Extend GitOps Security With Terrascan

Sangam Biradar,

Principle Security Advocate ,Tenable

Is GitOps An Old Idea?

code commit

(multiple developer)

Build

Unit and Integration test

Create Application or

Service image

Functional Testing  

user acceptance  

test

Configuration automation

Load

testing

Deployement

write code

version control Repository

automated testing

Image Repository

Deploy

Kubernetes

DevOps Pipeline VS GitOps Pipeline

GitOps Tooling Categories

●  ‘Push’ GitOps deployment tools

●  ‘Pull’ GitOps deployment tools

●  Curated GitOps products

●  Infrastructure-provisioning tools

●  GitLab CI/CD​ (+ kubectl / Helm)

●  GitHub Actions​ (+ kubectl / Helm)

●  Kubestack

● ArgoCD

● Flux

JenkinsX

Secrets Management

● Sealed secrets
○ Bitnami implementation

●  Storing encrypted secrets directly

in your source repository

○ git-secret

○ git-crypt

○ BlackBox

●  Storing secrets with source control

separately from source

○ GitLab protected variables
● Storing encrypted secrets with your source-control tool separately from

source

○ GitHub encrypted secrets

 

●  Storing secrets with your cloud vendor in a secrets-management

system

○  AWS Secrets Manager

○  Google Cloud Secrets Manager

○  Azure Key Vault

●  Integrating with a third party secrets-management tool

○  Hashicorp Vault

○  Mozilla SOPS

Moving to DevSecOps

Install Terrascan  

$ curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o 
-E "https://.+?_Darwin_x86_64.tar.gz")" > terrascan.tar.gz
$ tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
$ install terrascan /usr/local/bin && rm terrascan
$ terrascan

Install terrascan via brew

$ brew install terrascan

Docker Image

$ docker run tenable/terrascan

Command Line Options  

$ terrascan
Terrascan

Detect compliance and security violations across Infrastructure as Code to 
mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://runterrascan.io

Usage:
  terrascan [command]

Available Commands:
  help        Provides usage info about any command
  init        Initialize Terrascan
  scan        Start scan to detect compliance and security violations across Iac.
  server      Run Terrascan as an API server
  version     Shows the Terrascan version you are currently using.

Flags:
  -c, --config-path string   config file path
  -h, --help                 help for terrascan
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml) (default "human")

Use "terrascan [command] --help" for more information about a command.

push images

Source Code Repository

CI/CD pipeline

git action

pre-commit

Container Registry

Atlantis

GitOps repo

Sync changes

test

Dev

Prod

commit code

GitOps namespace

Kubernetes  Cluster

pull images

Pre-Sync Hook

Terraform Pull Request Automation

Kubernetes API

etcd

persistent to database ( if valid)

Custom Security Policies

Kubernetes API Response

 Deployment Creation Request

Webhook

validation decision

validating

Admission

admission Controller

terrascan CLI

terrascan as Server

DockerFile

Kubernetes

Helm

terraform

Github

Slack Notification

$ terrascan scan -i <IaC provider> --find-vuln

kustomize

https://github.com/tenable/terrascan

Demo Time 

https://github.com/tenable/terrascan

Made with Slides.com