Access external data to build a secure supply chain #1293
Comments
Hi @hendrikhalkow thanks for opening this issue. To enable these scenarios, we would need to add the external data feature in Gatekeeper. The proposed design is in this doc. Would love to hear your thoughts.
this is great, love the ideas @hendrikhalkow and would love to hear your thoughts on the design.
This is what I've been waiting for, for a few years, and is the use case that got me involved with OPA in the first place, particularly having data-driven mutations. Can I add content to the doc or should I just add comments? I've been out of the loop for a while.
It is great to see that you are already working on this. In the proposed design documentation, both option 4 and 5 look feasible to me. In the vulnerabilities example, it is helpful to retrieve not only the number of vulnerabilities but also their detailed CVSS score. For example, vulnerabilities with an attack vector (AV) of Network are more critical than Physical ones, and those with privileges required (PR) High are only relevant when the containers run as root.
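A worked version of the triage sketched in the comment above (network-reachable findings are what matter, and PR:H findings only for workloads that run as root), written as an added Go example; it is not code from Gatekeeper or from anyone in this thread. It parses CVSS v3 vector strings directly so that a policy can decide on AV and PR rather than on a bare vulnerability count. The findings are constructed sample data, and the blocking rule (block on AV:N among the relevant findings, fail closed on anything unparsable) is this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CVSSVector holds the two CVSS v3.x base metrics the triage needs (attack
// vector and privileges required); every metric in the string is kept in Metrics.
type CVSSVector struct {
	Version            string
	AttackVector       string // N (network), A (adjacent), L (local) or P (physical)
	PrivilegesRequired string // N, L or H
	Metrics            map[string]string
}

// ParseCVSS parses a CVSS v3.0/v3.1 vector string such as
// "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H".
func ParseCVSS(vector string) (CVSSVector, error) {
	parts := strings.Split(vector, "/")
	if len(parts) < 2 || !strings.HasPrefix(parts[0], "CVSS:3.") {
		return CVSSVector{}, errors.New("not a CVSS v3 vector")
	}
	v := CVSSVector{Version: strings.TrimPrefix(parts[0], "CVSS:"), Metrics: map[string]string{}}
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return CVSSVector{}, fmt.Errorf("malformed metric %q", p)
		}
		if _, dup := v.Metrics[kv[0]]; dup {
			return CVSSVector{}, fmt.Errorf("duplicate metric %q", kv[0])
		}
		v.Metrics[kv[0]] = kv[1]
	}
	var ok bool
	if v.AttackVector, ok = v.Metrics["AV"]; !ok {
		return CVSSVector{}, errors.New("missing AV metric")
	}
	if v.PrivilegesRequired, ok = v.Metrics["PR"]; !ok {
		return CVSSVector{}, errors.New("missing PR metric")
	}
	return v, nil
}

// Vulnerability is one finding as a scanner or metadata store would report it.
type Vulnerability struct {
	ID     string
	Vector string
}

// Relevant applies the comment's observation: a finding that needs high
// privileges (PR:H) only matters when the container runs as root.
func Relevant(v CVSSVector, runsAsRoot bool) bool {
	return !(v.PrivilegesRequired == "H" && !runsAsRoot)
}

// Evaluate returns the IDs of the findings that should block deployment: the
// relevant ones that are reachable over the network (AV:N). A vector that
// cannot be parsed blocks too, so the policy fails closed on data it cannot read.
func Evaluate(findings []Vulnerability, runsAsRoot bool) (blocking []string) {
	for _, f := range findings {
		v, err := ParseCVSS(f.Vector)
		if err != nil {
			blocking = append(blocking, f.ID+" (unparsable vector: "+err.Error()+")")
			continue
		}
		if Relevant(v, runsAsRoot) && v.AttackVector == "N" {
			blocking = append(blocking, f.ID)
		}
	}
	return blocking
}

// sampleFindings is constructed data for this example, not real advisories.
var sampleFindings = []Vulnerability{
	{ID: "VULN-A", Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, // network, no privileges: blocks
	{ID: "VULN-B", Vector: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, // network, needs root: blocks only if root
	{ID: "VULN-C", Vector: "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, // physical: ignored
	{ID: "VULN-D", Vector: "CVSS:3.1/AV:N/AC:L"},                           // missing PR: fail closed
}

func main() {
	fmt.Println("non-root workload blocks on:", Evaluate(sampleFindings, false))
	fmt.Println("root workload blocks on:    ", Evaluate(sampleFindings, true))
}
```

Running it shows the point of the comment: the same image yields two different verdicts depending on whether the pod runs as root, something a plain vulnerability count cannot express.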
@teq0 Great to hear from you again! Feel free to add comments to the doc. @hendrikhalkow definitely handling complex return types is a valid use case. Figuring out a syntax for dealing with complex (and potentially multi-valued) return statements would be a requirement for option #5 IMO.
+1 for this. I'd like to be able to make authorization decisions based on criteria from external systems and the actor's user identity.
We (w/@Dentrax) did some experiments about using OPA Gatekeeper to validate signatures and attestations using cosign. Here are the links that explain what we did:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
Closing with https://open-policy-agent.github.io/gatekeeper/website/docs/externaldata. Please let us know if you have any feedback. |
I'd like to use Gatekeeper to build a secure supply chain, which means that I only want artefacts to be deployed that fulfil certain criteria, e.g.:
As this data is not available from within Gatekeeper, we would need a way to sync data into Gatekeeper or extend Gatekeeper so that it can access external data like Grafeas.
Support for writing policies in Go would help for this use case, too.
See also Kritis issue 606.
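The direction the thread settled on (the external data feature linked in the closing comment) is to have Gatekeeper call out to a provider for facts about an image rather than sync the data in. Below is an added Go example of such a provider; it is not code from Gatekeeper, Grafeas or anyone in this thread. It follows the request/response envelope of Gatekeeper's external data protocol as the externaldata docs describe it (an apiVersion/kind wrapper, `request.keys` in, `response.items` out). The exact field names, the `/validate` path, the listen address and the image digests are assumptions of this example, and the metadata store is constructed inline.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// apiVersion and the envelope structs mirror the external data provider
// protocol as documented for Gatekeeper's externaldata feature. Assumption of
// this example: check the field names against the docs for the version you run.
const apiVersion = "externaldata.gatekeeper.sh/v1alpha1"

type providerRequest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    struct {
		Keys []string `json:"keys"`
	} `json:"request"`
}

type item struct {
	Key   string      `json:"key"`
	Value interface{} `json:"value,omitempty"`
	Error string      `json:"error,omitempty"`
}

type providerResponse struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Response   struct {
		Idempotent  bool   `json:"idempotent"`
		Items       []item `json:"items"`
		SystemError string `json:"systemError,omitempty"`
	} `json:"response"`
}

// ImageFacts is what the provider returns per image: the data a policy would
// otherwise have to fetch from a Grafeas-style metadata store or a signature verifier.
type ImageFacts struct {
	Signed         bool     `json:"signed"`
	VulnCount      int      `json:"vulnCount"`
	MaxCVSS        float64  `json:"maxCvss"`
	NetworkVulnIDs []string `json:"networkVulnIds"`
}

// store is constructed sample data keyed by digest-pinned image reference; a
// real provider would query the metadata store here instead.
var store = map[string]ImageFacts{
	"registry.example/app@sha256:aaaa": {Signed: true, VulnCount: 0},
	"registry.example/app@sha256:bbbb": {Signed: true, VulnCount: 3, MaxCVSS: 9.8, NetworkVulnIDs: []string{"VULN-A"}},
	"registry.example/app@sha256:cccc": {Signed: false, VulnCount: 1, MaxCVSS: 5.3},
}

// Lookup resolves one key. Keys not pinned by digest are rejected: facts about
// a mutable tag can drift from what actually gets pulled at deploy time.
func Lookup(key string) item {
	if !strings.Contains(key, "@sha256:") {
		return item{Key: key, Error: "image reference must be pinned by digest"}
	}
	facts, ok := store[key]
	if !ok {
		return item{Key: key, Error: "no metadata for image"}
	}
	return item{Key: key, Value: facts}
}

// Handle is the provider endpoint. Unknown keys get a per-item error rather
// than an empty value, so the Rego side can fail closed on them.
func Handle(w http.ResponseWriter, r *http.Request) {
	var req providerRequest
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	resp := providerResponse{APIVersion: apiVersion, Kind: "ProviderResponse"}
	resp.Response.Idempotent = true
	for _, k := range req.Request.Keys {
		resp.Response.Items = append(resp.Response.Items, Lookup(k))
	}
	w.Header().Set("Content-Type", "application/json")
	if err := json.NewEncoder(w).Encode(resp); err != nil {
		log.Printf("encode response: %v", err)
	}
}

func main() {
	http.HandleFunc("/validate", Handle)
	// A production provider serves TLS with a certificate Gatekeeper trusts;
	// plain HTTP on loopback is used here only so the example runs without one.
	log.Fatal(http.ListenAndServe("127.0.0.1:8090", nil))
}
```

The provider deliberately returns structured facts (signed, counts, the network-reachable IDs) rather than a verdict, so the deploy/deny decision stays in the policy where it can be reviewed and changed without redeploying the provider.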