Version: 0.18.0

Commit/Build time checks Enterprise

Overview

Weave GitOps Enterprise enables developers and operators to check for policy violations early in the software development life cycle, specifically at commit and build time. Developers and operators can integrate the Weave Policy Validator into their CI tools to validate whether their code changes violate any policies.

Weave GitOps Enterprise offers a policy engine image that can be used to perform commit/build time checks. The image can be found on Docker Hub under the name: weaveworks/weave-iac-validator:v1.1.


Usage

USAGE:
   main [global options] command [command options] [arguments...]

VERSION:
   0.0.1

COMMANDS:
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --path value                       path to resources kustomization directory
   --helm-values-file value           path to resources helm values file
   --policies-path value              path to policies kustomization directory
   --policies-helm-values-file value  path to policies helm values file
   --git-repo-provider value          git repository provider [$WEAVE_REPO_PROVIDER]
   --git-repo-url value               git repository url [$WEAVE_REPO_URL]
   --git-repo-branch value            git repository branch [$WEAVE_REPO_BRANCH]
   --git-repo-sha value               git repository commit sha [$WEAVE_REPO_SHA]
   --git-repo-token value             git repository token [$WEAVE_REPO_TOKEN]
   --sast value                       save result as gitlab sast format
   --sarif value                      save result as sarif format
   --json value                       save result as json format
   --generate-git-report              generate git report if supported (default: false) [$WEAVE_GENERATE_GIT_PROVIDER_REPORT]
   --remediate                        auto remediate resources if possible (default: false)
   --no-exit-error                    exit with no error (default: false)
   --help, -h                         show help (default: false)
   --version, -v                      print the version (default: false)
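The --sarif option above writes the validator's findings in the SARIF 2.1.0 format, which lets a later pipeline step decide what blocks a merge instead of relying on the validator's own exit code. The following script is an added example for this page, not code from Weave GitOps or weave-iac-validator: it reads a SARIF report, prints one line per violation, and fails only when a result reaches a chosen level. The report embedded in it is constructed for the example (the rule ids and messages are made up), and it assumes only the standard SARIF layout (runs[].results[] with ruleId, level, message and locations), not any validator-specific extension.

```python
"""Gate a CI job on the severity of findings in a SARIF 2.1.0 report.

Added example for this page; not part of weave-iac-validator. The report
below is constructed, and the only assumption about the validator's
--sarif output is that it follows the standard SARIF 2.1.0 layout.
"""
import json
import sys
from collections import Counter

# Constructed SARIF report with two violations in one deployment manifest.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "weave-iac-validator", "rules": [
            {"id": "privileged-mode",
             "shortDescription": {"text": "Containers running in privileged mode"}},
            {"id": "minimum-replica-count",
             "shortDescription": {"text": "Minimum replica count"}},
        ]}},
        "results": [
            {"ruleId": "privileged-mode", "level": "error",
             "message": {"text": "privileged mode is enabled for container 'app'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "resources/deployment.yaml"}}}]},
            {"ruleId": "minimum-replica-count", "level": "warning",
             "message": {"text": "replica count 1 is below the minimum of 2"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "resources/deployment.yaml"}}}]},
        ],
    }],
})


def iter_results(sarif_text: str):
    """Yield (rule_id, level, file_uri, message) for every result in every run."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            uri = (locations[0].get("physicalLocation", {})
                   .get("artifactLocation", {})
                   .get("uri", "<unknown>"))
            # SARIF 2.1.0: a result without an explicit level defaults to "warning".
            yield (result.get("ruleId", "<no rule>"),
                   result.get("level", "warning"),
                   uri,
                   result.get("message", {}).get("text", ""))


def summarize(sarif_text: str) -> dict:
    """Count results per SARIF level, e.g. {"error": 1, "warning": 1}."""
    return dict(Counter(level for _, level, _, _ in iter_results(sarif_text)))


def should_fail(sarif_text: str, fail_on=("error",)) -> bool:
    """True when at least one result has a level listed in fail_on."""
    return any(level in fail_on for _, level, _, _ in iter_results(sarif_text))


if __name__ == "__main__":
    # Usage: python gate.py report.sarif   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    for rule, level, uri, message in iter_results(text):
        print(f"{level:8} {uri}: {message} [{rule}]")
    print("summary:", summarize(text))
    sys.exit(1 if should_fail(text) else 0)
```

Run the validator with --sarif report.sarif together with --no-exit-error so that the report is always written and the job does not stop before this step; the gating script then fails the job on error-level results while warnings only appear in the log.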

Setup policies

Policies can be a Helm chart, a kustomize directory, or plain Kubernetes YAML files.

Example of policies kustomize directory

└── policies
    ├── kustomization.yaml
    ├── minimum-replica-count.yaml
    ├── privileged-mode.yaml
    └── privilege-escalation.yaml

# kustomization.yaml
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
resources:
- minimum-replica-count.yaml
- privilege-escalation.yaml
- privileged-mode.yaml
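A kustomize build only includes the files listed under resources, so a policy file that is copied into the directory but never added to kustomization.yaml is silently left out of the checks. The script below is an added example for this page, not part of Weave GitOps or weave-iac-validator: it compares the YAML files in a policies directory with the resources list and reports both unlisted files and listed files that do not exist. It understands only the flat resources list shown above (it is not a general YAML parser), and the demo builds a constructed directory in a temporary folder using two made-up policy file names, host-network.yaml and run-as-root.yaml.

```python
"""Check that every policy file in a policies directory is listed in
kustomization.yaml, and that every listed resource exists.

Added example for this page; not part of weave-iac-validator. Only the flat
`resources:` list form shown on the page is parsed.
"""
import tempfile
from pathlib import Path


def parse_kustomization_resources(text: str) -> list:
    """Return the entries of the top-level `resources:` list of a kustomization.yaml."""
    resources = []
    in_resources = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing spaces
        if not line.strip():
            continue
        if not line.startswith((" ", "\t", "-")):
            # Any other top-level key ends the resources block.
            in_resources = line == "resources:"
            continue
        if in_resources and line.lstrip().startswith("- "):
            resources.append(line.lstrip()[2:].strip().strip("\"'"))
    return resources


def check_policy_dir(policies_dir: Path) -> dict:
    """Compare *.yaml files on disk with the kustomization resources list.

    Returns {"unlisted": files on disk the build will skip,
             "missing":  listed resources that do not exist on disk}.
    """
    kustomization = policies_dir / "kustomization.yaml"
    listed = set(parse_kustomization_resources(kustomization.read_text()))
    on_disk = {p.name for p in policies_dir.glob("*.yaml")} - {"kustomization.yaml"}
    return {
        "unlisted": sorted(on_disk - listed),
        "missing": sorted(listed - on_disk),
    }


def demo() -> dict:
    """Build a constructed policies directory and run the check on it.

    The layout mirrors the page's example, plus one file that is not listed
    (host-network.yaml, a constructed name) and one listed file that does not
    exist (run-as-root.yaml, also constructed).
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "policies"
        d.mkdir()
        (d / "kustomization.yaml").write_text(
            "kind: Kustomization\n"
            "apiVersion: kustomize.config.k8s.io/v1beta1\n"
            "resources:\n"
            "- minimum-replica-count.yaml\n"
            "- privilege-escalation.yaml\n"
            "- privileged-mode.yaml\n"
            "- run-as-root.yaml\n"
        )
        for name in ("minimum-replica-count.yaml", "privilege-escalation.yaml",
                     "privileged-mode.yaml", "host-network.yaml"):
            (d / name).write_text("# constructed placeholder policy\n")
        return check_policy_dir(d)


if __name__ == "__main__":
    result = demo()
    for name in result["unlisted"]:
        print(f"WARNING: {name} exists but is not in kustomization.yaml; it will not be enforced")
    for name in result["missing"]:
        print(f"ERROR: {name} is listed in kustomization.yaml but does not exist")
```

Running check_policy_dir against the real policies directory as a pre-commit hook or an early CI step catches the case where a new policy is reviewed and merged but never actually enforced by the validator.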

Auto-Remediation

Weave validator supports auto-remediation, which opens a pull request containing suggested fixes for the reported violations.

Supported in:

  • Helm
  • Kustomize
  • Plain kubernetes files

To enable it, provide the --remediate flag together with --git-repo-token.

The token must have permission to create pull requests.


UseCase: Github

See how to set up the Github Action


UseCase: Gitlab

weave:
  image:
    name: weaveworks/weave-iac-validator:v1.1
  script:
    - weave-validator --path <path to resources> --policies-path <path to policies>

Enable Auto Remediation

  script:
    - weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $GITLAB_TOKEN --remediate

Enable Static Application Security Testing

stages:
  - weave
  - sast

weave:
  stage: weave
  image:
    name: weaveworks/weave-iac-validator:v1.1
  script:
    - weave-validator --path <path to resources> --policies-path <path to policies> --sast sast.json
  artifacts:
    when: on_failure
    paths:
      - sast.json

upload_sast:
  stage: sast
  when: always
  script:
    - echo "creating sast report"
  artifacts:
    reports:
      sast: sast.json

UseCase: Bitbucket

pipelines:
  default:
    - step:
        name: 'Weaveworks'
        image: weaveworks/weave-iac-validator:v1.1
        script:
          - weave-validator --path <path to resources> --policies-path <path to policies>

Enable Auto Remediation

        script:
          - weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $TOKEN --remediate

Create Pipeline Report

        script:
          - weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $TOKEN --generate-git-report

UseCase: CircleCI

jobs:
  weave:
    docker:
      - image: weaveworks/weave-iac-validator:v1.1
    steps:
      - checkout
      - run:
          command: weave-validator --path <path to resources> --policies-path <path to policies>

Enable Auto Remediation

      - run:
          command: weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token ${GITHUB_TOKEN} --remediate

UseCase: Azure DevOps

trigger:
  - <list of branches to trigger the pipeline on>

pool:
  vmImage: ubuntu-latest

container:
  image: weaveworks/weave-iac-validator:v1.1-azure

steps:
  - script: weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $(TOKEN)

Enable Auto Remediation

steps:
  - script: weave-validator --path <path to resources> --policies-path <path to policies> --git-repo-token $(TOKEN) --remediate