diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml
new file mode 100644
index 00000000..822149e7
--- /dev/null
+++ b/.github/linters/.checkov.yaml
@@ -0,0 +1,27 @@
+---
+# Don't report passed checks in output
+quiet: true
+
+skip-path:
+ - zammad/templates/tests
+ - zammad/ci
+ - zammad/charts
+
+skip-check:
+ # These checks don't seem to make sense with a / our Helm chart
+ - CKV_K8S_21 # "The default namespace should not be used"
+ - CKV_K8S_10 # "CPU requests should be set"
+ - CKV_K8S_11 # "CPU limits should be set"
+ - CKV_K8S_15 # "Image Pull Policy should be Always"
+ - CKV_K8S_12 # "Memory requests should be set"
+ - CKV_K8S_13 # "Memory limits should be set"
+ - CKV_K8S_43 # "Image should use digest"
+ - CKV_K8S_38 # "Ensure that Service Account Tokens are only mounted where necessary"
+ - CKV_K8S_20 # "Containers should not run with allowPrivilegeEscalation"
+ - CKV_K8S_16 # "Container should not be privileged"
+ - CKV_K8S_40 # "Containers should run as a high UID to avoid host conflict"
+ - CKV_K8S_23 # "Minimize the admission of root containers"
+ - CKV_K8S_22 # "Use read-only filesystem for containers where possible"
+
+ # Maybe consider for improvement
+ - CKV_K8S_35 # "Prefer using secrets as files over secrets as environment variables"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 805c5de6..f203c962 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -23,7 +23,7 @@ jobs:
 fetch-depth: 0
 - name: Lint Code Base
- uses: github/super-linter/slim@v6
+ uses: github/super-linter/slim@v7
 env:
 DEFAULT_BRANCH: main
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -32,6 +32,7 @@ jobs:
 VALIDATE_JSCPD: false
 VALIDATE_KUBERNETES_KUBECONFORM: false
 VALIDATE_YAML: false
+ VALIDATE_YAML_PRETTIER: false
 lint-chart:
 runs-on: ubuntu-22.04
diff --git a/zammad/Chart.yaml b/zammad/Chart.yaml
index c67d1b71..d09e43ff 100644
--- a/zammad/Chart.yaml
+++ b/zammad/Chart.yaml
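Review bot: In `.github/linters/.checkov.yaml`, the `skip-check` list disables the container-hardening checks CKV_K8S_16, CKV_K8S_20, CKV_K8S_22, CKV_K8S_23, CKV_K8S_40 and CKV_K8S_38 for the whole chart, and the only justification given is that they "don't seem to make sense" for a Helm chart. Going by the check titles quoted beside them, these cover privilege, root and filesystem settings and service account token mounting, which a chart's templates can set, so a global skip would also hide any later regression in those settings. I would keep them enabled and suppress per resource with a stated reason, as `deployment-scheduler.yaml` does with `checkov.io/skipN` annotations in this same commit. Failing that, move them under the second group with a comment such as `# Hardening gaps, not false positives - re-enable once securityContext defaults are set`.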
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: zammad
-version: 12.3.5
-appVersion: 6.3.1-130
+version: 12.3.6
+appVersion: 6.3.1-144
 description: Zammad is a web based open source helpdesk/customer support system with many features to manage customer communication via several channels like telephone, facebook, twitter, chat and e-mails.
 home: https://zammad.org
 icon: https://raw.githubusercontent.com/zammad/zammad-documentation/main/images/zammad_logo_600x520.png
diff --git a/zammad/templates/deployment-scheduler.yaml b/zammad/templates/deployment-scheduler.yaml
index e6fa1017..527a3522 100644
--- a/zammad/templates/deployment-scheduler.yaml
+++ b/zammad/templates/deployment-scheduler.yaml
@@ -7,6 +7,8 @@ metadata:
 app.kubernetes.io/component: zammad-scheduler
 annotations:
 {{- include "zammad.annotations" . | nindent 4 }}
+ checkov.io/skip1: CKV_K8S_8=Liveness Probe Should be Configured - not possible with scheduler
+ checkov.io/skip2: CKV_K8S_9=Readiness Probe Should be Configured - not possible with scheduler
 spec:
 replicas: 1 # Not scalable, may only run once per cluster.
 selector:
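Review bot: The two `checkov.io/skip` annotations added in `deployment-scheduler.yaml` give "not possible with scheduler" as the reason without saying what prevents a probe, so a later reader cannot tell whether the suppression is still valid. With `replicas: 1`, a scheduler that hangs without exiting would not be restarted by the kubelet, so the reason should name the constraint (for example, that the process exposes no endpoint to probe, if that is the case). The values are free text containing `=` and ` - `; quoting them, as in `checkov.io/skip1: "CKV_K8S_8=<reason>"`, keeps them unambiguous strings if the wording changes. The rest of the Deployment manifest lies outside this hunk.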