Enabling Developer-Friendly Security in Kubernetes for GitOps

This blog is co-authored by Prabhu Subramanian, Lead Architect at ShiftLeft, and Seth Mason, Product Manager at D2iQ

DevOps. GitOps. DevSecOps. Developers are doing more builds of microservices, and therefore have more surface area prone to security threats. Rather than blindly throwing processes at the problems, you should be increasing the automation of these processes to improve application quality. Therefore, start by keeping the automation simple, shift an increasing number of tests to the left so that developers are empowered to detect issues early in the development cycle.

With D2iQ’s Dispatch, you have easy access to a cloud-native, declarative method for building your CI pipelines. By using Dispatch and leveraging its inherent GitOps methodologies, you can manage your CI/CD configuration the same way that you’d manage and deploy your applications. However, a CI pipeline is only as good as the tasks that it executes, including tools that examine your code for security flaws, such as:

  • Static Analysis Security Testing (SAST) for a range of languages and frameworks
  • Software composition analysis (SCA)
  • Credentials scanning to detect accidental secret leaks
  • Open-source dependencies audits
  • License violation checks

And this is exactly where ShiftLeft Scan platform fits in. ShiftLeft Scan is an easy to deploy, and thorough analysis tool that when paired with Dispatch enables you to perform early security analyses for any build, pull-request, or pipeline run. It’s workflow integrates SAST, hard-coded secret detection, SCA for CVEs in open source libraries, and open source licensing checks directly into your existing workflow.

To automate the vulnerability scanning of a basic Hello-World application, your CI pipeline can be defined using a Dispatchfile. Dispatchfiles can be written in Starlark (Python-like), CUE (JSON-like), JSON, or YAML. A Dispatchfile contains:

  • Resources: Objects, artifacts, or locations that are produced and consumed as a part of the pipeline (images, git repositories, S3 artifacts, etc).
  • Tasks: Procedures that are executed against the resources
  • Actions: Triggers that determine when the pipeline should be executed

For this example, we chose Starlark (Starlark reference) as the declarative front-end language due to its Python derived nature which is familiar to many developers. You’ll notice that it’s brief, not because what we’re doing is simple, but because the pipeline leverages a few features built into Dispatch’s Starlark frontend, namely inheritance to remotely loaded libraries.

The declarative pipeline should look like this:

#!mesosphere/dispatch-starlark:v0.5
# vi:syntax=python
#Load library to define a git resource and process a pull request
load(“github.com/mesosphere/dispatch-catalog/starlark/stable/pipeline@master”, “git_resource”, “pull_request”)
#Load library to execute ShiftLeft Scan
load(“github.com/ShiftLeftSecurity/sast-scan/starlark/scan@master”, “sast_scan”)
#Resources Define the git repo as a resource
git = git_resource(“helloworld-git”)
#Tasks that performs a ShiftLeft Scan against the Resource
sast_scan(“sastscan-check”, git)
#Actions that trigger against any pull request or the chatops command /build
action(tasks=[“sastscan-check”], on=pull_request())
action(tasks=[“sastscan-check”], on=pull_request(chatops=[“build”]))

While being brief, the pipeline, which is also stored in the application’s repo, will perform a ShiftLeft scan against the repository where the Dispatchfile resides. The libraries with the three functions “git_resource”, “pull_request”, and “sast_scan” are loaded at runtime. The pipeline can be triggered either by a pull request against the repository or by executing the ChatOps command “/build” against a pull request.

Next, open up a PR against the application repo and a webhook will be subsequently generated. This will trigger the pipeline to kick off on your running instance of Dispatch.

Finally, grab the output of the ShiftLeft scan to view the detailed results of the security scan. With the output being available via HTML, JSON, and SARIF, you have the choice to either view the analysis in a human-readable format (HTML) or have it analyzed programmatically by another system. For example, you can have another task process the output and open engineering tickets to be worked on in a subsequent sprint.

ShiftLeft Scan performs multiple security analysis runs on the code, including source code analysis, class file analyzer, and license compliance. There are multiple ways to view the results of the pipeline via your Git provider or the Dispatch UI. For example, in the Dispatch UI, you can see that Dispatch failed the pipeline run due to ShiftLeft Scan determining that there were security flaws in the application.

Selecting the pipeline run takes you to the results of the Scan where it becomes immediately obvious that the Scan task failed due to security issues with the Class File Analyzer and Source Code Analyzer for Java tools.

Viewing the source code analysis via HTML provides a quick breakdown of the discovered issues:

And the Class File Analyzer:

CLICK TO EXPAND IMAGE

With each PR or chatops build triggering a scan, you’ll be able to ensure that your application is scanned for security flaws early in the development cycle. Thanks to native Dispatch integration, Scan can prevent vulnerable applications from getting deployed. Because you’re using Git, you’ll also be able to provide an audit trail for this analysis, ensuring an open review process.

To learn more about how ShiftLeft and Dispatch works better together, join us at our upcoming webinar on May 27, 2020, at 10 am PDT.

You can also sign up for a 90-day free trial of Dispatch bundled with D2iQ’s Kubernetes distribution, Konvoy, so you have everything you need for enterprise-grade GitOps.


Enabling Developer-Friendly Security in Kubernetes for GitOps was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium authored by Arun Balakrishnan. Read the original post at: https://blog.shiftleft.io/enabling-developer-friendly-security-in-kubernetes-for-gitops-95217902c3aa?source=rss—-86a4f941c7da—4