Merge pull request #2 from intelops/patch-1
Add Input templates and Default policies for Genval
Showing 52 changed files with 3,663 additions and 2 deletions.
@@ -0,0 +1,31 @@ | ||
name: ci | ||
on: | ||
push: | ||
branches: | ||
- main | ||
|
||
permissions: | ||
contents: write | ||
security-events: write | ||
# Optional: allow read access to pull request. Use with `only-new-issues` option. | ||
pull-requests: read | ||
|
||
jobs: | ||
push-artifact: | ||
name: CI | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/setup-go@v4 | ||
with: | ||
go-version: '1.22' | ||
cache: false | ||
|
||
- name: inetall genval | ||
run: go install github.com/intelops/genval@latest | ||
|
||
- name: push-rego-policies | ||
run: | | ||
genval artifact push --reqinput ./defaultpolicies/rego/docker_policies \ | ||
--dest ghcr.io/intelops/genval-security-policies/dockerfile-policies:v0.0.1 \ | ||
--annotations="authors=intelops Inc." |
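Review bot: `go install github.com/intelops/genval@latest` in the `inetall genval` step pulls whatever module version is current at run time, so the policies are pushed by an unpinned tool build that cannot be reproduced or audited later; pin a tagged release (`@vX.Y.Z`) and consider pinning `actions/checkout` and `actions/setup-go` to commit SHAs instead of the `@v3`/`@v4` tags. The `push-rego-policies` step pushes to `ghcr.io/intelops/genval-security-policies`, but no registry login step or token appears anywhere in the workflow, so either the push depends on credentials configured outside this file or it will fail at run time. The `permissions` block grants `contents: write`, `security-events: write` and `pull-requests: read`, none of which this single push job appears to use (the `only-new-issues` comment is a leftover from a linter template), while a push to GHCR with the workflow token normally needs `packages: write`. Also fix the step-name typo `inetall` to `install`.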
@@ -0,0 +1,3 @@ | ||
.todo | ||
modules/go.* | ||
genval |
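Review bot: `modules/go.*` would keep any `go.mod` and `go.sum` under `modules/` out of the repository, and without a committed `go.sum` a Go build there cannot verify module checksums; if `modules/` holds Go code that is built or vetted, drop this pattern (or narrow it to generated files) so the lock file is tracked. Ignoring the built `genval` binary and the local `.todo` file is fine.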
@@ -0,0 +1,3 @@ | ||
# TODO | ||
- Add Rego policy for checking if a Dockefile has ENTRYPOINT instruction | ||
- Add Rego policy to Check and Secrets or sensitive data in Dockerfile ARG,RUN COPY instructions |
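Review bot: spelling in both TODO items: `Dockefile` should be `Dockerfile`, and the second item reads `Check and Secrets` where `Check for secrets` is presumably intended; a comma is also missing between `RUN` and `COPY` in the instruction list.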
@@ -0,0 +1,21 @@ | ||
# STAGE 0 | ||
FROM cgr.dev/chainguard/clang:latest-dev as builder | ||
ENV APP_HOME=/app | ||
RUN useradd -m -s /bin/bash -d $APP_HOME myappuser | ||
WORKDIR $APP_HOME | ||
RUN apk add --no-cache clang clang-dev alpine-sdk dpkg \ | ||
&& apk add --update --no-cache cmake \ | ||
&& apk add --update --no-cache ccache | ||
COPY src/ $APP_HOME/src/ \ | ||
&& Makefile $APP_HOME/ | ||
RUN make -C $APP_HOME | ||
|
||
# STAGE 1 | ||
FROM cgr.dev/chainguard/static:latest | ||
ENV APP_USER=myappuser | ||
ENV APP_HOME=/app | ||
RUN useradd -m -s /bin/bash -d $APP_HOME $APP_USER | ||
WORKDIR $APP_HOME | ||
COPY --from=builder $APP_HOME/myapp $APP_HOME/myapp | ||
USER $APP_USER | ||
ENTRYPOINT ["./myapp"] |
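Review bot: `COPY src/ $APP_HOME/src/ \` followed by `&& Makefile $APP_HOME/` is not valid Dockerfile syntax: `COPY` accepts no shell operators, so the backslash-continued line is parsed as one `COPY` with `src/`, `$APP_HOME/src/`, `&&` and `Makefile` as sources and `$APP_HOME/` as the destination, and the build fails because no `&&` source exists in the context. Split it into two `COPY` instructions (`COPY src/ $APP_HOME/src/` and `COPY Makefile $APP_HOME/`). In stage 1, `cgr.dev/chainguard/static` ships no shell or package tooling, so `RUN useradd ...` cannot execute there; the static image already provides a `nonroot` user, so drop that `RUN` and set `USER nonroot` (or a numeric UID). Both stages also use `latest-dev`/`latest` tags, which the CEL policy `Check image with latest tag` added in this same commit rejects; pin the base images to a specific tag or digest so the template passes its own policies and builds reproducibly.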
@@ -1,2 +1,22 @@ | ||
# security-policies | ||
repo to maintain policies to enforce security and best practices using CEL and Rego | ||
# Security Policies for Genval | ||
|
||
Welcome to the **security-policies** repository! Here, we house a comprehensive collection of policies designed to enforce security and best practices using Rego, CEL, and CUELANG policies, specifically crafted for use with the **Genval** tool. Our goal is to provide a centralized resource for maintaining security standards across various Infrastructure as Code (IaC) technologies. | ||
|
||
## What's Inside? | ||
|
||
In this repository, you'll find security policies and best practices tailored for Dockerfiles, Kubernetes, and related technologies. These policies are neatly organized within the `default-policies` directory, with language-specific policies for different technologies nested underneath. You can explore policies written in **Rego**, **CEL**, and **CUELANG** within their respective directories. | ||
|
||
|
||
Additionally, we've included input templates designed to work seamlessly with **Genval**. These templates are intended for informational purposes, showcasing the required input format and demonstrating various use cases across different `modes` supported by Genval. You can find these input templates in the `input-templates` directory, covering technologies such as **CUE**, **Dockerfiles**, **Kubernetes (k8s)**, and **Terraform**. | ||
|
||
## Contributing to Security Policies | ||
|
||
We believe in the power of community collaboration. If you identify specific security policies that are missing from our current collection or have ideas for improvements, we invite you to get involved. Here's how you can contribute: | ||
|
||
1. **Raise an Issue**: If you have a proposal or wish to discuss potential security policies, please open an issue. This provides a platform for community input and feedback. | ||
|
||
2. **Submit a Pull Request (PR)**: To directly contribute your suggested security policies, submit a pull request. Our community values your expertise and insights, which will further enhance our security measures. | ||
|
||
Your contributions play a pivotal role in maintaining the integrity and effectiveness of our security policies. Together, we can make a meaningful impact on the security landscape of IaC technologies. | ||
|
||
Thank you for being part of our security-focused community! |
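Review bot: the README says policies live under `default-policies` and templates under `input-templates`, but the CI workflow in this same commit pushes from `./defaultpolicies/rego/docker_policies`; settle on one directory name so the documented layout matches what the workflow and users actually reference. The new text also mentions that templates cover the different `modes` supported by Genval without saying which directory exercises which mode; a short directory-to-mode mapping would make the templates usable without reading the tool's source.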
@@ -0,0 +1,19 @@ | ||
policies: | ||
- apiVersion: v1alpha1 | ||
kind: CELPolicy | ||
metadata: | ||
name: Check image with latest tag | ||
description: Deny Images with latest tag | ||
severity: Critical | ||
benchmark: XYZ | ||
rule: | | ||
!input.spec.template.spec.containers[0].image.endsWith('latest') | ||
- apiVersion: v1alpha1 | ||
kind: CELPolicy | ||
metadata: | ||
name: Check replicas in a Deployment | ||
description: Ensure that Deployment has at most 3 replicas | ||
severity: High | ||
benchmark: ABC | ||
rule: | | ||
input.kind == 'Deployment' ? input.spec.replicas >= 3 : true |
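Review bot: the second rule contradicts its own description: `Ensure that Deployment has at most 3 replicas` calls for `input.spec.replicas <= 3`, but the expression enforces `>= 3` (at least 3); decide which is intended and align the two. The first rule inspects only `containers[0]`, so a `latest`-tagged image in any later container or in `initContainers` passes; use `input.spec.template.spec.containers.all(c, !c.image.endsWith('latest'))` (and the same over `initContainers`) so every container is checked. Note also that `endsWith('latest')` misses an image with no tag at all, which resolves to `latest` implicitly, and that, unlike the second rule, the first has no `input.kind` guard, so it errors on any object without `spec.template`. The `benchmark: XYZ` / `ABC` values look like placeholders and should be filled in or removed before these ship as default policies.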
@@ -0,0 +1,10 @@ | ||
policies: | ||
- apiVersion: v1alpha1 | ||
kind: CELPolicy | ||
metadata: | ||
name: Deny global ingress | ||
description: Deny global ingress in AWS security groups | ||
severity: Critical | ||
benchmark: TEST | ||
rule: | | ||
input.resource.all(res,!has(res.aws_security_group.allow_tls.ingress) && res.aws_security_group.allow_tls.ingress.all(ing,ing.cidr_blocks.all(cb,cb != '0.0.0.0/0'))) |
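Review bot: the `Deny global ingress` rule can never pass for a security group that actually has ingress rules: `!has(res.aws_security_group.allow_tls.ingress) && res.aws_security_group.allow_tls.ingress.all(...)` requires the `ingress` field to be absent and, at the same time, iterates over it, so any resource with an `ingress` block evaluates to `false`, and when the field is absent the right-hand side raises a missing-key error instead. The intended guard is a disjunction: `!has(res.aws_security_group.allow_tls.ingress) || res.aws_security_group.allow_tls.ingress.all(ing, ing.cidr_blocks.all(cb, cb != '0.0.0.0/0'))`. The rule is also hard-wired to a security group named `allow_tls`, so a `0.0.0.0/0` ingress on any other security group is not evaluated at all, and `ipv6_cidr_blocks` containing `::/0` is not covered; iterate over every `aws_security_group` entry and check both CIDR lists.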
@@ -0,0 +1,54 @@ | ||
package argo | ||
|
||
import "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" | ||
|
||
#Application: v1alpha1.#Application & { | ||
apiVersion: string | *"argoproj.io/v1alpha1" | ||
kind: string | *"Application" | ||
metadata: _Metadata | ||
spec: v1alpha.#AppicationSpec & { | ||
source: { | ||
repoURL: string // requires a URL to your manifest repo | ||
targetRevision: string // requires to track the commit/branch/tag | ||
path: string // requires the path to the manifest in the repo | ||
chart: string // requires if your app uses Helm | ||
helm: { | ||
// All your Helm file values go here | ||
... | ||
} | ||
// If your app uses Kustomize overlays, they go here | ||
kustomize: { | ||
... | ||
} | ||
directory: { | ||
... | ||
} | ||
plugin: { | ||
... | ||
} | ||
} | ||
|
||
syncPolicy: { | ||
automated: { | ||
... | ||
} | ||
syncOptions: [...string] | ||
retry: { | ||
... | ||
} | ||
... | ||
} | ||
... | ||
revisionHistoryLimit: int | ||
} | ||
} | ||
|
||
_Metadata: { | ||
name: *"genval" | string | ||
namespace: *"genval" | string | ||
labels: { | ||
app: string | *"genval" | ||
env: *"mytest" | string | ||
} | ||
... | ||
} |
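Review bot: `spec: v1alpha.#AppicationSpec & {` references an identifier that does not exist: the import is in scope as `v1alpha1` (there is no `v1alpha`), and the Argo CD definition is spelled `#ApplicationSpec`, so `cue vet` or `cue eval` fails on this template; it should read `v1alpha1.#ApplicationSpec`. The comments on `source` say `chart` is needed only for Helm apps and `path` points at manifests in a Git repo, but all four fields are declared as plain `string`, which makes each one mandatory, so the constraint rejects a valid Git-sourced app (no `chart`) and a valid Helm-chart app (no `path`) alike; mark the conditional ones optional (`chart?: string`, `path?: string`) and leave `repoURL` required.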