Commit/Build Time Checks Enterprise

Overview

Weave GitOps Enterprise enables developers and operators to check policy violations early in their software development life cycle, specifically at commit and build time. Developers and operators can have Weave Policy Validator integrated in their CI tools to validate whether their code changes are violating any policies or not.

Weave GitOps Enterprise offer a policy engine image that can be used to perform commit/build time checks.The image can be found on Docker Hub under the name: weaveworks/weave-iac-validator:v1.1.

Expand to view of the usage options

USAGE:
 app [global options] command [command options] [arguments...]

VERSION:
 0.0.1

COMMANDS:
 help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
 --path value                       path to scan resources from
 --helm-values-file value           path to resources helm values file
 --policies-path value              path to policies kustomization directory
 --policies-helm-values-file value  path to policies helm values file
 --git-repo-provider value          git repository provider
 --git-repo-host value              git repository host
 --git-repo-url value               git repository url
 --git-repo-branch value            git repository branch
 --git-repo-sha value               git repository commit sha
 --git-repo-token value             git repository toke
 --azure-project value              azure project name
 --sast value                       save result as gitlab sast format
 --sarif value                      save result as sarif format
 --json value                       save result as json format
 --generate-git-report              generate git report if supported (default: false)
 --remediate                        auto remediate resources if possible (default: false)
 --no-exit-error                    exit with no error (default: false)
 --help, -h                         show help (default: false)
 --version, -v                      print the version (default: false)

---

Setup policies

Policies can be a helm chart, kustomize directory or just plain kubernetes yaml files.

Example of policies kustomize directory

└── policies
    ├── kustomization.yaml
    ├── minimum-replica-count.yaml
    ├── privileged-mode.yaml
    └── privilege-escalation.yaml

# kustomization.yaml
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
resources:
- minimum-replica-count.yaml
- privilege-escalation.yaml
- privileged-mode.yaml

---

Supported CI/CD

• Github
• Github Enterprise
• Gitlab
• Bitbucket
• Circle CI
• Azure Devops

---

Auto-Remediation

Weave validator supports auto-remediation functionality which creates a pull request with suggested fixes to remediate the reported violations.

Supported in:

• Helm
• Kustomize
• Plain kubernetes files

To enable it you need to provide --remediate flag and --git-repo-token.

The token must have the permission to create a pull request.

---

UseCase: Github

See how to setup the Github Action

---

UseCase: Gitlab

weave:
  image:
    name: weaveworks/weave-iac-validator:v1.1
  script:
  - weave-validator --path <path to resources> --policies-path <path to policies>

Enable Auto Remediation

  script:
  - weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $GITLAB_TOKEN --remediate

---

Enable Static Application Security Testing

stages:
  - weave
  - sast

weave:
  stage: weave
  image:
    name: weaveworks/weave-iac-validator:v1.1
  script:
  - weave-validator <path to resources> --policies-path <path to policies> --sast sast.json
  artifacts:
    when: on_failure
    paths:
    - sast.json

upload_sast:
  stage: sast
  when: always
  script:
  - echo "creating sast report"
  artifacts:
    reports:
      sast: sast.json

---

UseCase: Bitbucket

pipelines:
  default:
    - step:
        name: 'Weaveworks'
        image: weaveworks/weave-iac-validator:v1.1
        script:
          - weave-validator --path <path to resources> --policies-path <path to policies>

Enable Auto Remediation

  script:
    - weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $TOKEN --remediate

Create Pipeline Report

  script:
    - weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $TOKEN -generate-git-report

---

UseCase: CircleCI

jobs:
  weave:
    docker:
    - image: weaveworks/weave-iac-validator:v1.1
    steps:
    - checkout
    - run:
        command: weave-validator --path <path to resources> --policies-path <path to policies>

Enable Auto Remediation

    - run:
        command: weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token ${GITHUB_TOKEN} --remediate

---

UseCase: Azure DevOps

trigger:
- <list of branches to trigger the pipeline on>

pool:
  vmImage: ubuntu-latest

container:
  image: weaveworks/weave-iac-validator:v1.1-azure

steps:
- script: weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $(TOKEN)

Enable Auto Remediation

steps:
- script: weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $(TOKEN) --remediate