
Commit c52ebb0

Update Rego validations (#104)
* WIP: implement validating with default policies Need to handle the error throwing when unable to fetch metadata fields from the defaultpolicies Signed-off-by: Santosh <ksantosh@intelops.dev> * WIP: Improved logging individual policy errors Signed-off-by: Santosh <ksantosh@intelops.dev> * WIP: Removed all the errors which were showing even with correct validation results Signed-off-by: Santosh <ksantosh@intelops.dev> * WIP: Fetching policies using .env file This method would require to supply the '.env' file to users, without which the command will fail with error: Error reading .env file Another approach could be to store all the ociURLs in a const and refer them to pull default policies. Signed-off-by: Santosh <ksantosh@intelops.dev> * Update: Validation with default policies for infrafile and terraform files Added examples for using default policies. Updated the logic for adding the source annotation for creating an OCI artifact Signed-off-by: Santosh <ksantosh@intelops.dev> * Update ValidateWithRego() to validate with new format of Rego policy Signed-off-by: Santosh <ksantosh@intelops.dev> * Update URLs for default policies Signed-off-by: Santosh <ksantosh@intelops.dev> * fix failing tests Signed-off-by: Santosh <ksantosh@intelops.dev> --------- Signed-off-by: Santosh <ksantosh@intelops.dev>
1 parent e08425b commit c52ebb0

23 files changed

+361
-160
lines changed

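--- a/cmd/artifact_push.go
+++ b/cmd/artifact_push.go
@@ -120,7 +120,9 @@ func runPushCmd(cmd *cobra.Command, args []string) error {
 if err != nil {
 log.Printf("Error parsing source: %v", err)
 }
-remoteURL, err := oci.GetGitRemoteURL()
+
+remoteURL, err := oci.GetRemoteURL()
+fmt.Printf("Remote Name: %v", remoteURL)
 if err != nil {
 return err
 }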
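Review bot: `fmt.Printf("Remote Name: %v", remoteURL)` on new line 125 runs before the `err` check that follows it, so when `oci.GetRemoteURL()` fails the command prints a zero-value URL to stdout before returning the error, and the string has no trailing newline so it fuses with whatever is printed next. Move it below the check and route it through the logger the function already uses on line 121, e.g. `log.Printf("Remote URL: %v", remoteURL)`; the label should also say URL, since that is what the variable holds. The hunk additionally leaves a bare blank line at 123 where the old call was. runPushCmd starts and ends outside the hunk.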

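--- a/cmd/cel_infrafile.go
+++ b/cmd/cel_infrafile.go
@@ -56,7 +56,11 @@ export GITHUB_TOKEN=<your GitHub PAT>
 
 ./genval celval infrafile --reqinput https://github.com/intelops/genval-security-policies/blob/patch-1/input-templates/k8s/deployment.json \
 --policy https://github.com/intelops/genval-security-policies/blob/patch-1/default-policies/cel/k8s_cel.yaml
-`,
+
+
+
+
+`,
 
 RunE: runCelCmd,
 }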

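--- a/cmd/regoval.go
+++ b/cmd/regoval.go
@@ -10,7 +10,7 @@ var regovalCmd = &cobra.Command{
 Long: `
 regoval command maages validation of Kubernetes and related manifests, Terraform files, and Dockerfiles
 using Rego policies.
-.
+
 `,
 }
 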

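--- a/cmd/regoval_dockerfileval.go
+++ b/cmd/regoval_dockerfileval.go
@@ -1,6 +1,10 @@
 package cmd
 
 import (
+"fmt"
+"os"
+
+"github.com/intelops/genval/pkg/oci"
 "github.com/intelops/genval/pkg/utils"
 "github.com/intelops/genval/pkg/validate"
 log "github.com/sirupsen/logrus"
@@ -20,9 +24,9 @@ func init() {
 log.Fatalf("Error marking flag as required: %v", err)
 }
 dockerfilevalCmd.Flags().StringVarP(&dockerfilevalArgs.policy, "policy", "p", "", "Path for the Rego policy file, polciy can be passed from either Local or from remote URL")
-if err := dockerfilevalCmd.MarkFlagRequired("policy"); err != nil {
-log.Fatalf("Error marking flag as required: %v", err)
-}
+// if err := dockerfilevalCmd.MarkFlagRequired("policy"); err != nil {
+// log.Fatalf("Error marking flag as required: %v", err)
+// }
 
 regovalCmd.AddCommand(dockerfilevalCmd)
 }
@@ -52,7 +56,12 @@ export GITHUB_TOKEN=<your GitHub PAT>
 
 ./genval regoval dockerfileval --reqinput https://raw.githubusercontent.com/intelops/genval-security-policies/patch-1/Dockerfile-sample \
 --policy https://github.com/intelops/genval-security-policies/blob/patch-1/default-policies/rego/dockerfile_policies.rego
-`,
+
+
+# Users can you use default policies maintained by the community stored in the https://github.com/intelops/policyhub repo
+
+./genval regoval dockerfileval --reqinput <Path to Dockerfile>
+`,
 RunE: runDockerfilevalCmd,
 }
 
@@ -65,10 +74,38 @@ func runDockerfilevalCmd(cmd *cobra.Command, args []string) error {
 log.Errorf("Error reading Dockerfile: %v, validation failed: %s\n", input, err)
 }
 
-err = validate.ValidateDockerfile(string(dockerfilefileContent), policy)
-if err != nil {
-log.Errorf("Dockerfile validation failed: %s\n", err)
+if policy == "" {
+fmt.Println("\n" + "Validating with default policies...")
+
+tempDir, err := os.MkdirTemp("", "policyDirectory")
+if err != nil {
+return fmt.Errorf("error creating policy directory: %v", err)
+}
+defer os.RemoveAll(tempDir)
+
+policyLoc, err := oci.FetchPolicyFromRegistry(cmd.Name())
+if err != nil {
+return fmt.Errorf("error fetching policy from registry: %v", err)
+}
+
+defaultRegoPolicies, err := validate.ApplyDefaultPolicies(policyLoc, tempDir)
+if err != nil {
+return fmt.Errorf("error applying default policies: %v", err)
+}
+
+err = validate.ValidateDockerfile(string(dockerfilefileContent), defaultRegoPolicies)
+if err != nil {
+log.Errorf("Dockerfile validation failed: %s\n", err)
+return err
+}
+} else {
+err := validate.ValidateDockerfile(string(dockerfilefileContent), policy)
+if err != nil {
+log.Errorf("Dockerfile validation failed: %s\n", err)
+return err
+}
 }
-log.Infof("Dockerfile: %v validation succeeded!\n", input)
+
+log.Infof("Dockerfile: %v validation completed!\n", input)
 return nil
 }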
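Review bot: In the `policy == ""` branch of runDockerfilevalCmd the policies returned by `oci.FetchPolicyFromRegistry(cmd.Name())` decide the validation verdict, yet nothing in the hunk shows the pulled artifact's digest or signature being checked before `validate.ApplyDefaultPolicies` unpacks it into `tempDir`; if that verification happens inside FetchPolicyFromRegistry, document it at the call site (`// FetchPolicyFromRegistry verifies the artifact before returning its location`), otherwise a verification step belongs between the fetch and the apply. The same branch is copied verbatim into runinfrafileCmd in cmd/regoval_infrafile.go and runTerraformCmd in cmd/regoval_terraform.go, so a single package-level helper that returns the default policy location plus a cleanup func would keep the three in step and give the verification one home. The `fmt.Errorf` calls in this branch (lines 82, 88, 93) should wrap with `%w` rather than `%v` so the caller can still inspect the cause with `errors.Is`/`errors.As`. In the init hunk the commented-out `MarkFlagRequired("policy")` block at lines 27-29 is dead code now that the flag is optional by design and should be deleted rather than kept. runDockerfilevalCmd starts outside its hunk.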

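--- a/cmd/regoval_infrafile.go
+++ b/cmd/regoval_infrafile.go
@@ -1,6 +1,10 @@
 package cmd
 
 import (
+"fmt"
+"os"
+
+"github.com/intelops/genval/pkg/oci"
 "github.com/intelops/genval/pkg/validate"
 log "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
@@ -20,9 +24,6 @@ func init() {
 }
 
 infrafileCmd.Flags().StringVarP(&infrafileArgs.policy, "policy", "p", "", "Path for the CEL policy file, polciy can be passed from either Local or from remote URL")
-if err := infrafileCmd.MarkFlagRequired("policy"); err != nil {
-log.Fatalf("Error marking flag as required: %v", err)
-}
 
 regovalCmd.AddCommand(infrafileCmd)
 }
@@ -54,6 +55,10 @@ export GITHUB_TOKEN=<Your GitHub PAT>
 ./genval regoval infrafile --reqinput https://github.com/intelops/genval-security-policies/blob/patch-1/input-templates/k8s/deployment.json \
 --policy https://github.com/intelops/genval-security-policies/blob/patch-1/default-policies/rego/k8s.rego
 
+
+# Users can you use default policies maintained by the community stored in the https://github.com/intelops/policyhub repo
+
+./genval --regoval infrafile --reqinput <Path to Infrafile like k8s>
 `,
 RunE: runinfrafileCmd,
 }
@@ -62,10 +67,37 @@ func runinfrafileCmd(cmd *cobra.Command, args []string) error {
 inputFile := infrafileArgs.reqinput
 policy := infrafileArgs.policy
 
-err := validate.ValidateWithRego(inputFile, policy)
-if err != nil {
-log.Errorf("Validation %v failed", err)
+if policy == "" {
+fmt.Println("\n" + "Validating with default policies...")
+
+tempDir, err := os.MkdirTemp("", "policyDirectory")
+if err != nil {
+return fmt.Errorf("error creating policy directory: %v", err)
+}
+defer os.RemoveAll(tempDir)
+
+policyLoc, err := oci.FetchPolicyFromRegistry(cmd.Name())
+if err != nil {
+return fmt.Errorf("error fetching policy from registry: %v", err)
+}
+
+defaultRegoPolicies, err := validate.ApplyDefaultPolicies(policyLoc, tempDir)
+if err != nil {
+return fmt.Errorf("error applying default policies: %v", err)
+}
+
+err = validate.ValidateWithRego(inputFile, defaultRegoPolicies)
+if err != nil {
+return fmt.Errorf("validation infrafiles failed: %s", err)
+}
+} else {
+
+err := validate.ValidateWithRego(inputFile, policy)
+if err != nil {
+return fmt.Errorf("validating %v failed: %v", inputFile, err)
+}
 }
+
 log.Infof("infrafile %v, validated succussfully.", inputFile)
 return nil
 }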
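Review bot: The new help example at line 61, `./genval --regoval infrafile --reqinput <Path to Infrafile like k8s>`, passes `regoval` as a flag, whereas the existing example at line 55 and the sibling dockerfileval and terraform commands invoke it as the subcommand `./genval regoval infrafile ...`; as written the example will not run. In runinfrafileCmd the two failure returns at lines 91 and 97 format the cause with `%s`/`%v`, where `%w` would keep it inspectable by the caller, e.g. `return fmt.Errorf("validating %v failed: %w", inputFile, err)`. The `fmt.Println("\n" + "Validating with default policies...")` at line 71 writes to stdout while the rest of the function reports through logrus; `log.Info("Validating with default policies...")` keeps all output on one channel. runinfrafileCmd starts outside the hunk.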

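--- a/cmd/regoval_terraform.go
+++ b/cmd/regoval_terraform.go
@@ -1,6 +1,10 @@
 package cmd
 
 import (
+"fmt"
+"os"
+
+"github.com/intelops/genval/pkg/oci"
 "github.com/intelops/genval/pkg/parser"
 "github.com/intelops/genval/pkg/validate"
 log "github.com/sirupsen/logrus"
@@ -20,10 +24,6 @@ func init() {
 log.Fatalf("Error marking flag as required: %v", err)
 }
 terraformCmd.Flags().StringVarP(&terraformArgs.policy, "policy", "p", "", "Path for the Rego policy file, polciy can be passed from either Local or from remote URL")
-if err := terraformCmd.MarkFlagRequired("policy"); err != nil {
-log.Fatalf("Error marking flag as required: %v", err)
-}
-
 regovalCmd.AddCommand(terraformCmd)
 }
 
@@ -53,6 +53,10 @@ export GITHUB_TOKEN=<your GitHub PAT>
 
 ./genval regoval terraform --reqinput https://github.com/intelops/genval-security-policies/blob/patch-1/input-templates/terraform/sec_group.tf \
 --policy https://github.com/intelops/genval-security-policies/blob/patch-1/default-policies/rego/terraform.rego
+
+# Users can you use default policies maintained by the community stored in the https://github.com/intelops/policyhub repo
+
+./genval regoval terraform --reqinput <path to terraform file>
 `,
 RunE: runTerraformCmd,
 }
@@ -66,9 +70,35 @@ func runTerraformCmd(cmd *cobra.Command, args []string) error {
 log.Errorf("Error converting tf file: %v", err)
 }
 
-err = validate.ValidateWithRego(inputJSON, policy)
-if err != nil {
-log.Errorf("Validation %v failed", err)
+if policy == "" {
+fmt.Println("\n" + "Validating with default policies...")
+
+tempDir, err := os.MkdirTemp("", "policyDirectory")
+if err != nil {
+return fmt.Errorf("error creating policy directory: %v", err)
+}
+defer os.RemoveAll(tempDir)
+
+policyLoc, err := oci.FetchPolicyFromRegistry(cmd.Name())
+if err != nil {
+return fmt.Errorf("error fetching policy from registry: %v", err)
+}
+
+defaultRegoPolicies, err := validate.ApplyDefaultPolicies(policyLoc, tempDir)
+if err != nil {
+return fmt.Errorf("error applying default policies: %v", err)
+}
+
+err = validate.ValidateDockerfile(inputFile, defaultRegoPolicies)
+if err != nil {
+log.Errorf("Dockerfile validation failed: %s\n", err)
+return err
+}
+} else {
+err = validate.ValidateWithRego(inputJSON, policy)
+if err != nil {
+log.Errorf("Validation %v failed", err)
+}
 }
 log.Infof("Terraform resource: %v, validated succussfully.", inputFile)
 return nil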
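Review bot: The default-policy branch of runTerraformCmd validates the wrong thing: line 92 calls `validate.ValidateDockerfile(inputFile, defaultRegoPolicies)` with the raw file path, while the `else` branch and the removed code run `validate.ValidateWithRego(inputJSON, ...)` on the converted input, and the message at line 94 reads "Dockerfile validation failed". This looks like a copy from regoval_dockerfileval.go; the call should be `err = validate.ValidateWithRego(inputJSON, defaultRegoPolicies)` with the failure reported as `return fmt.Errorf("validating terraform resource %v failed: %w", inputFile, err)`. The `else` branch at lines 98-101 logs a failed validation but does not return it, so the function falls through to the "validated succussfully" log and exits 0; the old code did the same, but now that the default branch returns its error the `else` branch should too, with `return err` after the log. runTerraformCmd starts outside the hunk and its closing brace is past the last line shown.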

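--- a/go.mod
+++ b/go.mod
@@ -33,6 +33,7 @@ require (
 
 require (
 cloud.google.com/go/compute/metadata v0.3.0 // indirect
+dario.cat/mergo v1.0.0 // indirect
 filippo.io/edwards25519 v1.1.0 // indirect
 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
@@ -46,7 +47,7 @@ require (
 github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
 github.com/OneOfOne/xxhash v1.2.8 // indirect
-github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
+github.com/ProtonMail/go-crypto v1.0.0 // indirect
 github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 github.com/agext/levenshtein v1.2.3 // indirect
 github.com/agnivade/levenshtein v1.1.1 // indirect
@@ -94,6 +95,7 @@ require (
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 github.com/coreos/go-oidc/v3 v3.10.0 // indirect
 github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
+github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
@@ -105,9 +107,13 @@ require (
 github.com/dustin/go-humanize v1.0.1 // indirect
 github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 github.com/emicklei/proto v1.13.2 // indirect
+github.com/emirpasic/gods v1.18.1 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fsnotify/fsnotify v1.7.0 // indirect
 github.com/go-chi/chi v4.1.2+incompatible // indirect
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+github.com/go-git/go-billy/v5 v5.5.0 // indirect
+github.com/go-git/go-git/v5 v5.12.0 // indirect
 github.com/go-ini/ini v1.67.0 // indirect
 github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 github.com/go-jose/go-jose/v4 v4.0.1 // indirect
@@ -146,10 +152,12 @@ require (
 github.com/imdario/mergo v0.3.16 // indirect
 github.com/in-toto/in-toto-golang v0.9.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
+github.com/kevinburke/ssh_config v1.2.0 // indirect
 github.com/klauspost/compress v1.17.8 // indirect
 github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
 github.com/magiconair/properties v1.8.7 // indirect
@@ -173,6 +181,7 @@ require (
 github.com/opentracing/opentracing-go v1.2.0 // indirect
 github.com/pborman/uuid v1.2.1 // indirect
 github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+github.com/pjbgf/sha1cd v0.3.0 // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/prometheus/client_golang v1.19.1 // indirect
@@ -188,10 +197,12 @@ require (
 github.com/sassoftware/relic v7.2.1+incompatible // indirect
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 github.com/segmentio/ksuid v1.0.4 // indirect
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 github.com/shibumi/go-pathspec v1.3.0 // indirect
 github.com/sigstore/fulcio v1.4.5 // indirect
 github.com/sigstore/rekor v1.3.6 // indirect
 github.com/sigstore/timestamp-authority v1.2.2 // indirect
+github.com/skeema/knownhosts v1.2.2 // indirect
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 github.com/sourcegraph/conc v0.3.0 // indirect
 github.com/spf13/afero v1.11.0 // indirect
@@ -210,6 +221,7 @@ require (
 github.com/transparency-dev/merkle v0.0.2 // indirect
 github.com/vbatts/tar-split v0.11.5 // indirect
 github.com/xanzy/go-gitlab v0.102.0 // indirect
+github.com/xanzy/ssh-agent v0.3.3 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
@@ -241,6 +253,7 @@ require (
 gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
+gopkg.in/warnings.v0 v0.1.2 // indirect
 k8s.io/api v0.28.3 // indirect
 k8s.io/apimachinery v0.28.3 // indirect
 k8s.io/client-go v0.28.3 // indirect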
