Add cred flag to pull and push commands #95

Merged
merged 3 commits into from
Jun 8, 2024

Conversation

santoshkal (Collaborator)

This PR adds a creds flag to the push and pull commands. Push/pull commands now accept creds in the form of the ARTIFACT_REGISTRY_USERNAME and ARTIFACT_REGISTRY_PASSWORD env vars, or a Registry PAT as ARTIFACT_REGISTRY_TOKEN, or the PAT provided as a string.
If none of these are provided, the creds will default to the defaultKeyChain, which looks up $HOME/.docker/config.json for authentication.

Signed-off-by: Santosh <ksantosh@intelops.dev>
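The credential precedence the PR describes, written out as an added stand-alone example (not genval's own code): an explicit PAT string first, then ARTIFACT_REGISTRY_TOKEN, then the username/password pair, and finally the registry's entry in a docker config.json. It assumes the config.json layout of `auths[host].auth` holding base64 `user:password`, and takes the environment and config bytes as parameters instead of reading them, so the fallback and misconfiguration cases can be exercised offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Creds is a resolved registry credential; Source records which rule produced it.
type Creds struct{ Username, Password, Token, Source string }

// resolveCreds applies the precedence the PR describes: a PAT passed as a string,
// then ARTIFACT_REGISTRY_TOKEN, then the username/password pair, then the docker
// config.json entry (the default-keychain fallback). env and dockerCfg are injected
// so nothing here reads the real environment or $HOME/.docker/config.json.
func resolveCreds(flagPAT, registry string, env map[string]string, dockerCfg []byte) (Creds, error) {
	if flagPAT != "" {
		return Creds{Token: flagPAT, Source: "flag"}, nil
	}
	if t := env["ARTIFACT_REGISTRY_TOKEN"]; t != "" {
		return Creds{Token: t, Source: "env-token"}, nil
	}
	u, p := env["ARTIFACT_REGISTRY_USERNAME"], env["ARTIFACT_REGISTRY_PASSWORD"]
	if u != "" && p != "" {
		return Creds{Username: u, Password: p, Source: "env-basic"}, nil
	}
	if u != "" || p != "" { // half a pair is a misconfiguration, not a fallback case
		return Creds{}, errors.New("ARTIFACT_REGISTRY_USERNAME and ARTIFACT_REGISTRY_PASSWORD must be set together")
	}
	return fromDockerConfig(registry, dockerCfg)
}

// fromDockerConfig decodes the base64 "user:password" value stored under
// auths[registry].auth in a docker config.json (what the default keychain reads).
func fromDockerConfig(registry string, cfg []byte) (Creds, error) {
	var parsed struct {
		Auths map[string]struct{ Auth string `json:"auth"` } `json:"auths"`
	}
	if err := json.Unmarshal(cfg, &parsed); err != nil {
		return Creds{}, err
	}
	entry, ok := parsed.Auths[registry]
	if !ok {
		return Creds{}, errors.New("no docker config entry for " + registry)
	}
	raw, err := base64.StdEncoding.DecodeString(entry.Auth)
	user, pass, found := strings.Cut(string(raw), ":")
	if err != nil || !found {
		return Creds{}, errors.New("malformed auth entry for " + registry)
	}
	return Creds{Username: user, Password: pass, Source: "docker-config"}, nil
}
```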

dryrunsecurity bot commented Jun 8, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Authn/Authz Analyzer 4 findings
Sensitive Files Analyzer 0 findings
AppSec Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on improving the security and maintainability of the OCI (Open Container Initiative) client functionality in the genval project. The key changes include:

  1. OCI Client Authentication: The ociClient.go file now supports token-based authentication in addition to the existing username and password authentication. This is a positive security enhancement, as token-based authentication is generally considered more secure than traditional username and password authentication.

  2. Artifact Pulling: The artifact_pull.go file introduces a new creds flag that allows users to provide credentials to authenticate with OCI registries when pulling artifacts. This provides more flexibility and control over the authentication process, which is an important security consideration. The code also includes robust error handling and signature verification using Cosign, further strengthening the security of the artifact pulling process.

  3. Artifact Pushing: The artifact_push.go file has been updated to include a new "credentials" or "c" flag that allows users to provide credentials to authenticate with OCI registries when pushing artifacts. While this is a positive change, the implementation could be improved by handling the provided credentials directly in the runPushCmd() function, validating the credentials, and considering the use of a secure storage mechanism for sensitive credentials.

Overall, the changes in this pull request appear to be focused on improving the security and maintainability of the OCI client functionality, which is an important aspect of the genval project. The application security engineer has provided several recommendations to further enhance the security of the implementation.

Files Changed:

  1. pkg/oci/ociClient.go: The changes introduce support for token-based authentication in addition to the existing username and password authentication, which is a positive security enhancement. The removal of a commented-out TODO item related to the user-agent header is also a good practice.

  2. cmd/artifact_pull.go: The changes introduce a new creds flag that allows users to provide credentials to authenticate with OCI registries when pulling artifacts. This provides more flexibility and control over the authentication process, and the code includes robust error handling and signature verification using Cosign.

  3. cmd/artifact_push.go: The changes introduce a new "credentials" or "c" flag that allows users to provide credentials to authenticate with OCI registries when pushing artifacts. While this is a positive change, the implementation could be improved by handling the provided credentials directly in the runPushCmd() function, validating the credentials, and considering the use of a secure storage mechanism for sensitive credentials.

Powered by DryRun Security

@santoshkal santoshkal merged commit 7e8d14c into main Jun 8, 2024
12 checks passed