[Blueprint] DOKS Supply Chain Security #41

Open
10 of 15 tasks
v-ctiutiu opened this issue Jul 19, 2022 · 0 comments
v-ctiutiu commented Jul 19, 2022

Overview

Because Kubernetes is so popular nowadays, security plays a vital role. The main idea of the DOKS Supply Chain Security blueprint is to provide a starting point for developers to set up a CI/CD pipeline with integrated vulnerability scanning support. The main topics and ideas discussed are around supply chain security in the Kubernetes ecosystem.

In terms of tooling, we focus on Kubescape and Snyk. Then, we use two separate guides describing the two. The accompanying examples show the user how to create a standard CI/CD workflow using GitHub Actions.

Main topics:

  • Short introduction about each tool and features.
  • Operation examples.
  • GitHub workflow implementation of a typical CI/CD pipeline for both tools (Snyk, Kubescape).
  • Export scan results to dashboards for later investigation (cloud portal, as well as GitHub Security).
  • Scan results investigation and how to fix reported issues.
  • Continuous monitoring for newly disclosed vulnerabilities.
  • Basic Slack notification support.
  • IDE support.

Additional topics to cover:

  • Scan container images in the CI/CD pipeline (or GitHub workflow). Only Snyk supports this feature for now.
  • Image signing.
  • Admission controllers to allow or deny containers to run based on trust (works in conjunction with image signing).

Other enhancements and nice to haves:

  • Slack notifications sent from the GitHub workflow should include the desired and current risk score information for Kubescape (or security level for Snyk).
  • If possible, Slack notifications should present a cloud portal link which redirects to the application being scanned.
  • Export scan results using GitHub SARIF format. Main benefit is that scan results can be viewed in the Security tab of the GitHub repo.
  • Run pipeline build steps only if source code changes - e.g. build and push the app Docker image only if the Dockerfile has changed and the image needs a rebuild.
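As an added example (not part of this issue and not the project's own code), here is one GitHub Actions workflow that wires several of the items above together: Kubescape scans the Kubernetes manifests and Snyk scans the container image, both export SARIF so findings land in the repo's Security tab, the image build is skipped unless the Dockerfile or source changed, and a Slack message is sent when a scan fails. Assumptions: manifests live under kubernetes/, the image is called example-app, the repository has SNYK_TOKEN and SLACK_WEBHOOK_URL secrets, and the action input names are the ones documented in each action's README at the time of writing (check them against the current README before use).

```yaml
name: supply-chain-scan

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * *"   # daily re-scan picks up newly disclosed vulnerabilities

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  manifests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Kubescape scan of Kubernetes manifests
        uses: kubescape/github-action@main   # assumption: pin to a commit SHA in production
        with:
          files: "kubernetes/"       # assumed manifest directory
          format: sarif
          outputFile: results        # action writes results.sarif
      - name: Upload Kubescape results to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

  image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Detect whether the image needs a rebuild
        id: changes
        uses: dorny/paths-filter@v2
        with:
          filters: |
            docker:
              - 'Dockerfile'
              - 'src/**'
      - name: Build image
        # rebuild only when relevant files changed; scheduled runs always rebuild
        if: steps.changes.outputs.docker == 'true' || github.event_name == 'schedule'
        run: docker build -t example-app:${{ github.sha }} .
      - name: Snyk container scan
        if: steps.changes.outputs.docker == 'true' || github.event_name == 'schedule'
        continue-on-error: true     # keep going so the SARIF upload still happens
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: example-app:${{ github.sha }}
          args: --file=Dockerfile --severity-threshold=high
      - name: Upload Snyk results to GitHub Security
        if: steps.changes.outputs.docker == 'true' || github.event_name == 'schedule'
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

  notify:
    needs: [manifests, image]
    if: failure()
    runs-on: ubuntu-latest
    steps:
      - name: Slack notification on scan failure
        uses: slackapi/slack-github-action@v1
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        with:
          payload: |
            {
              "text": "Supply chain scan failed for ${{ github.repository }} (${{ github.sha }}): ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
            }
```

The SARIF uploads are what make the Security tab useful: each scanner's findings appear as code scanning alerts with their own history, so a vulnerability disclosed after the last commit shows up on the next scheduled run without anyone re-reading job logs. The `continue-on-error` on the Snyk step is deliberate; without it a failed scan would abort the job before the SARIF file is uploaded, and the failure would be invisible in the Security tab.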