A demo can be found here: https://github.com/cds-snc/security-goals-demo
The purpose of this tool is to automate compliance checking for Kubernetes based applications. It assumes that certain aspects of compliance such as security and accessibility can be validated through automation, and therefore run at every deployment of the application. It leverages the introspectability of the Kubernetes cluster as well as multitude of external APIs that expose such information (ex. The GitHub API exposes data around code review).
Automating controls that do not need to be verified by hand is what really matters. This frees up both security and developer time to focus on the harder problems.
The tool is build out of multiple components listed below. Each component needs to be installed inside a Kubernetes cluster. You can view example manifest files in the /manifests directory or look at our live implementation here: https://github.com/cds-snc/report-a-cybercrime/tree/master/compliance.
The tools is built using the following components:
| Name | Description | Fully documented |
|---|---|---|
| api | Ingress checks and serves them up through a GraphQL API | No |
| pdf-report | A PDF report of complaince data | No |
| web-report | A user interface to explore data from the API | No |
| runner | A tool to run compliance checks inside a Kubernetes cluster | Yes |
| security-goals-checks | A set of security goals check containers that do the actual checking | Yes |
As a result we set the following goals for the tool
- Leverage existing features in tools to automatically perform checks (Kubernetes Jobs)
- Use common APIs to complete checks (ex. GitHub API, List of Kubernetes Pods, Open Repositories)
- Decouple checks from reporting tool (Write checks in any language)
- Make reports available through multiple channels in real time (GraphQL, PDF, Web)
- Trigger checks on every release
The app roughly follows this high level flow:
- Merge on GitHub to master kicks off a continuous testing / continuous delivery process to a Kubernetes cluster as a release.
- When app is deployed on the cluster it triggers a list of jobs to be run on the Kubernetes cluster (Watcher).
- Jobs are containers written in different programming languages (Go, Rust, Javascript, Crystal) that automatically check against controls with the ITSG-33, or other.
- Each container writes a JSON file to a shared directory, tagged with the release ID.
- Javascript app (API) watches the directory and ingests JSON files, loading them into a MongoDB and sorts them by control and release. This app also serves the data through a GraphQL API.
- Second Javascript app (UI) renders the data in a user friendly format
Following is a graphical representation of the same flow:
Please see this guide
Please contact us through any of the multiple ways listed on our website.
