Initial SOC2 support - Githubissues

slashben commented 11 months ago

type:

enhancement

description:

This PR introduces SOC2 compliance controls for Kubernetes. It includes the following main changes:

Creation of a SOC2 framework with some of the existing controls.
Addition of two new controls:
- C-0263: Checks if ingress uses TLS.
- C-0264: Checks if PersistentVolumes are encrypted.
Each control has associated rules and tests to validate the implementation.

main_files_walkthrough:

files:

- `controls/C-0263-ingress-tls.json`: Added a new control to check if Ingress resources use TLS. - `controls/C-0264-pv-encrypted.json`: Added a new control to detect unencrypted PersistentVolumes. - `frameworks/soc2.json`: Created a SOC2 framework and added the new controls to it. - `rules/ingress-no-tls/raw.rego`: Added a rule to check if Ingress resources have TLS enabled. - `rules/pv-without-encryption/raw.rego`: Added a rule to check if PersistentVolumes are encrypted. - `rules/ingress-no-tls/test/failed_with_ingress/expected.json`: Added a test case for the scenario where Ingress does not have TLS enabled. - `rules/pv-without-encryption/test/eks/expected.json`: Added a test case for the scenario where PersistentVolume is not encrypted.

User Description:

Overview

Created the SOC2 framework with some of the existing controls
C-0263 - control to check if ingress uses TLS
C-0264 - control to check that PersistentVolumes are encrypted

codiumai-pr-agent-free[bot] commented 11 months ago

PR Analysis

🎯 Main theme: Adding SOC2 compliance controls for Kubernetes
📝 PR summary: This PR introduces SOC2 compliance controls for Kubernetes. It includes the creation of a SOC2 framework with some of the existing controls and the addition of two new controls: C-0263, which checks if ingress uses TLS, and C-0264, which checks if PersistentVolumes are encrypted. Each control has associated rules and tests to validate the implementation.
📌 Type of PR: Enhancement
🧪 Relevant tests added: Yes
⏱️ Estimated effort to review [1-5]: 4, because the PR involves complex security controls and requires a deep understanding of Kubernetes and SOC2 compliance.
🔒 Security concerns: No security concerns found

PR Feedback
💡 General suggestions: The PR is well-structured and the new controls seem to be well-implemented. However, it would be beneficial to include more detailed comments in the code to explain the logic behind the checks, especially for developers who may not be familiar with SOC2 compliance.
🤖 Code feedback:
- **relevant file:** ``rules/ingress-no-tls/raw.rego`` **suggestion:** It would be beneficial to add a check for the existence of the 'spec' field before checking 'spec.tls' to avoid potential null pointer exceptions. [important] **relevant line:** ["+ not ingress.spec.tls"](https://github.com/kubescape/regolibrary/pull/552/files#diff-0550978f1217a740184ec42fff11561cf8c22f579f94675048753d6deb532dc1R9) - **relevant file:** ``rules/pv-without-encryption/raw.rego`` **suggestion:** Similar to the previous suggestion, it would be beneficial to add a check for the existence of the 'spec' field before checking 'spec.storageClassName' to avoid potential null pointer exceptions. [important] **relevant line:** ["+ pv.spec.storageClassName == storageclass.metadata.name"](https://github.com/kubescape/regolibrary/pull/552/files#diff-6a8b6c7d3085856c337cad8d49358e2de39e0bdf056f1332f48bd519403bf763R11) - **relevant file:** ``rules/ingress-no-tls/raw.rego`` **suggestion:** It would be beneficial to add a check for the existence of the 'metadata' field before checking 'metadata.name' to avoid potential null pointer exceptions. [important] **relevant line:** ["+ \"alertMessage\": sprintf(\"Ingress '%v' has not TLS definition\", [ingress.metadata.name]),"](https://github.com/kubescape/regolibrary/pull/552/files#diff-0550978f1217a740184ec42fff11561cf8c22f579f94675048753d6deb532dc1R12) - **relevant file:** ``rules/pv-without-encryption/raw.rego`` **suggestion:** Similar to the previous suggestion, it would be beneficial to add a check for the existence of the 'metadata' field before checking 'metadata.name' to avoid potential null pointer exceptions. [important] **relevant line:** ["+ \"alertMessage\": sprintf(\"Volume '%v' has is using a storage class that does not use encryption\", [pv.metadata.name]),"](https://github.com/kubescape/regolibrary/pull/552/files#diff-6a8b6c7d3085856c337cad8d49358e2de39e0bdf056f1332f48bd519403bf763R17)

How to use

Instructions

> To invoke the PR-Agent, add a comment using one of the following commands: > **/review**: Request a review of your Pull Request. > **/describe**: Update the PR title and description based on the contents of the PR. > **/improve [--extended]**: Suggest code improvements. Extended mode provides a higher quality feedback. > **/ask \**: Ask a question about the PR. > **/update_changelog**: Update the changelog based on the PR's contents. > **/add_docs**: Generate docstring for new components introduced in the PR. > **/generate_labels**: Generate labels for the PR based on the PR's contents. > see the [tools guide](https://github.com/Codium-ai/pr-agent/blob/main/docs/TOOLS_GUIDE.md) for more details. >To edit any configuration parameter from the [configuration.toml](https://github.com/Codium-ai/pr-agent/blob/main/pr_agent/settings/configuration.toml), add --config_path=new_value. >For example: /review --pr_reviewer.extra_instructions="focus on the file: ..." >To list the possible configuration parameters, add a **/config** comment.

github-actions[bot] commented 11 months ago

Summary:

License scan: failure
Credentials scan: success
Vulnerabilities scan: failure
Unit test: success
Go linting: success

kubescape / regolibrary

Initial SOC2 support #552