Vault Init script #4
base: master
…to curl API requests
Signed-off-by: Volodymyr Starodubov <[email protected]>
Signed-off-by: Volodymyr Starodubov <[email protected]>
Currently this branch is not fully tested and can contain some errors during run.
Signed-off-by: Volodymyr Starodubov <[email protected]>
Force-pushed from 1628e0a to 767ec67
Signed-off-by: Volodymyr Starodubov <[email protected]>
Force-pushed from 2682fa7 to cc53e27
Signed-off-by: Volodymyr Starodubov <[email protected]>
Force-pushed from d13d149 to d124341
@jradikk ready to review.
    ignore-unfixed: true
    severity: 'CRITICAL,HIGH'
    exit-code: '1'
    format: 'table'
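Review bot: with `format: 'table'` and `exit-code: '1'` the findings exist only in the job log, and a non-zero exit fails the step before any later step (such as a results upload) runs. If the intent is to surface findings in the repository's Security tab, the scan needs `format: 'sarif'` plus an `output` file, and the upload step must be allowed to run after a failed scan step (for example with `if: always()`); the severity gate for failing the build can stay at `'CRITICAL,HIGH'`.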
I think GitHub supports using nice reports for security findings. Although it might require a subscription. Can you check that please? If it's not an option, let's think about maybe using badges in README or anything else that comes with a nicer UI than a log.
There are two possible ways:
- SBOM report to Github Dependency Graph.
- SARIF report to Github Code Scanning.
I don't know which is better, so I'll test both.
Chose SARIF code scanning, because SBOM is not working with non-default branches and tags. Example of a medium severity report: https://github.com/Alpacked/security-hardening-helm/security/code-scanning/1
Another question about the severity of reports: we can have all types in the Security tab and GitHub will create alerts only for high and higher thresholds.
Or leave our mechanism as is and create security findings only for HIGH and CRITICAL vulnerabilities?
Let's capture all of them, but fail the build and alert for high and critical only.
If we want to use SARIF/Code scanning reports, we can't fail our pipeline during the scan action because it will prevent results from uploading. I'm thinking of two options:
- (Lame) Make a second scan right before pushing to Docker Hub.
- Build and scan at (master) branch push (restrict to paths: scripts/*.sh and Dockerfile), build and push at tag push (will be restricted by ruleset if there are high or higher errors not resolved).
What do you think?
Is there an option to create some sort of artifact or variable that would contain a boolean value, based on which a push job is triggered?
Found a workaround for how to run the upload step even if 'scan' found some vulnerabilities, but if SARIF isn't limited by our rule (we can upload a full file with the 'limit-severities-for-sarif' parameter) it will always fail if some vulnerabilities are found.
So in that case we need to limit SARIF output to our HIGH and CRITICAL, until trivy-action changes something.
Created issue in trivy-action repository: aquasecurity/trivy-action#309
For now, security findings will be limited to high and critical vulnerabilities.
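One way to wire up the arrangement discussed above, as an added example workflow that is not part of this PR or of the repository: the scan step keeps `exit-code: '1'` so the job still fails on HIGH/CRITICAL findings, `limit-severities-for-sarif` restricts the SARIF file to those same severities, and the upload step is marked `if: always()` so results reach Code Scanning even when the scan step has failed. The image name, the workflow name and the action version tags are assumptions.

```yaml
name: scan-image   # added example workflow, not the repository's own

on:
  push:
    branches: [master]
    paths:
      - 'scripts/*.sh'
      - 'Dockerfile'

permissions:
  contents: read
  security-events: write   # needed to upload SARIF to Code Scanning

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Image name is a placeholder; build locally so nothing is pushed before the scan.
      - name: Build image
        run: docker build -t example/vault-init:scan .

      # exit-code '1' fails this step on HIGH/CRITICAL findings, which is what
      # keeps a downstream push job from running. limit-severities-for-sarif
      # keeps the SARIF file to the same severities as the gate.
      - name: Trivy scan
        uses: aquasecurity/trivy-action@0.28.0   # version tag is an assumption
        with:
          scan-type: 'image'
          image-ref: 'example/vault-init:scan'
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
          limit-severities-for-sarif: true

      # always() runs this step even after the scan step failed, so findings
      # still appear in the Security tab; the job itself stays failed.
      - name: Upload SARIF to Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```

A separate push job declared with `needs: scan` is skipped whenever the scan job fails, so the failed scan step doubles as the boolean gate asked about earlier in the thread without any extra artifact or variable.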
- Removing vaultInit.serviceAccount
- Moving image values to values root
- Iterating for enabled inits for manifests: jobs, roles, rolebindings
Signed-off-by: Volodymyr Starodubov <[email protected]>
Signed-off-by: Volodymyr Starodubov <[email protected]>
Signed-off-by: Volodymyr Starodubov <[email protected]>
Signed-off-by: Volodymyr Starodubov <[email protected]>
Signed-off-by: Volodymyr Starodubov <[email protected]>
Signed-off-by: Volodymyr Starodubov <[email protected]>
Signed-off-by: Volodymyr Starodubov <[email protected]>
Force-pushed from 597a3d4 to 91da4b9
Signed-off-by: Volodymyr Starodubov <[email protected]>
Signed-off-by: Volodymyr Starodubov <[email protected]>
Signed-off-by: Volodymyr Starodubov <[email protected]>
This is a small rework of #3 request, related to #2
Changes:
- external-secrets dependency, because right now it doesn't have the required namespace label for umbrella chart deployment (Changes requested)
- helm test runs (requires installed ESO)
- helm-repo branch
- vault/Chart.yaml