Closed raulcabello closed 1 year ago
I would have preferred to have a library (the programming language doesn't matter) that provides these regular expressions instead of relying on contents from readme files. I would just love to have the list of supported services increase in the future by just updating to a library maintained by someone :)
I searched a bit and I found:
+1 to rusty-hog!
All their regular expressions are defined in the default_rules.json which can be easily replaced with a custom json. Rusty-hog doesn't support scanning a string, so we would need to implement this (or create a temp file as they do support scanning files) I think it would be better to just reuse their json and allow users to override it in the settings.
Let's start by taking their regexps. I propose to copy their default_rules.json
file and add credits at the top of it.
We can setup a GitHub actions that detects changes done to this file and opens a PR with an updated version of the file. This can be done with the updatecli tool from @olblak.
As for the user-defined settings, let's leave them for later. I would ship an initial version of the policy that has a list of hard coded regexps.
tup a GitHub actions that detects changes done to this file and opens a PR with an updated version of the file. This can be done with the updatecli tool from @olblak.
Sure I can pair with someone, it shouldn't take long
environment variable with secrets
looks for confidential credentials in all container env variables. It is checking all the regex in the DefaultRulesCreate a policy that checks most common confidential credentials are not passed as environment variables. We can use the following projects instead of writing our own regular expressions:
https://github.com/neuvector/neuvector/blob/main/share/scan/secrets/secrets.go#L70-L245
How the policy works
This policy checks all environment variables in all containers, and rejects pods that passes confidential credentials as environment variables. This confidential credentials includes:
Settings
This policy has no configurable settings.
The user is responsible to configure the policy defining the resources targeted by the policy. Otherwise, the policy will not be able to run. The current supported resources are listed in the metadata.yml file. See more information about how to configure a policy in the Kubewarden documentation.
Examples
The following pod will be rejected by this policy