New Security Stage of Pipeline: CrowdStrike Image Scanning and Gitleaks Secret Scanning - V 4.5
We have recently added a new security stage to our pipeline which includes CrowdStrike image scanning and Gitleaks secret scanning. This document explains the procedures and outcomes of this new security stage.
CrowdStrike Image Scan
CrowdStrike is a cybersecurity technology that scans Docker images for vulnerabilities. During the security stage of the pipeline, CrowdStrike will perform a comprehensive scan of the application image.
The scanner will report the vulnerabilities it finds in the images. The NetApp Global Security team is currently determining the thresholds at which findings will block production deployment. Until the Security team defines a policy, vulnerability findings will not impact your pipeline and you will still be able to deploy to production. If the scanner finds vulnerabilities, the stage will show a warning message. Please ensure that any image with vulnerabilities is given immediate attention.
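To make the "warn now, block later" behaviour concrete, here is an added illustration (not NetApp's pipeline code and not CrowdStrike's scanner) of how a deployment gate over an image-scan report is typically expressed. The warn-only policy reflects the current state described above; the stricter policy is a hypothetical example of the kind of threshold the Security team might define, and the severity names, report layout and CVE placeholders are all assumptions.

```python
"""Illustrative deployment gate over an image-scan report.

Added example, not NetApp's or CrowdStrike's code. No blocking policy exists
yet, so the default policy is warn-only; the second policy shows how a
severity-threshold gate would be written once one is defined. Severity names,
the report layout and the finding ids are assumptions for this illustration.
"""
from collections import Counter

# Constructed findings in the shape a scanner report might carry (placeholder ids,
# not real CVEs or real scan output).
SAMPLE_REPORT = [
    {"id": "CVE-PLACEHOLDER-1", "severity": "CRITICAL", "package": "openssl", "fix_available": True},
    {"id": "CVE-PLACEHOLDER-2", "severity": "HIGH", "package": "zlib", "fix_available": False},
    {"id": "CVE-PLACEHOLDER-3", "severity": "HIGH", "package": "curl", "fix_available": True},
    {"id": "CVE-PLACEHOLDER-4", "severity": "LOW", "package": "bash", "fix_available": True},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Current behaviour: findings produce a warning but never block.
WARN_ONLY_POLICY = {"block_at": None, "fixable_only": False}
# Hypothetical future policy: block on any finding rated HIGH or above that has a fix.
EXAMPLE_BLOCK_POLICY = {"block_at": "HIGH", "fixable_only": True}


def summarize(report):
    """Count findings per severity, which is what a warning message would list."""
    return Counter(f["severity"] for f in report)


def evaluate(report, policy):
    """Return (decision, blocking_findings); decision is 'pass', 'warn' or 'block'."""
    if not report:
        return "pass", []
    threshold = policy["block_at"]
    if threshold is None:
        # Warn-only mode: report everything, block nothing.
        return "warn", []
    min_rank = SEVERITY_RANK[threshold]
    blocking = [
        f for f in report
        if SEVERITY_RANK[f["severity"]] >= min_rank
        and (f["fix_available"] or not policy["fixable_only"])
    ]
    return ("block" if blocking else "warn"), blocking


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_REPORT)))
    print(evaluate(SAMPLE_REPORT, WARN_ONLY_POLICY)[0])
    print(evaluate(SAMPLE_REPORT, EXAMPLE_BLOCK_POLICY)[0])
```

The `fixable_only` switch is a common practical refinement: a gate that blocks on unfixable findings only stalls deployments without giving the team a remediation path.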
Gitleaks Scan
Gitleaks is an open-source tool that scans Git repositories for passwords, certificates, and other potential secrets. In the security stage of the pipeline, Gitleaks will scan the branch in which the pipeline is run.
- If Gitleaks identifies any secrets in your current branch, the security stage will display a warning message: "Secrets were found in this branch. This will prevent the production deployment of this service (block pipeline) at a future date. Please review and remediate this ASAP."
- To review the Gitleaks scan report, go to the Extensions tab. Here, you will find a list of the identified secrets. It's important to carefully review this list and handle the secrets appropriately.
- If you believe that any of the reported secrets are not actual passwords or certificates, you can mark them as false positives from the same tab. This will indicate that these are not true vulnerabilities and can be ignored in future scans.
- After making these changes, rerun the pipeline. The security stage should now show that the marked or corrected secrets have been removed from the list.
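The review, mark-as-false-positive and rerun steps above follow a simple logic: each hit gets a stable fingerprint, a marked fingerprint is excluded on the next run, and the stage warns only if unmarked hits remain. The following added example (not NetApp's pipeline code and not the Gitleaks source) models that workflow over a constructed set of files. The regex rules are simplified stand-ins for the Gitleaks rule set, the fingerprint format is an assumption, and all sample values are made up.

```python
"""Minimal Gitleaks-style secret scan with a false-positive allowlist.

Added illustration, not NetApp's pipeline code or the Gitleaks source. It models
the security stage: run rules over the lines in the branch, emit findings with
a stable fingerprint, drop fingerprints already marked as false positives, and
warn if anything remains. Rules and the fingerprint layout are simplified
assumptions; sample file contents are constructed and contain no real secrets.
"""
import hashlib
import re
from dataclasses import dataclass

# Simplified detection rules (rule id -> regex). Gitleaks ships far more.
RULES = {
    "generic-api-key": re.compile(
        r"(?i)(api[_-]?key|secret)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"
    ),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line_no: int
    fingerprint: str  # stable id used to mark this exact hit as a false positive


def fingerprint(path, line_no, rule_id, line):
    """Hash the matched line so the same hit maps to the same id on a rerun."""
    digest = hashlib.sha256(line.encode()).hexdigest()[:12]
    return f"{path}:{rule_id}:{line_no}:{digest}"


def scan_files(files, allowlist=frozenset()):
    """files: {path: text}. Returns findings not already marked as false positives."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule_id, pattern in RULES.items():
                if pattern.search(line):
                    fp = fingerprint(path, line_no, rule_id, line)
                    if fp not in allowlist:
                        findings.append(Finding(rule_id, path, line_no, fp))
    return findings


def stage_result(findings):
    """The message the security stage would surface for this run."""
    if findings:
        return "WARN: Secrets were found in this branch. Please review and remediate this ASAP."
    return "OK: no secrets found"


# Constructed sample repository contents (placeholder strings, not real credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "API_KEY = 'EXAMPLEKEY0123456789abcdef'\n"  # looks like a real leak: must be fixed
    ),
    "tests/fixtures/dummy.txt": (
        "# test-only placeholder, intentionally fake\n"
        "secret = 'placeholder_value_for_tests_1'\n"  # false positive: mark and rerun
    ),
}


def first_run():
    """Initial pipeline run: nothing has been triaged yet."""
    return scan_files(SAMPLE_FILES)


def rerun_after_triage(false_positive_fingerprints):
    """Rerun after marking fingerprints as false positives in the review tab."""
    return scan_files(SAMPLE_FILES, frozenset(false_positive_fingerprints))


if __name__ == "__main__":
    initial = first_run()
    print(stage_result(initial))
    marked = [f.fingerprint for f in initial if f.path.startswith("tests/")]
    print(stage_result(rerun_after_triage(marked)))
```

Note that marking only removes the hit from the report; the fixture still matches the rule, and the real key in `config/settings.py` keeps the stage in the warning state until it is removed from the branch.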
This new security stage is a crucial addition to our pipeline, ensuring that our applications are secure and free of vulnerabilities. We encourage everyone to familiarize themselves with the process and to handle any warnings promptly and appropriately.