Security

This document gives an overview of security considerations for micro-apps services, components and artifacts, as well as security configuration options for the Kubernetes cluster.

Safeguarding artifact integrity across any software supply chain.

Supply Chain Security

Goals

  1. Adopt SLSA Framework Level 4 guideline for DevSecOps

  2. Signed container images with Sigstore Cosign

  3. Software Bill of Materials (SBOM) with Anchore Syft

  4. Static Code Analysis with CodeQL

  5. Vulnerability scanning with Snyk

  6. Software Composition Analysis (SCA) with OWASP Dependency-Check and Dependabot

  7. Risk and compliance as code (RCaC) via Open Policy Agent with Gatekeeper or Kyverno

Binary Authorization

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE). With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.

Cosign

All container images are signed using Sigstore Cosign and GitHub OIDC.

To verify the authenticity of container images, install cosign and run:

$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/xmlking/micro-apps/account-service:v0.3.1

Verification for ghcr.io/xmlking/micro-apps/account-service:v0.3.1 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

Gitsign

Gitsign enables keyless signing of Git commits and tags with your own GitHub / OIDC identity.

Install

brew install sigstore/tap/gitsign
# go install github.com/sigstore/gitsign@latest

Configuration

Single Repository:

cd /path/to/my/repository
git config --local commit.gpgsign true  # Sign all commits
git config --local tag.gpgsign true  # Sign all tags
git config --local gpg.x509.program gitsign  # Use gitsign for signing
git config --local gpg.format x509  # gitsign expects x509 args

All Repositories:

git config --global commit.gpgsign true  # Sign all commits
git config --global tag.gpgsign true  # Sign all tags
git config --global gpg.x509.program gitsign  # Use gitsign for signing
git config --global gpg.format x509  # gitsign expects x509 args

Usage

Signing Commits

git commit --allow-empty --message="feat(apps): adding gitsign cli"
# verify
git verify-commit HEAD
git log --show-signature -1

Signing Tags

git tag v0.0.1
# verify
git verify-tag v0.0.1

Software Bill of Materials

For the micro-apps project we publish a Software Bill of Materials (SBOM) with each release. The SBOM is generated with Syft in the SPDX format.

The spdx.json file is available for download on the GitHub release page e.g.:

curl -sL https://github.com/xmlking/micro-apps/releases/download/v0.3.1/micro_0.3.1_sbom.spdx.json | jq

Pod security standard

The deployments are configured in conformance with the Kubernetes restricted pod security standard:

  • all Linux capabilities are dropped

  • the root filesystem is set to read-only

  • the seccomp profile is set to the runtime default

  • run as non-root is enabled

  • the filesystem group is set to 1337

  • the user and group IDs are set to 65534
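
An added example (not code from the micro-apps project) that checks a Pod spec against the settings listed above: a small policy-as-code style conformance check, with a constructed sample spec written to those settings. It also checks allowPrivilegeEscalation, which the restricted profile requires even though the list above does not mention it.

```python
# Added example, not code from the micro-apps project: check a Pod spec
# against the restricted-profile settings listed above. The sample spec
# below is constructed for this example.

COMPLIANT_POD = {
    "securityContext": {
        "runAsNonRoot": True,
        "runAsUser": 65534,
        "runAsGroup": 65534,
        "fsGroup": 1337,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "account-service",
        "image": "ghcr.io/xmlking/micro-apps/account-service:v0.3.1",
        "securityContext": {
            "allowPrivilegeEscalation": False,  # also required by restricted PSS
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}


def _effective(pod: dict, container: dict, key: str):
    """Container-level securityContext overrides the pod-level value."""
    c_sc = container.get("securityContext") or {}
    return c_sc[key] if key in c_sc else (pod.get("securityContext") or {}).get(key)


def check_restricted(pod: dict) -> list[str]:
    """Return violations of the settings listed above; [] means conformant."""
    findings = []
    if (pod.get("securityContext") or {}).get("fsGroup") != 1337:
        findings.append("pod: fsGroup must be 1337")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name, c_sc = c.get("name", "?"), c.get("securityContext") or {}
        if _effective(pod, c, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        if (_effective(pod, c, "runAsUser"), _effective(pod, c, "runAsGroup")) != (65534, 65534):
            findings.append(f"{name}: runAsUser/runAsGroup must be 65534")
        if (_effective(pod, c, "seccompProfile") or {}).get("type") != "RuntimeDefault":
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault")
        if c_sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
        if c_sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in ((c_sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{name}: capabilities.drop must include ALL")
    return findings
```

Feed it the pod template of a Deployment (e.g. parsed from the manifest) and fail the pipeline on a non-empty result; the same rules can be expressed as a Gatekeeper or Kyverno policy for admission-time enforcement.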

Kubernetes' security standard

  • adheres to the Kubernetes security model, including RBAC

  • implements policy-as-code via OPA (Gatekeeper) or Kyverno admission controllers
