Securing GitLab Pipelines with Nirmata for Enhanced Governance

Applying security policies in CI pipelines ensures that security measures are integrated into the development process from the outset, reducing the risk of introducing vulnerabilities and threats into the software. By detecting and addressing security issues early in the development cycle, organizations can mitigate potential risks and deliver more secure and reliable software. Popular CI systems include GitLab CI, Jenkins, GitHub Actions, and Bitbucket Pipelines. This blog focuses on GitLab CI, demonstrating how Kyverno policies are applied to identify misconfigurations early.

Detect and Remediate Early

In an everything-as-code approach, detecting misconfigurations during the development phase significantly reduces the time and resources needed in later deployment stages. By tackling issues at their source, surprises in production are minimized.

Identifying misconfigurations is just the initial step. Addressing them requires domain expertise to comprehend, debug, and resolve the problem. Misconfigurations may arise in various files, including Kubernetes manifests, Dockerfiles, IaC files (like Terraform, OpenTofu, Pulumi), and CloudFormation templates.

Integrating NCTL with GitLab CI

NCTL, a CLI tool from Nirmata, is pivotal in CI/CD pipelines, enabling seamless interaction with Nirmata products. It lets developers and DevOps teams scan files such as Dockerfiles, Terraform scripts, and Kubernetes manifests against centrally defined security policies. GitLab pipelines routinely include stages like linting, unit tests, and integration tests, but misconfigurations often receive far less attention. Integrating NCTL into the pipeline adds a scan against policies defined by the security team, so misconfigurations are addressed alongside the other tests and vulnerability scanning. Below is an example of incorporating NCTL into the pipeline.

Refer to the official documentation to learn more about GitLab pipelines and how to configure them.

Install nctl in the GitLab pipeline

Add the `install-nctl` job to the `.gitlab-ci.yml` file. This job installs the CLI and stores the binary as an artifact for the jobs that follow.

stages:            # custom stage names must be declared, or GitLab rejects the jobs below
  - install
  - scan

install-nctl:
  stage: install
  script:
    - echo "Downloading and Installing NCTL 4.0.1"
    # -f makes curl fail on an HTTP error instead of saving the error page as the archive
    - curl -f -O -L -s https://nirmata-downloads.s3.us-east-2.amazonaws.com/nctl/nctl_4.0.1/nctl_4.0.1_linux_386.zip
    - unzip *.zip
    - echo "Verify Installation"
    - chmod 755 ./nctl
    - ./nctl version
  artifacts:
    paths:
      - ./nctl

Scan Kubernetes files for any misconfigurations

The `nctl-scan-k8s` job scans Kubernetes files for any misconfigurations. The `--policies` argument points to the directory containing the security policies. Note that policies can also be stored in a different GitLab repository. Refer to the sample list of policies here.

When this job is executed, the pipeline fails if there are misconfigurations, forcing the developer to debug and fix the issue at the source. The `--audit-as-warn` flag reports violations as warnings instead of failures, so the pipeline run succeeds.

nctl-scan-k8s:   # This job scans k8s files for misconfigurations.
  stage: scan    # It only starts when the job in the install stage completes successfully.
  dependencies:
    - install-nctl
  script:
    - echo "Running nctl scan"
    - ./nctl scan kubernetes --policies controls/pod-security --resources config-files/k8s --details --audit-as-warn

Similarly, to scan the Dockerfile, use the `nctl scan dockerfile` command. Some of the Dockerfile Best Practices policies can be found here.

nctl-scan-dockerfile:   # This job scans dockerfiles for misconfigurations.
  stage: scan    # It only starts when the job in the install stage completes successfully.
  dependencies:
    - install-nctl
  script:
    - echo "Running nctl scan"
    - ./nctl scan dockerfile --policies controls/dockerfile-best-practices --resources Dockerfile

The pipeline has two stages, install and scan, which can be visualized in the GitLab UI.
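The install job above downloads the NCTL archive and executes the binary without checking what it fetched. As an added example (not part of the original post or of Nirmata's tooling), the helper below pins the version and verifies the archive's SHA-256 against an expected digest before unpacking it; the expected digest and the local archive name are placeholders, and the download URL pattern is the one used in the install-nctl job.

```shell
#!/bin/sh
# Added example (not from the original post): verify the downloaded NCTL archive
# against a pinned SHA-256 before anything in it is executed. The expected digest
# is a placeholder to be replaced with the value published for the release.
set -eu

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_archive FILE EXPECTED: status 0 when the digest matches, 1 otherwise.
verify_archive() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum verified for $file"
}

# install_nctl VERSION EXPECTED: download, verify, then unpack and run the binary.
# The URL pattern is the one from the install-nctl job; the local archive name
# is a constructed value.
install_nctl() {
  version="$1"; expected="$2"
  url="https://nirmata-downloads.s3.us-east-2.amazonaws.com/nctl/nctl_${version}/nctl_${version}_linux_386.zip"
  archive="nctl_${version}.zip"
  curl -fsSL -o "$archive" "$url"
  verify_archive "$archive" "$expected"   # under set -e a mismatch stops the job here
  unzip -o "$archive"
  chmod 755 ./nctl
  ./nctl version
}

# Pipeline usage, e.g. in the install-nctl job's script section:
#   install_nctl 4.0.1 "<sha256 placeholder>"
```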


What’s Next

While individual pipelines cater to developers’ needs, administrators require a centralized view to maintain governance across all organization repositories, ensuring a comprehensive understanding of the organization’s overall security posture.

To address this, Nirmata provides a unified dashboard consolidating all cluster and pipeline-related insights. Platform and security administrators can confidently oversee compliance across their code repositories, clusters, and cloud resources. Nirmata offers intelligent insights and recommendations to strengthen the organization’s overall security posture, safeguarding against compliance breaches and potential cybersecurity threats and ensuring peace of mind for administrators.

Downloading and using NCTL is free for all users. Refer to the official documentation for installation instructions. The Nirmata Policy Manager (NPM) has a 15-day free trial. No credit card is required! Try it out today, or contact us for a demo.
