gcr-kritis-signer

command module
v0.0.0-...-5ce7b52 Latest
Published: Dec 23, 2020 License: Apache-2.0 Imports: 21 Imported by: 0

README

GCR kritis signer

The GCR kritis signer has been merged into the grafeas code base.

GCR kritis signer is a service that creates an attestation for a container image when the image passes the vulnerability policy. It accepts direct check and sign requests, but it can also be subscribed to the topic container-analysis-occurrence-v1. When a container vulnerability analysis has completed, it checks the reported vulnerabilities against the policy and, if they pass, creates an attestation.

Read How to automate the Kritis Signer on Google Cloud Platform

api specification

The following table shows the operations available from the API:

| path | description |
|---|---|
| /check | checks the specified image against the policy |
| /check-and-sign | checks the image and signs it if it passes the policy |
| /event | if the event indicates the completion of a vulnerability scan, checks and signs the image |

/check and /check-and-sign accept the following request message:

{
    "image": "gcr.io/project/alpine@sha256:f86657a463e3de9e5176e4774640c76399b2480634af97f45354f1553e372cc9"
}

If the image passes the policy the response message will be:

{
    "image": "gcr.io/project/alpine@sha256:f86657a463e3de9e5176e4774640c76399b2480634af97f45354f1553e372cc9",
    "status": "ok"
}

If it does not pass the policy, the message will be:

{
  "status": "failed",
  "image": "gcr.io/project/a27@sha256:f86657a463e3de9e5176e4774640c76399b2480634af97f45354f1553e372cc9",
  "violations": [
    "found unfixable CVE projects/goog-vulnz/notes/CVE-2018-18344 in gcr.io/..., which has severity MEDIUM exceeding max unfixable severity LOW",
    "found unfixable CVE projects/goog-vulnz/notes/CVE-2020-1751 in gcr.io/..., which has severity MEDIUM exceeding max unfixable severity LOW"
  ]
}

/event accepts a standard Pub/Sub push message:

{
  "subscription": "vulnerability-attestor-container-analysis-occurrences",
  "message": {
    "data": "eyJuYW1lIjoicHJvamVjdHMvcHJvamVjdC9vY2N1cnJlbmNlcy9mNjJmMWU1MC1lMGUyLTQ3ZWYtOTI1ZC1iZDc5OTA1YWI4MmQiLCJraW5kIjoiRElTQ09WRVJZIiwibm90aWZpY2F0aW9uVGltZSI6IjIwMjAtMTEtMDZUMTU6MDM6NTAuNTMxMDgyWiJ9",
    "id": "1681150847368976"
  }
}

where data is the base64-encoded notification published by the container analysis service, which decodes to:

{
  "name": "projects/project/occurrences/f62f1e50-e0e2-47ef-925d-bd79905ab82d",
  "kind": "DISCOVERY",
  "notificationTime": "2020-11-06T15:03:50.531082Z"
}

configuration

You configure the GCR kritis signer using the following environment variables and/or command-line options:

| name | option | description | required |
|---|---|---|---|
| ATTESTATION_POLICY | -policy | policy defining acceptable vulnerabilities | yes |
| ATTESTATION_NOTE_NAME | -note-name | name of the note to attest | yes |
| ATTESTATION_KMS_KEY | -kms-key | KMS key version to use for signing | yes |
| ATTESTATION_DIGEST_ALGORITHM | -digest-algorithm | digest algorithm used | yes |
| ATTESTATION_PROJECT | -project | GCP project in which to store the attestation | no; defaults to the project of the image |
| ATTESTATION_OVERWRITE | -overwrite | overwrite existing attestations | no; default false |

deployment

The GCR kritis signer can be deployed using the following Terraform configuration:

resource "google_cloud_run_service" "vulnerability_policy_attestor" {
  name     = "vulnerability-policy-attestor"
  location = "europe-west1"

  template {
    spec {
      service_account_name = google_service_account.vulnerability_policy_attestor.email
      containers {
        image = "gcr.io/binx-io-public/gcp-kritis-signer:latest"
        env {
          name  = "ATTESTATION_PROJECT"
          value = var.project
        }
        env {
          name  = "ATTESTATION_NOTE_NAME"
          value = google_container_analysis_note.passed_vulnerability_policy.id
        }
        env {
          name  = "ATTESTATION_KMS_KEY"
          value = replace(data.google_kms_crypto_key_version.vulnerability_policy_attestor.id, "///cloudkms.googleapis.com/[^/]*//", "")
        }
        env {
          name  = "ATTESTATION_DIGEST_ALGORITHM"
          value = "SHA384"
        }
        env {
          name  = "ATTESTATION_OVERWRITE"
          value = "true"
        }
        env {
          name  = "ATTESTATION_POLICY"
          value = <<EOF
apiVersion: kritis.grafeas.io/v1beta1
kind: VulnzSigningPolicy
metadata:
  name: image-vulnerability-policy
spec:
  imageVulnerabilityRequirements:
    maximumFixableSeverity: MEDIUM
    maximumUnfixableSeverity: MEDIUM
    allowlistCVEs:
    - projects/goog-vulnz/notes/CVE-2020-10543
    - projects/goog-vulnz/notes/CVE-2020-10878
    - projects/goog-vulnz/notes/CVE-2020-14155
EOF
        }
      }
    }
  }
}
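As an added example, not the project's own code, this is the policy evaluation that /check and /check-and-sign describe, reduced to the three fields of imageVulnerabilityRequirements used in the policy above, and producing violations worded like the failed response shown earlier. The Vulnerability struct is a constructed, simplified view of a vulnerability occurrence, and treating an unrecognised severity as a violation (fail closed) is this example's choice, not documented behaviour of the signer.

```go
package main

import (
	"fmt"
	"strings"
)

// severityRank orders the severities reported by Container Analysis.
var severityRank = map[string]int{"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

// Policy mirrors spec.imageVulnerabilityRequirements of a VulnzSigningPolicy.
type Policy struct {
	MaxFixable   string   // maximumFixableSeverity
	MaxUnfixable string   // maximumUnfixableSeverity
	AllowlistCVE []string // allowlistCVEs, as note names
}

// Vulnerability is a constructed, simplified view of one vulnerability occurrence.
type Vulnerability struct {
	Note     string // e.g. projects/goog-vulnz/notes/CVE-2018-18344
	Severity string // as reported by the scanner
	Fixable  bool   // a fixed package version is available
}

// Evaluate returns one violation per vulnerability that exceeds the policy,
// worded like the /check response above. An unrecognised severity (or a
// misconfigured maximum) is treated as a violation so the check fails closed.
func Evaluate(image string, p Policy, vulns []Vulnerability) []string {
	allow := make(map[string]bool, len(p.AllowlistCVE))
	for _, n := range p.AllowlistCVE {
		allow[n] = true
	}
	var violations []string
	for _, v := range vulns {
		if allow[v.Note] {
			continue // allowlisted CVEs never block signing
		}
		kind, limit := "unfixable", p.MaxUnfixable
		if v.Fixable {
			kind, limit = "fixable", p.MaxFixable
		}
		rank, known := severityRank[strings.ToUpper(v.Severity)]
		if !known || rank > severityRank[strings.ToUpper(limit)] {
			violations = append(violations, fmt.Sprintf(
				"found %s CVE %s in %s, which has severity %s exceeding max %s severity %s",
				kind, v.Note, image, v.Severity, kind, limit))
		}
	}
	return violations
}
```

An empty result means the image passes and the caller would answer with status "ok"; a non-empty one maps to status "failed" with the violations list.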

Documentation

There is no documentation for this package.