Slide 1

Increasing the Security Posture of your Pipelines

Slide 2

Getting the Security Team to stop bothering you daily

Slide 3

Kerim Satirli (he / him)
Sr. Developer Advocate at HashiCorp
@ksatirli

Slide 4

Define the Pipeline

- react to repository events
- deal with code quality issues
- ensure code quality

Slide 5

Define the Pipeline
pipeline.yml

---
# when to run this pipeline

# all the stuff it needs to do

# handle errors other people introduced

Slide 6

Define the Pipeline
terraform.yml

---
# when to run this pipeline
on:
  push:

jobs:
  # all the stuff it needs to do
  happy_path:
    steps:
      - run: terraform fmt -check -recursive && terraform validate

  # handle errors other people introduced
  sad_path:
    steps:
      - if: ${{ failure() }}
        uses: upload-artifacts

Slide 8

Define the Pipeline
terraform.yml

---
# when to run this pipeline
on:
  push:

jobs:
  # all the stuff it needs to do
  happy_path:
    steps:
      - run: terraform fmt -check -recursive && terraform validate
        with:
          version: "1.6.0"

Slide 9

Define the Pipeline
terraform.yml

---
# when to run this pipeline
on:
  push:

jobs:
  # all the stuff it needs to do
  happy_path:
    steps:
      - uses: "hashicorp/setup-terraform"
        with:
          version: "1.6.0"
      - run: terraform fmt -check -recursive && terraform validate

Slide 10

Define the Pipeline
terraform.yml

---
# when to run this pipeline
on:
  push:

jobs:
  # all the stuff it needs to do
  happy_path:
    steps:
      - uses: "hashicorp/setup-terraform@v2.0.3"
        with:
          version: "1.6.0"
      - run: terraform fmt -check -recursive && terraform validate

Slide 11

Ship it.

Slide 12

From the Security Team

Slide 13

My Pipeline Definition
terraform.yml

---
# when to run this pipeline
on:
  push:

jobs:
  # all the stuff it needs to do
  happy_path:
    steps:
      - uses: "hashicorp/setup-terraform@v2.0.3"
        with:
          version: "1.6.0"
      - run: terraform fmt -check -recursive && terraform validate

Slide 14

Their Pipeline Definition
terraform.yml

---
# when to run this pipeline
on:
  push:

jobs:
  # all the stuff it needs to do
  happy_path:
    steps:
      - uses: "hashicorp/setup-terraform@633b725c73b2cacd13a8fdd1"
        with:
          version: "1.6.0"
      - run: terraform fmt -check -recursive && terraform validate

Slide 15

No content

Slide 16

Getting Release Information
https://docs.github.com/en/rest/releases/releases

Slide 17

Define a Set of Actions
variables.tf

variable "actions_config" {
  type = map(object({
    owner      = string
    repository = string
    version    = string
    # not on the original slide: added here because Slides 19 and 26 read `.path`
    # (sub-directory of actions that do not live at the repository root)
    path       = optional(string)
  }))

  default = {
    # see https://github.com/hashicorp/setup-terraform/releases
    terraform = {
      owner      = "hashicorp"
      repository = "setup-terraform"
      version    = "v2.0.3"
    }
  }
}

Slide 18

Retrieve Release Information
variables.tf

data "github_release" "actions" {
  for_each = {
    for id, action in var.actions_config : id => action
  }

  repository  = each.value.repository
  owner       = each.value.owner
  retrieve_by = "tag"
  release_tag = each.value.version
}

data "github_ref" "actions" {
  for_each = data.github_release.actions

  repository = each.value.repository
  owner      = each.value.owner
  ref        = "tags/${each.value.release_tag}"
}

Slide 19

Transform Release Information
variables.tf

locals {
  actions_config = {
    # This place is not a place of honor.
    # No highly esteemed deed is commemorated here.
    # (but we really needed these values)
    for action in tolist(keys(var.actions_config)) : action => {
      owner   = var.actions_config[action].owner
      path    = var.actions_config[action].path
      ref     = data.github_ref.actions[action].ref
      repo    = var.actions_config[action].repository
      sha     = data.github_ref.actions[action].sha
      version = var.actions_config[action].version
    }
  }
}

Slide 20

Verify Transformed Data
Terminal

> terraform output github_actions_releases
{
  "terraform" = {
    "repo"    = "hashicorp/setup-terraform"
    "sha"     = "633666f66e0061ca3b725c73b2ec20cd13a8fdd1"
    "version" = "v2.0.3"
  }
}

Slide 21

Prepare Template
terraform.tftpl.yml

…
jobs:
  workflow:
    name: Terraform
    runs-on: ubuntu-latest

    steps:
      # github.com/${owner}/${repo}/releases/tag/${version}
      - name: Set up Terraform
        uses: "${owner}/${repo}@${sha}" # ref: `${ref}`
        with:
          terraform_version: "1.6.0"
…

Slide 22

Render Template
variables.tf

locals {
  repository_files = [
    {
      file    = ".github/workflows/terraform.yml"
      content = templatefile("./tmpl/terraform.tftpl.yml", {
        checkout  = local.actions_config["checkout"]
        terraform = local.actions_config["terraform"]
      })
    },
  ]
}

Slide 23

Render Template
terraform.yml

…
jobs:
  workflow:
    name: Terraform
    runs-on: ubuntu-latest

    steps:
      # github.com/hashicorp/setup-terraform/releases/tag/v2.0.3
      - name: Set up Terraform
        uses: "hashicorp/setup-terraform@633…dd1" # ref: `tags/v2.0.3`
        with:
          terraform_version: "1.6.0"
…

Slide 24

Add Rendered Template to Repository
https://github.com/workloads/workspaces/blob/main/.github/workflows/terraform.yml

Slide 25

Update Allow List for Actions
organization.tf

resource "github_actions_organization_permissions" "main" {
  allowed_actions      = "selected"
  enabled_repositories = "all"

  allowed_actions_config {
    github_owned_allowed = false
    verified_allowed     = false
  }
}

Slide 26

Update Allow List for Actions
organization.tf

resource "github_actions_organization_permissions" "main" {
  allowed_actions      = "selected"
  enabled_repositories = "all"

  allowed_actions_config {
    github_owned_allowed = false
    verified_allowed     = false

    # one exact owner/repo[/path]@sha pattern per action in local.actions_config
    # (the local uses the key `repo`, as defined on Slide 19)
    patterns_allowed = [
      for action in local.actions_config :
      action.path != null
        ? "${action.owner}/${action.repo}/${action.path}@${action.sha}"
        : "${action.owner}/${action.repo}@${action.sha}"
    ]
  }
}
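As an added example (not code from the deck or from the workloads repositories), a small Python check for the point of Slides 13, 14 and 26: every uses: reference in a workflow should be pinned to a full commit SHA and match a pattern on the organization's allow list. The workflow text, the allow-list pattern and the helper names are constructed for this page.

```python
import fnmatch
import re

# Constructed sample workflow (not from the deck): the uses: styles of Slides 13 and 14,
# plus an unpinned action and a repository-local action.
SAMPLE_WORKFLOW = """\
on:
  push:
jobs:
  happy_path:
    steps:
      - uses: "hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1" # ref: `tags/v2.0.3`
      - uses: "hashicorp/setup-terraform@v2.0.3"
      - uses: actions/checkout
      - uses: ./.github/actions/local-step
      - run: terraform fmt -check -recursive && terraform validate
"""
# Constructed allow list, shaped like the patterns_allowed value Slide 26 computes.
SAMPLE_ALLOW_LIST = ["hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1"]

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?', re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def pin_kind(ref: str) -> str:
    """'local' (repo-relative or docker), 'sha' (full 40-hex commit), 'tag' (mutable) or 'unpinned'."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local"
    if "@" not in ref:
        return "unpinned"  # resolves to the default branch at run time
    version = ref.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(version) else "tag"  # tags and branches can be moved

def is_allowed(ref: str, patterns) -> bool:
    """Match a uses: value against org allow-list patterns ('*' wildcards, as GitHub accepts)."""
    return any(fnmatch.fnmatchcase(ref, p) for p in patterns)

def audit(workflow_text: str, patterns) -> list:
    """One (ref, pin_kind, allowed) tuple per uses: reference; local actions are always allowed."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        kind = pin_kind(ref)
        findings.append((ref, kind, kind == "local" or is_allowed(ref, patterns)))
    return findings

def violations(workflow_text: str, patterns) -> list:
    """Findings that fail the Slide 14 review: not SHA-pinned, or not on the allow list."""
    return [f for f in audit(workflow_text, patterns)
            if f[1] in ("tag", "unpinned") or not f[2]]
```

violations(SAMPLE_WORKFLOW, SAMPLE_ALLOW_LIST) returns the tag-pinned and the unpinned reference; the SHA-pinned step and the local step pass.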

Slide 27

Update Allow List for Actions
https://github.com/workloads/workspaces/blob/main/.github/workflows/terraform.yml

Slide 29

Demo Code
https://github.com/workloads/github-organization

Slide 30

What's next?

Slide 31

No content

Slide 32

Software Security is a Team Sport.

Slide 33

Thank you
speakerdeck.com/ksatirli