Security

Last updated 2 years ago

This document gives an overview of the security considerations for micro-apps services, components and artifacts, as well as the security-relevant configuration options for the Kubernetes cluster.

Safeguarding artifact integrity across any software supply chain.

Supply Chain Security

Goals

  1. Adopt the SLSA Framework Level 4 guideline for DevSecOps

  2. Signed container images with Sigstore Cosign

  3. Software Bill of Materials (SBOM) with Anchore Syft

  4. Static Code Analysis with CodeQL

  5. Vulnerability scanning with Snyk

  6. Software Composition Analysis (SCA) with OWASP Dependency-Check and Dependabot

  7. Risk and compliance as code (RCaC) via Open Policy Agent with Gatekeeper or Kyverno

Binary Authorization

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE). With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.

Cosign

To verify the authenticity of container images, install cosign and run:

$ COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/xmlking/micro-apps/account-service:v0.3.1

Verification for ghcr.io/xmlking/micro-apps/account-service:v0.3.1 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.

Gitsign

Install

brew install sigstore/tap/gitsign
# go install github.com/sigstore/gitsign@latest

Configuration

Single Repository:

cd /path/to/my/repository
git config --local commit.gpgsign true  # Sign all commits
git config --local tag.gpgsign true  # Sign all tags
git config --local gpg.x509.program gitsign  # Use gitsign for signing
git config --local gpg.format x509  # gitsign expects x509 args

All Repositories:

git config --global commit.gpgsign true  # Sign all commits
git config --global tag.gpgsign true  # Sign all tags
git config --global gpg.x509.program gitsign  # Use gitsign for signing
git config --global gpg.format x509  # gitsign expects x509 args

Usage

Signing Commits

git commit --allow-empty --message="feat(apps): adding gitsign cli"
# verify
git verify-commit HEAD
git log --show-signature -1

Signing Tags

git tag v0.0.1
# verify
git verify-tag v0.0.1

Software Bill of Materials

The SBOM (spdx.json) is available for download from the GitHub release page, e.g.:

curl -sL https://github.com/xmlking/micro-apps/releases/download/v0.3.1/micro_0.3.1_sbom.spdx.json | jq

Pod security standard

  • all Linux capabilities are dropped

  • the root filesystem is set to read-only

  • the seccomp profile is set to the runtime default

  • run as non-root is enabled

  • the filesystem group is set to 1337

  • the user and group IDs are set to 65534

Kubernetes' security standard

  • properly adheres to the Kubernetes security model, including RBAC

  • implements policy-as-code via OPA or Kyverno admission controllers
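
Added example (not the project's own code): a minimal admission-style check, in the spirit of the OPA/Kyverno policies mentioned above, that evaluates a pod manifest against the six pod security rules listed above and reports each violation; the two sample manifests are constructed for this example.

```python
# Constructed sample manifests (not from the micro-apps repo).
COMPLIANT_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65534, "runAsGroup": 65534,
                        "fsGroup": 1337, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "account-service", "securityContext": {
        "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}}]}}

# Same pod, but the container re-adds a capability, runs as root and has a
# writable root filesystem; an admission controller should reject it.
WEAK_POD = {"spec": {
    "securityContext": COMPLIANT_POD["spec"]["securityContext"],
    "containers": [{"name": "account-service", "securityContext": {
        "readOnlyRootFilesystem": False, "runAsUser": 0,
        "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]}}}]}}


def _effective(pod_sc, ctr_sc, key):
    """Container-level securityContext fields override pod-level ones."""
    return ctr_sc.get(key, pod_sc.get(key))


def check_pod(pod):
    """Return violation strings for the six rules above; empty means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    violations = []
    if pod_sc.get("fsGroup") != 1337:
        violations.append("pod: fsGroup must be 1337")
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = ctr.get("name", "<unnamed>"), ctr.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if "ALL" not in {c.upper() for c in caps.get("drop", [])} or caps.get("add"):
            violations.append(f"{name}: all capabilities must be dropped (drop ALL, add none)")
        if sc.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}: readOnlyRootFilesystem must be true")
        if (_effective(pod_sc, sc, "seccompProfile") or {}).get("type") != "RuntimeDefault":
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if (_effective(pod_sc, sc, "runAsUser"), _effective(pod_sc, sc, "runAsGroup")) != (65534, 65534):
            violations.append(f"{name}: runAsUser and runAsGroup must be 65534")
    return violations


if __name__ == "__main__":
    print("compliant:", check_pod(COMPLIANT_POD))
    print("weak:", *check_pod(WEAK_POD), sep="\n  ")
```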

All container images are signed using Sigstore Cosign and GitHub OIDC.

Gitsign enables keyless signing of Git commits and tags with your own GitHub / OIDC identity.

For the micro-apps project we publish a Software Bill of Materials (SBOM) with each release. The SBOM is generated with Syft in the SPDX format.

The deployments are configured in conformance with the Kubernetes restricted pod security standard.
