Support restricting registries and packages globally for security #1306
security.yaml:

```yaml
packages: # OR condition
  - registry:
      id: standard # Allow standard registry
  - registry:
      id: github_content/github.com/aquaproj/aqua-registry/v3.17.0/registry.yaml # Allow custom registry
      id_format: equal
    packages:
      - name: suzuki-shunsuke/tfcmt # If local registry is used, name can't be used for security
        name_format: equal
  - packages:
      - id: github_release/github.com/suzuki-shunsuke/tfcmt/.*
        id_format: regexp
        version: ">= v3.0.0" # Version Constraint (quoted: a bare ">=" would start a YAML folded block scalar)
```
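To make the evaluation semantics of a policy like the one above concrete, here is an added Go example (not aqua's own code) that transcribes the security.yaml sketch into structs and decides whether a requested package may be installed. It assumes my reading of the proposal: entries under `packages` are OR'ed, a registry condition and a package condition inside one entry are AND'ed, `id_format`/`name_format` default to `equal` with `regexp` matched against the whole string, and only the `>= vX.Y.Z` constraint form is supported. Everything that cannot be parsed is denied (default deny, as the issue specifies). The type names, the `Request` shape and the package ids used in `main` are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Matcher is one id/name rule from the policy: a value plus its format.
// "equal" (the default) is an exact match; "regexp" is anchored so the
// pattern must cover the whole string, never just a substring.
type Matcher struct {
	Value  string
	Format string
}

func (m Matcher) Match(s string) bool {
	if m.Format == "regexp" {
		re, err := regexp.Compile("^(?:" + m.Value + ")$")
		return err == nil && re.MatchString(s) // invalid pattern: fail closed
	}
	return m.Value == s
}

// PackageRule mirrors one item of an entry's packages list (id XOR name).
type PackageRule struct {
	ID, Name *Matcher
	Version  string // optional ">= vX.Y.Z"
}

// PolicyEntry is one item of the top-level packages list; entries are OR'ed.
type PolicyEntry struct {
	Registry *Matcher      // nil: any registry
	Packages []PackageRule // empty: any package of a matching registry
}

type Policy struct{ Packages []PolicyEntry }

// Request is what an installer would check before fetching a package (hypothetical shape).
type Request struct{ RegistryID, PkgID, PkgName, Version string }

// parseSemver accepts "v3.1.0" or "3.1.0"; pre-release tags are rejected (fail closed).
func parseSemver(v string) ([3]int, bool) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	var out [3]int
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

// satisfies supports only the ">= vX.Y.Z" form used in the issue's example.
func satisfies(constraint, version string) bool {
	if constraint == "" {
		return true
	}
	if !strings.HasPrefix(constraint, ">=") {
		return false
	}
	lower, ok1 := parseSemver(strings.TrimSpace(constraint[2:]))
	got, ok2 := parseSemver(version)
	if !ok1 || !ok2 {
		return false
	}
	for i := 0; i < 3; i++ {
		if got[i] != lower[i] {
			return got[i] > lower[i]
		}
	}
	return true
}

func (r PackageRule) match(req Request) bool {
	if r.ID != nil && !r.ID.Match(req.PkgID) {
		return false
	}
	if r.Name != nil && !r.Name.Match(req.PkgName) {
		return false
	}
	return satisfies(r.Version, req.Version)
}

// Allowed returns true only if some entry permits the request; otherwise deny.
func Allowed(p Policy, req Request) bool {
	for _, e := range p.Packages {
		if e.Registry != nil && !e.Registry.Match(req.RegistryID) {
			continue
		}
		if len(e.Packages) == 0 {
			return true
		}
		for _, r := range e.Packages {
			if r.match(req) {
				return true
			}
		}
	}
	return false
}

// ExamplePolicy is the issue's security.yaml transcribed into Go structs.
func ExamplePolicy() Policy {
	return Policy{Packages: []PolicyEntry{
		{Registry: &Matcher{Value: "standard"}},
		{
			Registry: &Matcher{Value: "github_content/github.com/aquaproj/aqua-registry/v3.17.0/registry.yaml", Format: "equal"},
			Packages: []PackageRule{{Name: &Matcher{Value: "suzuki-shunsuke/tfcmt", Format: "equal"}}},
		},
		{Packages: []PackageRule{{
			ID:      &Matcher{Value: `github_release/github.com/suzuki-shunsuke/tfcmt/.*`, Format: "regexp"},
			Version: ">= v3.0.0",
		}}},
	}}
}

func main() {
	// Constructed requests: a too-old tfcmt from a local registry is denied.
	for _, req := range []Request{
		{RegistryID: "standard", PkgID: "github_release/github.com/cli/cli", PkgName: "cli/cli", Version: "v2.0.0"},
		{RegistryID: "local/registry.yaml", PkgID: "github_release/github.com/suzuki-shunsuke/tfcmt/tfcmt", Version: "v2.9.0"},
	} {
		fmt.Printf("%s %s %s -> allowed=%v\n", req.RegistryID, req.PkgID, req.Version, Allowed(ExamplePolicy(), req))
	}
}
```

Two design points worth noting: the regexp is anchored because an unanchored `id_format: regexp` rule would let `github_release/github.com/suzuki-shunsuke/tfcmt/.*` match any id that merely contains that prefix, and any malformed version or constraint is treated as a policy violation rather than a pass, which is what "all registries and packages are forbidden by default" implies for the version-constraint branch as well.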
aqua-policy.yaml:

```yaml
registries:
  - type: standard
    ref: semVer(">= 3.0.0") || Version == "xxx"
  - type: standard
    ref: xxx
    name: standard-xxx
  - type: local
    name: local
    path: registry.yaml # relative path from aqua-policy.yaml
  - type: github_content
    name: aqua-registry
    repo_owner: aquaproj
    repo_name: aqua-registry
    ref: semVer(">= v3.0.0")
    path: registry.yaml
packages:
  - name: cli/cli
    version: semVer(">= v2.0.0")
  - name: gohugoio/hugo
    registry: aqua-registry
```
Feature Overview
Support restricting registries and packages globally for security.
Why is the feature needed?
This is useful to prevent malicious tools from being installed and executed.
Does the feature include Breaking Changes?
No.
Example Code
```console
$ export AQUA_SECURITY_CONFIG=$HOME/.config/aquaproj-aqua/security.yaml # You can change the file path freely
```

security.yaml (see the policy example above)
By default, all registries and packages are forbidden.
We assume that the environment variable can't be changed easily. In some CI platforms such as GitHub Actions, people can change the environment variable easily, so this feature doesn't work well. This means this feature assumes CI runs on a secure platform.
For example, in Mercari's Terraform CI platform people can't change the environment variable easily.
https://engineering.mercari.com/en/blog/entry/20220121-securing-terraform-monorepo-ci/
Or we should consider signing the configuration file.
registry id format
package id format
Reference