Extend GitOps Security With Terrascan
Sangam Biradar,
Principal Security Advocate, Tenable
Is GitOps An Old Idea?
[Diagram: a conventional DevOps pipeline. Stages: code commit (multiple developers), build, unit and integration tests, create application or service image, functional testing, user acceptance test, configuration automation, load testing, deployment. Flow: write code → version control repository → automated testing → image repository → deploy → Kubernetes.]
DevOps Pipeline vs. GitOps Pipeline
GitOps Tooling Categories
● ‘Push’ GitOps deployment tools
● ‘Pull’ GitOps deployment tools
● Curated GitOps products
● Infrastructure-provisioning tools
● GitLab CI/CD (+ kubectl / Helm)
● GitHub Actions (+ kubectl / Helm)
● Kubestack
● ArgoCD
● Flux
● JenkinsX
Secrets Management
● Sealed secrets
○ Bitnami implementation
● Storing encrypted secrets directly in your source repository
○ git-secret
○ git-crypt
○ BlackBox
● Storing secrets with source control separately from source
○ GitLab protected variables
● Storing encrypted secrets with your source-control tool separately from source
○ GitHub encrypted secrets
● Storing secrets with your cloud vendor in a secrets-management system
○ AWS Secrets Manager
○ Google Cloud Secrets Manager
○ Azure Key Vault
● Integrating with a third-party secrets-management tool
○ HashiCorp Vault
○ Mozilla SOPS
Moving to DevSecOps
Install Terrascan
$ curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Darwin_x86_64.tar.gz")" > terrascan.tar.gz
$ tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
$ install terrascan /usr/local/bin && rm terrascan
$ terrascan
Install Terrascan via brew
$ brew install terrascan
Docker image
$ docker run tenable/terrascan
Command Line Options
$ terrascan
Terrascan
Detect compliance and security violations across Infrastructure as Code to
mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://runterrascan.io
Usage:
terrascan [command]
Available Commands:
help Provides usage info about any command
init Initialize Terrascan
scan Start scan to detect compliance and security violations across Iac.
server Run Terrascan as an API server
version Shows the Terrascan version you are currently using.
Flags:
-c, --config-path string config file path
-h, --help help for terrascan
-l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info")
-x, --log-type string log output type (console, json) (default "console")
-o, --output string output type (human, json, yaml, xml) (default "human")
Use "terrascan [command] --help" for more information about a command.
[Diagram: Terrascan in a GitOps pipeline. Labels: commit code, Source Code Repository, CI/CD pipeline (GitHub Action, pre-commit), test, push images, Container Registry, Atlantis (Terraform Pull Request Automation), GitOps repo, Sync changes, Dev, Prod, Kubernetes Cluster, GitOps namespace, pull images, Pre-Sync Hook.]
[Diagram: validating admission controller. Labels: Deployment Creation Request, Kubernetes API, Webhook, validating admission controller, Custom Security Policies, validation decision, Kubernetes API Response, etcd (persisted to database if valid).]
[Diagram: Terrascan integration points. Terrascan CLI or Terrascan as Server; IaC types: Dockerfile, Kubernetes, Helm, Terraform, Kustomize; GitHub; Slack Notification.]
$ terrascan scan -i <IaC provider> --find-vuln
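As an added example (not code from the slides or from the Terrascan project), the following Python script is the kind of gate a CI job, pre-commit hook or Argo CD PreSync job would run around the `terrascan scan -i <IaC provider>` command shown above: it requests JSON output, parses the report and fails the step when any finding reaches a chosen severity, so lower findings are visible without blocking a sync. The JSON field names, the `-d` directory flag and the sample report are assumptions and constructed data, not taken from the slides.

```python
"""Severity gate around `terrascan scan` for a CI or GitOps step.

Added example, not code from the slides or from the Terrascan project.
Assumptions (not stated on the slides): Terrascan's JSON report has the
shape {"results": {"violations": [...], "summary": {...}}}, each violation
carrying "rule_id", "severity", "resource_type", "file", "line" and
"description"; the `-d` flag selects the IaC directory. SAMPLE_REPORT below
is constructed for this example and its rule ids are placeholders.
"""
import json
import shutil
import subprocess
from typing import Dict, List, Tuple

# Terrascan severities, ranked so a threshold can be compared numerically
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def terrascan_command(iac_type: str, path: str = ".", find_vuln: bool = False) -> List[str]:
    """Build the `terrascan scan -i <IaC provider>` invocation from the slides,
    asking for JSON so the result can be parsed rather than read by a human."""
    cmd = ["terrascan", "scan", "-i", iac_type, "-d", path, "-o", "json"]
    if find_vuln:
        cmd.append("--find-vuln")  # also check container images for vulnerabilities
    return cmd


def gate_report(report: Dict, fail_on: str = "HIGH") -> Tuple[bool, List[str]]:
    """Apply the policy gate to a parsed Terrascan JSON report.

    Returns (passed, blocking_findings). The gate fails when any violation is
    at or above the `fail_on` severity; lower findings are allowed through.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    violations = report.get("results", {}).get("violations") or []
    blocking = []
    for v in violations:
        rank = SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 0)
        if rank >= threshold:
            blocking.append(
                f"{v.get('severity')} {v.get('rule_id')} "
                f"{v.get('resource_type')} {v.get('file')}:{v.get('line')} "
                f"{v.get('description')}"
            )
    return (not blocking, blocking)


def run_gate(iac_type: str, path: str = ".", fail_on: str = "HIGH") -> Tuple[bool, List[str]]:
    """Run Terrascan on a real IaC tree and gate on its findings.

    Terrascan exits non-zero when it finds violations, so the exit status is
    not used as the signal here; the JSON on stdout is the source of truth.
    """
    if shutil.which("terrascan") is None:
        raise FileNotFoundError("terrascan is not on PATH; install it first")
    proc = subprocess.run(terrascan_command(iac_type, path),
                          capture_output=True, text=True, check=False)
    if not proc.stdout.strip():
        raise RuntimeError(f"terrascan produced no report: {proc.stderr.strip()}")
    return gate_report(json.loads(proc.stdout), fail_on)


# Constructed sample report in the assumed shape (placeholder rule ids).
SAMPLE_REPORT = {
    "results": {
        "violations": [
            {"rule_id": "EXAMPLE_RULE_001", "severity": "HIGH",
             "resource_type": "aws_s3_bucket", "file": "main.tf", "line": 4,
             "description": "S3 bucket allows public read access"},
            {"rule_id": "EXAMPLE_RULE_002", "severity": "MEDIUM",
             "resource_type": "aws_security_group", "file": "network.tf", "line": 12,
             "description": "Security group allows SSH ingress from 0.0.0.0/0"},
            {"rule_id": "EXAMPLE_RULE_003", "severity": "LOW",
             "resource_type": "aws_s3_bucket", "file": "main.tf", "line": 4,
             "description": "Bucket versioning is disabled"},
        ],
        "summary": {"iac_type": "terraform", "violated_policies": 3,
                    "low": 1, "medium": 1, "high": 1},
    }
}


if __name__ == "__main__":
    import sys
    # With Terrascan installed: `python gate.py terraform ./infra`; otherwise
    # the constructed sample is gated so the flow can be seen offline.
    if len(sys.argv) >= 2 and shutil.which("terrascan"):
        passed, findings = run_gate(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else ".")
    else:
        passed, findings = gate_report(SAMPLE_REPORT)
    for line in findings:
        print("BLOCK:", line)
    sys.exit(0 if passed else 1)
```

The same script works at each integration point the diagram lists: as a pre-commit hook on the developer's machine, as a GitHub Action step before images are pushed, or as the command of an Argo CD PreSync job so a sync is refused before manifests reach the cluster. Gating on the parsed report rather than on Terrascan's exit code lets the threshold be tuned per environment (for example `MEDIUM` for Prod, `HIGH` for Dev) without changing the scan.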
https://github.com/tenable/terrascan
Demo Time
Extend GitOps Security With TerraScan
By Sangam Biradar
Add Terrascan to your GitOps pipeline: https://github.com/sangam14/terrascan-argocd