.github/workflows/build.yml

@@ -14,7 +14,7 @@ on:
       - "LICENSE"
       - "NOTICE"
 env:
-  GO_VERSION: "1.21"
+  GO_VERSION: "1.23.6"
   KIND_VERSION: "v0.11.1"
   KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 
@@ -32,10 +32,10 @@ jobs:
       - name: yaml-lint
         uses: ibiqlik/action-yamllint@v3
       - name: Setup golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
-          version: latest
-          args: --verbose
+          version: v1.61
+          args: --verbose --timeout 2m
   unit:
     name: Unit tests
     runs-on: ubuntu-latest
@@ -49,7 +49,7 @@ jobs:
       - name: Run unit tests
         run: make tests
       - name: Upload code coverage
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           file: ./coverage.txt
   e2e:
@@ -63,7 +63,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Setup Kubernetes cluster (KIND)
-        uses: engineerd/setup-kind@v0.5.0
+        uses: engineerd/setup-kind@v0.6.2
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -95,7 +95,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Dry-run release snapshot
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: v1.7.0

.github/workflows/mkdocs-deploy.yaml

@@ -20,7 +20,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: true
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.x
       - run: |

.github/workflows/publish.yml

@@ -9,6 +9,7 @@ env:
   ALIAS: aquasecurity
   DOCKERHUB_ALIAS: aquasec
   REP: kube-bench
+
 jobs:
   publish:
     name: Publish
@@ -46,17 +47,21 @@ jobs:
           images: ${{ env.REP }}
           tag-semver: |
             {{version}}
-
+      - name: Extract variables from makefile (kubectl)
+        id: extract_vars
+        run: |
+          echo "KUBECTL_VERSION=$(grep -oP '^KUBECTL_VERSION\s*\?=\s*\K.*' makefile)" >> $GITHUB_ENV
       - name: Build and push - Docker/ECR
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
           builder: ${{ steps.buildx.outputs.name }}
           push: true
           build-args: |
             KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
+            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
           tags: |
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
             public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
@@ -67,7 +72,7 @@ jobs:
 
       - name: Build and push ubi image - Docker/ECR
         id: docker_build_ubi
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@@ -76,6 +81,7 @@ jobs:
           file: Dockerfile.ubi
           build-args: |
             KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
+            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
           tags: |
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
             public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
@@ -86,7 +92,7 @@ jobs:
 
       - name: Build and push fips ubi image - Docker/ECR
         id: docker_build_fips_ubi
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@@ -95,6 +101,7 @@ jobs:
           file: Dockerfile.fips.ubi
           build-args: |
             KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
+            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
           tags: |
             ${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips
             public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi-fips

.github/workflows/release.yml

@@ -5,7 +5,7 @@ on:
     tags:
       - "v*"
 env:
-  GO_VERSION: "1.21"
+  GO_VERSION: "1.23.6"
   KIND_VERSION: "v0.11.1"
   KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 
@@ -25,7 +25,7 @@ jobs:
       - name: Run unit tests
         run: make tests
       - name: Setup Kubernetes cluster (KIND)
-        uses: engineerd/setup-kind@v0.5.0
+        uses: engineerd/setup-kind@v0.6.2
         with:
           version: ${{ env.KIND_VERSION }}
           image: ${{ env.KIND_IMAGE }}
@@ -44,7 +44,7 @@ jobs:
           second_file_path: integration/testdata/Expected_output.data
           expected_result: PASSED
       - name: Release
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: v1.7.0

.golangci.yaml

@@ -2,11 +2,9 @@
 linters:
   disable-all: true
   enable:
-    - deadcode
     - gocyclo
     - gofmt
     - goimports
     - govet
     - misspell
     - typecheck
-    - varcheck

.goreleaser.yml

@@ -2,10 +2,15 @@
 project_name: kube-bench
 env:
   - GO111MODULE=on
+  - CGO_ENABLED=0
   - KUBEBENCH_CFG=/etc/kube-bench/cfg
 builds:
-  - main: main.go
+  - main: .
     binary: kube-bench
+    tags:
+      - osusergo
+      - netgo
+      - static_build
     goos:
       - linux
       - darwin
@@ -19,6 +24,9 @@ builds:
       - 6
       - 7
     ldflags:
+      - "-s"
+      - "-w"
+      - "-extldflags '-static'"
       - "-X github.com/aquasecurity/kube-bench/cmd.KubeBenchVersion={{.Version}}"
       - "-X github.com/aquasecurity/kube-bench/cmd.cfgDir={{.Env.KUBEBENCH_CFG}}"
 # Archive customization

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.22.1 AS build
+FROM golang:1.23.6 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@@ -9,11 +9,22 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build && cp kube-bench /go/bin/kube-bench
 
-FROM alpine:3.19.1 AS run
+# Add kubectl to run policies checks
+ARG KUBECTL_VERSION TARGETARCH
+RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
+RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
+
+# Verify kubectl sha256sum
+RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
+
+RUN chmod +x /usr/local/bin/kubectl
+
+FROM alpine:3.21.2 AS run
 WORKDIR /opt/kube-bench/
-# add GNU ps for -C, -o cmd, and --no-headers support
+# add GNU ps for -C, -o cmd, --no-headers support and add findutils to get GNU xargs
 # https://github.com/aquasecurity/kube-bench/issues/109
-RUN apk --no-cache add procps
+# https://github.com/aquasecurity/kube-bench/issues/1656
+RUN apk --no-cache add procps findutils
 
 # Upgrading apk-tools to remediate CVE-2021-36159 - https://snyk.io/vuln/SNYK-ALPINE314-APKTOOLS-1533752
 # https://github.com/aquasecurity/kube-bench/issues/943
@@ -29,21 +40,34 @@ RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/s
 RUN apk add gcompat
 RUN apk add jq
 
-ENV PATH=$PATH:/usr/local/mount-from-host/bin
+# Add bash for running helper scripts
+RUN apk add bash
+
+ENV PATH=$PATH:/usr/local/mount-from-host/bin:/go/bin
 
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
+COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
+COPY helper_scripts/check_files_owner_in_dir.sh /go/bin/
+RUN chmod a+x /go/bin/check_files_owner_in_dir.sh
 ENTRYPOINT ["./entrypoint.sh"]
 CMD ["install"]
 
 # Build-time metadata as defined at http://label-schema.org
 ARG BUILD_DATE
 ARG VCS_REF
+ARG KUBEBENCH_VERSION
+
 LABEL org.label-schema.build-date=$BUILD_DATE \
-    org.label-schema.name="kube-bench" \
-    org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
-    org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
-    org.label-schema.vcs-ref=$VCS_REF \
-    org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
-    org.label-schema.schema-version="1.0"
+      org.label-schema.name="kube-bench" \
+      org.label-schema.vendor="Aqua Security Software Ltd." \
+      org.label-schema.version=$KUBEBENCH_VERSION \
+      org.label-schema.release=$KUBEBENCH_VERSION \
+      org.label-schema.summary="Aqua security server" \
+      org.label-schema.maintainer="admin@aquasec.com" \
+      org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
+      org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
+      org.label-schema.vcs-ref=$VCS_REF \
+      org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
+      org.label-schema.schema-version="1.0"

Dockerfile.fips.ubi

@@ -1,4 +1,4 @@
-FROM golang:1.22.1 AS build
+FROM golang:1.23.6 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@@ -9,6 +9,14 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build-fips && cp kube-bench /go/bin/kube-bench
 
+# Add kubectl to run policies checks
+ARG KUBECTL_VERSION TARGETARCH
+RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
+RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
+# Verify kubectl sha256sum
+RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
+RUN chmod +x /usr/local/bin/kubectl
+
 
 # ubi8-minimal base image for build with ubi standards
 FROM registry.access.redhat.com/ubi9/ubi-minimal as run
@@ -31,19 +39,28 @@ ENV PATH=$PATH:/usr/local/mount-from-host/bin
 
 COPY LICENSE /licenses/LICENSE
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
+COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
+COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
 ENTRYPOINT ["./entrypoint.sh"]
 CMD ["install"]
 
 
 # Build-time metadata as defined at http://label-schema.org
 ARG BUILD_DATE
 ARG VCS_REF
+ARG KUBEBENCH_VERSION
+
 LABEL org.label-schema.build-date=$BUILD_DATE \
-    org.label-schema.name="kube-bench" \
-    org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
-    org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
-    org.label-schema.vcs-ref=$VCS_REF \
-    org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
-    org.label-schema.schema-version="1.0"
+      org.label-schema.name="kube-bench" \
+      org.label-schema.vendor="Aqua Security Software Ltd." \
+      org.label-schema.version=$KUBEBENCH_VERSION \
+      org.label-schema.release=$KUBEBENCH_VERSION \
+      org.label-schema.summary="Aqua security server" \
+      org.label-schema.maintainer="admin@aquasec.com" \
+      org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
+      org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
+      org.label-schema.vcs-ref=$VCS_REF \
+      org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
+      org.label-schema.schema-version="1.0"

Dockerfile.ubi

@@ -1,4 +1,4 @@
-FROM golang:1.22.1 AS build
+FROM golang:1.23.6 AS build
 WORKDIR /go/src/github.com/aquasecurity/kube-bench/
 COPY makefile makefile
 COPY go.mod go.sum ./
@@ -9,6 +9,14 @@ COPY internal/ internal/
 ARG KUBEBENCH_VERSION
 RUN make build && cp kube-bench /go/bin/kube-bench
 
+# Add kubectl to run policies checks
+ARG KUBECTL_VERSION TARGETARCH
+RUN wget -O /usr/local/bin/kubectl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl"
+RUN wget -O kubectl.sha256 "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256"
+# Verify kubectl sha256sum
+RUN /bin/bash -c 'echo "$(<kubectl.sha256)  /usr/local/bin/kubectl" | sha256sum -c -'
+RUN chmod +x /usr/local/bin/kubectl
+
 
 # ubi8-minimal base image for build with ubi standards
 FROM registry.access.redhat.com/ubi9/ubi-minimal as run
@@ -27,23 +35,32 @@ RUN microdnf install -y yum findutils openssl \
 
 WORKDIR /opt/kube-bench/
 
-ENV PATH=$PATH:/usr/local/mount-from-host/bin 
+ENV PATH=$PATH:/usr/local/mount-from-host/bin
 
 COPY LICENSE /licenses/LICENSE
 COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
+COPY --from=build /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY entrypoint.sh .
 COPY cfg/ cfg/
+COPY helper_scripts/check_files_owner_in_dir.sh /go/bin
 ENTRYPOINT ["./entrypoint.sh"]
 CMD ["install"]
 
 
 # Build-time metadata as defined at http://label-schema.org
 ARG BUILD_DATE
 ARG VCS_REF
+ARG KUBEBENCH_VERSION
+
 LABEL org.label-schema.build-date=$BUILD_DATE \
-    org.label-schema.name="kube-bench" \
-    org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
-    org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
-    org.label-schema.vcs-ref=$VCS_REF \
-    org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
-    org.label-schema.schema-version="1.0"
+      org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
+      org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
+      org.label-schema.vcs-ref=$VCS_REF \
+      org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
+      org.label-schema.schema-version="1.0" \
+      vendor="Aqua Security Software Ltd." \
+      maintainer="Aqua Security Software Ltd." \
+      version=$KUBEBENCH_VERSION \
+      release=$KUBEBENCH_VERSION \
+      summary="Aqua Security Kube-bench." \
+      description="Run the CIS Kubernetes Benchmark tests"

cfg/ack-1.0/node.yaml

@@ -377,7 +377,7 @@ groups:
                 op: valid_elements
                 value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
         remediation: |
-          If using a Kubelet config file, edit the file to set TLSCipherSuites: to
+          If using a Kubelet config file, edit the file to set tlsCipherSuites: to
           TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
           or to a subset of these values.
           If using executable arguments, edit the kubelet service file

cfg/cis-1.10/config.yaml

@@ -0,0 +1,2 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml