Compliance as Code

Compliance as Code¶

Building an IaC Program

For a technical process for approaching and building an internal IaC security strategy, which meets goals without slowing your developers down:

Building an IaC security and governance program step-by-step

Tool	Description
Open Policy Agent	Policy-based control for cloud native environments
Chef InSpec	Turn your compliance, security, and other policy requirements into automated tests
HashiCorp Sentinel	Policy As Code tool which can be run locally via Sentinel Simulator and be used to validate any sort of JSON, like the output from a terraform plan Using HashiCorp Sentinel to validate Terraform configuration/plan

OPA¶


Documentation	Introducing Policy As Code: The Open Policy Agent (OPA) The Rego Playground Styra Academy 5 tips for using the Rego language Fitness Validation For Your Kubernetes Apps: Policy As Code Enforce Ingress Best Practices Using OPA Authorizing Microservice APIs With OPA and Kuma
Conftest	Tutorials: Accelerated Feedback Loops when Developing for Kubernetes with Conftest Creating Exceptions Lists for Conftest in Rego Validate Kubernetes API Versions With Conftest Policies: Collection of rego policies Deprek8: check for deprecated API versions (blog) Helpers: action-conftest: a GitHub Action for using conftest in your CI
Gatekeeper	Tutorials: OPA Gatekeeper: Policy and Governance for Kubernetes How to monitor OPA Gatekeeper with Prometheus metrics Using Gatekeeper in Kubernetes Performing Image Scanning on Admission Controller with OPA Kubernetes Pod Security Policies with Open Policy Agent Enforce Custom Resource policies with Open Policy Agent Gatekeeper Policies: gatekeeper-library: the official Gatekeeper policy library sample apps: demo of Gatekeeper functionality k8s-security-policies: security policies created based on CIS Kubernetes benchmark and rules defined in Kubesec.io Integrations: konstraint: assist with the creation and management of constraints when using Gatekeeper opa-image-scanner: Admission Controller for Image Scanning using OPA, to check if the image you scan is the image you deploy in your K8S cluster
OPAL	Administration layer for OPA, detecting changes to both policy and policy data in realtime and pushing live updates to your agents. As your application state changes (whether it's via your APIs, DBs, git, S3 or 3^rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need.

Static Analysis¶

Exploration

For an experimentation with Semgrep to eradicate classes of (cloud) vulnerabilities from Infrastructure as Code, please refer to:

Semgrep for Cloud Security

Tool comparison

This repo provides a comparison of the capabilities of the main scanners currently available:

iacsecurity/tool-compare

Terraform¶

Tool	Description
Sentinel	Terraform Foundational Policies Library: library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform
tfsec	Static analysis of TF templates to spot potential security issues
checkov	Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework
terrascan	Collection of security and best practice test for static code analysis of terraform templates
tf-parliament	Run Parliament AWS IAM Checker on Terraform Files
regula	Checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego

CloudFormation¶

Tool	Description
cfripper	Library and CLI tool for analysing CloudFormation templates and check them for security compliance Cloud Governance with CFRipper
checkov	Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework

Docker¶

Tool	Description
trivy	A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
clair	Scan docker images for security vulnerabilities Usage: https://github.com/marco-lancini/offensive-infrastructure/tree/master/templates/docker/ops_clair
tern	Software package inspection tool for containers
grype	Vulnerability scanner for container images and filesystems
dockle	Container Image Linter for Security, Helping build the Best-Practice Docker Image
container-scan	A GitHub action to help you scan your docker image for vulnerabilities, leveraging Trivy and Dockle
dagda	Static analysis of known vulnerabilities, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities
fossa-action	Scan images and finds license compliance and security issues

Kubernetes¶

Tool	Description
kube-score	Performs static code analysis of your Kubernetes object definitions The output is a list of recommendations
Kubei	Vulnerabilities scanning tool that allows to get a risk assessment of a cluster Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods
version-checker	Utility for observing the current versions of images running in the cluster, as well as the latest available upstream
chart-testing	CLI tool for linting and testing Helm charts

Pipeline / Supply Chain¶

Tool	Description
TUF	TUF The CI/CD system uses TUF to sign new integrations Provides with a compromise-resilient mechanism by adding a higher layer of signed metadata to the repository
in-toto	in-toto Provides end-to-end verification of a software supply chain Guarantees that the CI/CD system packaged exactly the source code that one of the developers signed
Providence	Providence is a system for code commit & bug system monitoring It is deployed within an organization to monitor code commits for security (or other) concerns, via customizable plugins
rode	Rode provides the collection, attestation and enforcement of policies in your software supply chain with Grafeas and OPA