gsa-tts / cg-egress-proxy
Provides controlled egress for apps in a restricted-egress cloud.gov space
License: Other
Would it make sense to migrate this to the cloud-gov org?
This issue was automatically created by Allstar.
Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code
Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.
Remediation Steps
To remediate, remove the generated executable artifacts from the repository.
Artifacts Found
Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.
Issue created by GSA-TTS Allstar
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
Bringing Caddy into the mix with a custom binary and using the binary buildpack makes this solution not a whole lot better than just building this custom CONNECT module and dynamically loading it into the NGINX buildpack. So we might think about adding a workflow to build the matching .so module file and simplifying the number of things folks have to understand about how this works by leaving Caddy out of the conversation. (More docs on how this module can be used.)
This issue was automatically created by Allstar.
Security Policy Violation
Signed commits required, but not enabled for branch: main
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
This issue was automatically created by Allstar.
Security Policy Violation
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.
To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/GSA-TTS/cg-egress-proxy/security/policy to enable.
For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.
Issue created by GSA-TTS Allstar
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
There's code to auto-include appropriate S3 endpoints in the egress proxy config, so proxied apps can still reach their bound S3 buckets. HOWEVER, this code is not enough for aws s3 ls s3://... to function properly inside a proxied app.
We need to work with cloud.gov and AWS support to figure out what additional hosts beyond the S3 endpoint hostnames must be included in order for aws s3 ls s3://... to work.
We are now generating a new binary whenever the upstream dependencies change, and including that binary in the proxy directory in the repository. The content of the proxy directory is essentially ready to use just by pushing to CF with the binary_buildpack.
When deploying the proxy with Terraform, the process of retrieving the content of the proxy/ directory file-by-file to reconstruct the app dir locally, then making a .zip file to push, is needlessly complicated (and relies on the deprecated archive_file resource).
It would be better to move the manifest.yml and vars.yml-example files into the proxy directory to make it self-contained, and add a workflow to create a new GitHub release of a .zip of the proxy/ directory every time the content of that directory changes on main. That way the Terraform module (and any other consumers) could just retrieve the latest .zip file.
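An added example, not code from the cg-egress-proxy repository, of the release step proposed above: a Go program that zips a directory reproducibly (entries in sorted order, timestamps pinned, file modes preserved so the proxy binary keeps its exec bit) and writes a SHA-256 checksum beside the archive, plus the consumer-side check a Terraform module or any other downloader should run before deploying what it fetched. The archive name proxy.zip, the .sha256 sidecar format and the function names are assumptions made for this example; the workflow that triggers on changes to main and creates the GitHub release is not shown.

```go
// Added example: build a reproducible zip of a directory (such as proxy/) and
// publish a SHA-256 beside it so consumers can verify what they download.
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// fixedTime pins every entry's mtime: the archive bytes then depend only on
// file names, modes and contents, not on when the workflow ran.
var fixedTime = time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)

// ZipDir writes dir to w as a zip with entries in sorted path order and fixed
// timestamps, so two runs over identical content produce identical bytes.
func ZipDir(dir string, w io.Writer) error {
	var paths []string
	walk := func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() {
			paths = append(paths, p)
		}
		return nil
	}
	if err := filepath.WalkDir(dir, walk); err != nil {
		return err
	}
	sort.Strings(paths)
	zw := zip.NewWriter(w)
	for _, p := range paths {
		rel, err := filepath.Rel(dir, p)
		if err != nil {
			return err
		}
		info, err := os.Stat(p)
		if err != nil {
			return err
		}
		hdr := &zip.FileHeader{Name: filepath.ToSlash(rel), Method: zip.Deflate, Modified: fixedTime}
		hdr.SetMode(info.Mode().Perm()) // keeps the exec bit on the proxy binary
		fw, err := zw.CreateHeader(hdr)
		if err != nil {
			return err
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		_, err = io.Copy(fw, f)
		f.Close()
		if err != nil {
			return err
		}
	}
	return zw.Close()
}

// SHA256Hex returns the lowercase hex digest in the form sha256sum prints.
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Release writes <name>.zip for dir into outDir plus <name>.zip.sha256 in
// `sha256sum -c` format, and returns the zip path and its digest.
func Release(dir, outDir, name string) (string, string, error) {
	var buf bytes.Buffer
	if err := ZipDir(dir, &buf); err != nil {
		return "", "", err
	}
	zipPath := filepath.Join(outDir, name+".zip")
	if err := os.WriteFile(zipPath, buf.Bytes(), 0o644); err != nil {
		return "", "", err
	}
	digest := SHA256Hex(buf.Bytes())
	line := fmt.Sprintf("%s  %s\n", digest, name+".zip")
	if err := os.WriteFile(zipPath+".sha256", []byte(line), 0o644); err != nil {
		return "", "", err
	}
	return zipPath, digest, nil
}

// Verify is the consumer side: recompute the digest of a downloaded archive
// and compare it with the published value; refuse to deploy on mismatch.
func Verify(zipPath, expected string) (bool, error) {
	data, err := os.ReadFile(zipPath)
	if err != nil {
		return false, err
	}
	return SHA256Hex(data) == expected, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: release <source-dir> <out-dir>")
		os.Exit(2)
	}
	zipPath, digest, err := Release(os.Args[1], os.Args[2], "proxy")
	if err != nil {
		fmt.Fprintln(os.Stderr, "release failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%s  %s\n", digest, zipPath)
}
```

Because the archive is reproducible, the checksum only changes when the content of the directory changes, which is exactly the condition the proposed workflow keys on; a consumer that pins the digest it last verified will notice any unexpected change in the published zip, whether from a new release or from tampering.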
@JeanMarie-TTS points out that since we're now distributing our own version of the Caddy binary that includes our selected plugins, we should have a process in place to check that we don't release binaries created from vulnerable dependencies.
Trivy has the ability to scan both Go binaries (no dependencies) and Go modules (including dependencies). I'm unsure how to generate a go.mod as a side effect of compiling our binary with xcaddy; someone with more golang experience probably knows how to do that. Even if we can't do that directly by customizing Caddy's compilation process, apparently it's possible to extract the necessary info from a Go binary.
We should incorporate a scan by Trivy into our GitHub Action workflow that recompiles the binary nightly, and only make a PR adding the binary if the scan is clean.
Ideally, we'd also have a nightly workflow to check for vulnerabilities in our most recent existing binary, and make a vulnerability report if anything is found.
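An added example, not code from the project, of the "extract the necessary info from a Go binary" route mentioned above. Go embeds the full module list, with replace directives already resolved, in every module-built binary; it is the data that go version -m <binary> prints, and no go.mod or source tree is needed to recover it. This program reads it with the standard library's debug/buildinfo package, renders it as go.mod text that a reviewer or scanner can consume, and matches the linked versions against a caller-supplied blocklist. The sample build info, the module paths and versions in it, and the blocklist are constructed for the example; in a real pipeline the blocklist would come from a vulnerability database.

```go
// Added example: recover the module list Go embeds in every module-built
// binary (the same data `go version -m` prints) and render it as go.mod text
// that a dependency scanner or a reviewer can read.
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"sort"
	"strings"
)

// ModulesFromBinary reads the build metadata embedded in a compiled Go binary.
// It needs no source tree and no go.mod, only the executable.
func ModulesFromBinary(path string) (*debug.BuildInfo, error) {
	return buildinfo.ReadFile(path)
}

// linked returns the module actually compiled in: the replacement when a
// replace directive was active at build time, otherwise the module itself.
func linked(d *debug.Module) *debug.Module {
	if d.Replace != nil {
		return d.Replace
	}
	return d
}

// GoModFromBuildInfo renders the dependency list in go.mod syntax, one
// require line per linked module, sorted so the output is stable across runs.
func GoModFromBuildInfo(bi *debug.BuildInfo) string {
	reqs := make([]string, 0, len(bi.Deps))
	for _, d := range bi.Deps {
		m := linked(d)
		reqs = append(reqs, "\t"+m.Path+" "+m.Version)
	}
	sort.Strings(reqs)
	var b strings.Builder
	fmt.Fprintf(&b, "module %s\n\ngo %s\n\nrequire (\n",
		bi.Main.Path, strings.TrimPrefix(bi.GoVersion, "go"))
	b.WriteString(strings.Join(reqs, "\n"))
	b.WriteString("\n)\n")
	return b.String()
}

// FlaggedModules returns "path@version" for every linked module whose exact
// version is listed in blocklist (module path -> affected versions). The
// blocklist is whatever the caller supplies; a real pipeline would feed it
// from a vulnerability database rather than a hand-written map.
func FlaggedModules(bi *debug.BuildInfo, blocklist map[string][]string) []string {
	var hits []string
	for _, d := range bi.Deps {
		m := linked(d)
		for _, bad := range blocklist[m.Path] {
			if bad == m.Version {
				hits = append(hits, m.Path+"@"+m.Version)
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// SampleBuildInfo is constructed data standing in for a real binary so the
// example runs offline; the module paths and versions are illustrative only.
func SampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.21.5",
		Main:      debug.Module{Path: "caddy"},
		Deps: []*debug.Module{
			{Path: "github.com/caddyserver/caddy/v2", Version: "v2.7.6"},
			{Path: "example.com/upstream", Version: "v1.0.0",
				Replace: &debug.Module{Path: "example.com/fork", Version: "v1.0.1"}},
		},
	}
}

func main() {
	bi := SampleBuildInfo()
	if len(os.Args) == 2 {
		var err error
		if bi, err = ModulesFromBinary(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, "read build info:", err)
			os.Exit(1)
		}
	}
	fmt.Print(GoModFromBuildInfo(bi))
}
```

Run it with the path to the built caddy binary to dump the module list it was linked against; with no argument it prints the constructed sample. Reporting the replacement rather than the original module matters for a plugin-bearing build, since the replaced code is what actually ships. The exact-version match here is deliberately simple; a nightly check should use the version ranges an advisory database publishes, which is what Trivy or govulncheck do for you.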