Commit/Build time checks Enterprise
Overview
Weave GitOps Enterprise enable developers and operators to check policy violations early in their software development life cycle, specifically at commit and build time. Developers and operators can have Weave Policy Validator integrated in their CI tools to validate whether their code changes are violating any policies or not.
Weave GitOps Enterprise offer a policy engine image that can be used to perform commit/build time checks.The image can be found on Docker Hub under the name: weaveworks/weave-iac-validator:v1.1
.
Usage
USAGE:
main [global options] command [command options] [arguments...]
VERSION:
0.0.1
COMMANDS:
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--path value path to resources kustomization directory
--helm-values-file value path to resources helm values file
--policies-path value path to policies kustomization directory
--policies-helm-values-file value path to policies helm values file
--git-repo-provider value git repository provider [$WEAVE_REPO_PROVIDER]
--git-repo-url value git repository url [$WEAVE_REPO_URL]
--git-repo-branch value git repository branch [$WEAVE_REPO_BRANCH]
--git-repo-sha value git repository commit sha [$WEAVE_REPO_SHA]
--git-repo-token value git repository token [$WEAVE_REPO_TOKEN]
--sast value save result as gitlab sast format
--sarif value save result as sarif format
--json value save result as json format
--generate-git-report generate git report if supported (default: false) [$WEAVE_GENERATE_GIT_PROVIDER_REPORT]
--remediate auto remediate resources if possible (default: false)
--no-exit-error exit with no error (default: false)
--help, -h show help (default: false)
--version, -v print the version (default: false)
Setup policies
Policies can be helm chart, kustomize directory or just plain kubernetes yaml files.
Example of policies kustomize directory
└── policies
├── kustomization.yaml
├── minimum-replica-count.yaml
├── privileged-mode.yaml
└── privilege-escalation.yaml
# kustomization.yaml
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
resources:
- minimum-replica-count.yaml
- privilege-escalation.yaml
- privileged-mode.yaml
Auto-Remediation
Weave validator supports auto-remediation functionality which creates a pull request with suggested fixes to remediate the reported violations.
Supported in:
- Helm
- Kustomize
- Plain kubernetes files
To enable it you need to provide --remediate
flag and --git-repo-token
.
The token must have the permission to create pull request
UseCase: Github
See how to setup the Github Action
UseCase: Gitlab
weave:
image:
name: weaveworks/weave-iac-validator:v1.1
script:
- weave-validator --path <path to resources> --policies-path <path to policies>
Enable Auto Remediation
script:
- weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $GITLAB_TOKEN --remediate
Enable Static Application Security Testing
stages:
- weave
- sast
weave:
stage: weave
image:
name: weaveworks/weave-iac-validator:v1.1
script:
- weave-validator <path to resources> --policies-path <path to policies> --sast sast.json
artifacts:
when: on_failure
paths:
- sast.json
upload_sast:
stage: sast
when: always
script:
- echo "creating sast report"
artifacts:
reports:
sast: sast.json
UseCase: Bitbucket
pipelines:
default:
- step:
name: 'Weaveworks'
image: weaveworks/weave-iac-validator:v1.1
script:
- weave-validator --path <path to resources> --policies-path <path to policies>
Enable Auto Remediation
script:
- weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $TOKEN --remediate
Create Pipeline Report
script:
- weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $TOKEN -generate-git-report
UseCase: CircleCI
jobs:
weave:
docker:
- image: weaveworks/weave-iac-validator:v1.1
steps:
- checkout
- run:
command: weave-validator --path <path to resources> --policies-path <path to policies>
Enable Auto Remediation
- run:
command: weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token ${GITHUB_TOKEN} --remediate
UseCase: Azure DevOps
trigger:
- <list of branches to trigger the pipeline on>
pool:
vmImage: ubuntu-latest
container:
image: weaveworks/weave-iac-validator:v1.1-azure
steps:
- script: weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $(TOKEN)
Enable Auto Remediation
steps:
- script: weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $(TOKEN) --remediate