Extend GitOps Security With Terrascan

Sangam Biradar,

Principle Security Advocate ,Tenable

Is GitOps An Old Idea?

code commit

(multiple developer)

Build

Unit and Integration test

Create Application or

Service image

Functional Testing

user acceptance

test

Configuration automation

Load

testing

Deployement

write code

version control Repository

automated testing

Image Repository

Deploy

Kubernetes

DevOps Pipeline VS GitOps Pipeline

GitOps Tooling Categories

● ‘Push’ GitOps deployment tools

● ‘Pull’ GitOps deployment tools

● Curated GitOps products

● Infrastructure-provisioning tools

● GitLab CI/CD (+ kubectl / Helm)

● GitHub Actions (+ kubectl / Helm)

● Kubestack

● ArgoCD

● Flux

● JenkinsX

Secrets Management

● Sealed secrets
○ Bitnami implementation

● Storing encrypted secrets directly

in your source repository

○ git-secret

○ git-crypt

○ BlackBox

● Storing secrets with source control

separately from source

○ GitLab protected variables
● Storing encrypted secrets with your source-control tool separately from

source

○ GitHub encrypted secrets

● Storing secrets with your cloud vendor in a secrets-management

system

○ AWS Secrets Manager

○ Google Cloud Secrets Manager

○ Azure Key Vault

● Integrating with a third party secrets-management tool

○ Hashicorp Vault

○ Mozilla SOPS

Moving to DevSecOps

https://cloud.redhat.com/blog/top-open-source-kubernetes-security-tools-of-2021

Install Terrascan

 $ curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o 
-E "https://.+?_Darwin_x86_64.tar.gz")" > terrascan.tar.gz
$ tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
$ install terrascan /usr/local/bin && rm terrascan
$ terrascan

Install terrascan via brew

 $ brew install terrascan

Docker Image

 $ docker run tenable/terrascan

Command Line Options

 $ terrascan
Terrascan
 
Detect compliance and security violations across Infrastructure as Code to 
mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://runterrascan.io
 
Usage:
  terrascan [command]
 
Available Commands:
  help        Provides usage info about any command
  init        Initialize Terrascan
  scan        Start scan to detect compliance and security violations across Iac.
  server      Run Terrascan as an API server
  version     Shows the Terrascan version you are currently using.
 
Flags:
  -c, --config-path string   config file path
  -h, --help                 help for terrascan
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml) (default "human")
 
Use "terrascan [command] --help" for more information about a command.

	$ curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest \| grep -o
	-E "https://.+?_Darwin_x86_64.tar.gz")" > terrascan.tar.gz
	$ tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
	$ install terrascan /usr/local/bin && rm terrascan
	$ terrascan

	$ terrascan
	Terrascan

	Detect compliance and security violations across Infrastructure as Code to
	mitigate risk before provisioning cloud native infrastructure.
	For more information, please visit https://runterrascan.io

	Usage:
	terrascan [command]

	Available Commands:
	help Provides usage info about any command
	init Initialize Terrascan
	scan Start scan to detect compliance and security violations across Iac.
	server Run Terrascan as an API server
	version Shows the Terrascan version you are currently using.

	Flags:
	-c, --config-path string config file path
	-h, --help help for terrascan
	-l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info")
	-x, --log-type string log output type (console, json) (default "console")
	-o, --output string output type (human, json, yaml, xml) (default "human")

	Use "terrascan [command] --help" for more information about a command.