also use the GitHub discussions to Q&A.
 
-- Open a [new discussion](https://github.com/khulnasoft/kube-bench/discussions/new) if a duplicate doesn't already exist.
+- Open a [new discussion](https://github.com/khulnasoft-lab/kube-bench/discussions/new) if a duplicate doesn't already exist.
 - Remember users might be searching for your discussion in the future, so please give it a meaningful title to helps others.
 
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
-FROM golang:1.22.2 AS build
-WORKDIR /go/src/github.com/khulnasoft/kube-bench/
+FROM golang:1.22.4 AS build
+WORKDIR /go/src/github.com/khulnasoft-lab/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
 COPY main.go .
@@ -9,18 +9,26 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build && cp kube-bench /go/bin/kube-bench
 
+# Add kubectl to run policies checks
+ARG KUBECTL_VERSION TARGETARCH
+RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
+RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
+# Verify kubectl sha256sum
+RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
+RUN chmod +x /usr/local/bin/kubectl
+
 FROM alpine:3.20.0 AS run
 WORKDIR /opt/kube-bench/
 # add GNU ps for -C, -o cmd, and --no-headers support
-# https://github.com/khulnasoft/kube-bench/issues/109
+# https://github.com/khulnasoft-lab/kube-bench/issues/109
 RUN apk --no-cache add procps
 
 # Upgrading apk-tools to remediate CVE-2021-36159 - https://snyk.io/vuln/SNYK-ALPINE314-APKTOOLS-1533752
-# https://github.com/khulnasoft/kube-bench/issues/943
+# https://github.com/khulnasoft-lab/kube-bench/issues/943
 RUN apk --no-cache upgrade apk-tools
 
 # Openssl is used by OpenShift tests
-# https://github.com/khulnasoft/kube-bench/issues/535
+# https://github.com/khulnasoft-lab/kube-bench/issues/535
 # Ensuring that we update/upgrade before installing openssl, to mitigate CVE-2021-3711 and CVE-2021-3712
 RUN apk update && apk upgrade && apk --no-cache add openssl
 
@@ -32,6 +40,7 @@ RUN apk add jq
 ENV PATH=$PATH:/usr/local/mount-from-host/bin
 
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
+COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
 ENTRYPOINT ["./entrypoint.sh"]
@@ -43,7 +52,7 @@ ARG VCS_REF
 LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.name="kube-bench" \
     org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
-    org.label-schema.url="https://github.com/khulnasoft/kube-bench" \
+    org.label-schema.url="https://github.com/khulnasoft-lab/kube-bench" \
     org.label-schema.vcs-ref=$VCS_REF \
-    org.label-schema.vcs-url="https://github.com/khulnasoft/kube-bench" \
+    org.label-schema.vcs-url="https://github.com/khulnasoft-lab/kube-bench" \
     org.label-schema.schema-version="1.0"
diff --git a/Dockerfile.fips.ubi b/Dockerfile.fips.ubi
@@ -1,5 +1,5 @@
-FROM golang:1.22.2 AS build
-WORKDIR /go/src/github.com/khulnasoft/kube-bench/
+FROM golang:1.22.4 AS build
+WORKDIR /go/src/github.com/khulnasoft-lab/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
 COPY main.go .
@@ -9,6 +9,14 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build-fips && cp kube-bench /go/bin/kube-bench
 
+# Add kubectl to run policies checks
+ARG KUBECTL_VERSION TARGETARCH
+RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
+RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
+# Verify kubectl sha256sum
+RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
+RUN chmod +x /usr/local/bin/kubectl
+
 
 # ubi8-minimal base image for build with ubi standards
 FROM registry.access.redhat.com/ubi9/ubi-minimal as run
@@ -31,6 +39,7 @@ ENV PATH=$PATH:/usr/local/mount-from-host/bin
 
 COPY LICENSE /licenses/LICENSE
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
+COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
 ENTRYPOINT ["./entrypoint.sh"]
@@ -43,7 +52,7 @@ ARG VCS_REF
 LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.name="kube-bench" \
     org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
-    org.label-schema.url="https://github.com/khulnasoft/kube-bench" \
+    org.label-schema.url="https://github.com/khulnasoft-lab/kube-bench" \
     org.label-schema.vcs-ref=$VCS_REF \
-    org.label-schema.vcs-url="https://github.com/khulnasoft/kube-bench" \
+    org.label-schema.vcs-url="https://github.com/khulnasoft-lab/kube-bench" \
     org.label-schema.schema-version="1.0"
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
@@ -1,5 +1,5 @@
-FROM golang:1.22.2 AS build
-WORKDIR /go/src/github.com/khulnasoft/kube-bench/
+FROM golang:1.22.4 AS build
+WORKDIR /go/src/github.com/khulnasoft-lab/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
 COPY main.go .
@@ -9,6 +9,14 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build && cp kube-bench /go/bin/kube-bench
 
+# Add kubectl to run policies checks
+ARG KUBECTL_VERSION TARGETARCH
+RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
+RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
+# Verify kubectl sha256sum
+RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
+RUN chmod +x /usr/local/bin/kubectl
+
 
 # ubi8-minimal base image for build with ubi standards
 FROM registry.access.redhat.com/ubi9/ubi-minimal as run
@@ -31,6 +39,7 @@ ENV PATH=$PATH:/usr/local/mount-from-host/bin
 
 COPY LICENSE /licenses/LICENSE
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
+COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
 ENTRYPOINT ["./entrypoint.sh"]
@@ -43,7 +52,7 @@ ARG VCS_REF
 LABEL org.label-schema.build-date=$BUILD_DATE \
     org.label-schema.name="kube-bench" \
     org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
-    org.label-schema.url="https://github.com/khulnasoft/kube-bench" \
+    org.label-schema.url="https://github.com/khulnasoft-lab/kube-bench" \
     org.label-schema.vcs-ref=$VCS_REF \
-    org.label-schema.vcs-url="https://github.com/khulnasoft/kube-bench" \
+    org.label-schema.vcs-url="https://github.com/khulnasoft-lab/kube-bench" \
     org.label-schema.schema-version="1.0"
diff --git a/OWNERS b/OWNERS
@@ -1,3 +1,3 @@
 approvers:
- - nxpkg
- - khulnasoft-bot
+ - lizrice
+ - jerbia
diff --git a/README.md b/README.md
@@ -2,27 +2,33 @@
 [![Downloads][download]][release]
 [![Docker Pulls][docker-pull]][docker]
 [![Go Report Card][report-card-img]][report-card]
-[![Build Status](https://github.com/khulnasoft/kube-bench/workflows/Build/badge.svg?branch=main)](https://github.com/khulnasoft/kube-bench/actions)
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/khulnasoft/kube-bench/blob/main/LICENSE)
+[![Build Status](https://github.com/khulnasoft-lab/kube-bench/workflows/Build/badge.svg?branch=main)](https://github.com/khulnasoft-lab/kube-bench/actions)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/khulnasoft-lab/kube-bench/blob/main/LICENSE)
 [![Coverage Status][cov-img]][cov]
 
-[download]: https://img.shields.io/github/downloads/khulnasoft/kube-bench/total?logo=github
-[release-img]: https://img.shields.io/github/release/khulnasoft/kube-bench.svg?logo=github
-[release]: https://github.com/khulnasoft/kube-bench/releases
+[download]: https://img.shields.io/github/downloads/khulnasoft-lab/kube-bench/total?logo=github
+[release-img]: https://img.shields.io/github/release/khulnasoft-lab/kube-bench.svg?logo=github
+[release]: https://github.com/khulnasoft-lab/kube-bench/releases
 [docker-pull]: https://img.shields.io/docker/pulls/khulnasoft/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench
 [docker]: https://hub.docker.com/r/khulnasoft/kube-bench
-[cov-img]: https://codecov.io/github/khulnasoft/kube-bench/branch/main/graph/badge.svg
-[cov]: https://codecov.io/github/khulnasoft/kube-bench
-[report-card-img]: https://goreportcard.com/badge/github.com/khulnasoft/kube-bench
-[report-card]: https://goreportcard.com/report/github.com/khulnasoft/kube-bench
+[cov-img]: https://codecov.io/github/khulnasoft-lab/kube-bench/branch/main/graph/badge.svg
+[cov]: https://codecov.io/github/khulnasoft-lab/kube-bench
+[report-card-img]: https://goreportcard.com/badge/github.com/khulnasoft-lab/kube-bench
+[report-card]: https://goreportcard.com/report/github.com/khulnasoft-lab/kube-bench
 
+<img src="docs/images/kube-bench.png" width="200" alt="kube-bench logo">
 
 kube-bench is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
 
 Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
 
 ![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security")
 
+## CIS Scanning as part of Tunnel and the Tunnel Operator
+
+[Tunnel](https://github.com/khulnasoft/tunnel), the all in one cloud native security scanner, can be deployed as a [Kubernetes Operator](https://github.com/khulnasoft/khulnasoft-operator) inside a cluster.
+Both, the [Tunnel CLI](https://github.com/khulnasoft/tunnel), and the [Tunnel Operator](https://github.com/khulnasoft/khulnasoft-operator) support CIS Kubernetes Benchmark scanning among several other features.
+
 ## Quick start
 
 There are multiple ways to run kube-bench.

diff --git a/cfg/cis-1.9/config.yaml b/cfg/cis-1.9/config.yaml
@@ -0,0 +1,2 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml