Support restricting registries and packages globally for security #1306

Closed
suzuki-shunsuke opened this issue Oct 11, 2022 · 5 comments
Labels: enhancement, policy, security

suzuki-shunsuke commented Oct 11, 2022

Feature Overview

Support restricting registries and packages globally for security.

Why is the feature needed?

This is useful to prevent malicious tools from being installed and executed.

Does the feature include Breaking Changes?

No.

Example Code

command and configuration

$ export AQUA_SECURITY_CONFIG=$HOME/.config/aquaproj-aqua/security.yaml # You can change the file path freely

security.yaml

By default, all registries and packages are forbidden.

{} # all registries and packages are forbidden

registries:
- id: standard # Allow the standard registry
- id: github_content/github.com/aquaproj/aqua-registry/v3.17.0/registry.yaml
- id: github_content/github.com/aquaproj/aqua-registry/.*
  id_format: regexp # glob
- id: local # Allow local registry
packages:
- id: github_release/github.com/suzuki-shunsuke/tfcmt/.*
  id_format: regexp # glob, equal, prefix, suffix
  version: ">= v3.0.0" # Version Constraint

⚠️ Assumption

We assume that the environment variable can't be changed easily.
In some CI platforms such as GitHub Actions, people can change the environment variable easily, so this feature doesn't work well. This means this feature assumes CI runs on a secure platform.
For example, in Mercari's Terraform CI platform, people can't change the environment variable easily.
https://engineering.mercari.com/en/blog/entry/20220121-securing-terraform-monorepo-ci/
Or we should consider signing the configuration file.

registry id format

package id format

Reference
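
The default-deny ID matching proposed above, as an added example that is not part of the original issue and is not aqua's implementation. The `Rule` type, the `Allowed` function and treating `equal` as the default `id_format` are assumptions; version constraints are left out.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Rule is a hypothetical type for one allowlist entry (id + id_format).
type Rule struct{ ID, IDFormat string }

// match reports whether id satisfies the rule; unknown formats and bad patterns return an error.
func (r Rule) match(id string) (bool, error) {
	switch r.IDFormat {
	case "", "equal": // treating "equal" as the default is an assumption
		return r.ID == id, nil
	case "prefix":
		return strings.HasPrefix(id, r.ID), nil
	case "suffix":
		return strings.HasSuffix(id, r.ID), nil
	case "glob":
		return path.Match(r.ID, id) // "*" does not cross "/"
	case "regexp":
		// Anchor the pattern so it must cover the whole id, not a substring.
		re, err := regexp.Compile(`^(?:` + r.ID + `)$`)
		if err != nil {
			return false, err
		}
		return re.MatchString(id), nil
	}
	return false, fmt.Errorf("unknown id_format %q", r.IDFormat)
}

// Allowed is default-deny: an empty list, no match, or a broken rule is false.
func Allowed(rules []Rule, id string) bool {
	for _, r := range rules {
		if ok, err := r.match(id); err != nil || ok {
			return err == nil // a broken rule denies rather than being skipped
		}
	}
	return false
}

func main() {
	rules := []Rule{{"github_release/github.com/suzuki-shunsuke/tfcmt/.*", "regexp"}}
	fmt.Println(Allowed(rules, "github_release/github.com/suzuki-shunsuke/tfcmt/v4.0.0"))
	fmt.Println(Allowed(nil, "standard"))
}
```

With `regexp`, the unescaped `.` in `github.com` matches any character, so a strict rule writes it as `github\.com`.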


suzuki-shunsuke commented Oct 12, 2022


suzuki-shunsuke commented Oct 12, 2022

aqua.yaml
aqua-policy.yaml

AQUA_POLICY_CONFIG

packages: # OR condition
- registry:
    id: standard # Allow standard registry
- registry:
    id: github_content/github.com/aquaproj/aqua-registry/v3.17.0/registry.yaml # Allow custom registry
    id_format: equal
  packages:
  - name: suzuki-shunsuke/tfcmt # If local registry is used, name can't be used for security
    name_format: equal
- packages:
  - id: github_release/github.com/suzuki-shunsuke/tfcmt/.*
    id_format: regexp
    version: ">= v3.0.0" # Version Constraint

@suzuki-shunsuke suzuki-shunsuke moved this to Todo in main Oct 31, 2022
@suzuki-shunsuke suzuki-shunsuke moved this from Todo to In Progress in main Oct 31, 2022
@suzuki-shunsuke suzuki-shunsuke pinned this issue Nov 4, 2022
@suzuki-shunsuke

aqua-policy.yaml

registries:
- type: standard
  ref: semVer(">= 3.0.0") || Version == "xxx"
- type: standard
  ref: xxx
  name: standard-xxx
- type: local
  name: local
  path: registry.yaml # relative path from aqua-policy.yaml
- type: github_content
  name: aqua-registry
  repo_owner: aquaproj
  repo_name: aqua-registry
  ref: semVer(">= v3.0.0")
  path: registry.yaml
packages:
- name: cli/cli
  version: semVer(">= v2.0.0")
- name: gohugoio/hugo
  registry: aqua-registry


Repository owner moved this from In Progress to Done in main Nov 15, 2022
@suzuki-shunsuke suzuki-shunsuke unpinned this issue Nov 15, 2022