buildkite / feedback


Support an easy way for implementing security whitelist checks #484

Open zsims opened 5 years ago

zsims commented 5 years ago

Per https://buildkite.com/docs/agent/v3/securing#whitelisting some examples are given that check the repository, command, and plugins, against a list of "allowed items."

This is cumbersome when considering plugins and repositories, and must be repeated for all agents. It would be nice if the buildkite-agent (or similar) supported checking these whitelists, e.g.

environment hook:

```bash
buildkite-agent whitelist check \
  --allowed-plugins-file "allowed-plugins.txt" \
  --allowed-repositories-file "allowed-repositories.txt" || exit 1
```

This means there's no need to copy/use scripts like https://github.com/buildkite/buildkite-plugin-whitelister, but the "whitelists" themselves can still be shared (e.g. via S3).
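What such a check would have to do, as an added example that is neither Buildkite's code nor the whitelister plugin: a small script an environment hook would call with `|| exit 1`, reading the agent's `BUILDKITE_REPO` and `BUILDKITE_PLUGINS` variables and two one-entry-per-line allowlist files. The file names, the JSON shape assumed for `BUILDKITE_PLUGINS`, and the rule that an unpinned allowlist entry admits any version of that plugin are assumptions.

```python
"""Added example: a stand-in for the proposed `buildkite-agent whitelist check`.
Reads BUILDKITE_REPO and BUILDKITE_PLUGINS, exits 1 if anything is not listed."""
import json
import os
import sys
from pathlib import Path

def load_allowlist(text):
    """One entry per line; blank lines and '#' comment lines are ignored."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")}

def plugin_refs(plugins_json):
    """Plugin references from BUILDKITE_PLUGINS, assumed to be a JSON array of
    single-key objects like [{"github.com/org/plugin#v1.0.0": {...}}].
    Anything malformed returns None so the caller fails closed."""
    if not plugins_json:
        return []  # no plugins requested for this job
    try:
        items = json.loads(plugins_json)
    except ValueError:
        return None
    if not isinstance(items, list) or not all(isinstance(i, dict) for i in items):
        return None
    return [ref for item in items for ref in item]

def plugin_allowed(ref, allowed):
    """Exact pinned reference, or (assumption) an unpinned allowlist line such
    as github.com/org/plugin, which admits any version of that plugin."""
    return ref in allowed or ref.split("#", 1)[0] in allowed

def disallowed(repo, plugins_json, allowed_repos, allowed_plugins):
    """All violations for one job; an empty list means the job may proceed."""
    problems = [] if repo in allowed_repos else ["repository not allowed: " + repo]
    refs = plugin_refs(plugins_json)
    if refs is None:
        problems.append("BUILDKITE_PLUGINS is not a valid plugin list")
    else:
        problems += ["plugin not allowed: " + r for r in refs
                     if not plugin_allowed(r, allowed_plugins)]
    return problems

if __name__ == "__main__":
    repos = load_allowlist(Path("allowed-repositories.txt").read_text())
    plugins = load_allowlist(Path("allowed-plugins.txt").read_text())
    problems = disallowed(os.environ.get("BUILDKITE_REPO", ""),
                          os.environ.get("BUILDKITE_PLUGINS", ""), repos, plugins)
    for p in problems:
        print(p, file=sys.stderr)
    sys.exit(1 if problems else 0)  # non-zero exit fails the environment hook
```

Every miss is reported before exiting, and an unparseable plugin list is treated as a violation rather than ignored.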