Merge pull request #2 from intelops/patch-1
Add Input templates and Default policies for Genval
santoshkal authored Jun 5, 2024
2 parents 5b73918 + 99b2215 commit c9e1756
Showing 52 changed files with 3,663 additions and 2 deletions.
31 changes: 31 additions & 0 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
name: ci
on:
push:
branches:
- main

permissions:
contents: write
security-events: write
# Optional: allow read access to pull request. Use with `only-new-issues` option.
pull-requests: read

jobs:
push-artifact:
name: CI
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '1.22'
cache: false

- name: inetall genval
run: go install github.com/intelops/genval@latest

- name: push-rego-policies
run: |
genval artifact push --reqinput ./defaultpolicies/rego/docker_policies \
--dest ghcr.io/intelops/genval-security-policies/dockerfile-policies:v0.0.1 \
--annotations="authors=intelops Inc."
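Review bot: the push step runs `go install github.com/intelops/genval@latest` on top of actions pinned only by major tag (`actions/checkout@v3`, `actions/setup-go@v4`), so the job that publishes security policies to `ghcr.io` is itself built from an unpinned toolchain; pin genval to a tagged release and the actions to a commit SHA. The `permissions` block grants `contents: write`, `security-events: write` and `pull-requests: read`, none of which the visible steps use, while pushing to `ghcr.io` with the default `GITHUB_TOKEN` needs `packages: write`, and no registry login step appears in this hunk, so either add `packages: write` plus a login step or document which credential `genval artifact push` is expected to use. The step name `inetall genval` is a typo for `install genval`.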
3 changes: 3 additions & 0 deletions .gitignore
@@ -0,0 +1,3 @@
.todo
modules/go.*
genval
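Review bot: `.todo` is ignored here, yet this same PR commits a `.todo` file, so one of the two is unintended. `modules/go.*` also matches `go.sum`, the dependency checksum file; if `modules/` holds Go code, `go.sum` should be committed so builds verify module hashes, so narrow the pattern to what you actually want excluded.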
3 changes: 3 additions & 0 deletions .todo
@@ -0,0 +1,3 @@
# TODO
- Add Rego policy for checking if a Dockefile has ENTRYPOINT instruction
- Add Rego policy to Check and Secrets or sensitive data in Dockerfile ARG,RUN COPY instructions
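Review bot: the second item reads `Check and Secrets or sensitive data`, presumably `Check for secrets or sensitive data`, and `Dockefile` in the first item is a typo for `Dockerfile`. Since `.gitignore` in this PR lists `.todo`, these items are better tracked as issues, where contributors will actually see them.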
21 changes: 21 additions & 0 deletions Dockerfile-sample
@@ -0,0 +1,21 @@
# STAGE 0
FROM cgr.dev/chainguard/clang:latest-dev as builder
ENV APP_HOME=/app
RUN useradd -m -s /bin/bash -d $APP_HOME myappuser
WORKDIR $APP_HOME
RUN apk add --no-cache clang clang-dev alpine-sdk dpkg \
&& apk add --update --no-cache cmake \
&& apk add --update --no-cache ccache
COPY src/ $APP_HOME/src/ \
&& Makefile $APP_HOME/
RUN make -C $APP_HOME

# STAGE 1
FROM cgr.dev/chainguard/static:latest
ENV APP_USER=myappuser
ENV APP_HOME=/app
RUN useradd -m -s /bin/bash -d $APP_HOME $APP_USER
WORKDIR $APP_HOME
COPY --from=builder $APP_HOME/myapp $APP_HOME/myapp
USER $APP_USER
ENTRYPOINT ["./myapp"]
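Review bot: `COPY src/ $APP_HOME/src/ \` continued by `&& Makefile $APP_HOME/` is not valid Dockerfile syntax; `COPY` accepts no shell operators, so after line continuation `&&` is treated as a source path and the build fails. Split it into `COPY src/ $APP_HOME/src/` and `COPY Makefile $APP_HOME/`. Stage 1 then runs `RUN useradd ...` on `cgr.dev/chainguard/static:latest`, which ships neither a shell nor `useradd`, so that instruction cannot execute; the `static` image already runs as a non-root user by default, so drop the `useradd` and `USER` handling there or copy a prepared `/etc/passwd` entry from the builder. Both stages use floating tags (`latest-dev`, `latest`); a sample meant to exercise the image-tag policy in this PR should pin by digest so the check has a deterministic input.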
24 changes: 22 additions & 2 deletions README.md
@@ -1,2 +1,22 @@
# security-policies
repo to maintain policies to enforce security and best practices using CEL and Rego
# Security Policies for Genval

Welcome to the **security-policies** repository! Here, we house a comprehensive collection of policies designed to enforce security and best practices using Rego, CEL, and CUELANG policies, specifically crafted for use with the **Genval** tool. Our goal is to provide a centralized resource for maintaining security standards across various Infrastructure as Code (IaC) technologies.

## What's Inside?

In this repository, you'll find security policies and best practices tailored for Dockerfiles, Kubernetes, and related technologies. These policies are neatly organized within the `default-policies` directory, with language-specific policies for different technologies nested underneath. You can explore policies written in **Rego**, **CEL**, and **CUELANG** within their respective directories.


Additionally, we've included input templates designed to work seamlessly with **Genval**. These templates are intended for informational purposes, showcasing the required input format and demonstrating various use cases across different `modes` supported by Genval. You can find these input templates in the `input-templates` directory, covering technologies such as **CUE**, **Dockerfiles**, **Kubernetes (k8s)**, and **Terraform**.

## Contributing to Security Policies

We believe in the power of community collaboration. If you identify specific security policies that are missing from our current collection or have ideas for improvements, we invite you to get involved. Here's how you can contribute:

1. **Raise an Issue**: If you have a proposal or wish to discuss potential security policies, please open an issue. This provides a platform for community input and feedback.

2. **Submit a Pull Request (PR)**: To directly contribute your suggested security policies, submit a pull request. Our community values your expertise and insights, which will further enhance our security measures.

Your contributions play a pivotal role in maintaining the integrity and effectiveness of our security policies. Together, we can make a meaningful impact on the security landscape of IaC technologies.

Thank you for being part of our security-focused community!
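Review bot: the README says policies live under `default-policies`, but the CI workflow in this PR pushes from `./defaultpolicies/rego/docker_policies` (no hyphen); one of the two paths is wrong and the push step will fail on a missing directory. The README also never mentions that the Rego Dockerfile policies are published as an OCI artifact at `ghcr.io/intelops/genval-security-policies/dockerfile-policies:v0.0.1`; a short section on how to pull that artifact with `genval` would tell readers how the policies are meant to be consumed.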
19 changes: 19 additions & 0 deletions default-policies/cel/k8s_cel.yaml
@@ -0,0 +1,19 @@
policies:
- apiVersion: v1alpha1
kind: CELPolicy
metadata:
name: Check image with latest tag
description: Deny Images with latest tag
severity: Critical
benchmark: XYZ
rule: |
!input.spec.template.spec.containers[0].image.endsWith('latest')
- apiVersion: v1alpha1
kind: CELPolicy
metadata:
name: Check replicas in a Deployment
description: Ensure that Deployment has at most 3 replicas
severity: High
benchmark: ABC
rule: |
input.kind == 'Deployment' ? input.spec.replicas >= 3 : true
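Review bot: the replicas rule `input.kind == 'Deployment' ? input.spec.replicas >= 3 : true` passes Deployments with three or more replicas, the opposite of its description `Ensure that Deployment has at most 3 replicas`; it should be `<= 3`, and since `spec.replicas` is optional (absent means 1) guard it with `has(input.spec.replicas)`. The image rule inspects only `containers[0]` and tests `endsWith('latest')`, so a second container, an `initContainers` entry, or an image with no tag at all (which resolves to `latest`) all pass; iterate `input.spec.template.spec.containers.all(c, ...)` and treat a missing `:` tag as a failure. `benchmark: XYZ` and `benchmark: ABC` are placeholders that should be replaced or removed before this is a default policy.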
10 changes: 10 additions & 0 deletions default-policies/cel/terraform_cel
@@ -0,0 +1,10 @@
policies:
- apiVersion: v1alpha1
kind: CELPolicy
metadata:
name: Deny global ingress
description: Deny global ingress in AWS security groups
severity: Critical
benchmark: TEST
rule: |
input.resource.all(res,!has(res.aws_security_group.allow_tls.ingress) && res.aws_security_group.allow_tls.ingress.all(ing,ing.cidr_blocks.all(cb,cb != '0.0.0.0/0')))
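Review bot: the rule conjoins `!has(res.aws_security_group.allow_tls.ingress)` with a traversal of that same `ingress` list, so a security group that has ingress rules always fails on the first conjunct and one without them errors on the second; the intended shape is a disjunction, `!has(...) || ...ingress.all(ing, ...)`. It is also hard-wired to a security group named `allow_tls`, so every other `aws_security_group` in the plan goes unchecked, and any resource of a different type makes `has()` on the missing `aws_security_group` path error rather than evaluate to true; match on the resource type instead of the name and guard each level with `has()`. The file is `terraform_cel` without the `.yaml` extension that the sibling `k8s_cel.yaml` uses.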
54 changes: 54 additions & 0 deletions default-policies/cuelang/application.cue
@@ -0,0 +1,54 @@
package argo

import "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"

#Application: v1alpha1.#Application & {
apiVersion: string | *"argoproj.io/v1alpha1"
kind: string | *"Application"
metadata: _Metadata
spec: v1alpha.#AppicationSpec & {
source: {
repoURL: string // requires a URL to your manifest repo
targetRevision: string // requires to track the commit/branch/tag
path: string // requires the path to the manifest in the repo
chart: string // requires if your app uses Helm
helm: {
// All your Helm file values go here
...
}
// If your app uses Kustomize overlays, they go here
kustomize: {
...
}
directory: {
...
}
plugin: {
...
}
}

syncPolicy: {
automated: {
...
}
syncOptions: [...string]
retry: {
...
}
...
}
...
revisionHistoryLimit: int
}
}

_Metadata: {
name: *"genval" | string
namespace: *"genval" | string
labels: {
app: string | *"genval"
env: *"mytest" | string
}
...
}
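Review bot: `spec: v1alpha.#AppicationSpec & {` references `v1alpha`, but the only import is bound as `v1alpha1`, and the Argo CD type is `ApplicationSpec`, so `cue vet` rejects this file; it should read `v1alpha1.#ApplicationSpec`. The schema also declares `path: string` and `chart: string` as plain non-optional fields, whereas Argo CD treats `path` (git source) and `chart` (Helm repository source) as alternatives; model that as a disjunction or mark them optional with `?`. Because every struct ends in `...`, the schema accepts arbitrary extra keys; if the intent is to constrain Application manifests, closed structs would reject misspelled or unexpected fields.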