kube-tools/overlay/usr/local/bin/flux-audit
Robert Kaussow af701c3a1b
add excludes
2023-06-25 16:26:54 +02:00


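#!/usr/bin/env bash
#
# flux-audit: render every kustomize overlay found below a directory and pipe
# the rendered manifests into `polaris audit`.
#
# Usage: flux-audit [PATH]            (PATH defaults to ".")
#
# Environment:
#   POLARIS_EXCLUDE_PATHS  Comma/space separated overlay directories to skip.
#                          Entries are compared as exact strings against the
#                          directory part of each match, i.e. "<PATH>/.../"
#                          including the trailing slash. Every entry is an
#                          overlay that is NOT audited, so review changes to
#                          this list like changes to the policy itself.
#   POLARIS_CONFIG         Comma/space separated polaris flags. When set, it
#                          replaces the defaults below entirely, including the
#                          two --set-exit-code-* flags, so a partial override
#                          can leave the audit non-blocking.
#
# Exit status: non-zero as soon as one kustomize build or polaris audit fails.
# A run that matches no overlay audits nothing and still exits 0.
set -eo pipefail

# NOTE(security): LoadRestrictionsNone lets a kustomization reference files
# outside its own directory. If this runs on manifests from an unreviewed
# branch, the build can read whatever the CI user can read; keep credentials
# out of reach of that job.
KUSTOMIZE_FLAGS=("--load-restrictor=LoadRestrictionsNone")
KUSTOMIZE_CONFIG="**/overlays/**/kustomization.yaml"
FLUX_PATH="${1:-.}"

# Split on commas and spaces; paths containing either cannot be expressed.
# shellcheck disable=SC2128
IFS=', ' read -r -a POLARIS_EXCLUDE_PATHS <<<"$POLARIS_EXCLUDE_PATHS"
# Print the parsed exclude list so skipped overlays are visible in the job log.
echo "${POLARIS_EXCLUDE_PATHS[@]}"

if [[ -z "$POLARIS_CONFIG" ]]; then
  POLARIS_CONFIG=(
    "--format=pretty"
    "--set-exit-code-on-danger"
    "--set-exit-code-below-score=80"
    "--only-show-failed-tests=true"
    "--audit-path=-"
  )
else
  # shellcheck disable=SC2128
  IFS=', ' read -r -a POLARIS_CONFIG <<<"$POLARIS_CONFIG"
fi

printf "\nINFO - Auditing kustomize overlays\n"

find "${FLUX_PATH%/}" -type f -iwholename "$KUSTOMIZE_CONFIG" -print0 |
  while IFS= read -r -d $'\0' file; do
    # Directory part of the match. The trailing slash is kept so existing
    # exclude entries still compare equal. Taken from the path itself because
    # -iwholename is case-insensitive and a fixed-suffix strip would miss
    # differently-cased file names.
    KUSTOMIZE_BUILD="${file%/*}/"

    for EXCLUDE in "${POLARIS_EXCLUDE_PATHS[@]}"; do
      if [[ "$EXCLUDE" == "$KUSTOMIZE_BUILD" ]]; then
        printf "INFO - Skipping kustomization %s\n" "$KUSTOMIZE_BUILD"
        continue 2
      fi
    done

    printf "INFO - Auditing kustomization %s\n" "$KUSTOMIZE_BUILD"

    # Fail closed on either stage. The previous check read PIPESTATUS after an
    # intervening `echo`, so it only ever saw echo's status; the actual stop
    # came from errexit + pipefail. Making the exit explicit keeps the same
    # status code and does not depend on shell options staying enabled.
    kustomize build "$KUSTOMIZE_BUILD" "${KUSTOMIZE_FLAGS[@]}" |
      polaris audit "${POLARIS_CONFIG[@]}" || exit "$?"
    echo
  done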