Datree CLI

Use the Datree CLI in a github action
v1.1.0

Verified

GitHub has manually verified the creator of the action as an official partner organization. For more info see About badges in GitHub Marketplace.

Overview

The Datree CLI provides a policy enforcement solution that runs automatic checks for rule violations in Kubernetes configuration files.
This action runs the Datree CLI against the given k8s configuration file(s) in your repository, with full Helm and Kustomize support.
To learn more about Datree, visit the datree website.

Setup

Get started in 2 simple steps:

  • Obtain your Datree account token by following the instructions described here.
  • Configure your token by setting DATREE_TOKEN as a secret or environment variable (see "Examples" section of this readme).

Usage

In your workflow, set this action as a step. For example:

- name: Run Datree Policy Check
  uses: datreeio/action-datree@main
  with:
    path: 'someDirectory/someFile.yaml'
    cliArguments: '--schema-version 1.20.0'
Inputs:

  • path (required): A path to the file(s) you wish to run your Datree test against. This can be a single file or a Glob pattern signifying a directory.
  • cliArguments (optional): The desired Datree CLI arguments for the policy check. In the above example, schema version 1.20.0 will be used.
  • isHelmChart (optional): Specify whether the given path is a Helm chart. If this option is unused, the path will be considered as a regular yaml file. When isHelmChart is set, the action performs a recursive test for all Helm charts inside the given path.
  • helmArguments (optional): The Helm arguments to be used, if the path is a Helm chart.
  • isKustomization (optional): Specify whether the given path is a directory containing a "kustomization.yaml" file. If this option is unused, the path will be considered as a regular yaml file.
  • kustomizeArguments (optional): The Kustomize arguments to be used, if the path is a Kustomization directory.

For more information and examples of using this action with Helm/Kustomize, see the sections below.

Examples

Here is an example workflow that uses this action to run a Datree policy check on all of the k8s manifest files under the current directory, on every push/pull request:

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
    
env:
  DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} 

jobs:
  k8sPolicyCheck:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2
        
      - name: Run Datree Policy Check
        uses: datreeio/action-datree@main
        with:
          path: '**/*.yaml'
          cliArguments: '--only-k8s-files'

Here is another example that runs a policy check on a single file in the root of the repository on every push, using a policy named "Staging". The output will be in simple text, with no colors or emojis:

on:
  push:
    branches: [ main ]
    
env:
  DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} 

jobs:
  k8sPolicyCheck:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2
        
      - name: Run Datree Policy Check
        uses: datreeio/action-datree@main
        with:
          path: 'file.yaml'
          cliArguments: '--policy Staging --output simple'

Using Helm

This action enables performing policy checks on Helm charts by utilizing the Datree Helm plugin.
To test a Helm chart, set the "isHelmChart" parameter to "true", and add any Helm arguments you wish to use to the "helmArguments" parameter, like so:

- name: Run Datree Policy Check
  uses: datreeio/action-datree@main
  with:
    path: 'myChartDirectory'
    cliArguments: ''
    isHelmChart: true
    helmArguments: '--values values.yaml'

Using Kustomize

This action utilizes the Datree CLI's built-in Kustomize support. To use it to test a kustomization, set "isKustomization" to "true", and add any Kustomize arguments you wish to use to the "kustomizeArguments" setting (left empty below), like so:

- name: Run Datree Policy Check
  uses: datreeio/action-datree@main
  with:
    path: 'my/kustomization/directory'
    isKustomization: true
    kustomizeArguments: ''

Github Code Scanning (SARIF)

You can upload your policy check results to Github's code scanning, where they are displayed as security alerts, by doing the following:

  • Set -o sarif in the CLI arguments of this action (this will automatically create a file named datree.sarif containing your test results).
  • Upload the SARIF file to Github by adding the following step to your workflow:

- name: Upload analysis results to GitHub
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: datree.sarif
    wait-for-processing: true
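The two steps above combined into one complete workflow, as an added example that is not part of the action's own README. It assumes the DATREE_TOKEN secret is already configured and that the manifests live in the checked-out repository; the permissions block is the standard grant the upload-sarif step needs and is not mentioned on this page.

```yaml
# Added example: run the Datree policy check with SARIF output and publish the
# results as code-scanning alerts. Not taken from the action's own README.
name: Datree policy check (SARIF)

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Least-privilege token: checkout only needs to read contents, and upload-sarif
# needs write access to code-scanning alerts. Avoid a blanket write-all grant.
permissions:
  contents: read
  security-events: write

env:
  DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}

jobs:
  k8sPolicyCheck:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Run Datree Policy Check
        # Pinning to a release tag or commit SHA instead of @main gives a
        # reproducible, reviewable action version (supply-chain hygiene).
        uses: datreeio/action-datree@main
        with:
          path: '**/*.yaml'
          # -o sarif writes datree.sarif; --only-k8s-files skips non-manifest YAML
          cliArguments: '--only-k8s-files -o sarif'

      - name: Upload analysis results to GitHub
        # Run even if the policy step fails the job on violations, so the
        # violations still reach the code-scanning tab as alerts.
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: datree.sarif
          wait-for-processing: true
```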

Output

The result of your policy checks will look like this:

In addition to Datree's standard output, Github's job summary feature is now supported 📝
Your job summary will look like this:

Datree CLI is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
