Add IaC Security #2611

Open
kaplanlior opened this issue Jan 23, 2023 · 4 comments
Labels
kind/enhancement New feature or request Stale

Comments

@kaplanlior

(Opening this issue for further input, following the presentation & discussion at the December 1st community meeting.)

Is your feature request related to a problem?
Many Open Source projects have IaC files to facilitate faster installation / consumption of their project. We want to verify projects check the security of these files, so the artifacts and the community who uses them would be safer. This, at later phases, also has Supply Chain Security implications.

Example: the keptn project scans their repository with KICS to make sure the Dockerfiles (and the containers created with them) are secure according to best practices. Same for Helm charts.

Describe the solution you'd like
Add an IaC security category / score.

Phase 1
- Detect if repository has IaC files
- Detect if repository has IaC security check in place (e.g. KICS GitHub Action)
- Warn if files exist & there isn’t a security check

Similar to dependency files & checking for SCA tools.

Phase 2
Score project based on the results of IaC security check.
Each critical result: 2-point reduction; each high result: 1-point reduction.

With the goal to implement both phases at once, as suggested in the community meeting.

Additional context

Previous references where IaC scans were mentioned: #1984, #2318

@kaplanlior kaplanlior added the kind/enhancement New feature or request label Jan 23, 2023
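The Phase 1 check proposed above, written out as an added example in Go (not Scorecard's own code and not part of the issue): it walks a repository file list for IaC artifacts, looks for a GitHub Actions step that runs KICS, and warns when the first exists without the second. The file patterns treated as IaC and the use of the KICS action's `uses:` slug `checkmarx/kics-github-action` as the scanner marker are assumptions; the sample repository is constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// IsIaCFile reports whether a repository path looks like an IaC artifact. The pattern set
// (Dockerfiles, Terraform, Helm Chart.yaml, YAML under a k8s/ or kubernetes/ dir) is an assumption.
func IsIaCFile(p string) bool {
	base, dir := strings.ToLower(path.Base(p)), strings.ToLower(path.Dir(p))
	isYAML := strings.HasSuffix(base, ".yaml") || strings.HasSuffix(base, ".yml")
	return base == "dockerfile" || strings.HasPrefix(base, "dockerfile.") ||
		strings.HasSuffix(base, ".tf") || base == "chart.yaml" ||
		(isYAML && (strings.Contains(dir, "k8s") || strings.Contains(dir, "kubernetes")))
}

// HasIaCScanner reports whether a GitHub Actions workflow body runs the KICS action, matched
// on its `uses:` slug line by line (no YAML parser needed; works for tags and pinned SHAs).
func HasIaCScanner(workflow string) bool {
	for _, line := range strings.Split(workflow, "\n") {
		line = strings.TrimPrefix(strings.TrimSpace(line), "- ")
		if strings.HasPrefix(line, "uses:") &&
			strings.HasPrefix(strings.TrimSpace(line[len("uses:"):]), "checkmarx/kics-github-action@") {
			return true
		}
	}
	return false
}

// Phase1 returns (hasIaC, hasScanner, warn); warn is set when IaC files exist but no workflow scans them.
func Phase1(files, workflows []string) (hasIaC, hasScanner, warn bool) {
	for _, f := range files {
		hasIaC = hasIaC || IsIaCFile(f)
	}
	for _, w := range workflows {
		hasScanner = hasScanner || HasIaCScanner(w)
	}
	return hasIaC, hasScanner, hasIaC && !hasScanner
}

func main() {
	// Constructed sample repo: a Dockerfile and a Helm chart, plus a workflow step using the KICS action.
	files := []string{"README.md", "Dockerfile", "charts/app/Chart.yaml", ".github/workflows/ci.yml"}
	ci := "steps:\n  - uses: actions/checkout@v4\n  - uses: checkmarx/kics-github-action@v2\n"
	fmt.Println(Phase1(files, []string{ci})) // true true false
}
```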
@laurentsimon
Contributor

laurentsimon commented Jan 26, 2023

SGTM, this looks great. Can we add it as part of the SAST check? We've been thinking of revamping it to support more tools based on what's in the repo.

FYI, we're working on a finer-grained output format (#2584) which will allow reporting more granular results.

/cc @raghavkaul

@github-actions

Stale issue message - this issue will be closed in 7 days

@kaplanlior
Author

It's still on our TODO.


This issue is stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the Stale label Nov 19, 2023