Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tasks need hardening #227

Open
sudo-bmitch opened this issue May 26, 2022 · 1 comment
Open

Tasks need hardening #227

sudo-bmitch opened this issue May 26, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@sudo-bmitch
Copy link
Contributor

Current Behavior

Current tasks allow lots of parameters that could be useful for attackers. E.g. the image being run for these is a parameter in most Task definitions.

Expected Behavior

Tasks and Pipelines should be hardened to run builds securely.

Possible Solution or Alternative

Tasks should have their parameters limited to content that is safe for an untrusted user to provide.

Context
@sudo-bmitch sudo-bmitch added the enhancement New feature or request label May 26, 2022
@yfolias
Copy link

yfolias commented Sep 9, 2022
edited
Loading

After reviewing the tasks and the pipelines included in the example section, I concluded that there are two potential solutions, either hardcode part or the entire param values or implement an OPA policy. There is already an ongoing piece of work related to enforcing the use of signed images via an OPA policy, so unless otherwise stated, there is no additional work to be done

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sudo-bmitch @yfolias