chore(crds): Merge starboard-crds repository in

.github/workflows/build.yml

@@ -0,0 +1,21 @@
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.14
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Vendor Go modules
+        run: go mod vendor
+      - name: Verify generated code
+        run: GOPATH="$(go env GOPATH)" ./hack/verify-codegen.sh

.gitignore

@@ -1 +1,3 @@
 .idea/
+
+vendor/

README.md

@@ -1,3 +1,5 @@
+[![GitHub Release][release-img]][release]
+[![Build Actions][build-action-img]][build-action]
 [![License][license-img]][license]
 
 # Starboard
@@ -161,6 +163,10 @@ Kubernetes-native ways.
 
 This repository is available under the [Apache License 2.0][license].
 
+[release-img]: https://img.shields.io/github/release/aquasecurity/starboard.svg
+[release]: https://github.com/aquasecurity/starboard/releases
+[build-action-img]: https://github.com/aquasecurity/starboard/workflows/build/badge.svg
+[build-action]: https://github.com/aquasecurity/starboard/actions
 [license-img]: https://img.shields.io/github/license/aquasecurity/starboard.svg
 [license]: https://github.com/aquasecurity/starboard/blob/master/LICENSE
 

go.mod

@@ -0,0 +1,10 @@
+module github.com/aquasecurity/starboard
+
+go 1.14
+
+require (
+	k8s.io/apiextensions-apiserver v0.17.5
+	k8s.io/apimachinery v0.17.5
+	k8s.io/code-generator v0.17.5
+	k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
+)

hack/tools.go

@@ -0,0 +1,6 @@
+// +build tools
+
+// This package imports things required by build scripts, to force `go mod` to see them as dependencies.
+package tools
+
+import _ "k8s.io/code-generator"

hack/update-codegen.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+bash vendor/k8s.io/code-generator/generate-groups.sh all \
+  github.com/aquasecurity/starboard/pkg/generated \
+  github.com/aquasecurity/starboard/pkg/apis \
+  aquasecurity:v1alpha1 \
+  --output-base "${GOPATH}/src" \
+  --go-header-file "hack/boilerplate.go.txt"

hack/verify-codegen.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+
+DIFFROOT="${SCRIPT_ROOT}/pkg"
+TMP_DIFFROOT="${SCRIPT_ROOT}/_tmp/pkg"
+_tmp="${SCRIPT_ROOT}/_tmp"
+
+cleanup() {
+  rm -rf "${_tmp}"
+}
+trap "cleanup" EXIT SIGINT
+
+cleanup
+
+mkdir -p "${TMP_DIFFROOT}"
+cp -a "${DIFFROOT}"/* "${TMP_DIFFROOT}"
+
+"${SCRIPT_ROOT}/hack/update-codegen.sh"
+echo "diffing ${DIFFROOT} against freshly generated codegen"
+ret=0
+diff -Naupr "${DIFFROOT}" "${TMP_DIFFROOT}" || ret=$?
+cp -a "${TMP_DIFFROOT}"/* "${DIFFROOT}"
+if [[ $ret -eq 0 ]]
+then
+  echo "${DIFFROOT} up to date."
+else
+  echo "${DIFFROOT} is out of date. Please run hack/update-codegen.sh"
+  exit 1
+fi

kube/crd/ciskubernetesbenchmarks-crd.yaml

@@ -0,0 +1,20 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ciskubernetesbenchmarks.aquasecurity.github.com
+spec:
+  group: aquasecurity.github.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  scope: Cluster
+  names:
+    singular: ciskubernetesbenchmark
+    plural: ciskubernetesbenchmarks
+    kind: CISKubernetesBenchmark
+    listKind: CISKubernetesBenchmarkList
+    categories:
+      - all
+    shortNames:
+      - ciskubebench

kube/crd/configauditreports-crd.yaml

@@ -0,0 +1,18 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: configauditreports.aquasecurity.github.com
+spec:
+  group: aquasecurity.github.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  scope: Namespaced
+  names:
+    singular: configauditreport
+    plural: configauditreports
+    kind: ConfigAuditReport
+    listKind: ConfigAuditReportList
+    categories:
+      - all

kube/crd/kubehunterreports-crd.yaml

@@ -0,0 +1,18 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: kubehunterreports.aquasecurity.github.com
+spec:
+  group: aquasecurity.github.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  scope: Cluster
+  names:
+    singular: kubehunterreport
+    plural: kubehunterreports
+    kind: KubeHunterReport
+    listKind: KubeHunterReportList
+    categories:
+      - all

kube/crd/vulnerabilities-crd.yaml

@@ -0,0 +1,140 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: vulnerabilities.aquasecurity.github.com
+spec:
+  group: aquasecurity.github.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  scope: Namespaced
+  names:
+    singular: vulnerability
+    plural: vulnerabilities
+    kind: Vulnerability
+    listKind: VulnerabilityList
+    categories:
+      - all
+    shortNames:
+      - vuln
+      - vulns
+  validation:
+    openAPIV3Schema:
+      type: object
+      required:
+        - apiVersion
+        - kind
+        - metadata
+        - report
+      properties:
+        apiVersion:
+          type: string
+        kind:
+          type: string
+        metadata:
+          type: object
+        report:
+          type: object
+          required:
+            - generatedAt
+            - scanner
+            - artifact
+            - summary
+            - vulnerabilities
+          properties:
+            generatedAt:
+              type: string
+              format: date-time
+            scanner:
+              type: object
+              required:
+                - name
+                - vendor
+                - version
+              properties:
+                name:
+                  type: string
+                vendor:
+                  type: string
+                version:
+                  type: string
+            registry:
+              type: object
+              properties:
+                url:
+                  type: string
+                  format: url
+            artifact:
+              type: object
+              properties:
+                repository:
+                  type: string
+                digest:
+                  type: string
+                tag:
+                  type: string
+                mimeType:
+                  type: string
+            summary:
+              type: object
+              required:
+                - criticalCount
+                - highCount
+                - mediumCount
+                - lowCount
+                - unknownCount
+              properties:
+                criticalCount:
+                  type: integer
+                  minimum: 0
+                highCount:
+                  type: integer
+                  minimum: 0
+                mediumCount:
+                  type: integer
+                  minimum: 0
+                lowCount:
+                  type: integer
+                  minimum: 0
+                unknownCount:
+                  type: integer
+                  minimum: 0
+            vulnerabilities:
+              type: array
+              items:
+                type: object
+                required:
+                  - vulnerabilityID
+                  - resource
+                  - installedVersion
+                  - fixedVersion
+                  - severity
+                  - title
+                properties:
+                  vulnerabilityID:
+                    type: string
+                  resource:
+                    type: string
+                  installedVersion:
+                    type: string
+                  fixedVersion:
+                    type: string
+                  severity:
+                    type: string
+                    enum:
+                      - CRITICAL
+                      - HIGH
+                      - MEDIUM
+                      - LOW
+                      - UNKNOWN
+                  title:
+                    type: string
+                  description:
+                    type: string
+                  layerID:
+                    type: string
+                  links:
+                    type: array
+                    items:
+                      type: string

kube/example/vulnerabilities.yaml

@@ -0,0 +1,47 @@
+---
+apiVersion: aquasecurity.github.com/v1alpha1
+kind: Vulnerability
+metadata:
+  name: "sha256.bfb2cb1b47766fc424a7826d5ae79dc3aa70a8bbb697de7e683b965d47eb4295"
+report:
+  generatedAt: "2020-03-22T00:11:08Z"
+  scanner:
+    name: Trivy
+    vendor: Aqua Security
+    version: 0.5.2
+  registry:
+    url: https://index.docker.io/v1/
+  artifact:
+    repository: "library/alpine"
+    digest: "sha256:bfb2cb1b47766fc424a7826d5ae79dc3aa70a8bbb697de7e683b965d47eb4295"
+    tag: "3.10.2"
+    mimeType: "application/vnd.docker.distribution.manifest.v2+json"
+  summary:
+    criticalCount: 0
+    highCount: 0
+    mediumCount: 2
+    lowCount: 0
+    unknownCount: 0
+  vulnerabilities:
+    - vulnerabilityID: CVE-2019-1549
+      resource: openssl
+      installedVersion: 1.1.1c-r0
+      fixedVersion: 1.1.1d-r0
+      severity: MEDIUM
+      title: "openssl: information disclosure in fork()"
+      layerID: "sha256:bfb2cb1b47766fc424a7826d5ae79dc3aa70a8bbb697de7e683b965d47eb4295"
+      description: |
+        OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the
+        event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG
+        state. However this protection was not being used in the default case. A partial mitigation for this issue is that
+        the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process
+        sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using
+        OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
+      links:
+        - "https://nvd.nist.gov/vuln/detail/CVE-2019-1549"
+    - vulnerabilityID: CVE-2019-1563
+      resource: openssl
+      installedVersion: 1.1.1c-r0
+      fixedVersion: 1.1.1d-r0
+      severity: MEDIUM
+      title: "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey"

pkg/apis/aquasecurity/register.go

@@ -0,0 +1,6 @@
+package aquasecurity
+
+// GroupName is the group name used in this package.
+const (
+	GroupName = "aquasecurity.github.com"
+)