-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ability to configure which hooks to run per scan #757
Conversation
Signed-off-by: Jop Zitman <jop.zitman@secura.com>
b33e4a6
to
0737120
Compare
Thank you very much for the pull request! I've done some local testing, so here's my thoughts on the current state of the PR and on the open questions that we need to answer before we can proceed with it (because I really want to proceed with it, I love the idea and it elegantly solves an issue I have been struggling with): Default BehaviorAt the moment, the new code seems to change the default behavior: If I do not provide any Both options seem a bit difficult:
Interactions with CascadingScansCascading Scans are implemented as a hook. Thus, we would have two distinct ways of enabling / disabling cascading scans for a single scan: Using the LabelsWhere are the labels for the selections coming from? By default, the defectDojo hook has the following labels: $ kubectl describe scancompletionhooks.execution.securecodebox.io dd-persistence-defectdojo
Name: dd-persistence-defectdojo
Namespace: default
Labels: app.kubernetes.io/instance=dd
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=persistence-defectdojo
app.kubernetes.io/version=1.12.0
helm.sh/chart=persistence-defectdojo-3.3.0
type=Unstructured What label do we base our selection on for the scans? At least for the documentation, we need to give some examples. Do we choose Also: Is there an easy way to add new labels to a hook? If so, we should document it somewhere so people can also have engagement- or scope-specific hooks etc., which brings me to... DocumentationA fairly obvious point, but at the moment, this PR does not update the docs and does not reference a PR in the docs repository that does so. It would be really helpful for reviewing the changes if there was some draft documentation that explicitly states the expected behavior of the code, so that it is easier both to discuss if this specified behavior is the one we want, and to compare it against the reality implemented in the code. Bonus points for including a couple of examples, which make testing a lot easier as well :). |
Hey @malexmave, thanks for the comments. Our eagerness for fixing this issue is shared 😃 .
Interesting, this seems to be another side-effect of including
Good question. I believe this problem stems from the fact that the Cascading Scans hook is implemented both as a Hook and in the Operator.. Notice that all other hooks only have deploy-time configurations (except some envs). I don't think there's an easy way to let the Cascading Scans hook always run. If a user adds a
User-defined. It's up to the users to add labels (or re-use labels added by tools like Helm) and select them. @malexmave If you'd like, we could add default labels to all secureCodeBox managed hooks that match their CI/directory names.
Yes, just like the default label selectors. Think of them like a filter instead of a selector.
Thanks for bringing this up. There are no public guidelines concerning documentation for contributions. I've brought this up earlier in secureCodeBox/documentation#122. Within Secura, we try to add requirements within the related issue and implementation details in the PR. The former is properly done in #728 and the latter could show improvements. However with such few changes and its common use on cli, I thought it unnecessary. We usually add documentation after the first review / merge to prevent writing documentation on unfinished/poc/controversial implementations, but I'd be happy to adhere to your methods of working. I'll fix the |
Thanks for the quick reply. :)
I think the pipeline should work, there were some issues with GitHub actions last friday if I recall correctly. It should run once you have pushed another commit.
I think it would be good to have some form of consistent default label that we can use in the documentation - I don't particularly mind if that label is autogenerated by helm (as long as helm does so in a consistent way). Additionally, we should at least have a specified, recommended way to add additional labels to hooks during the install / configuration of the hook. I don't have enough experience with k8s to recommend a specific way, so this is more of an open question to everyone how we can do this. A possible scenario for this: We have several different networks / deployments that we are scanning, and want to do different things with the data collected from each deployment (push them to different DefectDojos / notification hooks / cascading scans / ...). How do I configure the hooks and the scans to achieve this? Once the feature is merged and released, I'd be happy to write an article for the secureCodeBox blog about this that explains how to use this feature in practice (similar to my forthcoming semgrep article) - or you can of course also write the article yourself if you want, it's your feature after all, I don't want to steal your contributions, I just want to avoid giving you extra work :).
True! We've been discussing this internally as well during the last retro, but have not yet come to a conclusion on how we want to address this. My personal approach is to document as I go, but I completely understand your point about not spending a lot of time on documentation while it is still unclear what the final version is going to look like. I don't think that we (should) expect complete documentation on a PR that is in a state intended to serve as a basis for further discussions, so it's definitely not a problem that you submitted without docs, it's just something that, once the implementation is settled, should be added quickly and ideally before merging (but at least before releasing) the feature. But this has not always been true for our own code, either :). Perhaps a good compromise would be that PRs with new features should specify one complete example (in the PR or in the issue, I don't mind either way) on how to use the feature that can easily be tested and adapted locally, so that the reviewer has a basis to work on? And then the in-depth documentation can be added once the reviewers are satisfied and it is clear that the feature is not going to require basic changes? But this is getting a bit off topic for this pull request, and may also be a bit controversial inside the team, so don't take this as any kind of policy :). |
Not unfortunately not, pipelines are still disabled for forks as the hooks build / tests are not completly migrated yet :(
Interesting questions, never thought about that before 😕 I dont think we should develop some special exception for that. I'd add a specific label to that hook maybe |
Signed-off-by: Jop Zitman <jop.zitman@secura.com>
Signed-off-by: Jop Zitman <jop.zitman@secura.com>
Signed-off-by: Jop Zitman <jop.zitman@secura.com>
Signed-off-by: Jop Zitman <jop.zitman@secura.com>
955d101
to
b6de891
Compare
@J12934 @malexmave I've updated this PR. See commit log for specific changes. Some specifics:
Unlike I expected, it actually is autogenerated in each hook's
I've added loads of examples and context in this PR body. Once this PR is approved I'll add a related PR in the docs repo to update the CRDs. It would be nice if @malexmave could write a blog-post with your specific use case. You can always use the example given in #728 😄. Can someone run helm-docs and trigger the pipeline? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can confirm that the changes lead to hooks running normally if no selectors are provided, as expected. I added two comments (see below), both once again in the area of system behavior vs. user expectations.
Signed-off-by: Jop Zitman <jop.zitman@secura.com>
…nd volumes) Signed-off-by: Jop Zitman <jop.zitman@secura.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you again for your work on this. I think that this state is ready to merge. For documentation, I think we will need doc changes in the following places:
- Explanations of the CRDs (API reference)
- Explanations of how a scan is created (adding the selectors)
- Explanations for the different hooks (adding labels)
- Explanations for contributing a new hook (updating the examples given in the docs for values.yaml and the template)
- Explanations of cascading scans (new inheritance fields, behavior as discussed)
- Ideally, we could add another article in the "How to" section on "Select which hooks to run", which explains the whole process in an end-to-end way (installing hooks with custom labels, selecting which labels to run, ...).
Since #695 will require significant documentation changes in very similar areas as well, it may be easier to combine the documentation updates for both features. In that case, you could also make a more general how-to on "controlling hook execution" which covers the features introduced in both PRs together.
But this can be done in a separate PR (or two, if it covers both repos).
@J12934 is there an easy way to get the CI to run on this, or do we merge through the warning (I don't have the necessary rights for this at the moment). Also, at the moment CodeClimate seems a bit miffed about the new code. I don't really see an easier way to implement the part it complains about though.
@malexmave see the new documentation PR secureCodeBox/documentation#152. Feel free to add/correct wherever necessary. Did you want to make a new blogpost too? |
Thanks! I'll take a look at the PR later today or tomorrow at the latest. For the blog post: I understood that you aren't eager to write the blogpost yourself? Because if you want, you can definitely do so (they are your features, after all :). If you don't want to write the post, I will see if I can find time to write one, but I don't consider it an absolute requirement to have a blog post, especially if we have a good documentation article (I see that you wrote one, I just haven't read it in detail yet). In general: I consider this PR ready to merge, I'm just holding off on pressing the button until I've had time to also read the documentation PR, in case anything comes up while going through it. |
Indeed. I'm personally not a big fan of writing blog-posts (or documentation in general 😬 ), and we don't really have the capacity to work on these, also considering their value for Secura. Though, feel free to write any blog posts about anything we contribute, especially if you're so closely involved in the review process. |
Description
This PR, if applied, closes #728, mainly by adding the field
hookSelector
in the scan spec. Besides, this PR adds the cascading scans fieldinheritHookSelector
(defaultfalse
) for more control over thehookSelector
field in cascading scans.Related documentation PR secureCodeBox/documentation#152
Example usage
To select all hooks, leave the
hookSelector
field undefined or specify:To select specific hooks:
To ignore certain hooks:
Available operators are:
In
,NotIn
,Exists
,DoesNotExist
You may also use
matchLabels
for exact matches on labels:matchLabels
andmatchExpressions
may be used simultaneously.Default Hook labels
To select a certain hook deployment, use the label
app.kubernetes.io/instance
(e.g.update-severity
for theupdate-field
hook). To select a certain hook type, use the labelapp.kubernetes.io/name
(e.g.update-field
).Extra hook labels may be added by deploying the hook with the
hook.labels
field set invalues.yaml
.Usage in combination with Cascading Scans
Besides existing fields (e.g.
inheritVolumes
,inheritLabels
, etc.), the fieldinheritHookSelector
is now available with the same behavior as the other existing fields.Note: to use cascading scans in combination with
hookSelector
, ensure that you also select the cascading scans hook. You can use the existing labelsecurecodebox.io/internal
to select core features like cascading scans. You should manually ensure that your other selectors override this selector in behavior.Checklist
npm test
runs for the whole project.