As actions can perform dangerous operations, such as sending confidential data to a third-party system, deleting data from Fortify systems and, potentially in the future, running arbitrary commands, security for (custom) actions is an important topic and the primary reason for implementing signing capabilities to establish a trust relationship between action author and action consumer.
It would be good to provide the ability to generate a security report that assigns a risk level to each step defined in a given action YAML file. One option would be Fortify rules that analyze action YAML files, but that is difficult for FoD customers unless such rules ship in the standard Fortify rule packs rather than as custom rules. Probably easier is a dedicated fcli * action analyze (or similar) command that inspects the action contents and outputs a simple text-based security report, or even just a list of instructions with an associated risk level for each.
For example, such a command would:
Check whether action performs only GET-operations on SSC/FoD
Check whether action (also) performs PUT/POST/DELETE operations on SSC/FoD
Check whether action connects to other URLs (through addRequestTargets: element)
Check whether action runs any fcli commands (potentially differentiate between get/list vs update/delete/other commands)
Check whether action runs any external commands (like rm -rf /), if we ever add support for a generic run: element.
Potentially allow for custom checks
Given the last point, we could even implement the security checks as a customizable action, i.e., fcli * action run action-security-report <action source>, with that action loading the YAML file of the action to be analyzed as JSON contents and then, for example, using check instructions to perform security checks on the steps specified by that action.
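The following is an added illustration of the classification the proposed analyze command would perform; it is not fcli code and the action schema it reads (top-level addRequestTargets, steps containing requests/fcli/run elements, a run element that does not exist today) is a simplified assumption made for the example. The sample action is constructed inline, and the lists of read-only and destructive fcli verbs are heuristics, not an fcli-defined classification.

```python
import json
from dataclasses import dataclass

# Risk levels in increasing order of severity.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}
READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"POST", "PUT", "PATCH"}
# Heuristic verb lists (assumed for this example, not defined by fcli).
FCLI_READ_VERBS = {"get", "list", "ls"}
FCLI_DESTRUCTIVE_VERBS = {"delete", "rm", "purge"}

# Constructed sample action in a simplified, assumed schema. The 'run'
# element is hypothetical: it illustrates a generic external-command step.
SAMPLE_ACTION = """
{
  "addRequestTargets": [{"name": "webhook", "baseUrl": "https://example.invalid/hook"}],
  "steps": [
    {"requests": [{"name": "issues", "method": "GET", "uri": "/api/v1/projectVersions/${id}/issues"}]},
    {"fcli": [{"name": "listIssues", "args": "ssc issue list --av ${av}"}]},
    {"requests": [{"name": "notify", "target": "webhook", "method": "POST", "uri": "/", "body": "${issues}"}]},
    {"requests": [{"name": "rename", "method": "PUT", "uri": "/api/v1/projectVersions/${id}"}]},
    {"fcli": [{"name": "cleanup", "args": "ssc appversion delete ${av}"}]},
    {"run": "rm -rf /tmp/work"}
  ]
}
"""


@dataclass
class Finding:
    step: int
    instruction: str
    risk: str
    reason: str


def _fcli_verb(args: str) -> str:
    """Return the last command-path token of an fcli invocation, e.g. 'list'
    for 'ssc issue list --av 1'. Scanning stops at the first option or variable."""
    verb = ""
    for tok in args.split():
        if tok.startswith(("-", "$")):
            break
        verb = tok
    return verb


def classify_request(req: dict, external_targets: dict) -> tuple[str, str]:
    """Rate an HTTP request step: anything sent to a non-Fortify target is
    high risk regardless of method, since it may carry data out of the system."""
    method = req.get("method", "GET").upper()
    target = req.get("target")
    if target in external_targets:
        return "high", f"{method} to non-Fortify target '{target}' ({external_targets[target]})"
    if method in READ_METHODS:
        return "low", f"{method} (read-only) on Fortify target"
    if method == "DELETE":
        return "high", "DELETE removes data from Fortify target"
    if method in WRITE_METHODS:
        return "medium", f"{method} modifies data on Fortify target"
    return "medium", f"unrecognised method {method}"


def classify_fcli(args: str) -> tuple[str, str]:
    """Rate an fcli command step by its final command verb."""
    verb = _fcli_verb(args)
    if verb in FCLI_READ_VERBS:
        return "low", f"read-only fcli command ({verb})"
    if verb in FCLI_DESTRUCTIVE_VERBS:
        return "high", f"destructive fcli command ({verb})"
    return "medium", f"fcli command '{verb}' may modify state"


def analyze_action(action: dict) -> list[Finding]:
    """Walk every step and produce one finding per instruction."""
    external = {t["name"]: t.get("baseUrl", "") for t in action.get("addRequestTargets", [])}
    findings: list[Finding] = []
    for idx, step in enumerate(action.get("steps", []), start=1):
        for req in step.get("requests", []):
            risk, why = classify_request(req, external)
            findings.append(Finding(idx, f"requests:{req.get('name', '?')}", risk, why))
        for cmd in step.get("fcli", []):
            risk, why = classify_fcli(cmd.get("args", ""))
            findings.append(Finding(idx, f"fcli:{cmd.get('name', '?')}", risk, why))
        if "run" in step:
            findings.append(Finding(idx, "run", "critical", f"arbitrary external command: {step['run']!r}"))
    return findings


def overall_risk(findings: list[Finding]) -> str:
    """The action's risk is the highest risk of any single instruction."""
    if not findings:
        return "low"
    return max((f.risk for f in findings), key=RISK_ORDER.__getitem__)


def render_report(findings: list[Finding]) -> str:
    lines = [f"step {f.step:>2}  {f.risk.upper():<8} {f.instruction:<20} {f.reason}" for f in findings]
    lines.append(f"overall risk: {overall_risk(findings).upper()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(analyze_action(json.loads(SAMPLE_ACTION))))
```

The external-target rule deliberately outranks the HTTP method: a GET to a third-party URL with secrets interpolated into the query string leaks just as much as a POST, so the report flags any request leaving the Fortify system as high regardless of method.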