Release Semgr8s v0.1.12

.github/actions/build/action.yml

@@ -77,8 +77,8 @@ runs:
       id: verify
       run: |
         cosign tree ${TAGS}
-        cosign verify --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity-regexp "^https://github\.com/sse-secure-systems/semgr8s/" --certificate-github-workflow-repository "${{ github.repository }}" --certificate-github-workflow-ref "${{ github.ref }}" ${TAGS}
-        cosign verify-attestation --type cyclonedx --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity-regexp "^https://github\.com/sse-secure-systems/semgr8s/" --certificate-github-workflow-repository "${{ github.repository }}" --certificate-github-workflow-ref "${{ github.ref }}" ${TAGS}
+        cosign verify --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity-regexp "^https://github\.com/semgr8ns/semgr8s/" --certificate-github-workflow-repository "${{ github.repository }}" --certificate-github-workflow-ref "${{ github.ref }}" ${TAGS}
+        cosign verify-attestation --type cyclonedx --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity-regexp "^https://github\.com/semgr8ns/semgr8s/" --certificate-github-workflow-repository "${{ github.repository }}" --certificate-github-workflow-ref "${{ github.ref }}" ${TAGS}
         SIGNATURE=$(cosign triangulate ${TAGS})
         SBOM="${SIGNATURE::-4}.att"
         echo signature=${SIGNATURE} >> ${GITHUB_OUTPUT}
@@ -125,11 +125,11 @@ runs:
         echo "<details><summary>:mag: Verify Build</summary>" >> ${GITHUB_STEP_SUMMARY}
         echo "(might require <a href='https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry'>Docker login via PAT</a> with package:read permission)" >> ${GITHUB_STEP_SUMMARY}
         echo "<ul>" >> ${GITHUB_STEP_SUMMARY}
-        echo "<li>Verify <b>Cosign signature</b> using <a href='https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect'>keyless OIDC signatures<a>: <pre lang="bash"><code>cosign verify --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' --certificate-identity-regexp '^https://github\.com/sse-secure-systems/semgr8s/' --certificate-github-workflow-repository '${{ github.repository }}' --certificate-github-workflow-ref '${{ github.ref }}' ${{ inputs.image_registry }}/${{ inputs.image_repo }}:${{ inputs.image_tag }} </code></pre></li>" >> ${GITHUB_STEP_SUMMARY}
+        echo "<li>Verify <b>Cosign signature</b> using <a href='https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect'>keyless OIDC signatures<a>: <pre lang="bash"><code>cosign verify --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' --certificate-identity-regexp '^https://github\.com/semgr8ns/semgr8s/' --certificate-github-workflow-repository '${{ github.repository }}' --certificate-github-workflow-ref '${{ github.ref }}' ${{ inputs.image_registry }}/${{ inputs.image_repo }}:${{ inputs.image_tag }} </code></pre></li>" >> ${GITHUB_STEP_SUMMARY}
         echo "<li>Display all <b>Cosign supply chain security artifacts</b>: <pre lang="bash"><code>cosign tree ${{ inputs.image_registry }}/${{ inputs.image_repo }}:${{ inputs.image_tag }} </code></pre></li>" >> ${GITHUB_STEP_SUMMARY}
         echo "<li>Download <b>Cosign-attached SBOM</b> (syft-generated cyclonedx-json): <pre lang="bash"><code>
         cosign verify-attestation --type cyclonedx \\
-        --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' --certificate-identity-regexp '^https://github\.com/sse-secure-systems/semgr8s/' --certificate-github-workflow-repository '${{ github.repository }}' --certificate-github-workflow-ref '${{ github.ref }}' \
+        --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' --certificate-identity-regexp '^https://github\.com/semgr8ns/semgr8s/' --certificate-github-workflow-repository '${{ github.repository }}' --certificate-github-workflow-ref '${{ github.ref }}' \
         ${{ inputs.image_registry }}/${{ inputs.image_repo }}:${{ inputs.image_tag }} \\
         | jq -r '.payload' | base64 -d | jq '.predicate' > sbom.cdx
           </code></pre></li>" >> ${GITHUB_STEP_SUMMARY}

.github/workflows/.reusable-cleanup-registry.yml

@@ -16,7 +16,7 @@ jobs:
           cut-off: three weeks ago UTC+1
           timestamp-to-use: updated_at
           account-type: org
-          org-name: sse-secure-systems
+          org-name: semgr8ns
           token: ${{ secrets.GHCR_PAT }}
       - name: Cleanup dangling images without tag
         uses: snok/container-retention-policy@b56f4ff7539c1f94f01e5dc726671cd619aa8072 # v2.2.1
@@ -26,7 +26,7 @@ jobs:
           cut-off: four hours ago UTC+1
           timestamp-to-use: updated_at
           account-type: org
-          org-name: sse-secure-systems
+          org-name: semgr8ns
           token: ${{ secrets.GHCR_PAT }}
       #      - name: Cleanup all images
       #        uses: snok/container-retention-policy@b56f4ff7539c1f94f01e5dc726671cd619aa8072 # v2.2.1
@@ -36,5 +36,5 @@ jobs:
       #          cut-off: four days ago UTC+1
       #          timestamp-to-use: updated_at
       #          account-type: org
-      #          org-name: sse-secure-systems
+      #          org-name: semgr8ns
       #          token: ${{ secrets.GHCR_PAT }}

README.md

@@ -37,7 +37,7 @@ Getting started to validate Kubernetes resources against Semgrep rules is only a
 Installation files are contained within this repository:
 
 ```bash
-git clone https://github.com/sse-secure-systems/semgr8s.git
+git clone https://github.com/semgr8ns/semgr8s.git
 cd semgr8s
 ```
 

build/Dockerfile

@@ -66,7 +66,7 @@ RUN sh /harden.sh
 
 USER 10001:20001
 
-LABEL org.opencontainers.image.documentation="https://sse-secure-systems.github.io/semgr8s/"
+LABEL org.opencontainers.image.documentation="https://semgr8ns.github.io/semgr8s/"
 LABEL org.opencontainers.image.authors="Christoph Hamsen <christoph.hamsen@securesystems.de>"
 LABEL org.opencontainers.image.vendor="Secure Systems Engineering"
 

charts/semgr8s/Chart.yaml

@@ -2,16 +2,16 @@ apiVersion: v2
 name: semgr8s
 description: Semgrep-based Policy Controller for Kubernetes
 type: application
-version: "0.1.11"
-appVersion: "0.1.11"
+version: "0.1.12"
+appVersion: "0.1.12"
 keywords:
   - kubernetes
   - admission controller
   - policy management
-home: https://sse-secure-systems.github.io/semgr8s/latest
+home: https://semgr8ns.github.io/semgr8s/latest
 sources:
-  - https://github.com/sse-secure-systems/semgr8s
-icon: https://raw.githubusercontent.com/sse-secure-systems/semgr8s/main/docs/assets/semgr8s-logo.png
+  - https://github.com/semgr8ns/semgr8s
+icon: https://raw.githubusercontent.com/semgr8ns/semgr8s/main/docs/assets/semgr8s-logo.png
 maintainers:
   - name: Christoph Hamsen
     email: christoph.hamsen@securesystems.de

charts/semgr8s/rules/test-semgr8s-forbidden-label.yaml

@@ -6,7 +6,7 @@ rules:
     technology:
       - kubernetes
     references:
-      - https://sse-secure-systems.github.io/semgr8s/latest/#testing
+      - https://semgr8ns.github.io/semgr8s/latest/#testing
   languages: [yaml]
   severity: INFO
   patterns:

charts/semgr8s/values.yaml

@@ -1,6 +1,6 @@
 deployment:
   image:
-    repository: ghcr.io/sse-secure-systems/semgr8s
+    repository: ghcr.io/semgr8ns/semgr8s
     pullPolicy: IfNotPresent
     tag: ""
   imagePullSecrets: []

docs/usage.md

@@ -7,7 +7,7 @@ Understand how to plan, install and operate Semgr8s.
 Before integrating Semgr8s, it is important to bear a few considerations in mind:
 
 * Semgr8s is still in an early stage of development with exciting ideas for improvement :rocket:
-* There is only limited operational experience so far and there might be breaking changes. We are happy for any feedback, bug reports, feature requests, and contributions via [GitHub discussions](https://github.com/sse-secure-systems/semgr8s/discussions),  [issues](https://github.com/sse-secure-systems/semgr8s/issues) and PRs :pray:
+* There is only limited operational experience so far and there might be breaking changes. We are happy for any feedback, bug reports, feature requests, and contributions via [GitHub discussions](https://github.com/semgr8ns/semgr8s/discussions),  [issues](https://github.com/semgr8ns/semgr8s/issues) and PRs :pray:
 * Semgrep's *yaml* support is currently [experimental](https://semgrep.dev/docs/supported-languages#semgrep-code-language-support).
 * Semgr8s (like any other Kubernetes admission controller) can break a cluster when misconfigured. Therefore, testing should be rigorous and happen on a dedicated test cluster.
 * Semgr8s can be used with remote rules. Those introduce an external dependence for validation which can affect performance and availability.
@@ -32,7 +32,7 @@ Semgr8s is installed via *Helm*, but instructions can be adapted for usage with
 The Helm charts are contained within the Semgr8s repository:
 
 ```bash
-git clone https://github.com/sse-secure-systems/semgr8s.git
+git clone https://github.com/semgr8ns/semgr8s.git
 cd semgr8s
 ```
 
@@ -260,7 +260,7 @@ Remote rules can currently only be configured prior to deployment and changes re
 
 Local rules are your custom written rules and added as configmaps with label `semgr8s/rule=true` to Semgr8s's namespace `semgr8ns`.
 They can either be provided prior to installation as files under `charts/semgr8s/rules/` or added after deployment.
-Templates and selected rules are available under [`./rules/`](https://github.com/sse-secure-systems/semgr8s/tree/main/rules).
+Templates and selected rules are available under [`./rules/`](https://github.com/semgr8ns/semgr8s/tree/main/rules).
 
 !!! tip "Share your own rules :writing_hand:"
     We hope to continuously extend the list of selected rules to facilitate policy creation.

mkdocs.yml

@@ -1,13 +1,13 @@
 # Project information
 site_name: semgr8s - Semgrep-based Policy Controller for Kubernetes.
 
-site_url: https://sse-secure-systems.github.io/semgr8s/
+site_url: https://semgr8ns.github.io/semgr8s/
 site_description: >-
     Admission controller to use your well-known publicly available or custom Semgrep rules to validate k8s resources before deployment to the cluster.
 
 # Repository
-repo_name: sse-secure-systems/semgr8s/
-repo_url: https://github.com/sse-secure-systems/semgr8s
+repo_name: semgr8ns/semgr8s/
+repo_url: https://github.com/semgr8ns/semgr8s
 edit_uri: ""
 
 # Company
@@ -63,10 +63,10 @@ extra:
       provider: mike
   social:
     - icon: fontawesome/brands/github
-      link: https://github.com/sse-secure-systems
+      link: https://github.com/semgr8ns
       name: SSE on GitHub
     - icon: fontawesome/brands/docker
-      link: https://ghcr.io/sse-secure-systems/semgr8s
+      link: https://ghcr.io/semgr8ns/semgr8s
       name: Semgr8s images on GHCR
     - icon: fontawesome/brands/medium
       link: https://medium.com/sse-blog

tests/data/sample_k8s_resources/configmaps.json

@@ -4,7 +4,7 @@
     {
       "apiVersion": "v1",
       "data": {
-        "test-semgr8s-forbidden-label.yaml": "rules:\n- id: test-semgr8s-forbidden-label\n  patterns:\n    - pattern-inside: |\n        metadata:\n          ...\n    - pattern-inside: |\n        labels:\n          ...\n    - pattern: |\n        semgr8s-test: forbidden-test-label-e3b0c44298fc1c\n  fix: \"\"\n  message: TEST ONLY. Found kubernetes resource with semgr8s forbidden test label. Any resource with label \"semgr8s-test=forbidden-test-label-e3b0c44298fc1c\" is denied. This label carries no meaning beyond testing and demonstration purposes.\n  metadata:\n    category: test \n    technology:\n      - kubernetes\n    references:\n      - https://sse-secure-systems.github.io/semgr8s/latest/#testing\n  languages: [yaml]\n  severity: INFO\n"
+        "test-semgr8s-forbidden-label.yaml": "rules:\n- id: test-semgr8s-forbidden-label\n  patterns:\n    - pattern-inside: |\n        metadata:\n          ...\n    - pattern-inside: |\n        labels:\n          ...\n    - pattern: |\n        semgr8s-test: forbidden-test-label-e3b0c44298fc1c\n  fix: \"\"\n  message: TEST ONLY. Found kubernetes resource with semgr8s forbidden test label. Any resource with label \"semgr8s-test=forbidden-test-label-e3b0c44298fc1c\" is denied. This label carries no meaning beyond testing and demonstration purposes.\n  metadata:\n    category: test \n    technology:\n      - kubernetes\n    references:\n      - https://semgr8ns.github.io/semgr8s/latest/#testing\n  languages: [yaml]\n  severity: INFO\n"
       },
       "kind": "ConfigMap",
       "metadata": {
@@ -30,7 +30,7 @@
     {
       "apiVersion": "v1",
       "data": {
-        "tester-test-name.yaml": "rules:\n- id: test-semgr8s-forbidden-label\n  patterns:\n    - pattern-inside: |\n        metadata:\n          ...\n    - pattern-inside: |\n        labels:\n          ...\n    - pattern: |\n        semgr8s-test: forbidden-test-label-e3b0c44298fc1c\n  fix: \"\"\n  message: TEST ONLY. Found kubernetes resource with semgr8s forbidden test label. Any resource with label \"semgr8s-test=forbidden-test-label-e3b0c44298fc1c\" is denied. This label carries no meaning beyond testing and demonstration purposes.\n  metadata:\n    category: test \n    technology:\n      - kubernetes\n    references:\n      - https://sse-secure-systems.github.io/semgr8s/latest/#testing\n  languages: [yaml]\n  severity: INFO\n"
+        "tester-test-name.yaml": "rules:\n- id: test-semgr8s-forbidden-label\n  patterns:\n    - pattern-inside: |\n        metadata:\n          ...\n    - pattern-inside: |\n        labels:\n          ...\n    - pattern: |\n        semgr8s-test: forbidden-test-label-e3b0c44298fc1c\n  fix: \"\"\n  message: TEST ONLY. Found kubernetes resource with semgr8s forbidden test label. Any resource with label \"semgr8s-test=forbidden-test-label-e3b0c44298fc1c\" is denied. This label carries no meaning beyond testing and demonstration purposes.\n  metadata:\n    category: test \n    technology:\n      - kubernetes\n    references:\n      - https://semgr8ns.github.io/semgr8s/latest/#testing\n  languages: [yaml]\n  severity: INFO\n"
       },
       "kind": "ConfigMap",
       "metadata": {

tests/data/sample_k8s_resources/configmaps_broken_nodata.json

@@ -28,7 +28,7 @@
     {
       "apiVersion": "v1",
       "data": {
-        "tester-test-broken.yaml": "rules:\n- id: test-semgr8s-forbidden-label\n  patterns:\n    - pattern-inside: |\n        metadata:\n          ...\n    - pattern-inside: |\n        labels:\n          ...\n    - pattern: |\n        semgr8s-test: forbidden-test-label-e3b0c44298fc1c\n  fix: \"\"\n  message: TEST ONLY. Found kubernetes resource with semgr8s forbidden test label. Any resource with label \"semgr8s-test=forbidden-test-label-e3b0c44298fc1c\" is denied. This label carries no meaning beyond testing and demonstration purposes.\n  metadata:\n    category: test \n    technology:\n      - kubernetes\n    references:\n      - https://sse-secure-systems.github.io/semgr8s/latest/#testing\n  languages: [yaml]\n  severity: INFO\n"
+        "tester-test-broken.yaml": "rules:\n- id: test-semgr8s-forbidden-label\n  patterns:\n    - pattern-inside: |\n        metadata:\n          ...\n    - pattern-inside: |\n        labels:\n          ...\n    - pattern: |\n        semgr8s-test: forbidden-test-label-e3b0c44298fc1c\n  fix: \"\"\n  message: TEST ONLY. Found kubernetes resource with semgr8s forbidden test label. Any resource with label \"semgr8s-test=forbidden-test-label-e3b0c44298fc1c\" is denied. This label carries no meaning beyond testing and demonstration purposes.\n  metadata:\n    category: test \n    technology:\n      - kubernetes\n    references:\n      - https://semgr8ns.github.io/semgr8s/latest/#testing\n  languages: [yaml]\n  severity: INFO\n"
       },
       "kind": "ConfigMap",
       "metadata": {

tests/data/sample_k8s_resources/configmaps_broken_nojson.json

@@ -30,7 +30,7 @@
     {
       "apiVersion": "v1",
       "data": {
-        "tester-test-broken_nojson.yaml": "rules:\n- id: test-semgr8s-forbidden-label\n  patterns:\n    - pattern-inside: |\n        metadata:\n          ...\n    - pattern-inside: |\n        labels:\n          ...\n    - pattern: |\n        semgr8s-test: forbidden-test-label-e3b0c44298fc1c\n  fix: \"\"\n  message: TEST ONLY. Found kubernetes resource with semgr8s forbidden test label. Any resource with label \"semgr8s-test=forbidden-test-label-e3b0c44298fc1c\" is denied. This label carries no meaning beyond testing and demonstration purposes.\n  metadata:\n    category: test \n    technology:\n      - kubernetes\n    references:\n      - https://sse-secure-systems.github.io/semgr8s/latest/#testing\n  languages: [yaml]\n  severity: INFO\n"
+        "tester-test-broken_nojson.yaml": "rules:\n- id: test-semgr8s-forbidden-label\n  patterns:\n    - pattern-inside: |\n        metadata:\n          ...\n    - pattern-inside: |\n        labels:\n          ...\n    - pattern: |\n        semgr8s-test: forbidden-test-label-e3b0c44298fc1c\n  fix: \"\"\n  message: TEST ONLY. Found kubernetes resource with semgr8s forbidden test label. Any resource with label \"semgr8s-test=forbidden-test-label-e3b0c44298fc1c\" is denied. This label carries no meaning beyond testing and demonstration purposes.\n  metadata:\n    category: test \n    technology:\n      - kubernetes\n    references:\n      - https://semgr8ns.github.io/semgr8s/latest/#testing\n  languages: [yaml]\n  severity: INFO\n"
       },
       "kind": "ConfigMap",
       "metadata": {