Secure Infrastructure as Code / K8s / Helm / Docker with GitHub Actions

Sangam Biradar 

Technical Advocate 

Tenable 

# Github Action

GitHub Repository: events that trigger a workflow

- Push
- Pull Request (open, merged)
- Issue (created, closed, ...)
- Schedule (for example every day at 10 pm)
- External event

Workflow

# Github Server

Virtual Machine Instance

- Linux, Windows or macOS with tools installed, or a Docker container

Job

- Step 1 (action)
- Step 2 (action)
- Step 3 (CMD)

# Multiple Jobs in Github Action

A workflow can define several jobs. Each job runs on its own virtual machine instance (Linux, Windows or macOS with tools installed, or a Docker container) and executes its own sequence of steps:

Job 1

- Step 1 (action)
- Step 2 (action)
- Step 3 (CMD)

Job 2

- Step 1 (action)
- Step 2 (action)
- Step 3 (CMD)

Job 3

- Step 1 (action)
- Step 2 (action)
- Step 3 (CMD)

# Github Hosted Runner

- Linux, Windows or macOS virtual environments with commonly-used pre-installed software
- Maintained by GitHub
- You cannot customise the hardware configuration

Getting started:

1. Create a Git repository.
2. Create the directory .github/workflows in it.
3. Write the GitHub Action workflow file (YAML) in that directory.

# Open Source at Tenable

https://github.com/accurics/terrascan

Key features:

- 500+ policies for security best practices
- Scanning of Terraform (HCL2)
- Scanning of Kubernetes (JSON/YAML), Helm v3, and Kustomize
- Scanning of Dockerfiles
- Support for AWS, Azure, GCP, Kubernetes, Dockerfile, and GitHub
- Integrates with Docker image vulnerability scanning for AWS, Azure, GCP and Harbor container registries

# Terrascan Github Action

IaC types the action can scan:

1. Terraform
2. Kubernetes
3. Helm Chart
4. Kustomize
5. Docker

# Terraform

on: [push]

jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action-terraform
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Scan Terraform
      id: terrascan
      uses: accurics/terrascan-action@main
      with:
        iac_type: 'terraform'
        iac_version: 'v14'
        policy_type: 'aws'
        only_warn: true
        sarif_upload: true
        iac_dir: 'test_dirs/fail/'

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: terrascan.sarif

Two things to watch in this workflow: uses: accurics/terrascan-action@main runs whatever the action's main branch contains at that moment, so pin to a release tag or a commit SHA if the scan step should be reproducible and not change underneath you; and only_warn: true reports violations without failing the job, so drop it if the scan is meant to block the push.

# Kubernetes

on: [push]

jobs:
  terrascan_job:
    runs-on: ubuntu-latest
    name: terrascan-action-k8s
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Scan Kubernetes manifests
      id: terrascan
      uses: accurics/terrascan-action@main
      with:
        iac_type: 'k8s'
        iac_version: 'v1'
        policy_type: 'k8s'
        only_warn: true
        sarif_upload: true
        iac_dir: 'test_dirs/k8s/'

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: terrascan.sarif
# Custom Policies

The Docker scan below points policy_path at a directory of custom Rego policies. The commented-out inputs are optional ones left in place for reference.

on: [push]

jobs:
  terrascan-docker:
    runs-on: ubuntu-latest
    name: terrascan-action-docker
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Scan Dockerfiles with custom policies
      id: terrascan-docker
      uses: accurics/terrascan-action@main
      with:
        iac_type: 'docker'
        iac_version: 'v1'
        policy_type: 'docker'
        only_warn: true
        sarif_upload: true
        #non_recursive:
        iac_dir: 'test_dirs/custom-policies/'
        policy_path: 'test_dirs/custom-policies/'
        #skip_rules:
        #config_path:

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: terrascan.sarif

Inputs accepted by the Terrascan GitHub Action:

- iac_type (required): IaC type (helm, k8s, kustomize, terraform).
- iac_dir: Path to a directory containing one or more IaC files. Default: ".".
- iac_version: IaC version (helm: v3, k8s: v1, kustomize: v3, terraform: v12, v14).
- non_recursive: Do not scan directories and modules recursively.
- policy_path: Directory containing custom policies.
- policy_type: Policy type (all, aws, azure, gcp, github, k8s). Default: all.
- skip_rules: One or more rules to skip while scanning (example: "ruleID1,ruleID2").
- config_path: Config file path.
- sarif_upload: If set, a SARIF file named terrascan.sarif is generated with the results of the scan.
- verbose: If set, the scan shows violations with additional details (rule name/ID, resource name/type, violation category).
- find_vulnerabilities: If set, the scan output lists vulnerabilities for the Docker images referenced in the IaC files.
- scm_token: If set, Terrascan uses this access token to retrieve private repositories from your source code management system. Pass it from an encrypted repository secret, never as a literal in the workflow file.
- webhook_url: If set, the scan results and the normalized config are sent to this URL. If set together with config_path, the configs from config_path are ignored.
- webhook_token: Set this if the notification webhook URL requires authentication; it should come from an encrypted secret as well.
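The workflows above upload terrascan.sarif to GitHub code scanning, but with only_warn: true the scan step itself never fails the job. The script below is an added example (not part of Terrascan or of the talk) of a follow-up step that reads the SARIF report and makes its own gate decision. The report it runs on is constructed by hand and uses only standard SARIF 2.1.0 fields (runs[].results[] with ruleId, level, message.text and locations[].physicalLocation); the rule ids and file paths in it are illustrative, not real Terrascan ids.

```python
"""Summarise a SARIF report and decide whether a CI job should fail.

Added example for the Terrascan GitHub Action talk; not Terrascan's own code.
"""
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape; rule ids and paths are made up for the example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "terrascan"}},
        "results": [
            {"ruleId": "DEMO.EXPOSE.22", "level": "error",
             "message": {"text": "Dockerfile exposes SSH port 22"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "test_dirs/custom-policies/Dockerfile"},
                 "region": {"startLine": 15}}}]},
            {"ruleId": "DEMO.EXPOSE.RANGE", "level": "error",
             "message": {"text": "EXPOSE 65539 is above 65535"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "test_dirs/custom-policies/Dockerfile"},
                 "region": {"startLine": 15}}}]},
            {"ruleId": "DEMO.ADD.USED", "level": "warning",
             "message": {"text": "ADD used where COPY suffices"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "test_dirs/custom-policies/Dockerfile"},
                 "region": {"startLine": 10}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every result of every run into (level, rule_id, uri, line, text) tuples."""
    report = json.loads(sarif_text)
    findings = []
    for run in report.get("runs", []):
        for result in run.get("results", []):
            uri, line = "<unknown>", None
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine")
                break  # the first location is enough for a summary
            findings.append((
                result.get("level", "warning"),  # SARIF's default level is "warning"
                result.get("ruleId", "<no-rule>"),
                uri,
                line,
                result.get("message", {}).get("text", ""),
            ))
    return findings


def summarise(findings):
    """Count findings per SARIF level (error / warning / note)."""
    return dict(Counter(level for level, *_ in findings))


def should_fail(findings, fail_on=("error",)):
    """Gate decision: True when any finding sits at a level listed in fail_on."""
    return any(level in fail_on for level, *_ in findings)


if __name__ == "__main__":
    # In a workflow step this would read the terrascan.sarif file written by the scan step.
    found = load_findings(SAMPLE_SARIF)
    for level, rule, uri, line, text in found:
        print(f"[{level}] {rule} {uri}:{line} {text}")
    print("summary:", summarise(found))
    raise SystemExit(1 if should_fail(found) else 0)
```

Run as a step after the scan, the non-zero exit from should_fail is what turns the report into a blocking check, while the SARIF upload still gives reviewers the annotated findings in the pull request.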
# Docker Expose

Custom policies are Rego files placed under policy_path, one policy per file. Terrascan fills the {{.prefix}}{{.name}}{{.suffix}} rule-name template from the JSON metadata file that sits beside each .rego file (policy name, severity, description, template_args).

package accurics

# Flags an EXPOSE instruction that lists port 22 (SSH).
# Terrascan normalises a single-port EXPOSE to a string and a multi-port EXPOSE
# to an array, so the rule has one body per shape.
{{.prefix}}{{.name}}{{.suffix}}[expose.id] {
    expose := input.docker_expose[_]
    is_string(expose.config)
    config := expose.config
    checkPort(config)
}

{{.prefix}}{{.name}}{{.suffix}}[expose.id] {
    expose := input.docker_expose[_]
    is_array(expose.config)
    config := expose.config
    checkPortList(config)
}

# Substring match: "22" also matches "2222" or "8022"; compare the port number
# instead if that is not wanted.
checkPort(config) {
    contains(config, "22")
}

checkPortList(config) {
    contains(config[_], "22")
}

package accurics

# Flags an EXPOSE whose port number is above 65535 (for example EXPOSE 65539).
# "port/proto" is split on "/"; only the numeric part can satisfy the comparison.
{{.prefix}}{{.name}}{{.suffix}}[expose.id] {
    expose := input.docker_expose[_]
    is_string(expose.config)
    port := split(expose.config, "/")
    containsPortOutOfRange(port)
}

containsPortOutOfRange(ports) {
    some i
    port := ports[i]
    to_number(port) > 65535
}
# Dockerfile

Sample Dockerfile used in the demo; the comments mark what a scan picks up.

# unpinned base image tag
FROM ubuntu:latest
LABEL MAINTAINER "sangam"

# credentials baked into the image as environment variables (demo values)
ENV SECRET AKIGG23244GN2344GHG
ENV GITLAB_API_ID gig32oig3bgi34gb43gb43uigb43i

WORKDIR /app

# ADD used where COPY is enough
ADD app /app
COPY README.md /app/README.md
ADD code /tmp/code
RUN apt-get update
# port number above 65535: caught by the custom policy above
EXPOSE 65539
RUN apt-get update && apt-get install -y htop

CMD ["/bin/bash", "/app/entrypoint.sh"]
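To show concretely what the two Rego rules test for, here is an added Python check that is not Terrascan's code (Terrascan parses Dockerfiles into a normalised docker_expose config; this block carries its own small parser). It runs over the slide's Dockerfile plus one constructed EXPOSE line listing port 22, so that both rules fire. It deliberately differs from the Rego in one place: the Rego's contains(config, "22") is a substring test that also matches 2222 or 8022, whereas this version compares the port number exactly; it also treats an EXPOSE token that is not a port at all as a range violation. The rule names exposePort22 and exposePortOutOfRange are labels chosen here, not Terrascan policy ids.

```python
"""Pure-Python equivalent of the two Dockerfile EXPOSE policies above.

Added example; not Terrascan's own parser or policy engine.
"""
import re

# The slide's Dockerfile, with one constructed EXPOSE (port 22, continued line) added.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:latest
LABEL MAINTAINER "sangam"

ENV SECRET AKIGG23244GN2344GHG
ENV GITLAB_API_ID gig32oig3bgi34gb43gb43uigb43i

WORKDIR /app

ADD app /app
COPY README.md /app/README.md
ADD code /tmp/code
# constructed for this example: SSH port in a continued EXPOSE
EXPOSE 22 \\
       8080/tcp
EXPOSE 65539
RUN apt-get update && apt-get install -y htop

CMD ["/bin/bash", "/app/entrypoint.sh"]
"""

# port, optional port range end, optional protocol (as docker build accepts it)
PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?(?:/(tcp|udp|sctp))?$", re.IGNORECASE)


def instructions(text):
    """Yield (line_no, INSTRUCTION, arguments) from Dockerfile text.

    Blank and comment lines are dropped, backslash continuations are joined,
    and line_no is the line on which the instruction started. A trailing
    unterminated continuation is dropped, as docker build would reject it.
    """
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not buf:
            start = n
        if stripped.endswith("\\"):
            buf.append(stripped[:-1].strip())
            continue
        buf.append(stripped)
        joined, buf = " ".join(buf), []
        head, _, rest = joined.partition(" ")
        yield start, head.upper(), rest.strip()


def exposed_ports(text):
    """Flatten every EXPOSE argument into (line_no, token) pairs, like docker_expose entries."""
    out = []
    for line_no, instr, args in instructions(text):
        if instr == "EXPOSE":
            out.extend((line_no, tok) for tok in args.split())
    return out


def check_ssh_port(text):
    """Mirror of the first Rego policy: an EXPOSE token whose port number is exactly 22."""
    return [(n, tok) for n, tok in exposed_ports(text) if tok.split("/")[0] == "22"]


def check_port_range(text):
    """Mirror of the second Rego policy: a port (or range end) above 65535, or not a port."""
    bad = []
    for n, tok in exposed_ports(text):
        m = PORT_RE.match(tok)
        if not m:
            bad.append((n, tok))  # e.g. "http": not a port at all
            continue
        if any(num is not None and int(num) > 65535 for num in (m.group(1), m.group(2))):
            bad.append((n, tok))
    return bad


def scan(text):
    """Run both checks and return violations as dicts, ordered by line."""
    findings = [{"rule": "exposePort22", "line": n, "token": t} for n, t in check_ssh_port(text)]
    findings += [{"rule": "exposePortOutOfRange", "line": n, "token": t}
                 for n, t in check_port_range(text)]
    return sorted(findings, key=lambda f: (f["line"], f["rule"]))


if __name__ == "__main__":
    for f in scan(SAMPLE_DOCKERFILE):
        print(f"line {f['line']}: {f['rule']} ({f['token']})")
```

The exact port comparison in check_ssh_port is the fix for the substring weakness noted above; port 2222, a common non-standard SSH port, is deliberately not matched by either rule and would need a policy of its own.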

Demo Time

Give the Terrascan repo a GitHub star