Skip to content

Commit

Permalink
Add security.md (#256)
Browse files Browse the repository at this point in the history
* added security scan to ci and release pipelines

* added SECURITY.md file

* moved from mockery to gomock library
  • Loading branch information
roi-codefresh authored Mar 29, 2022
1 parent 0f98783 commit 1f80aa9
Show file tree
Hide file tree
Showing 45 changed files with 5,548 additions and 9,413 deletions.
6 changes: 5 additions & 1 deletion .golangci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,10 @@

# options for analysis running
run:
# https://github.com/golangci/golangci-lint/issues/2649
# enable go 1.17 linting, will not allow generics
go: "1.17"

# default concurrency is a available CPU number
concurrency: 4

Expand Down Expand Up @@ -30,4 +34,4 @@ linters-settings:

gocyclo:
# minimal code complexity to report, 30 by default (but we recommend 10-20)
min-complexity: 18
min-complexity: 18
25 changes: 6 additions & 19 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,7 @@ $(OUT_DIR)/$(CLI_NAME).image: $(CLI_SRCS)

.PHONY: lint
lint: $(GOBIN)/golangci-lint tidy
@golangci-lint version
@echo linting go code...
@golangci-lint run --fix --timeout 6m

Expand All @@ -110,7 +111,7 @@ test:
./hack/test.sh

.PHONY: codegen
codegen: $(GOBIN)/mockery
codegen: $(GOBIN)/mockgen
rm -f docs/commands/*
go generate ./...

Expand Down Expand Up @@ -149,25 +150,11 @@ tidy:
check-worktree:
@./hack/check_worktree.sh

$(GOBIN)/mockery:
@mkdir dist || true
@echo installing: mockery
@curl -L -o dist/mockery.tar.gz -- https://github.com/vektra/mockery/releases/download/v2.8.0/mockery_2.8.0_$(shell uname -s)_$(shell uname -m).tar.gz
@tar zxvf dist/mockery.tar.gz mockery
@rm dist/mockery.tar.gz
@chmod +x mockery
@mkdir -p $(GOBIN)
@mv mockery $(GOBIN)/mockery
@mockery --version
$(GOBIN)/mockgen:
@go install github.com/golang/mock/[email protected]
@mockgen -version

$(GOBIN)/golangci-lint:
@mkdir dist || true
@echo installing: golangci-lint
@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v1.36.0

$(GOBIN)/interfacer: cwd=$(shell pwd)
$(GOBIN)/interfacer:
@cd /tmp
@echo installing: interfacer
@GO111MODULE=on go get -v github.com/rjeczalik/interfaces/cmd/[email protected]
@cd ${cwd}
@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOBIN) v1.45.2
48 changes: 48 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# Security Policy for Argo-CD Autopilot

## Preface

Argo-CD Autopilot is a tool that helps users to get an opinionated gitops
repository and bootstrapped Argo-CD installation. To achieve its goals
Argo-CD Autopilot requires access to the Kubernetes cluster you want to
install Argo-CD on and optionally to other Kubernetes clusters you want
to connect to the Argo-CD instance as target clusters for deployments.

Because Argo-CD Autopilot is a gitops tool it also requires access to
your git repositories. Currently it requires pull and push access to
your gitops repo (permission to create repositories is also required
if you want to also create the repository as part of the bootstrapping
process). Though, there are [plans](https://github.com/argoproj-labs/argocd-autopilot/issues/51)
to have an optional <i>local</i> mode of operation where the user can
tell Argo-CD Autopilot to make changes to a local copy of the repo,
making the git repository access completely optional.

## Security Scans

We use the following static code analysis tools:

* golangci-lint and tslint for compile time linting
* snyk.io - for image scanning

These are run on each pull request and before each release.

Additionally, Dependabot is configured to scan and report new security
vulnerabilities in our dependancy tree on a daily basis.

## Reporting a Vulnerability

If you find a security related bug in Argo-CD Autopilot, we kindly ask you
for responsible disclosure and for giving us appropriate time to react,
analyze and develop a fix to mitigate the found security vulnerability.

Please report vulnerabilities by e-mail to the following address:

* [email protected]

All vulnerabilities and associated information will be treated with full confidentiality.

## Public Disclosure

Security vulnerabilities will be disclosed via release notes and using the
[GitHub Security Advisories](https://github.com/argoproj-labs/argocd-autopilot/security/advisories)
feature to keep our community well informed, and will credit you for your findings (unless you prefer to stay anonymous, of course).
19 changes: 19 additions & 0 deletions build/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,25 @@ steps:
on:
- success

scan-image:
stage: Build
title: scan docker image
image: quay.io/codefresh/snyk-cli:latest
shell: bash
environment:
- SNYK_TOKEN=${{SNYK_TOKEN}}
- LOCAL_IMAGE_REF=${{IMAGE_NAME}}:${{CF_BRANCH_TAG_NORMALIZED_LOWER_CASE}}
commands:
- |
snyk test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} || fail=1
snyk container test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} --file=Dockerfile ${LOCAL_IMAGE_REF}
if [ "$fail" == "1" ]; then exit 1; fi
when:
steps:
- name: build
on:
- success

push_dev:
stage: Push Dev
title: push with dev tags
Expand Down
23 changes: 21 additions & 2 deletions build/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ steps:
- name: test
on:
- success

build:
stage: Build
title: build docker image
Expand All @@ -112,6 +112,25 @@ steps:
on:
- success

scan-image:
stage: Build
title: scan docker image
image: quay.io/codefresh/snyk-cli:latest
shell: bash
environment:
- SNYK_TOKEN=${{SNYK_TOKEN}}
- LOCAL_IMAGE_REF=${{IMAGE_NAME}}:${{CF_BRANCH_TAG_NORMALIZED_LOWER_CASE}}
commands:
- |
snyk test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} || fail=1
snyk container test --severity-threshold=${{SNYK_SEVERITY_THRESHOLD}} --file=Dockerfile ${LOCAL_IMAGE_REF}
if [ "$fail" == "1" ]; then exit 1; fi
when:
steps:
- name: build
on:
- success

build_binaries:
<<: *deps
stage: Build
Expand Down Expand Up @@ -153,7 +172,7 @@ steps:
- name: lint
on:
- success

create_release:
<<: *deps
stage: Release
Expand Down
Loading

0 comments on commit 1f80aa9

Please sign in to comment.