feat: audit mode

semgr8ns · Jun 13, 2024 · e958504 · e958504
1 parent dda6305
commit e958504
Show file tree

Hide file tree

Showing 9 changed files with 70 additions and 12 deletions.
diff --git a/.github/workflows/.reusable-integration-test.yml b/.github/workflows/.reusable-integration-test.yml
@@ -43,6 +43,7 @@ jobs:
  "basic",
  "autofix",
  "semgrep_login",
+ "audit",
  ]
  steps:
  - name: Checkout code

diff --git a/charts/semgr8s/templates/_helpers.tpl b/charts/semgr8s/templates/_helpers.tpl
@@ -83,4 +83,4 @@ Create the name of the environments to use
 
 {{- define "semgr8s.getFileName" -}}
 {{- . | trimPrefix "rules/" | replace "/" "_" }}
-{{- end }}
+{{- end }}
diff --git a/charts/semgr8s/templates/env.yaml b/charts/semgr8s/templates/env.yaml
@@ -5,5 +5,6 @@ metadata:
  labels:
  {{- include "semgr8s.labels" . | nindent 4 }}
 data:
- SEMGREP_RULES: {{ join " " .Values.application.remoteRules | quote }}
- NAMESPACE: {{ .Release.Namespace }}
+ ENFORCE: {{ .Values.application.enforce | quote }}
+ SEMGREP_RULES: {{ join " " .Values.application.remoteRules | quote }}
+ NAMESPACE: {{ .Release.Namespace }}
diff --git a/charts/semgr8s/values.yaml b/charts/semgr8s/values.yaml
@@ -63,10 +63,11 @@ webhooks: # configuration options for webhooks described under https://kubernet
  operations: ["CREATE", "UPDATE"]
 
 application:
- # Apply remote rules from e.g.
+ enforce: true # fail on rule violation (true/false)
+ # remoteRules: Apply remote rules from e.g.
  # * semgrep registry: https://semgrep.dev/r
  # * semgrep-rules github repo: https://github.com/semgrep/semgrep-rules
  # common choices: p/kubernetes, r/yaml.kubernetes
  remoteRules: ["p/kubernetes"]
- autofix: false
+ autofix: false # apply semgrep fixes before validation (see https://semgrep.dev/docs/writing-rules/autofix)
  semgrepLogin: false # requires generic secret with name 'semgrep-app-token' and key 'token' in semgr8ns namespace
diff --git a/docs/usage.md b/docs/usage.md
@@ -214,6 +214,14 @@ kubectl delete -f tests/demo/
 
 ## Features
 
+### Audit mode
+
+It is possible to run Semgr8s in *audit* mode by which it will not block but only warn on non-compliant resources.
+As the logs contain an explicit error code, it is possible to alert on admission responses with warnings via typical monitoring solutions such as [Prometheus](https://prometheus.io/) or [DataDog](https://www.datadoghq.com/).
+This is particularly useful during rollout of Semgr8s and for enforcement of new policies.
+
+To activate audit mode, set `.application.enforce=false` in the `charts/semgr8s/values.yaml`.
+
 ### Semgrep login
 
 With the *Semgrep login* feature, you can connect Semgr8s to your [Semgrep AppSec Platform](https://semgrep.dev/login) account and use platform features such as [private remote rules](https://semgrep.dev/docs/writing-rules/private-rules).

diff --git a/semgr8s/app.py b/semgr8s/app.py
@@ -15,6 +15,7 @@
 from semgr8s.files import S8sFiles
 
 APP = Flask(__name__)
+AUDIT = os.environ.get("ENFORCE", "true").lower() == "false"
 
 
 @APP.route("/health", methods=["GET", "POST"])
@@ -70,7 +71,7 @@ def perform_review(
  'allowed': <bool True/False>,
  'status': {
  'code': <int http_status_codes>,
- 'message': <str reponse_message>
+ 'msg': <str reponse_msg>
  },
  'uid': <str admission_request_uid>
  }
@@ -181,26 +182,30 @@ def perform_review(
  return send_response(True, uid, 201, "Compliant resource admitted")
 
 
-def send_response(allowed, uid, code, message, patch=None):
+def send_response(allowed, uid, code, msg, patch=None):
  """
  Prepare json response in expected format based on validation result.
  """
  APP.logger.info(
- "> response:(allowed=%s, uid=%s, status_code=%s message=%s)",
- allowed,
+ "> response:(allowed=%s, uid=%s, status_code=%s msg=%s)",
+ allowed | AUDIT,
  uid,
  code,
- message,
+ msg,
  )
  review = {
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "response": {
- "allowed": allowed,
+ "allowed": allowed | AUDIT,
  "uid": uid,
- "status": {"code": code, "message": message},
+ "status": {"code": code, "message": msg},
  },
  }
+
+ if AUDIT and not allowed:
+ review["response"]["warnings"] = ["[Semgr8s] " + msg.replace("\n", "")]
+
  if patch:
  review["response"]["patchType"] = "JSONPatch"
  review["response"]["patch"] = base64.b64encode(

diff --git a/tests/integration/main.sh b/tests/integration/main.sh
@@ -19,6 +19,7 @@ source "${SCRIPT_PATH}/scripts/basic.sh"
 source "${SCRIPT_PATH}/scripts/remote_rules.sh"
 source "${SCRIPT_PATH}/scripts/autofix.sh"
 source "${SCRIPT_PATH}/scripts/semgrep_login.sh"
+source "${SCRIPT_PATH}/scripts/audit.sh"
 
 # backup values.yaml
 cp charts/semgr8s/values.yaml charts/semgr8s/values.yaml.bak
@@ -40,6 +41,10 @@ case $1 in
  # testing semgrep appsec platform login with private rules
  semgrep_login_integration_test
  ;;
+"audit")
+ # testing autofixing with mutating webhook
+ audit_integration_test
+ ;;
 "restore")
  restore
  ;;

diff --git a/tests/integration/scripts/audit.sh b/tests/integration/scripts/audit.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+audit_integration_test() {
+ create_test_namespaces
+ update_with_file "audit"
+ install "make"
+ multi_test "audit"
+ uninstall "make"
+}
diff --git a/tests/integration/test_cases/audit.yaml b/tests/integration/test_cases/audit.yaml
@@ -0,0 +1,27 @@
+testCases:
+- id: a-01
+ txt: Testing compliant pod...
+ type: k8s-yaml
+ ref: 20_compliant_pod
+ namespace: validatedns
+ expected_msg: pod/compliant-pod created
+- id: a-02
+ txt: Testing non-compliant pod against local rule for forbidden test label...
+ type: k8s-yaml
+ ref: 40_testlabel_pod
+ namespace: validatedns
+ expected_msg: "Warning: [Semgr8s] Found 1 violation"
+- id: a-03
+ txt: Testing non-compliant pod against local rule for forbidden test label...
+ type: k8s-yaml
+ ref: 41_nosc_pod
+ namespace: validatedns
+ expected_msg: pod/nosc-pod created
+
+values:
+ deployment:
+ image:
+ repository: "${IMAGE}"
+ tag: "${TAG}"
+ application:
+ enforce: false