
Update Rego validations #104

Merged
merged 8 commits into from
Jun 13, 2024

Conversation


@santoshkal santoshkal commented Jun 13, 2024

This PR adds functionality to validate resources using regoval command with default Rego policies.

Now, if a user does not provide a Rego policy via the --policy flag, Genval will fetch default policies for the resource and validate the resource against them.


Closes: #88

Need to handle the error thrown when unable to fetch metadata fields from the default policies.

Signed-off-by: Santosh <[email protected]>
This method would require supplying the '.env' file to users, without
which the command will fail with error: Error reading .env file
Another approach could be to store all the ociURLs in a const and refer
to them to pull default policies.

Signed-off-by: Santosh <[email protected]>
…iles

Added examples for using default policies. Updated the logic for adding the source annotation for creating an OCI artifact

Signed-off-by: Santosh <[email protected]>
Signed-off-by: Santosh <[email protected]>

dryrunsecurity bot commented Jun 13, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

| DryRun Security Status        | Findings   |
|-------------------------------|------------|
| Configured Codepaths Analyzer | 0 findings |
| IDOR Analyzer                 | 0 findings |
| Sensitive Files Analyzer      | 2 findings |
| Authn/Authz Analyzer          | 0 findings |
| SQL Injection Analyzer        | 0 findings |
| Secrets Analyzer              | 0 findings |

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on improving the security and functionality of the genval application, which is a tool for validating infrastructure configurations (such as Kubernetes, Terraform, and Docker) against security policies. The changes introduce several enhancements, including:

  1. Support for Default Policies: The code now allows users to validate their infrastructure configurations using default policies maintained by the community, without the need to provide a specific policy file. This makes the tool more accessible and user-friendly.
  2. Improved Error Handling and Logging: The code now provides more detailed error messages and logging to help users better understand and troubleshoot any issues that may arise during the validation process.
  3. Remote Policy and Input File Support: The code now supports fetching policy files and input files from remote sources, such as GitHub, which can help centralize and standardize the security validation process.
  4. Dependency Updates: The code updates several dependencies to their latest versions, which is important for maintaining the application's security and stability.

From an application security perspective, these changes are generally positive and help to improve the overall security posture of the genval application. However, it's important to carefully review the implementation details, especially when it comes to handling remote resources and user-provided inputs, to ensure that there are no unintended security vulnerabilities introduced.

Files Changed:

  • cmd/regoval.go: The changes in this file are minor and involve updating the command description.
  • cmd/regoval_dockerfileval.go: The changes in this file improve the handling of default policies and provide more robust error handling for the dockerfileval command.
  • cmd/artifact_push.go: The changes in this file enhance the artifact push functionality, including the ability to sign artifacts using Cosign.
  • cmd/cel_infrafile.go: The changes in this file focus on improving the functionality of the celval infrafile command, which validates Kubernetes and related manifests using CEL policies.
  • cmd/regoval_infrafile.go: The changes in this file introduce the ability to validate infrastructure files using default policies, and they also improve error handling and logging.
  • cmd/regoval_terraform.go: The changes in this file add support for validating Terraform files using default policies and remote policy/input files.
  • go.mod and go.sum: These files have been updated to reflect changes in the project's dependencies.
  • pkg/oci/ociUtils.go: The changes in this file improve the handling of Git repository URLs, ensuring that any sensitive information is removed before returning the URL.
  • pkg/validate/printresults.go: The changes in this file focus on improving the error handling and logging within the PrintResults function.
  • pkg/validate/regoval.go: The changes in this file enhance the handling of multiple Rego policy files and their evaluation.
  • pkg/validate/validatedockerfile.go: The changes in this file improve the error handling within the ValidateDockerfile function.
  • pkg/validate/constants.go: The changes in this file introduce new constants related to Rego policy management.
  • pkg/validate/types.go: The changes in this file modify the structure of metadata and policy-related types.
  • Various Rego policy files: The changes in these files update the policy configurations and enforce security best practices for Kubernetes deployments.

Powered by DryRun Security
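The bot summary above flags that pkg/oci/ociUtils.go strips sensitive information from the Git repository URL before it is used (the commit log says this URL ends up as a source annotation on the pushed OCI artifact). The following is an added illustration of that defensive step, not the project's own code: a hypothetical SanitizeRepoURL helper that drops user credentials, query parameters and fragments from an https remote and normalises scp-style remotes to ssh://, so that a token embedded in a remote URL is never copied into artifact metadata. Repository names and the token-like value are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SanitizeRepoURL returns a credential-free form of a Git remote URL that is
// safe to embed as provenance metadata. Hypothetical helper for illustration.
func SanitizeRepoURL(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", errors.New("empty repository URL")
	}
	// scp-style remote (git@host:org/repo.git): net/url cannot parse it, so
	// split manually, drop any user part and rewrite as an ssh:// URL.
	if !strings.Contains(raw, "://") && strings.Contains(raw, ":") {
		rest := raw
		if at := strings.Index(raw, "@"); at >= 0 {
			rest = raw[at+1:]
		}
		hostPath := strings.SplitN(rest, ":", 2)
		if len(hostPath) != 2 || hostPath[0] == "" || hostPath[1] == "" {
			return "", fmt.Errorf("unrecognised scp-style URL %q", raw)
		}
		return "ssh://" + hostPath[0] + "/" + strings.TrimPrefix(hostPath[1], "/"), nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("parse %q: %w", raw, err)
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("URL %q has no scheme or host", raw)
	}
	u.User = nil    // drop user:password or oauth2:token userinfo
	u.RawQuery = "" // drop ?access_token=... style parameters
	u.Fragment = ""
	return u.String(), nil
}

func main() {
	// Constructed sample remotes; the token value is a placeholder.
	for _, in := range []string{
		"https://oauth2:EXAMPLE_TOKEN@github.com/example-org/genval.git?token=x",
		"git@github.com:example-org/genval.git",
	} {
		out, err := SanitizeRepoURL(in)
		fmt.Printf("%q -> %q (err=%v)\n", in, out, err)
	}
}
```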

@santoshkal santoshkal requested a review from devopstoday11 June 13, 2024 09:05
@santoshkal santoshkal merged commit c52ebb0 into main Jun 13, 2024
12 checks passed
Successfully merging this pull request may close these issues.

Enhance the validation workflow for regoval and celval commands