Thursday, August 4, 2022

New CI/CD configuration policies added to Checkov

Checkov, the open-source tool for finding infrastructure misconfigurations, has been updated with new CI/CD configuration policies. These policies can be applied across popular CI/CD frameworks such as GitHub Actions, GitLab Runners, BitBucket Pipelines, CircleCI, and Argo.

Checkov takes a developer-first approach to supply chain security, so it embeds these CI/CD policies directly into existing DevOps workflows to make it easier for developers to adopt them.

Industry benchmarks, such as SLSA and CIS, were used to create these policies. According to the Checkov team, this helps developers align their pipelines with industry standards.

The new policies include controls such as requiring two reviewers for a pull request, requiring signatures on individual commits, preventing deprecated commands or beta features from being used, preventing secrets exfiltration, and blocking privileged workflow pods.

According to the Checkov team, CI/CD security policies are especially needed to prevent supply chain attacks. They explained that CI/CD pipelines that aren't properly secured provide attackers with an easy entry point into the software supply chain.

For example, a repository configured to run any command from a pull request can be manipulated by injecting code that sends API tokens and other secrets to the attacker, the team explained.
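As an added example (not Checkov's own code or check set), the Python script below implements two policy checks of the kind the article describes, run against a GitHub Actions workflow: it flags `run:` steps that interpolate pull-request-controlled fields straight into the shell, and `pull_request_target` workflows that check out the PR head while the base repository's secrets are in scope. The `check_workflow` function, its messages and the two sample workflows are constructed for this example; in practice the workflow dict would come from `yaml.safe_load` on a `.github/workflows/*.yml` file, and the script's non-zero exit code would gate the pipeline.

```python
"""Checkov-style policy checks for a GitHub Actions workflow (added example)."""
import re

# Expression contexts an external contributor controls through a pull request.
# Interpolating them directly into a `run:` script expands them into the shell
# before execution; that is the "run any command" path the article describes.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\."
    r"(?:pull_request\.(?:title|body|head\.ref|head\.label)"
    r"|issue\.(?:title|body)|comment\.body)\s*\}\}"
)
# `pull_request_target` runs with the base repository's secrets; checking out the
# PR head there lets the PR's own build scripts run with those secrets present.
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")


def _triggers(workflow: dict) -> set:
    """Normalise the `on:` key. PyYAML parses a bare `on:` as the boolean True."""
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def check_workflow(workflow: dict) -> list:
    """Return (location, message) findings for a parsed workflow dict."""
    findings = []
    triggers = _triggers(workflow)
    for job_name, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            where = f"jobs.{job_name}.steps[{idx}]"
            run = step.get("run") or ""
            if UNTRUSTED.search(run):
                findings.append((where, "untrusted PR input interpolated into run script"))
            uses = str(step.get("uses") or "")
            ref = str((step.get("with") or {}).get("ref") or "")
            if ("pull_request_target" in triggers
                    and uses.startswith("actions/checkout")
                    and PR_HEAD.search(ref)):
                findings.append((where, "pull_request_target checks out PR head with base-repo secrets available"))
    return findings


# Constructed sample: the weak configuration, as PyYAML would parse it.
WEAK_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request_target": {"types": ["opened"]}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v3",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": 'echo "PR: ${{ github.event.pull_request.title }}"\nnpm ci && npm test'},
    ]}},
}

# Constructed sample: the same pipeline hardened. Untrusted input reaches the
# shell only through an environment variable (not shell-expanded), and the build
# runs under `pull_request`, where forks do not receive the repository's secrets.
SAFE_WORKFLOW = {
    "name": "ci",
    "on": ["pull_request"],
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v3"},
        {"env": {"PR_TITLE": "${{ github.event.pull_request.title }}"},
         "run": 'echo "PR: $PR_TITLE"\nnpm ci && npm test'},
    ]}},
}


def main(workflow: dict) -> int:
    """Print findings and return the exit code a CI gate would use."""
    findings = check_workflow(workflow)
    for where, msg in findings:
        print(f"FAILED {where}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main(WEAK_WORKFLOW))
```

The hardened workflow passes because the PR title is handed to the script as an environment variable rather than expanded into the command text, and because `pull_request` rather than `pull_request_target` is used, so a fork's code never runs with the base repository's secrets.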

 
