gsa-tts / cg-egress-proxy Goto Github PK

Would it make sense to migrate this to the cloud-gov org?

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• proxy/caddy

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

Issued created by GSA-TTS Allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Bringing Caddy into the mix with a custom binary and using the binary buildpack makes this solution not a whole lot better than just building this custom CONNECT module and dynamically loading it into the NGINX buildpack. So we might think about adding a workflow to build the matching .so module file and simplifying the number of things folks have to understand about how this works by leaving Caddy out of the conversation. (More docs on how this module can be used.)

This issue was automatically created by Allstar.

Security Policy Violation
Signed commits required, but not enabled for branch: main

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

This issue was automatically created by Allstar.

Security Policy Violation
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.

To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/GSA-TTS/cg-egress-proxy/security/policy to enable.

For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.

Issued created by GSA-TTS Allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

There's code to auto-include appropriate S3 endpoints in the egress proxy config, so proxied apps can still reach their bound S3 buckets. HOWEVER, this code is not enough for aws s3 ls s3://... to function properly inside a proxied app.

We need to work with cloud.gov and AWS support to figure out what additional hosts beyond the S3 endpoint hostnames must be included in order for aws s3 ls s3://... to work.

This issue was automatically created by Allstar.

Security Policy Violation
Signed commits required, but not enabled for branch: main

Issued created by GSA-TTS Allstar

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

We are now generating a new binary whenever the upstream dependencies change, and including that binary in the proxy directory in the repository. The content of the proxy directory is essentially ready to use just by pushing to CF with the binary_buildpack.

When deploying the proxy with Terraform, the process of retrieving the content of the proxy/ directory file-by-file to reconstruct the app dir locally, then making a .zip file to push is needlessly complicated (and relies on the deprecated archive_file resource).

It would be better to move the manifest.yml and vars.yml-example files into the proxy directory to make it self-contained, and add a workflow to create a new GitHub release of a .zip of the proxy/ directory every time the content of that directory changes on main. That way the Terraform module (and any other consumers) could just retrieve the latest .zip file.

@JeanMarie-TTS points out that since we're now distributing our own version of the Caddy binary that includes our selected plugins, we should have a process in place to check that we don't release binaries created from vulnerable dependencies.

Trivy has the ability to scan both Go binaries (no dependencies) and Go modules (including dependencies). I'm unsure how to generate a go.mod as a side effect of compiling our binary with xcaddy; someone with more golang experience probably knows how to do that. Even if we can't do that directly by customizing Caddy's compilation process, apparently it's possible to extract the necessary info from a Go binary.

We should incorporate a scan by Trivy into our GitHub Action workflow that recompiles the binary nightly, and only make a PR adding the binary if the scan is clean.

Ideally, we'd also have a nightly workflow to check for vulnerabilities in our most recent existing binary, and make a vulnerability report if anything is found.

This issue was automatically created by Allstar.

Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code

Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.

Remediation Steps
To remediate, remove the generated executable artifacts from the repository.

Artifacts Found

• proxy/caddy

Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

This issue was automatically created by Allstar.

Security Policy Violation
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.

To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/GSA-TTS/cg-egress-proxy/security/policy to enable.

For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.