Compliance as Code
Compliance as Code
Building an IaC Program
For a technical process for approaching and building an internal IaC security strategy, which meets goals without slowing your developers down:
OPA
| |
| Documentation | |
| conftest | |
| k8s gatekeeper | - Tutorials:
- Integrations:
- konstraint: assist with the creation and management of constraints when using Gatekeeper
- opa-image-scanner: Admission Controller for Image Scanning using OPA, to check if the image you scan is the image you deploy in your K8S cluster
|
Static Analysis
Exploration
For an experimentation with Semgrep to eradicate classes of (cloud) vulnerabilities from Infrastructure as Code, please refer to:
| Tool | Description |
| Sentinel | Terraform Foundational Policies Library: library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform |
| tfsec | Static analysis of TF templates to spot potential security issues |
| checkov | Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework |
| terrascan | Collection of security and best practice test for static code analysis of terraform templates |
| tf-parliament | Run Parliament AWS IAM Checker on Terraform Files |
| regula | Checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego |
| Tool | Description |
| cfripper | |
| checkov | - Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework
|
Docker
| Tool | Description |
| trivy | - A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
|
| clair | |
| tern | - Software package inspection tool for containers
|
| grype | - Vulnerability scanner for container images and filesystems
|
| dockle | - Container Image Linter for Security, Helping build the Best-Practice Docker Image
|
| container-scan | - A GitHub action to help you scan your docker image for vulnerabilities, leveraging Trivy and Dockle
|
| dagda | - Static analysis of known vulnerabilities, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities
|
Kubernetes
| Tool | Description |
| kube-score | - Performs static code analysis of your Kubernetes object definitions
- The output is a list of recommendations
|
| Kubei | - Vulnerabilities scanning tool that allows to get a risk assessment of a cluster
- Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods
|
| version-checker | - Utility for observing the current versions of images running in the cluster, as well as the latest available upstream
|
| chart-testing | - CLI tool for linting and testing Helm charts
|
Pipeline / Supply Chain
| Tool | Description |
| TUF | - TUF
- The CI/CD system uses TUF to sign new integrations
- Provides with a compromise-resilient mechanism by adding a higher layer of signed metadata to the repository
|
| in-toto | - in-toto
- Provides end-to-end verification of a software supply chain
- Guarantees that the CI/CD system packaged exactly the source code that one of the developers signed
|
| Providence | - Providence is a system for code commit & bug system monitoring
- It is deployed within an organization to monitor code commits for security (or other) concerns, via customizable plugins
|
| rode | - Rode provides the collection, attestation and enforcement of policies in your software supply chain with Grafeas and OPA
|