Detect malicious behavior of deployed apps (Vision)
Problem to solve
When we deploy an application, we expect the code to perform a known set of operations on the system: for example, writing files in a temporary directory, accessing the database, or connecting to a specific host.
A malicious user can manipulate the app into performing unintended tasks, like spawning a shell, accessing sensitive files, or connecting to external resources.
We should support a way to detect when the system is doing something different from what was originally scoped, and report it so that action can be taken. This will not prevent the intrusion, but it can spot it at a very early stage, hopefully limiting the damage. Warnings will be accessible in the GitLab UI and via notifications.
Proposal
Add support for software like Falco (https://github.com/draios/falco/) to detect malicious activity on the deployed applications.
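As an added illustration (not part of this proposal and not Falco's own rule set), a Falco rules file that encodes the scope described above for one deployed application and alerts on the three deviations listed. It assumes Falco's default rules file, which defines the `container`, `spawned_process`, `open_read` and `outbound` macros, is loaded first; the image name, file list and server addresses are constructed placeholders.

```yaml
# Constructed example: Falco rules scoping one deployed app's expected behaviour.
# Anything outside that scope (a shell, a read of a sensitive file, a connection
# to a host that is not on the allow-list) raises an alert that a GitLab
# integration could surface as a warning.
# Relies on the macros `container`, `spawned_process`, `open_read` and
# `outbound` from Falco's default falco_rules.yaml, which is loaded first.

- macro: app_container
  # Placeholder image name; replace with the deployed application's image.
  condition: container and container.image.repository = "registry.example.com/group/app"

- list: app_shell_binaries
  items: [sh, bash, dash, zsh, ash]

- list: app_sensitive_files
  # Files the application has no reason to read (constructed list).
  items: [/etc/shadow, /etc/sudoers, /root/.ssh/authorized_keys]

- list: app_allowed_servers
  # Hosts the application is expected to connect to (constructed addresses:
  # the database and an internal API).
  items: ["10.0.0.5", "10.0.0.6"]

- rule: Shell spawned in deployed app
  desc: A shell was started inside the application's container
  condition: spawned_process and app_container and proc.name in (app_shell_binaries)
  output: >
    Shell spawned in app container (user=%user.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]

- rule: Sensitive file read by deployed app
  desc: The application's container opened a file outside its scope for reading
  condition: open_read and app_container and fd.name in (app_sensitive_files)
  output: >
    Sensitive file read in app container (user=%user.name file=%fd.name
    proc=%proc.name container=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, filesystem]

- rule: Unexpected outbound connection from deployed app
  desc: The application's container connected to a host that is not on its allow-list
  condition: outbound and app_container and not fd.sip in (app_allowed_servers)
  output: >
    Unexpected outbound connection from app container (dest=%fd.sip:%fd.sport
    proc=%proc.name container=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [container, network]
```

Each rule only fires for the scoped image, so the same file can be extended per project by adding a macro and allow-lists for each deployed application.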
What does success look like, and how can we measure that?
Users will enable detection for their projects.