SAST for Kubernetes manifests
Problem to solve
Kubernetes manifests should be checked for sensitive data, especially Pod definitions: Secrets should be encrypted, and the privileges a manifest requests should be checked. PodSecurityPolicies are useful at runtime, but they're not enough. That's why we should run SAST on Kubernetes YAML files.
Intended users
Further details
https://kubesec.io/ is now open source and available as a Docker image. We should use it to scan repositories containing Kubernetes manifests.
Proposal
Detect YAML files in repos and analyze their content to determine whether they're manifests (for instance by looking for specific keys and values such as apiVersion: v1, kind: Pod, etc.). We'll have to tweak the output of kubesec to fit our report format.
Permissions and Security
N/A
Documentation
Update https://docs.gitlab.com/ee/user/application_security/sast/index.html
Update https://gitlab.com/gitlab-org/security-products/sast/blob/master/docs/analyzers.md#analyzers-data
Testing
E2E tests, as for any other SAST analyzer.
What does success look like, and how can we measure that?
Users get security insights for their Kubernetes manifests.
What is the type of buyer?
Links / references
Analyzer Checklist
Underlying tool
- Has permissive software license
- Headless execution (CLI tool)
- Executable using GitLab Runner's Linux or Windows Docker executor
- Language identification method (file extension, package file, etc.)
Minimal vulnerability data
- name
- description (helpful but not mandatory)
- type (unique value to avoid collisions with other occurrences)
- file path
- line number
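A sketch of the two steps the proposal describes, added here as an example rather than GitLab's or kubesec's own code: a line-based detector that picks Kubernetes manifests out of a repository's YAML documents by their top-level apiVersion and kind keys, and a mapping from a kubesec critical finding onto the minimal vulnerability data in the checklist (name, description, type, file path, line number). The sample YAML and the kubesec finding are constructed, and the kubesec field names (selector, reason) and the report field names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample file with two YAML documents; only the second is a Kubernetes manifest.
SAMPLE_YAML = """\
stages: [test]
---
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
    - name: app
      securityContext:
        privileged: true
"""
# Top-level (unindented) apiVersion / kind keys, as the proposal suggests looking for.
TOP_KEY = re.compile(r"^(apiVersion|kind):\s*(\S+)\s*$")

def find_manifests(text: str) -> List[Dict]:
    """One entry per YAML document that carries both apiVersion and kind. Line-based
    heuristic, no YAML parser: documents split on '---', top-level keys are unindented,
    and start_line is 1-based so it can go straight into the report."""
    docs, current = [], {"start_line": 1}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "---":
            docs.append(current)
            current = {"start_line": number + 1}
        elif (match := TOP_KEY.match(line)):
            current[match.group(1)] = match.group(2)
    docs.append(current)
    return [d for d in docs if "apiVersion" in d and "kind" in d]

# Constructed finding in the shape of a kubesec "critical" entry (field names assumed).
KUBESEC_CRITICAL = [{"selector": "containers[] .securityContext .privileged == true",
                     "reason": "Privileged containers can allow almost completely unrestricted host access"}]

def to_sast_vulnerabilities(path: str, manifest: Dict, critical: List[Dict]) -> List[Dict]:
    """Map kubesec findings onto the minimal data the analyzer checklist asks for:
    name, description, a collision-free type, file path and line number."""
    return [{
        "category": "sast",
        "name": f"{manifest['kind']}: {c['selector']}",
        "description": c["reason"],
        "severity": "Critical",
        "scanner": {"id": "kubesec", "name": "Kubesec"},
        "identifiers": [{"type": "kubesec_selector", "name": c["selector"], "value": c["selector"]}],
        "location": {"file": path, "start_line": manifest["start_line"]},
    } for c in critical]
```

The line number points at the start of the offending document rather than the exact key, which is the best a document-level tool like kubesec can support without re-parsing the YAML.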