Cloud Native Security Tool Cheat Sheet v1.0.0
Cloud Security and DevOps
By Jon Zeolla
sans.org/cloud-security

Git

# Git Documentation
# Git global setup
git config --global user.name "John Doe"
git config --global user.email "[email protected]"

# Clone and Edit a repository
git clone [email protected]:repository/project.git
cd project
touch README.md
git add README.md
git commit -m "docs: add README"
git push -u origin main

Cloud Security Scanning

# Prowler is a multi-cloud audit tool
# Install and run the tool, which will use the cloud APIs to gather information
# Ensure you're logged into the correct cloud provider prior to running prowler
pip3 install prowler
prowler --help

# Review options for the aws, azure, and gcp providers
prowler aws --help
prowler azure --help
prowler gcp --help

# Convert existing folder to repo and push
cd existing_folder
git init
git remote add origin [email protected]:repository/project.git
git add -A
git commit -m "Initial commit"
git push -u origin main

Docker

# Docker Documentation
docker pull <image>:<tag>
docker image ls
docker image rm <imageid>
docker container ls -a

# Run Containers in Detached Mode
docker run -d -p 443:443 nginx

# List all nginx containers
docker ps --filter ancestor=nginx

# Stop and delete the running container
latest_container_id=$(docker ps -n 1 --format "{{.ID}}")
docker kill "${latest_container_id}"
docker rm "${latest_container_id}"

# Mount the current directory on your host into the /host directory inside a container
docker run -v "$(pwd):/host" -it ubuntu:22.04

# Setup the local system for multi-platform image builds
docker buildx inspect multiplatform || docker buildx create --name multiplatform --driver docker-container --use

Docker (continued)

# Create a minimal Dockerfile and build it into an OCI-compliant artifact
cat >> Dockerfile << EOF
FROM nginx
EOF
docker buildx build -o type=oci,dest=nginx.tar .

# Build and push a multiplatform image
docker login --username ace135 # Example User
docker buildx build \
  --platform=linux/amd64,linux/arm64 --push \
  --build-arg KEY=VALUE --tag ace135/demo .

# Build and push an image with an accompanying SLSA attestation
docker buildx build --push --attest type=provenance,mode=max -t ace135/demo:slsa .

# Extract the Dockerfile used to create the specified image (mode=max provenance
# embeds the build sources base64-encoded under the BuildKit metadata key)
docker buildx imagetools inspect jonzeolla/docker-provenance:latest --format '{{ range (index .Provenance.SLSA.metadata "https://mobyproject.org/buildkit@v1#metadata").source.infos }}{{ if eq .filename "Dockerfile" }}{{ .data }}{{ end }}{{ end }}' | base64 -d

Pre-Commit

# Install Pre-Commit to manage git hooks that can run before or after git commands
pip3 install pre-commit

# Prevent storing AWS credentials in git
cd repository
cat >> .pre-commit-config.yaml << EOF
---
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: detect-aws-credentials
EOF
pre-commit install

# Update hook to the latest release
pre-commit autoupdate
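To show what a credential-blocking pre-commit hook actually does, here is an added example (not from the SANS cheat sheet and not the pre-commit-hooks project's own code): a POSIX shell script that refuses a commit when a file contains an AWS access key ID. It is a simplification: the real detect-aws-credentials hook compares file contents against the secrets it reads from ~/.aws/credentials, whereas the pattern-based match below is an assumption chosen so the script runs with no AWS configuration at all. The function names, the DENYLIST-free pattern constant and the two sample files are constructed for this example; the key ID in the sample is the documentation example key published by AWS, not a live credential.

```shell
#!/bin/sh
# Added example, not part of the SANS cheat sheet: a pre-commit-style check
# that blocks a commit when a file contains an AWS access key ID.
# Assumption for this example: detection is pattern-based. The real
# pre-commit-hooks "detect-aws-credentials" hook instead compares file
# contents against the secrets found in ~/.aws/credentials.

# Long-term access key IDs start with AKIA and temporary (STS) ones with
# ASIA, followed by 16 upper-case alphanumerics. grep -w requires the match to
# be a whole word, so a longer random token is not reported as a key.
AWS_KEY_ID_PATTERN='(AKIA|ASIA)[0-9A-Z]{16}'

# scan_for_aws_keys FILE...
# Returns 1 (block the commit) if any file contains a key ID, 0 otherwise.
# Each finding is reported on stderr as FILE:LINE:KEY.
scan_for_aws_keys() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        matches=$(grep -n -o -w -E "$AWS_KEY_ID_PATTERN" "$f") || continue
        found=1
        printf '%s\n' "$matches" | while IFS= read -r m; do
            printf 'AWS access key ID found in %s:%s\n' "$f" "$m" >&2
        done
    done
    return "$found"
}

# Hook entry point (call this from .git/hooks/pre-commit): scan only the files
# staged for this commit. Assumes staged paths contain no whitespace; use
# "git diff ... -z | xargs -0" otherwise.
scan_staged_files() {
    # shellcheck disable=SC2046
    scan_for_aws_keys $(git diff --cached --name-only --diff-filter=ACM)
}

# Demo on constructed files in a temporary directory (removed on exit).
# The key ID below is the documentation example key published by AWS.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/settings.py" << 'EOF'
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_DEFAULT_REGION = "us-east-1"
EOF
cat > "$demo_dir/README.md" << 'EOF'
Credentials come from the instance role at runtime; none are stored here.
EOF

if scan_for_aws_keys "$demo_dir/settings.py" "$demo_dir/README.md"; then
    echo "clean: commit would be allowed"
else
    echo "blocked: move the credential to Parameter Store or an IAM role"
fi
```

Installed as a hook, a non-zero return from scan_staged_files aborts the commit before the key reaches history, which is far cheaper than rotating the key and rewriting history after a push. Keep the pre-commit-hooks entry from the cheat sheet as well: it catches secrets you already have locally even when they do not look like an access key ID.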
Infrastructure as Code Scans

# Checkov is a misconfiguration scanner. It can scan Terraform, Kubernetes, Dockerfiles, and other file types.
pip3 install checkov
checkov -f example/file.tf

# Recursively scan a directory
checkov --directory .

# Find security misconfigurations in Helm Charts
checkov --framework helm --directory .

# Use easy_infra to run IaC tools in a secure-by-default docker image
# Turn off security scans to ensure it functionally works in your environment
docker run -e DISABLE_SECURITY=true -v .:/iac seiso/easy_infra:latest-terraform terraform validate

# Run security scans but suppress failures
docker run -e LEARNING_MODE=true -v .:/iac seiso/easy_infra:latest-terraform terraform validate

# Fail on detected security issues (the default; no environment variable needed)
docker run -v .:/iac seiso/easy_infra:latest-terraform terraform validate

# Detect directories with terraform files, and run security scans and then terraform validate in each directory
docker run -e AUTODETECT=true -v .:/iac seiso/easy_infra:latest-terraform terraform validate

# See the logs from latest docker run
docker cp $(docker ps -n 1 --format "{{.ID}}"):/var/log/easy_infra.log .
cat easy_infra.log

AWS Systems Manager Parameter Store

# Store a secret as a SecureString parameter (encrypted at rest with KMS)
aws ssm put-parameter --name MyParameter --value "secret value" --type SecureString

# Read it back; without --with-decryption a SecureString is returned as ciphertext
aws ssm get-parameter --name MyParameter --with-decryption

Azure Key Vault

# Create a Resource Group
az group create --name MyResourceGroup --location EastUS

# Create a new key vault (this creates the vault itself, not a key inside it)
az keyvault create --name MyKeyVault --resource-group MyResourceGroup --location EastUS

# Show details of a key vault
az keyvault show --name MyKeyVault

# List Azure Key Vaults
az keyvault list --resource-group MyResourceGroup

# Delete a Key Vault
az keyvault delete --name MyKeyVault --resource-group MyResourceGroup

Policy as Code

# Conftest uses a language called Rego to scan configuration files such as Terraform, Dockerfiles, Kubernetes manifests, and any other structured data
# See numerous examples here

# Write a policy that disallows the use of nginx
mkdir policy && cat > policy/policy.rego << EOF
package main

denylist := ["nginx"]

deny[msg] {
  some i
  input[i].Cmd == "from"
  val := input[i].Value
  # Check every value of the FROM instruction (val[_]) rather than val[i]:
  # in a multi-stage build the FROM is not necessarily instruction 0, and
  # indexing Value with the instruction index would skip later stages.
  contains(val[_], denylist[_])
  msg = sprintf("unallowed image found %s", [val])
}
EOF

# Create and scan a disallowed Dockerfile (conftest exits non-zero)
cat > Dockerfile << EOF
FROM nginx:latest
EOF

docker run --rm -v $(pwd):/project openpolicyagent/conftest test Dockerfile

# Create and scan an allowed Dockerfile (conftest exits zero)
cat > Dockerfile << EOF
FROM httpd
EOF

docker run --rm -v $(pwd):/project openpolicyagent/conftest test Dockerfile
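The Rego policy above is small enough that it is worth seeing the same base-image denylist worked out end to end. The following is an added example, not from the SANS cheat sheet or the Conftest project: the check implemented directly in POSIX shell, so the expected pass/fail results can be confirmed without OPA or Conftest, and extended to the cases a Dockerfile policy has to get right in practice: multi-stage builds (a FROM after other instructions), FROM lines carrying --platform=... or AS <stage>, and references that include a registry path, tag or digest. The DENYLIST value, both function names and the two sample Dockerfiles are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the SANS cheat sheet or the Conftest project: the
# Rego base-image denylist re-implemented in shell, handling multi-stage
# builds, --platform/AS syntax and registry/tag/digest normalisation.
# DENYLIST and the sample Dockerfiles below are constructed for the demo.

DENYLIST="nginx"   # space-separated image names that must not be used

# dockerfile_base_images DOCKERFILE
# Print the image reference from every FROM line, one per line.
dockerfile_base_images() {
    awk '
        toupper($1) == "FROM" {
            # The first word after FROM that is not an option flag
            # (e.g. --platform=linux/amd64) is the image reference;
            # anything after it (AS <stage>) is ignored.
            for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break }
        }
    ' "$1"
}

# check_dockerfile_base_images DOCKERFILE
# Returns 1 and reports each offending image on stderr if any FROM line uses
# a denylisted image, 0 otherwise. Unlike the Rego contains() check, the
# comparison is on the normalised image name, so "mynginx" is not a hit.
check_dockerfile_base_images() {
    rc=0
    for img in $(dockerfile_base_images "$1"); do
        # docker.io/library/nginx:1.25 -> nginx ; nginx@sha256:... -> nginx
        name=${img##*/}
        name=${name%%:*}
        name=${name%%@*}
        for denied in $DENYLIST; do
            if [ "$name" = "$denied" ]; then
                printf 'unallowed image found %s\n' "$img" >&2
                rc=1
            fi
        done
    done
    return "$rc"
}

# Demo on constructed Dockerfiles in a temporary directory (removed on exit).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Multi-stage build: the disallowed image only appears in the second stage,
# behind a --platform flag and a full registry path.
cat > "$demo_dir/Dockerfile.denied" << 'EOF'
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN go build -o /app ./...

FROM --platform=linux/amd64 docker.io/library/nginx:1.25
COPY --from=build /app /usr/share/nginx/html/app
EOF

cat > "$demo_dir/Dockerfile.allowed" << 'EOF'
FROM httpd
EOF

for f in "$demo_dir/Dockerfile.denied" "$demo_dir/Dockerfile.allowed"; do
    if check_dockerfile_base_images "$f"; then
        echo "PASS $f"
    else
        echo "FAIL $f"
    fi
done
```

Use this to sanity-check a Rego rule before wiring conftest into CI: if a Dockerfile fails here but passes conftest, the policy is indexing or matching more narrowly than intended. In CI, stick with conftest itself, since the same policy directory can then also cover Kubernetes manifests and Terraform plans.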
