bump k8s.io dependencies and update README.md (#33)

* build(deps): bump actions/setup-go from 4 to 5

* bump alpine base image from 3.18.4 to 3.19.0

* bump k8s.io dependencies from v0.27.3 to v0.28.3 and update CEL env options

* chore: rename M-500 message

* chore: rename M-410 message

* doc: update output example in README.md to include the new checks

* doc: update README.md

.github/workflows/release.yml

@@ -22,7 +22,7 @@ jobs:
         run: git fetch --force --tags
 
       - name: setup go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
           cache: true

.github/workflows/test.yml

@@ -12,7 +12,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: setup go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
           cache: true

Dockerfile

@@ -34,10 +34,9 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build \
     -X github.com/undistro/marvin/pkg/version.commit=${COMMIT} \
     -X github.com/undistro/marvin/pkg/version.date=${DATE}" -a -o marvin main.go
 
-FROM alpine:3.18.4
+FROM alpine:3.19.0
 
-RUN addgroup -g 8494 -S nonroot && adduser -u 8494 -D -S nonroot -G nonroot \
-    && apk add libcrypto3=3.1.4-r0 libssl3=3.1.4-r0 # fix CVE-2023-5363
+RUN addgroup -g 8494 -S nonroot && adduser -u 8494 -D -S nonroot -G nonroot
 USER 8494:8494
 
 WORKDIR /

README.md

@@ -2,7 +2,7 @@
 
 <picture>
   <source media="(prefers-color-scheme: dark)" srcset="assets/banner-dark.png">
-  <img alt="Zora logo" src="assets/banner-light.png">
+  <img alt="Marvin logo" src="assets/banner-light.png">
 </picture>
 
 [![Go Reference](https://pkg.go.dev/badge/github.com/undistro/marvin.svg)](https://pkg.go.dev/github.com/undistro/marvin)
@@ -40,6 +40,8 @@ Marvin is also used as a plugin in [Zora](https://zora-docs.undistro.io/latest/)
 * [License](#license)
 <!-- TOC -->
 
+_Please [star :star:](https://github.com/undistro/marvin/stargazers) the repo if you want us to continue developing and improving Marvin!_ :grin:
+
 # Installation
 
 The pre-compiled binaries are available in [GitHub releases page](https://github.com/undistro/marvin/releases) 
@@ -88,36 +90,40 @@ marvin scan
 ```
 ```
 SEVERITY   ID      CHECK                                                   STATUS   FAILED   PASSED   SKIPPED 
-High       M-101   Host namespaces                                         Failed   8        7        0         
-High       M-104   HostPath volume                                         Failed   8        7        0         
-High       M-201   Application credentials stored in configuration files   Failed   2        25       0         
-High       M-102   Privileged container                                    Failed   2        13       0         
-High       M-103   Insecure capabilities                                   Failed   2        13       0         
-High       M-100   Privileged access to the Windows node                   Passed   0        15       0         
-High       M-105   Not allowed hostPort                                    Passed   0        15       0         
-Medium     M-113   Container could be running as root user                 Failed   15       0        0         
-Medium     M-407   CPU not limited                                         Failed   13       2        0         
-Medium     M-406   Memory not limited                                      Failed   9        6        0         
-Medium     M-404   Memory requests not specified                           Failed   8        7        0         
-Medium     M-402   Readiness and startup probe not configured              Failed   7        8        0         
-Medium     M-403   Liveness probe not configured                           Failed   7        8        0         
-Medium     M-405   CPU requests not specified                              Failed   5        10       0         
-Medium     M-106   Forbidden AppArmor profile                              Passed   0        15       0         
-Medium     M-107   Forbidden SELinux options                               Passed   0        15       0         
-Medium     M-108   Forbidden proc mount type                               Passed   0        15       0         
-Medium     M-109   Forbidden seccomp profile                               Passed   0        15       0         
-Medium     M-110   Unsafe sysctls                                          Passed   0        15       0         
-Medium     M-112   Allowed privilege escalation                            Passed   0        15       0         
-Medium     M-200   Image registry not allowed                              Passed   0        15       0         
-Medium     M-400   Image tagged latest                                     Passed   0        15       0         
-Low        M-116   Not allowed added/dropped capabilities                  Failed   15       0        0         
-Low        M-202   Automounted service account token                       Failed   15       0        0         
-Low        M-115   Not allowed seccomp profile                             Failed   11       4        0         
-Low        M-300   Root filesystem write allowed                           Failed   11       4        0         
-Low        M-111   Not allowed volume type                                 Failed   8        7        0         
-Low        M-203   SSH server running inside container                     Passed   0        17       0         
-Low        M-114   Container running as root UID                           Passed   0        15       0         
-Low        M-401   Unmanaged Pod                                           Passed   0        9        0         
+High       M-101   Host namespaces                                         Failed   8        25       0         
+High       M-104   HostPath volume                                         Failed   8        25       0         
+High       M-201   Application credentials stored in configuration files   Failed   2        45       0         
+High       M-102   Privileged container                                    Failed   2        31       0         
+High       M-103   Insecure capabilities                                   Failed   2        31       0         
+High       M-100   Privileged access to the Windows node                   Passed   0        33       0         
+High       M-105   Not allowed hostPort                                    Passed   0        33       0         
+Medium     M-113   Container could be running as root user                 Failed   33       0        0         
+Medium     M-407   CPU not limited                                         Failed   31       2        0         
+Medium     M-406   Memory not limited                                      Failed   27       6        0         
+Medium     M-404   Memory requests not specified                           Failed   26       7        0         
+Medium     M-402   Readiness and startup probe not configured              Failed   25       8        0         
+Medium     M-403   Liveness probe not configured                           Failed   25       8        0         
+Medium     M-405   CPU requests not specified                              Failed   23       10       0         
+Medium     M-106   Forbidden AppArmor profile                              Passed   0        33       0         
+Medium     M-107   Forbidden SELinux options                               Passed   0        33       0         
+Medium     M-108   Forbidden proc mount type                               Passed   0        33       0         
+Medium     M-109   Forbidden seccomp profile                               Passed   0        33       0         
+Medium     M-110   Unsafe sysctls                                          Passed   0        33       0         
+Medium     M-112   Allowed privilege escalation                            Passed   0        33       0         
+Medium     M-200   Image registry not allowed                              Passed   0        33       0         
+Medium     M-400   Image tagged latest                                     Passed   0        33       0         
+Medium     M-408   Sudo in container entrypoint                            Passed   0        33       0         
+Medium     M-409   Deprecated image registry                               Passed   0        33       0         
+Medium     M-500   Workload in default namespace                           Passed   0        33       0         
+Medium     M-410   Not allowed restartPolicy                               Passed   0        18       0         
+Low        M-116   Not allowed added/dropped capabilities                  Failed   33       0        0         
+Low        M-202   Automounted service account token                       Failed   33       0        0         
+Low        M-115   Not allowed seccomp profile                             Failed   29       4        0         
+Low        M-300   Root filesystem write allowed                           Failed   29       4        0         
+Low        M-111   Not allowed volume type                                 Failed   8        25       0         
+Low        M-203   SSH server running inside container                     Passed   0        39       0         
+Low        M-114   Container running as root UID                           Passed   0        33       0         
+Low        M-401   Unmanaged Pod                                           Passed   0        15       0         
 ```
 
 The default output format is `table` which represents a summary of checks result. 

go.mod

@@ -5,19 +5,19 @@ go 1.20
 require (
 	github.com/Masterminds/semver/v3 v3.2.0
 	github.com/fatih/color v1.14.1
-	github.com/go-logr/logr v1.2.3
-	github.com/google/cel-go v0.16.0
+	github.com/go-logr/logr v1.2.4
+	github.com/google/cel-go v0.16.1
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.2
-	k8s.io/api v0.27.3
-	k8s.io/apimachinery v0.27.3
-	k8s.io/apiserver v0.27.3
-	k8s.io/cli-runtime v0.27.3
-	k8s.io/client-go v0.27.3
-	k8s.io/klog/v2 v2.90.1
-	k8s.io/utils v0.0.0-20230209194617-a36077c30491
+	k8s.io/api v0.28.3
+	k8s.io/apimachinery v0.28.3
+	k8s.io/apiserver v0.28.3
+	k8s.io/cli-runtime v0.28.3
+	k8s.io/client-go v0.28.3
+	k8s.io/klog/v2 v2.100.1
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -28,14 +28,14 @@ require (
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
@@ -56,24 +56,26 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
-	github.com/xlab/treeprint v1.1.0 // indirect
-	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
-	golang.org/x/net v0.8.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect
-	golang.org/x/sys v0.6.0 // indirect
-	golang.org/x/term v0.6.0 // indirect
-	golang.org/x/text v0.8.0 // indirect
-	golang.org/x/time v0.1.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/sync v0.2.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20221227171554-f9683d7f8bef // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
+	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/kustomize/api v0.13.2 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.14.1 // indirect
+	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )