Support SAST in self-hosted instances on networks with a custom Certificate Authority
Problem to solve
Some users would like to use the Secure features (e.g. SAST) on a network that has a custom CA. These networks replace the public certificate with a private one from a custom CA so that they can monitor HTTPS traffic.
Proposal
- Verify if we do support this currently, and if we can make it easier.
- Update user documentation on how to do this
Links / references
ZD https://gitlab.zendesk.com/agent/tickets/121947 (internal)
product
- X release post may not be needed if it's mostly doc improvements
Implementation Plan
High Level
Add support for a new ADDITIONAL_CA_CERT_BUNDLE env var. A user can set a value for this and it would be added to the analyzer's trusted CAs on the fly, so that SSL/TLS communication with servers whose certificates are signed by that CA is considered valid.
Low Level Todos
- Repo for testing that an analyzer can use a custom CA
  - CI tests are set up to run against the latest for each analyzer
  - Set up an image to be built against nginx or the like with a custom cert signed with a static custom CA. The tests will use this image as a service to test against. The tests will get passed the static custom CA via the ADDITIONAL_CA_CERT_BUNDLE env var.
  - Add source code for a minimal go binary that will just hit an arbitrary HTTPS server and validate whether or not the SSL cert is trusted. This minimal go binary will be downloaded into each analyzer when running tests inside the analyzers.
- Add support for ADDITIONAL_CA_CERT_BUNDLE to common
- Enumerate the following list of todos for each analyzer that uses common
  - bandit
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - brakeman
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - bundler-audit
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - eslint
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - flawfinder
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - gemnasium-maven
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - gemnasium-python
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - gemnasium
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - gosec
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - klar
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - kubesec
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - nodejs-scan
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - phpcs-security-audit
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - pmd-apex
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - retire.js
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - secrets
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - security-code-scan
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - sobelow
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - spotbugs
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
  - tslint
    - Add init hook if analyzer overrides common's cli commands (e.g. klar).
    - Update common dep.
    - Add a downstream trigger to run CA tests against this analyzer only.
- Document the new ADDITIONAL_CA_CERT_BUNDLE env var on the relevant pages (may include SAST, DAST and other analyzers that use common). (see #11797 (comment 285844822) for thoughts on where)