Manifest Scanning

This is a practical example of Manifest Scanning via Open Policy Agent (OPA).

Manifest Scanning is the process of scanning our manifests (non-code artifacts, e.g. Kubernetes manifests, Terraform files, Dockerfiles, etc.) for misconfigurations, bad practices, etc.

In this example we are going to verify that our Kubernetes Deployment doesn't have any containers that run as root. Running as root is a security bad practice and should be avoided unless strictly necessary: a container running as UID 0 has far more to gain from a container escape or a kernel bug than one running as an unprivileged user.

The policy.rego file contains the Rego policies, which OPA will use to verify our manifests.

deploy.yaml contains a Kubernetes Deployment.

We can use the OPA CLI to validate the manifest file against the policy:

opa eval -i deploy.yaml -d policy.rego 'data.noprivileged.violations[_].msg' --fail-defined

The --fail-defined flag makes the command fail (return a non-zero exit code) whenever the query result is defined, i.e. whenever the policy produces at least one violation message. If the Deployment passes, the query result is empty and the command exits with zero, so the same invocation can be used directly as a CI gate.
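The following is an added example of what such a policy.rego can look like; it is not the repository's own policy file. It assumes the package name noprivileged and the violations[_].msg shape that the opa eval command above queries, and that input is a single Kubernetes Deployment. It goes a bit beyond the description above: it also covers initContainers, it honours the Kubernetes precedence rule that a container-level securityContext overrides the pod-level one, and it treats an explicit runAsUser: 0 as a violation even when runAsNonRoot: true is set elsewhere (a combination the kubelet would refuse to start). The test_ rules at the bottom carry constructed Deployments, not the repository's deploy.yaml, and run with opa test policy.rego.

```rego
package noprivileged

import rego.v1

# Assumption: `input` is one Kubernetes Deployment, as supplied by `opa eval -i deploy.yaml`.
pod_spec := input.spec.template.spec

# Every container in the pod; initContainers is optional in the spec, so default it to [].
all_containers := array.concat(pod_spec.containers, object.get(pod_spec, "initContainers", []))

# Effective securityContext value: the container-level setting wins, otherwise fall back
# to the pod level. Undefined when neither level sets the field.
effective(container, field) := value if {
	value := container.securityContext[field]
} else := value if {
	value := pod_spec.securityContext[field]
}

# A container is provably non-root if the kubelet is told to enforce it ...
non_root(container) if effective(container, "runAsNonRoot") == true

# ... or an explicit non-zero UID is set.
non_root(container) if effective(container, "runAsUser") != 0

# Why a container may end up running as root; undefined when it is provably non-root.
root_reason(container) := "explicitly sets runAsUser: 0" if {
	effective(container, "runAsUser") == 0
} else := "sets neither runAsNonRoot: true nor a non-zero runAsUser, so the image default user applies" if {
	not non_root(container)
}

# One violation object per offending container; `data.noprivileged.violations[_].msg` reads the text.
violations contains {"msg": msg} if {
	some container in all_containers
	reason := root_reason(container)
	msg := sprintf("container %q in Deployment %q may run as root: %s", [container.name, input.metadata.name, reason])
}

# --- constructed test inputs for `opa test policy.rego` (not the repository's deploy.yaml) ---

deployment(containers, pod_security_context) := {
	"kind": "Deployment",
	"metadata": {"name": "web"},
	"spec": {"template": {"spec": {
		"securityContext": pod_security_context,
		"containers": containers,
	}}},
}

test_explicit_uid_zero_is_flagged if {
	d := deployment([{"name": "app", "securityContext": {"runAsUser": 0}}], {})
	count(violations) == 1 with input as d
}

test_nothing_set_is_flagged if {
	d := deployment([{"name": "app"}], {})
	count(violations) == 1 with input as d
}

test_pod_level_run_as_non_root_is_accepted if {
	d := deployment([{"name": "app"}], {"runAsNonRoot": true})
	count(violations) == 0 with input as d
}

test_container_level_uid_zero_overrides_pod_level if {
	d := deployment([{"name": "app", "securityContext": {"runAsUser": 0}}], {"runAsNonRoot": true})
	count(violations) == 1 with input as d
}

test_init_containers_are_checked_too if {
	d := deployment([{"name": "app", "securityContext": {"runAsUser": 1000}}], {})
	d2 := object.union(d, {"spec": {"template": {"spec": {"initContainers": [{"name": "setup"}]}}}})
	count(violations) == 1 with input as d2
}
```

Because effective() falls back to the pod-level securityContext, a Deployment that sets runAsNonRoot: true once at the pod level passes for all of its containers, while a single container that overrides it with runAsUser: 0 is still reported. The import rego.v1 line makes the file accept the same syntax on OPA 0.59+ and 1.x.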

This CI Job is an example of a failed policy check.

This CI Job is an example of a successful policy check.