Compliance as Code
Building an IaC Program
For a technical process for approaching and building an internal IaC security strategy, one that meets its goals without slowing your developers down, see:
OPA
Tool | Description |
Documentation | Official OPA documentation |
conftest | Utility to write tests against structured configuration data (Kubernetes manifests, Terraform, Dockerfiles, ...) using Rego policies |
k8s gatekeeper | Policy controller for Kubernetes: OPA running as a validating admission webhook, with policies managed as ConstraintTemplate/Constraint resources
- Tutorials:
- Integrations:
  - konstraint: assists with the creation and management of constraints when using Gatekeeper
  - opa-image-scanner: admission controller for image scanning using OPA, checking that the image you scanned is the image you deploy in your Kubernetes cluster |
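The policy below is an added example of what conftest and Gatekeeper consume; it is not code from the original page or from the OPA, conftest or Gatekeeper projects. It assumes the file is saved under a `policy/` directory and that manifests are checked with `conftest test <manifest>.yaml -p policy/`; the manifest inside `test_privileged_container_denied` is a constructed sample for `conftest verify`, not one taken from a real cluster.

```rego
# Added example: a conftest policy for Kubernetes manifests (not part of the
# original page or of the OPA/conftest projects). Assumed usage:
#   conftest test deployment.yaml -p policy/     (this file lives in policy/)
# conftest binds each YAML document to `input` and evaluates every `deny`
# rule in package main; any produced message fails the run.
package main

import rego.v1

# The pod spec sits at different paths depending on the kind. Documents of
# other kinds (Service, ConfigMap, ...) leave pod_spec undefined and are skipped.
pod_spec := input.spec if input.kind == "Pod"

pod_spec := input.spec.template.spec if {
	input.kind in {"Deployment", "StatefulSet", "DaemonSet", "Job"}
}

pod_spec := input.spec.jobTemplate.spec.template.spec if input.kind == "CronJob"

# Init containers get the same scrutiny as application containers.
containers contains c if some c in pod_spec.containers

containers contains c if some c in pod_spec.initContainers

obj := sprintf("%s/%s", [input.kind, input.metadata.name])

# runAsNonRoot may be set on the container or inherited from the pod.
runs_as_non_root(c) if c.securityContext.runAsNonRoot == true

runs_as_non_root(_) if pod_spec.securityContext.runAsNonRoot == true

deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("%s: container %q must not run privileged", [obj, c.name])
}

deny contains msg if {
	some c in containers
	not runs_as_non_root(c)
	msg := sprintf("%s: container %q must set runAsNonRoot: true (container or pod securityContext)", [obj, c.name])
}

# An unset field is as bad as `true` here, so negate the safe value.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("%s: container %q must set allowPrivilegeEscalation: false", [obj, c.name])
}

# Mutable tags defeat reproducibility and admission-time image scanning.
deny contains msg if {
	some c in containers
	endswith(c.image, ":latest")
	msg := sprintf("%s: container %q uses the mutable tag :latest", [obj, c.name])
}

# Look only at the final path element so a registry port (host:5000/app)
# is not mistaken for a tag; a digest (app@sha256:...) also contains ':'.
deny contains msg if {
	some c in containers
	parts := split(c.image, "/")
	last := parts[count(parts) - 1]
	not contains(last, ":")
	msg := sprintf("%s: container %q has no tag or digest (defaults to :latest)", [obj, c.name])
}

deny contains msg if {
	some c in containers
	not c.resources.limits.memory
	msg := sprintf("%s: container %q has no memory limit", [obj, c.name])
}

# Constructed manifest for `conftest verify`; not taken from a real cluster.
# Everything is compliant except the privileged flag, so exactly one message.
test_privileged_container_denied if {
	pod := {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {"containers": [{
		"name": "shell",
		"image": "busybox:1.36",
		"securityContext": {"privileged": true, "runAsNonRoot": true, "allowPrivilegeEscalation": false},
		"resources": {"limits": {"memory": "64Mi"}}
	}]}}
	msgs := deny with input as pod
	count(msgs) == 1
	some m in msgs
	contains(m, "privileged")
}
```

The same rule bodies port to Gatekeeper by placing them in a ConstraintTemplate, renaming `deny` to `violation[{"msg": msg}]` and reading the object from `input.review.object` instead of `input`; conftest runs the rules at build time, Gatekeeper at admission time, so one policy covers both gates.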
Static Analysis
Exploration
For an experiment in using Semgrep to eradicate classes of (cloud) vulnerabilities from Infrastructure as Code, see:
Terraform
Tool | Description |
Sentinel | Terraform Foundational Policies Library: library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform |
tfsec | Static analysis of Terraform templates to spot potential security issues |
checkov | Prevents cloud misconfigurations at build time for Terraform, CloudFormation, Kubernetes and the Serverless framework |
terrascan | Collection of security and best-practice tests for static analysis of Terraform templates |
tf-parliament | Runs Parliament, the AWS IAM policy linter, on Terraform files |
regula | Checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego |
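To show the kind of check regula and `conftest test plan.json` perform over Terraform plan JSON, here is an added example policy; it is not code from the original page or from the tfsec, checkov or regula projects. It assumes the plan was exported with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and is evaluated with `conftest test plan.json -p policy/`; the plan fragment inside `test_ssh_open_to_world` is constructed for `conftest verify`, not real Terraform output.

```rego
# Added example: a Rego policy over `terraform show -json` plan output
# (not part of the original page or of tfsec/checkov/regula). Assumed usage:
#   terraform plan -out tfplan && terraform show -json tfplan > plan.json
#   conftest test plan.json -p policy/
package main

import rego.v1

# Resources that will exist after apply; pure deletes are irrelevant.
# A "replace" carries ["delete", "create"] and is therefore included.
planned contains r if {
	some r in input.resource_changes
	some action in r.change.actions
	action in {"create", "update"}
}

# Normalise inline `ingress` blocks and standalone aws_security_group_rule
# resources to one shape: {"addr": <resource address>, "rule": <rule fields>}.
# Both carry from_port, to_port, protocol, cidr_blocks and ipv6_cidr_blocks.
ingress contains {"addr": r.address, "rule": i} if {
	some r in planned
	r.type == "aws_security_group"
	some i in r.change.after.ingress
}

ingress contains {"addr": r.address, "rule": r.change.after} if {
	some r in planned
	r.type == "aws_security_group_rule"
	r.change.after.type == "ingress"
}

world_open(rule) if "0.0.0.0/0" in rule.cidr_blocks

world_open(rule) if "::/0" in rule.ipv6_cidr_blocks

# Management ports that must never be reachable from the Internet.
admin_ports := {22, 3389}

# Edge case: an "all traffic" rule is protocol "-1" with from_port and
# to_port both 0, so a port-range comparison alone would never match it.
deny contains msg if {
	some e in ingress
	world_open(e.rule)
	e.rule.protocol == "-1"
	msg := sprintf("%s: ingress allows all traffic from the Internet", [e.addr])
}

deny contains msg if {
	some e in ingress
	world_open(e.rule)
	e.rule.protocol != "-1"
	some p in admin_ports
	p >= e.rule.from_port
	p <= e.rule.to_port
	msg := sprintf("%s: ingress %d-%d from the Internet exposes admin port %d", [e.addr, e.rule.from_port, e.rule.to_port, p])
}

# publicly_accessible is known at plan time, so it appears in change.after.
deny contains msg if {
	some r in planned
	r.type == "aws_db_instance"
	r.change.after.publicly_accessible == true
	msg := sprintf("%s: RDS instance is publicly accessible", [r.address])
}

# Constructed plan fragment for `conftest verify`; not real Terraform output.
# Only the port-22 rule should be flagged, not the HTTPS rule.
test_ssh_open_to_world if {
	plan := {"resource_changes": [{
		"address": "aws_security_group.web",
		"type": "aws_security_group",
		"change": {"actions": ["create"], "after": {"ingress": [
			{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
			{"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}
		]}}
	}]}
	msgs := deny with input as plan
	count(msgs) == 1
	some m in msgs
	contains(m, "admin port 22")
}
```

One caveat when writing plan-JSON policies: attributes whose values are only known at apply time are reported under `change.after_unknown` (as `true`) and are absent from `change.after`, so a rule that only reads `after` stays silent on them. Where a value is mandatory (an encryption flag, for instance), deny when it is neither present in `after` nor marked in `after_unknown`.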
CloudFormation
Tool | Description |
cfripper | Library and CLI tool for analysing CloudFormation templates and checking them for security compliance |
checkov | Prevents cloud misconfigurations at build time for Terraform, CloudFormation, Kubernetes and the Serverless framework |
Docker
Tool | Description |
trivy | Simple and comprehensive vulnerability scanner for containers, suitable for CI |
clair | Vulnerability static analysis for containers |
tern | Software package inspection tool for containers |
grype | Vulnerability scanner for container images and filesystems |
dockle | Container image linter for security, helping build best-practice Docker images |
container-scan | GitHub Action to scan your Docker image for vulnerabilities, leveraging Trivy and Dockle |
dagda | Static analysis of known vulnerabilities, malware and other malicious threats in Docker images/containers; also monitors the Docker daemon and running containers to detect anomalous activity |
Kubernetes
Tool | Description |
kube-score | Static analysis of your Kubernetes object definitions; the output is a list of recommendations |
Kubei | Vulnerability scanning tool that gives a risk assessment of a cluster: scans all images in use, including those of application pods and system pods |
version-checker | Utility for observing the current versions of images running in the cluster, as well as the latest available upstream |
chart-testing | CLI tool for linting and testing Helm charts |
Pipeline / Supply Chain
Tool | Description |
TUF | The Update Framework: adds a layer of signed metadata (roles, key thresholds, expiry) on top of a repository, giving a compromise-resilient mechanism for distributing artifacts; a CI/CD system can use TUF to sign what it publishes |
in-toto | End-to-end verification of a software supply chain: each step produces signed link metadata that is checked against a layout signed by the project owner, so the verifier can guarantee that the CI/CD system packaged exactly the source code that one of the developers signed |
Providence | System for code commit and bug tracker monitoring; deployed within an organization to monitor code commits for security (or other) concerns via customizable plugins |
rode | Collection, attestation and enforcement of policies in your software supply chain, built on Grafeas and OPA |