Davide 'CoderDave' Benvegnù

Validate Kubernetes Manifests in GitHub Actions with Datree

In this second article dedicated to Datree we will explore how to use the tool with GitHub Actions to validate and secure our Kubernetes deployments.


As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here is the video with the whole explanation and demo, which, to be fair, is much more complete than this post.

Link to the video: This part about GitHub Actions starts at minute 14:12

If you rather prefer reading, well... let's just continue :)

The Basics

While I will not cover how to install and use the service in general (check the video and the first article of this series if you want to know more about it), there are a few things worth remembering that will be useful later on in this article:

  • Datree is a CLI tool, which works on Linux, macOS and Windows
  • The Centralized Policy Management uses a token to tie each scan to your account; that token is what the CI job will need

Datree in GitHub Actions

Alright, let's do this. The first thing we have to do, exactly as we would in a local environment, is to install the CLI:

```yaml
      - name: Install DaTree
        run: curl | /bin/bash
```

In this case the workflow is running on Linux, so I can use the bash install script. Keep in mind that piping a remote script into bash runs whatever that URL serves at the moment the job executes; if you need a reproducible build, download a specific release of the binary and verify its checksum instead.

This step takes only a few seconds to execute.

It is necessary if you are using GitHub-hosted runners, which start from a clean image on every run. If you are instead on self-hosted runners you can install the CLI directly on the agent machine and skip this step; the trade-off is that you then have to take care of updating the CLI yourself.

Next, we can invoke the validation command:

```yaml
      - name: Scan with DaTree
        run: datree test ./kubernetes/*.yml
        env:
          DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
```

As you can see, nothing different from what we would normally do.

Since the CI runner has no access to the Datree config file we would have locally, we need to pass the token as an environment variable. Best practice is to store it as a secret in the repository and reference it with ${{ secrets.YOUR_SECRET_NAME }}; GitHub masks secret values in the job log, so never paste the token in clear text into the workflow file.

In the example above the token is set in the env: block of the single step that needs it, to minimize exposure. If you have multiple scans in the same workflow, you can also set it as a job-level or workflow-level environment variable.

And this is basically all you need.

So the full workflow will look like this:

```yaml
name: K8S YAML Validation

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  validate:                 # job id; any identifier works here
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Install DaTree
        run: curl | /bin/bash

      - name: Scan with DaTree
        run: datree test ./kubernetes/*.yml
        env:
          DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
```

Of course you can also integrate these two steps into your existing CI or PR validation workflows rather than keeping them in a separate workflow, if you wish.
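The scan step above relies on two things happening implicitly: the token being present, and the `./kubernetes/*.yml` glob actually matching files (a shell passes an unmatched pattern to the command literally, and a repository that uses the `.yaml` extension would match nothing). The following wrapper is an added example, not code from the original post or from Datree itself: it makes both failure modes explicit before the scanner runs, accepts both extensions, and passes the scanner's own exit code through so a policy violation still fails the job. It assumes the scanner is invoked as `<command> test <file>...` and reports violations with a non-zero exit code, which is the behaviour the post describes for `datree test`; the script path and the optional scanner-command parameter are my own additions.

```shell
#!/bin/sh
# Added example (not from the original post or from Datree): a wrapper
# around the "Scan with DaTree" step that turns two silent failure modes
# into explicit non-zero exits before the scanner runs:
#   1. DATREE_TOKEN missing, so the scan would not be tied to the account
#   2. the manifest glob matching nothing, so the literal pattern (not
#      real files) would be handed to the scanner
# Assumption (mine): the scanner command is "<cmd> test <file>..." like
# `datree test`, and it exits non-zero on a policy violation, which is
# what the post says breaks the build.

set -u

# Usage: run_manifest_scan <manifest-dir> [scanner-command]
# Exit codes: 2 = token missing, 3 = no manifests found,
#             otherwise whatever the scanner itself returned.
run_manifest_scan() {
    dir=$1
    scanner=${2:-datree}    # parameterised so the step can be dry-run locally

    if [ -z "${DATREE_TOKEN:-}" ]; then
        echo "DATREE_TOKEN is not set; refusing to scan without the account token" >&2
        return 2
    fi

    # Collect the file list in the positional parameters, which keeps
    # paths with spaces intact; accept both .yml and .yaml.
    set --
    for f in "$dir"/*.yml "$dir"/*.yaml; do
        [ -e "$f" ] || continue     # an unmatched pattern stays literal: skip it
        set -- "$@" "$f"
    done

    if [ "$#" -eq 0 ]; then
        echo "no .yml/.yaml manifests found under $dir" >&2
        return 3
    fi

    # The scanner's exit code is what fails (or passes) the CI step.
    "$scanner" test "$@"
}
```

In the workflow, the scan step's `run:` line would become something like `sh ./scripts/scan-manifests.sh ./kubernetes` (the script location is an assumption), with the same `env:` block supplying `DATREE_TOKEN`. Locally you can call `run_manifest_scan ./kubernetes` after sourcing the file to get the same exit codes the job will see.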

Execution and Results

The first thing to notice is that, as I've said before, the installation step is very quick.

This is why it is probably a good idea to leave it in the workflow even on self-hosted runners, so you don't have to worry about keeping the CLI up to date.

The validation scan is also very quick.

The second thing to notice is that, by design, a failed validation breaks the build: the CLI exits with a non-zero code, which fails the step and therefore the job. This is what enforces the policies and best practices, rather than just reporting on them.

Finally, let's take a look at the results.


As you can see, the output is exactly the same as when executing the CLI in a local environment, or anywhere else for that matter, keeping the experience very consistent.


Datree is free to use up to 1000 scans per month, and you can pay for more scans and enhanced support. However...

A Month for Free

You can get 1 month of the Premium plan for FREE if you use this link:


So, what do you think about Datree? Is it something you will adopt as part of your workflow? Let me know in the comments below; I'd really like to know.

You may also want to watch this video, in which I show you how to deploy to Kubernetes with Azure Pipelines starting from scratch.
