Skip to content

Validate with ai#252

Merged
devopstoday11 merged 17 commits intopre-mainfrom
validate-with-ai
Jan 24, 2025
Merged

Validate with ai#252
devopstoday11 merged 17 commits intopre-mainfrom
validate-with-ai

Conversation

@santoshkal
Copy link
Copy Markdown
Collaborator

@santoshkal santoshkal commented Jan 24, 2025

This PR Implements remediations to failed results while validating resources with different techs available with Genval like, Rego, CEL, and Regex.
Genval can now accept parameters from YAML file by passing --config flag.

@santoshkal
WIP: on integrating Ai with validation workflow for remediation actions:
75dde5d 
- Extracted passed and failed result counts from ValidateWithRego()
- Added a new bool flag --takeaction, if set to true will skip printing results and pass the results to cfg.GenerateOpenAIResponse()
- Extracted []Results from ValidateWithRego() for passing it to cfg.GenrerateOpenAIResponse() as userPrompt combining it with reqinput
@santoshkal
WIP: All required parameters for GenerateChatResponse extracted.
5c1ac79 
- Need to integrate the LLM Config with other Genval Commands when interadcting with AI
@santoshkal
WIP: First working code for remediating Dockerfiles for errors thrown…
3808123 
… by genval Rego workflow.

- As there is no config passed by the user currently, the config for AI is included in the cmd func.
- Need to only extract Dockerfile from the LLM response, so that it be passed back to Validator for final validation with Rego
@santoshkal
WIP: First working code for remediating Dockerfiles for errors thrown…
4dbfea8 
… by genval Rego workflow.

- As there is no config passed by the user currently, the config for AI is included in the cmd func.
- Now, the Final Dockerfile is written to the pre-defined path provided in
@santoshkal
WIP: First cut with reading config file with viper
470baa4 
- TODO: provide the updated Dockerfile and only the failed results as userPromt at each iteration.
- Print Final Dockerfile on the terminal in addition to writing that to the output path provided
- Print the diff of original and the Final Dockerfile
@santoshkal
WIP: Updated to pass only the failed results and updated Dockerfile
baa4ade
@santoshkal
WIP: Now every iteration get updated Dockerfile with resultsFailed --…
eb6b12c 
…no-verify
@santoshkal
WIP: Only Failed results are passed to LLM
b64c540
@santoshkal
WIP: passing args by flags bug fixed. Add LLM integration for infrafi…
d8631dc 
…le validation
@santoshkal
Refactor to move all the LLM logic to LLM package.
7ca9898 
TODO: Remove all the debug print lines of traces in rego.Evan()
TODO: Refactor the flag parsing with viper.BindFlg wrapper funcs
@santoshkal
WIP: Validation remediated implemented in all regoval commands.
00c7e98 
TODO: Merege the YAML config from CEL and Regex polcy to the existing for consistancy
TODO: Make PrintResults func consistant across all techs validation
TODO: Impletement validation remediation for regex and CEL
@santoshkal
remediation changes
34f56c0
@santoshkal
WIP: remediation implemented on CEL dockerfileval cmd.
a11026a 
TODO: Add remediation to Infrafile and TErrqaform
@santoshkal
Add printing errors and verbose success logs for successful validatio…
26ca29b 
…n of Cue validation and generation Update examples in Cmds
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Jan 24, 2025
edited
Loading

DryRun Security Summary

The pull request enhances the genval application's security and functionality by introducing AI-powered remediation, secure policy management, improved configuration handling, robust error logging, and input validation for infrastructure files like Dockerfiles, Terraform configurations, and Kubernetes manifests.

Expand for full summary

Summary:

The code changes in this pull request focus on enhancing the security and functionality of the genval application, which is used for validating and remediating various types of infrastructure files, including Dockerfiles, Terraform configurations, and Kubernetes manifests.

The key security-related changes include:

  1. Automated Remediation: The introduction of an AI-powered remediation functionality that can automatically address security issues identified during the validation process. This feature aims to simplify the process of fixing security-related problems in infrastructure files.

  2. Secure Policy Management: The ability to use Rego policies stored in OCI-compliant registries for validation, which allows for centralized and potentially more secure policy management.

  3. Improved Configuration Management: The addition of YAML-based configuration support, which enables users to centralize and manage the application's settings, including security-related parameters.

  4. Robust Error Handling and Logging: Enhancements to the error handling and logging mechanisms, which can aid in debugging and troubleshooting potential security issues.

  5. Secure Input Validation: Efforts to ensure that user-provided input, such as Dockerfiles, Terraform configurations, and Kubernetes manifests, are properly validated and sanitized to prevent potential security vulnerabilities.

Overall, these changes demonstrate a strong focus on improving the security and usability of the genval application, which can be beneficial for organizations looking to maintain secure infrastructure as code practices.

Files Changed:

  • cmd/container.go: Introduces a takeAction flag and updates the validation functions to support OCI-based policy validation.
  • cmd/celval_terraform.go: Adds remediation functionality, configuration file support, and parsing/evaluation improvements.
  • cmd/celval_dockerfileval.go: Introduces new flags, remediation loop, and output handling.
  • cmd/celval_infrafile.go: Updates the validation and remediation process for Kubernetes manifests.
  • cmd/opts.go: Adds utility functions and YAML configuration loading.
  • cmd/genai.go: Refactors the configuration loading process.
  • cmd/regex.go: Removes the requirement for the reqinput flag in the regex command.
  • cmd/cue.go: Enhances the cue command with new flags and improved validation/generation functionality.
  • go.mod and go.sum: Update dependencies, including the cuelang.org/go package.
  • cmd/regoval_dockerfileval.go: Adds remediation capabilities and configuration file support.
  • cmd/regoval_infrafile.go: Introduces remediation functionality and OCI registry support.
  • cmd/regoval_terraform.go: Adds remediation capabilities and configuration file support.
  • llm/assistant.go: Improves the system prompt loading functionality.
  • llm/README.md: Updates the configuration file for the language model used in the application.
  • llm/takeaction.go: Implements the RemediateResource() function for LLM-based remediation.
  • llm/types.go: Adds new fields to the CommonSpec struct, including OCICredentials and Takeaction.
  • pkg/cuecore/printresults.go: Introduces functions to print errors and validation success in a tabular format.
  • pkg/cuecore/cuecore.go: Refactors the existing code, with minor changes in the import statements.
  • pkg/parser/dockerfile_parser.go: Adds a new Location field to the DockerfileInstruction struct.
  • pkg/validate/regoval.go: Improves the error handling and logging, and adds support for tracing the Rego policy evaluation process.
  • pkg/validate/printresults.go: Enhances the PrintResults function to improve error handling and extract failed policies.
  • pkg/validate/celval.go: Updates the EvaluateCELPolicies function to return more information about the evaluation process.
  • templates/defaultpolicies/rego/dockerfile_policies/check_cmd/check_cmd.json: Introduces a new policy to ensure that there is only one CMD instruction in a Dockerfile.
  • templates/defaultpolicies/rego/dockerfile_policies/check_cmd/check_cmd.rego: Defines the Rego policy to enforce the single

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 2 findings
Authn/Authz Analyzer 3 findings

View PR in the DryRun Dashboard.

@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Jan 24, 2025

DryRun Security Summary

The pull request enhances the Genval application's security and usability by introducing automated remediation, centralized configuration management, improved error handling, support for OCI registry-based policies, and robust input validation for infrastructure-as-code file validation.

Expand for full summary

Summary:

The code changes in this pull request focus on enhancing the security and usability of the Genval application, which is a tool used for validating and remediating infrastructure-as-code (IaC) files, such as Dockerfiles and Kubernetes manifests, using various policy frameworks (e.g., Rego, CEL).

The key security-related improvements include:

  1. Automated Remediation: The addition of the --takeaction and --model flags, which enable the application to automatically remediate failed validation results using an AI/LLM-based approach. This feature can help users quickly address security issues in their IaC files.

  2. Centralized Configuration Management: The introduction of YAML-based configuration files, which allow users to centralize and manage various settings, including input files, policies, and credentials, improving the overall security and maintainability of the application.

  3. Improved Error Handling and Logging: The code changes include enhancements to error handling and logging, providing more detailed information to users and security teams, which can aid in troubleshooting and incident response.

  4. Support for OCI Registry-based Policies: The ability to fetch security policies from OCI-compliant registries, such as GitHub Container Registry, enables a more centralized and secure policy management approach.

  5. Validation of User Input: The code includes various input validation checks to ensure that user-provided data, such as file paths and URLs, are properly sanitized and validated, reducing the risk of injection vulnerabilities.

Overall, the changes in this pull request demonstrate a strong focus on improving the security and usability of the Genval application, which is a crucial tool for securing infrastructure-as-code in modern software development and deployment practices.

Files Changed:

  1. cmd/celval_terraform.go: Adds new flags and functionality to the "celval terraform" command, including automated remediation using an AI model and support for configuration files.
  2. cmd/celval_dockerfileval.go: Introduces similar remediation and configuration management capabilities for the "celval dockerfileval" command.
  3. cmd/container.go: Enhances the "dockerfile" command with input validation and policy-based validation features.
  4. cmd/celval_infrafile.go: Adds a new "infrafile" command to validate Kubernetes and related manifests using CEL policies and AI-powered remediation.
  5. cmd/genai.go: Improves the handling of system prompts and user prompts for the "genai" command.
  6. cmd/opts.go: Introduces helper functions for parsing and validating configuration options.
  7. cmd/regex.go: Removes the requirement for the --reqinput flag, which could potentially introduce security risks.
  8. cmd/cue.go: Enhances the "cue" command with verbose logging, output directory control, and improved error handling.
  9. cmd/regoval_dockerfileval.go: Adds remediation capabilities and configuration management to the "dockerfileval" command.
  10. cmd/regoval_infrafile.go: Introduces similar remediation and configuration features for the "infrafile" command.
  11. go.mod and go.sum: Updates various dependencies, including Cue, AWS SDK, and Charmbracelet libraries.
  12. llm/assistant.go: Improves the handling of system prompt files and their organization.
  13. llm/README.md: Updates the configuration file for the Dockerfile validation process, including changes to the AI model and remediation settings.
  14. llm/takeaction.go: Implements the remediation functionality using an LLM-based approach.
  15. llm/types.go: Adds new fields to the configuration structure, including OCI credentials and the Takeaction flag.
  16. pkg/cuecore/printresults.go: Enhances the presentation of validation results.
  17. pkg/cuecore/cuecore.go: Reorganizes the import statements.
  18. pkg/parser/dockerfile_parser.go: Adds line number information to the parsed Dockerfile instructions.
  19. pkg/validate/celval.go: Improves the handling of failed CEL policy evaluations.
  20. pkg/validate/printresults.go: Enhances the output formatting and reporting of policy evaluation results.
  21. pkg/validate/regoval.go: Refactors the Rego policy validation

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 3 findings
Sensitive Files Analyzer 2 findings

View PR in the DryRun Dashboard.

@devopstoday11 devopstoday11 merged commit da83e0b into pre-main Jan 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@santoshkal @devopstoday11