
Enhance artifact pull and push commands #112

Merged
merged 15 commits into from
Jun 21, 2024
Conversation

@santoshkal santoshkal commented Jun 19, 2024

This PR enhances artifact pull and push commands by implementing an incremental retry in case of failures while pulling and pushing artifacts. Additionally, references to OCI registries must now be prefixed with oci:// to differentiate between HTTP and OCI operations.
Moreover, users can provide rego policies packaged and stored in an OCI-compatible registry.
Dockerfile policies from OCI registry: [screenshot: rego-oci]

Infrafile policies from registries: [screenshot: infra-oci]

Generating Dockerfiles and validating with policies stored in OCI registries: [screenshot: gen-oci]

Closes: #96 #103

…oci://' prefix

- Users can now pass Registry Tokens as credentials while using pull/push commands.
- OCI URLs need to be provided prefixed with 'oci://' to differentiate between HTTP and OCI operations.
- Implementation of exponential retry logic while pulling and pushing from registries.
- Update OCI URLs for pulling default policies for Rego validation.
Signed-off-by: Santosh <ksantosh@intelops.dev>
Signed-off-by: Santosh <ksantosh@intelops.dev>
…tries

Signed-off-by: Santosh <ksantosh@intelops.dev>
Signed-off-by: santoshkal <ksantosh@intelops.dev>
Signed-off-by: santoshkal <ksantosh@intelops.dev>

dryrunsecurity bot commented Jun 19, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security                        Findings
Server-Side Request Forgery Analyzer   0 findings
Configured Codepaths Analyzer          0 findings
IDOR Analyzer                          0 findings
SQL Injection Analyzer                 0 findings
Secrets Analyzer                       0 findings
Authn/Authz Analyzer                   34 findings
Sensitive Files Analyzer               2 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request focus on enhancing the security and functionality of the Genval application, a configuration management tool for generating and validating Infrastructure as Code (IaC) files. The key improvements include:

  1. Improved OCI Registry Integration: The application now supports fetching security policies from OCI-compliant container registries, allowing for centralized management and distribution of security policies. This includes the ability to provide credentials for accessing the registries, improving the overall security of the policy retrieval process.

  2. Enhanced Artifact Handling: The changes introduce improvements to the artifact pulling and pushing functionality, including support for signature verification using Cosign and better error handling. These enhancements help ensure the integrity and authenticity of the generated artifacts.

  3. Expanded Validation Capabilities: The application now supports validating a wider range of file types, including Dockerfiles, Kubernetes manifests, CRD manifests, and Terraform files, against both local and OCI-based security policies. This improves the overall security posture of the generated configurations.

  4. Improved Usability and Documentation: The changes include updates to the command-line interface, shell completion functionality, and the project's README, making the application more user-friendly and providing better guidance for users.

Overall, these changes demonstrate a strong focus on improving the security and reliability of the Genval application, which is crucial for managing the security of infrastructure-as-code deployments.

Files Changed:

  1. README.md: Updated to provide more information about the Genval tool, including details on policy validation, Cue lang support, and artifact management.
  2. .goreleaser.yaml: Introduced changes to the changelog configuration and added artifact signing using Cosign.
  3. .gitignore: Updated to ignore new files and directories related to the project.
  4. cmd/artifact_pull.go: Improved authentication and signature verification for artifact pulling.
  5. cmd/completion.go: Added a new command for generating shell completion scripts.
  6. cmd/cuemod_init.go: Enhanced the workspace initialization process, including artifact verification and credential management.
  7. cmd/artifact_push.go: Improved the artifact pushing functionality, including support for Cosign signing.
  8. cmd/container.go: Expanded the Dockerfile validation capabilities, including support for OCI-based policies.
  9. cmd/cue.go: Updated the command-line flag for the "cue" command.
  10. cmd/root.go: Improved the documentation and usability of the root command.
  11. cmd/regoval_dockerfileval.go: Added support for fetching Rego policies from OCI registries.
  12. cmd/regoval_infrafile.go: Enhanced the Kubernetes manifest validation capabilities using OCI-based policies.
  13. go.mod: Added a new dependency, gotest.tools/v3 v3.5.1.
  14. pkg/oci/constants.go: Updated the policy URLs and the FetchPolicyFromRegistry function.
  15. cmd/regoval_terraform.go: Added support for validating Terraform configurations against OCI-based policies.
  16. pkg/oci/ociUtils.go: Introduced a new function, ParseOCIReference, to handle OCI URL parsing.
  17. pkg/oci/ociClient.go: Improved the credential handling and retry mechanism for artifact pulling.
  18. pkg/validate/constants.go: Added a new constant for a Rego policy image location.
  19. pkg/validate/regoval.go: Enhanced the OCI policy handling and input validation process.

Powered by DryRun Security

Signed-off-by: santoshkal <ksantosh@intelops.dev>
@santoshkal changed the title from "Enhance artifact pull and [ush commands" to "Enhance artifact pull and push commands" on Jun 19, 2024
Signed-off-by: santoshkal <ksantosh@intelops.dev>
…istries for dockerfile command

Signed-off-by: santoshkal <ksantosh@intelops.dev>
…olicies from OCI registries for all Rego commands

Signed-off-by: santoshkal <ksantosh@intelops.dev>
- Move auth-related logic out to its own GetCreds().
- Now, users can pass creds through the --credentials flag.
- Accepts auth in <$USER:$PAT> or <$TOKEN> format.
- If none is provided, falls back to /home/santosh/.docker/config.json.
- Updated examples for all commands for using default policies and policies from OCI registries.

Signed-off-by: santoshkal <ksantosh@intelops.dev>
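As an added example, not Genval's own code, the three behaviours this PR and the commit above describe, written in Go: the mandatory oci:// prefix that separates registry references from HTTP(S) URLs, the $USER:$PAT and $TOKEN forms of the --credentials flag, and exponential retry around a pull or push. The function names ParseReference, ParseCredentials and Retry are assumed rather than taken from the project, and the fallback to ~/.docker/config.json is left out.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ParseReference enforces the oci:// prefix this PR introduces: "oci://..." yields the
// registry path with isOCI=true, http(s):// URLs pass through, anything else is rejected.
func ParseReference(ref string) (target string, isOCI bool, err error) {
	switch {
	case strings.HasPrefix(ref, "oci://"):
		target = strings.TrimPrefix(ref, "oci://")
		if target == "" || strings.Contains(target, "://") {
			return "", false, fmt.Errorf("malformed OCI reference %q", ref)
		}
		return target, true, nil
	case strings.HasPrefix(ref, "http://"), strings.HasPrefix(ref, "https://"):
		return ref, false, nil
	}
	return "", false, fmt.Errorf("%q must start with oci://, http:// or https://", ref)
}

// ParseCredentials accepts the "$USER:$PAT" and "$TOKEN" forms of --credentials (<> are
// tolerated); user is empty for a bare token. Errors never echo the secret back.
func ParseCredentials(raw string) (user, secret string, err error) {
	raw = strings.Trim(strings.TrimSpace(raw), "<>")
	u, s, hasColon := strings.Cut(raw, ":")
	switch {
	case raw == "", hasColon && (u == "" || s == ""):
		return "", "", fmt.Errorf("credentials must be a non-empty $USER:$PAT or $TOKEN")
	case hasColon:
		return u, s, nil
	}
	return "", raw, nil
}

// Retry runs op with exponential backoff (base, 2*base, 4*base, ...) and wraps the
// final error once the attempt budget is spent, so the caller can still inspect it.
func Retry(attempts int, base time.Duration, op func() error) error {
	for i := 0; ; i++ {
		if err := op(); err == nil {
			return nil
		} else if i+1 >= attempts {
			return fmt.Errorf("giving up after %d attempts: %w", attempts, err)
		}
		time.Sleep(base << uint(i))
	}
}
```

Wrapping the registry client's pull or push in Retry keeps the retry budget bounded, and the wrapped error still lets the caller distinguish an auth failure from a transient network one.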
…v file

This behaviour is for testing the commands and would be updated to read the URLs for all commands from a .env file stored in a repo

Signed-off-by: santoshkal <ksantosh@intelops.dev>
…rregistry

Signed-off-by: santoshkal <ksantosh@intelops.dev>
… and policies from OCI registries

Signed-off-by: santoshkal <ksantosh@intelops.dev>
Signed-off-by: santoshkal <ksantosh@intelops.dev>
Signed-off-by: santoshkal <ksantosh@intelops.dev>
@santoshkal santoshkal merged commit dd7f5e3 into main Jun 21, 2024
13 checks passed
Successfully merging this pull request may close these issues.

Enhance the Push and Pull commands with refined auth and Retry logic