doc: security feature doc #3622

Merged
merged 2 commits into from
Aug 17, 2023

Conversation

Shubham9t9
Contributor

No description provided.


We have created `Security features` to identify the vulnerabilities inside your code and to protect you from external attacks.
By enabling this option, the system automatically scans the container image after the image build stage. It then generates a report that highlights all the vulnerabilities present within the image. To access the scan report of all builds with enabled vulnerability scans, simply navigate to the 'Security' tab on the dashboard. You can conveniently view the build history and all the vulnerabilities found in the build image there.
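Review bot: the opening sentence in the first line overstates the scope: the feature as described in the next line scans the built container image, so it reports known vulnerabilities in the image's packages and dependencies rather than identifying vulnerabilities "inside your code", and scanning alone does not "protect you from external attacks". Suggest scoping the claim, e.g. "identifies known vulnerabilities in your container images and lets you block their deployment".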
Contributor

By enabling this option, the system automatically scans the container image after the image build stage. It then generates a report that highlights all the vulnerabilities present within the image. To access the scan report of all builds with vulnerability scans enabled, simply navigate to the 'Security' tab on the dashboard. There you can conveniently view the build history and all the vulnerabilities detected in the build image.


The user gets informed in both cases if it finds any vulnerability or doesn't find any.
With this feature, users can specify their desired actions for each severity level. For example, they can choose to block any container image with Critical vulnerabilities, while allowing container images with Moderate or Low vulnerabilities to be deployed.
Contributor

With this feature, users can specify their desired actions for each severity level. For example, they can choose to block any container image with Critical vulnerabilities, while allowing container images with Moderate or Low vulnerabilities to be deployed.


If any vulnerability is found which is blocked by the user, then it will not deploy the application. And if it finds any vulnerability which is whitelisted by the user, then the build image can be deployed.
Devtron's Security Policies feature allows users to define policies based on the severity levels of vulnerabilities, which include **Critical**, **Moderate**, and **Low**. Users have the flexibility to set policies that either block the deployment of container images with vulnerabilities or allow their deployment.
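Review bot: the terminology in the first line ("blocked by the user", "whitelisted by the user") does not match the policy options the second line names (block or allow deployment). Suggest "blocked by policy" and "allowed by policy" throughout, so readers can map the prose onto the Block and Allow options in the UI.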
Contributor

Devtron's Security Policies feature allows users to define policies based on the severity levels of vulnerabilities, which include Critical, Moderate, and Low. Users have the flexibility to set policies that either block the deployment of container images with vulnerabilities or allow their deployment.


Your Application-> Build History-> Select pipeline-> Go to Security Tab.
1. Navigate to the Security tab within Devtron.
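Review bot: the navigation path on the first line ("Your Application-> Build History-> Select pipeline-> Go to Security Tab.") and step 1 describe the same action in two different forms, and the arrow spacing is inconsistent. Suggest one form, e.g. "Your Application > Build History > select a pipeline > Security tab", and using it for every path in the document.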
Contributor

Navigate to the Security tab within Devtron.


See the below image.
**NOTE:** Vulnerabilities will only be displayed if a vulnerability scan has been enabled for that specific image. If no vulnerabilities are visible, it indicates that a vulnerability scan has not been performed for the image.
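Review bot: the NOTE on the second line treats "no vulnerabilities visible" as proof that no scan ran, but an earlier line in this document says the user is informed when a scan finds nothing, so a completed scan with zero findings would also show no vulnerabilities. Suggest stating how the Security tab distinguishes "scan not enabled" from "scan completed, no findings", or, if it does not, saying so explicitly.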
Contributor

NOTE:

(colon should not be bold)


Again we have three options to define a policy- Block, Allow, and Inherit.
The Application Security Policy operates on a similar principle as other policies. However, in the Application Security Policy, the policy is determined by both the Environment option and the Application option.
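Review bot: "Again we have three options" on the first line is not accurate for every level: later in this document Global Security Policies offer only Block and Allow, with Inherit added at the Cluster level. Suggest stating at which levels Inherit is available and which level it inherits from.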
Contributor

The Application Security Policy operates on a similar principle as other policies. However, in the Application Security Policy, the policy is determined by both the Environment option and the Application option.


![](../.gitbook/assets/security-feature-global-security-policies.png)
In Global Security Policies, there are two options: `Block` and `Allow`. Cluster Security Policies have an additional option called `Inherit`.
Contributor

In Global Security Policies, there are two options: Block and Allow. Cluster Security Policies have an additional option called Inherit.

* Environment
* Application
Within the Global Security Policies, there are two options available: Block and Allow.
If critical severity levels are blocked in the Global Security Policy, the same blocking will be applied to the Cluster Security Policy. Similarly, if the global policy is modified to allow critical levels, it will also allow them in Cluster Security Policies.
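Review bot: the inheritance statement on the last line holds only where the Cluster Security Policy is set to Inherit, the option introduced in the previous section; a cluster explicitly set to Block or Allow would not follow a change to the Global policy. Suggest qualifying it: "If the Cluster Security Policy is set to Inherit, blocking critical severity in the Global Security Policy ...".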
Contributor

If critical severity levels are blocked in the Global Security Policy, the same blocking will be applied to the Cluster Security Policy. Similarly, if the global policy is modified to allow critical levels, it will also allow them in Cluster Security Policies.

* Cluster
* Environment
* Application
Within the Global Security Policies, there are two options available: Block and Allow.
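Review bot: the last line repeats, word for word, the sentence that follows the Environment/Application list in the previous section. Suggest removing the duplicate, or, if the Cluster/Environment/Application list here is meant to show the levels at which Inherit is available, stating that instead.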
Contributor

Within the Global Security Policies, there are two options available: Block and Allow.


Home Page-> Security - > Security Policies
Users can block all the critical vulnerabilities and allow the moderate and low vulnerabilities or Users can block all vulnerabilities or users can block all vulnerabilities for one application and can block only Critical vulnerabilities for other applications.
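Review bot: the path on the first line has inconsistent arrow spacing ("Security - > Security Policies"), and the second line chains three alternatives with "or" in one sentence. Suggest the same "A > B > C" form used elsewhere and a bulleted list of the three example policies.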
Contributor

Users can block all the critical vulnerabilities and allow the moderate and low vulnerabilities
or
Users can block all vulnerabilities
or
Users can block all vulnerabilities for one application and can block only critical vulnerabilities for other applications
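As an added illustration (not Devtron's code) of the policy semantics this document describes, the resolver below walks the Application, Environment, Cluster and Global levels, treats Inherit as "defer to the level above", and admits an image only if none of its findings resolves to Block. The most-specific-wins ordering of the levels, the fail-closed default when Global is misconfigured, and the finding ids are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Action is one of the three policy options the document describes.
type Action int

const (
	Inherit Action = iota // defer to the level above (Global offers only Block/Allow)
	Allow
	Block
)

// Level order, most specific last. Assumption: Application overrides
// Environment, which overrides Cluster, which overrides Global.
var levels = []string{"global", "cluster", "environment", "application"}

// Policy maps level -> severity -> Action. Severities: Critical, Moderate, Low.
type Policy map[string]map[string]Action

// Resolve walks from the most specific level upward until a non-Inherit
// action is found. If even Global is missing or set to Inherit, we fail
// closed (Block) so a misconfiguration cannot admit an image.
func Resolve(p Policy, severity string) Action {
	for i := len(levels) - 1; i >= 0; i-- {
		if a, ok := p[levels[i]][severity]; ok && a != Inherit {
			return a
		}
	}
	return Block
}

// Finding is a constructed scan result; only the severity drives the decision.
type Finding struct{ ID, Severity string }

// Decide reports whether the image may be deployed and which findings
// blocked it. An image is admitted only if no finding resolves to Block.
func Decide(p Policy, findings []Finding) (bool, []string) {
	var blocked []string
	for _, f := range findings {
		if Resolve(p, f.Severity) == Block {
			blocked = append(blocked, f.ID)
		}
	}
	return len(blocked) == 0, blocked
}

func main() {
	// Constructed policy: Global blocks Critical and allows Moderate/Low,
	// Cluster inherits everything, one application additionally blocks Moderate.
	p := Policy{
		"global":      {"Critical": Block, "Moderate": Allow, "Low": Allow},
		"cluster":     {"Critical": Inherit, "Moderate": Inherit, "Low": Inherit},
		"application": {"Moderate": Block},
	}
	// Constructed sample findings (placeholder ids, not real CVE numbers).
	findings := []Finding{{"VULN-0001", "Critical"}, {"VULN-0002", "Low"}}
	ok, blocked := Decide(p, findings)
	fmt.Printf("deploy=%v blocked=%s\n", ok, strings.Join(blocked, ","))
}
```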

@sonarcloud

sonarcloud bot commented Aug 7, 2023

Kudos, SonarCloud Quality Gate passed!

* Bug: A (0 Bugs)
* Vulnerability: A (0 Vulnerabilities)
* Security Hotspot: A (0 Security Hotspots)
* Code Smell: A (0 Code Smells)
* No Coverage information
* No Duplication information

@prakarsh-dt prakarsh-dt changed the title docs: security feature doc doc: security feature doc Aug 17, 2023
@prakarsh-dt prakarsh-dt merged commit c6db3de into devtron-labs:main Aug 17, 2023
3 of 4 checks passed
Ash-exp pushed a commit that referenced this pull request Aug 21, 2023
* security feature doc rewrite

* Proofread security-features.md

---------

Co-authored-by: Shubham9t9 <shubhamkumar47022@gmai.com>
Co-authored-by: ashokdevtron <141001279+ashokdevtron@users.noreply.github.com>
iamayushm added a commit that referenced this pull request Sep 4, 2023
3 participants