valhalla94/pipeline-fortress
GitHub: valhalla94/pipeline-fortress
Integrates security gates into Azure DevOps pipelines: automatically scans Terraform configurations, validates Kubernetes RBAC permissions, and checks build agents against a security baseline.
Stars: 0 | Forks: 0
# pipeline-fortress
A PowerShell tool for enforcing cloud security policies and compliance gates in Azure-hosted Kubernetes CI/CD pipelines provisioned with Terraform.
## Overview
`pipeline-fortress` provides automated security scanning and policy enforcement at every stage of a CI/CD pipeline. It integrates with Azure DevOps, Kubernetes and Terraform to ensure that infrastructure code, container workloads and build agents meet the organization's security baseline before any deployment proceeds.
### Core features
- **Terraform plan scanning**: detects Azure resource misconfigurations and exposed secrets before the pipeline applies anything
- **Kubernetes RBAC validation**: blocks deployments when service account permissions exceed the least-privilege threshold
- **Windows build agent hardening**: verifies that the OS security baseline is met before pipeline jobs are allowed to run on the agent
## Requirements
- Python 3.10+
- PowerShell 7.2+ (for the agent hardening checks)
- Azure CLI (`az`) authenticated against the subscription
- `kubectl` configured with cluster access
- Terraform 1.3+
### Python dependencies
Install via pip:
```
pip install pipeline-fortress
```
Or, for local development:
```
git clone https://github.com/your-org/pipeline-fortress.git
cd pipeline-fortress
pip install -e .[dev]
```
## Quick start
### 1. Terraform plan scanning
Run a Terraform plan and hand its JSON rendering to `pipeline-fortress` for misconfiguration and secret detection:
```
# Generate the Terraform plan output
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
# Scan the plan
python -m pipeline_fortress scan terraform --plan tfplan.json
```
Example output:
```
[pipeline-fortress] Terraform Plan Scanner
==========================================
Scanning: tfplan.json
[FAIL] Exposed secret detected in resource azurerm_key_vault_secret.db_password
       Field: value — matches pattern: password\s*=\s*['\"][^'\"]{8,}
[WARN] Storage account 'mystorageacct' has public blob access enabled
       Resource: azurerm_storage_account.app_storage
       Recommendation: Set allow_blob_public_access = false
[PASS] No overly permissive NSG rules detected
[PASS] All Key Vault resources have soft_delete_enabled = true
Scan complete. 1 failure(s), 1 warning(s).
Pipeline gate: BLOCKED
```
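The checks that the scanner output above reports (secret patterns over plan attributes, public blob access on a storage account, Key Vault soft delete) together with the gate decision, written out as a stand-alone example. This is added illustration, not pipeline-fortress's own code: it assumes the `terraform show -json` layout (`planned_values.root_module.resources`) and that secret patterns are matched against each scalar attribute rendered as `key = "value"`; the plan embedded below is constructed.

```python
import json
import re
from dataclasses import dataclass
from enum import Enum


class Severity(Enum):
    PASS = "PASS"
    WARN = "WARN"
    FAIL = "FAIL"


@dataclass
class Finding:
    severity: Severity
    message: str
    resource: str
    remediation: str = ""


# Constructed sample in `terraform show -json` layout: a VM with an inline
# admin password, a storage account with public blob access, and a compliant
# Key Vault. Sensitive values appear in plaintext in plan JSON, which is why
# tfplan.json must not be published as a build artifact.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "azurerm_linux_virtual_machine.web",
     "type": "azurerm_linux_virtual_machine",
     "values": {"name": "vm-web", "admin_username": "azureuser",
                "admin_password": "Sup3rSecretPassw0rd!"}},
    {"address": "azurerm_storage_account.app_storage",
     "type": "azurerm_storage_account",
     "values": {"name": "mystorageacct", "allow_blob_public_access": True}},
    {"address": "azurerm_key_vault.main", "type": "azurerm_key_vault",
     "values": {"name": "kv-main", "soft_delete_enabled": True}},
]}}})

# Same default patterns as the fortress.yaml example; applied to rendered
# `key = "value"` lines (an assumption about how the real scanner matches).
DEFAULT_SECRET_PATTERNS = [
    r"password\s*=\s*['\"][^'\"]{8,}",
    r"api_key\s*=\s*['\"][^'\"]{16,}",
]


def render_attributes(values: dict) -> list[tuple[str, str]]:
    """Flatten scalar attributes into (field, 'field = "value"') pairs."""
    return [(k, f'{k} = "{v}"') for k, v in values.items()
            if not isinstance(v, (dict, list))]


def scan_plan(plan_json: str, secret_patterns=DEFAULT_SECRET_PATTERNS) -> list[Finding]:
    plan = json.loads(plan_json)
    resources = plan["planned_values"]["root_module"].get("resources", [])
    patterns = [re.compile(p) for p in secret_patterns]
    findings: list[Finding] = []
    for res in resources:
        addr, rtype, values = res["address"], res["type"], res.get("values") or {}
        # Secret detection: any attribute whose rendering matches a pattern.
        for field_name, line in render_attributes(values):
            for pat in patterns:
                if pat.search(line):
                    findings.append(Finding(
                        Severity.FAIL,
                        f"Exposed secret detected in field '{field_name}' (pattern: {pat.pattern})",
                        addr, "Reference the value from Key Vault instead of inlining it"))
                    break  # one finding per field is enough
        # Azure-specific misconfiguration checks.
        if rtype == "azurerm_storage_account" and values.get("allow_blob_public_access"):
            findings.append(Finding(
                Severity.WARN,
                f"Storage account '{values.get('name')}' has public blob access enabled",
                addr, "Set allow_blob_public_access = false"))
        if rtype == "azurerm_key_vault" and not values.get("soft_delete_enabled"):
            findings.append(Finding(
                Severity.FAIL, "Key Vault does not have soft_delete_enabled = true",
                addr, "Set soft_delete_enabled = true"))
    return findings


def gate(findings: list[Finding], fail_on_warnings: bool = False) -> str:
    """BLOCKED if any FAIL (or any WARN when fail_on_warnings is set), else OPEN."""
    blocking = {Severity.FAIL} | ({Severity.WARN} if fail_on_warnings else set())
    return "BLOCKED" if any(f.severity in blocking for f in findings) else "OPEN"


if __name__ == "__main__":
    results = scan_plan(SAMPLE_PLAN)
    for f in results:
        print(f"[{f.severity.value}] {f.message}\n       Resource: {f.resource}"
              f"\n       Remediation: {f.remediation}")
    print("Pipeline gate:", gate(results))
```

The `break` after the first matching pattern keeps one finding per field; the `fail_on_warnings` switch is the same knob that `fortress.yaml` and `FORTRESS_FAIL_ON_WARNINGS` expose, so the public-blob warning alone blocks the gate only when it is set.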
### 2. Kubernetes RBAC validation
Validate that no service account in the namespace exceeds the defined permission threshold:
```
python -m pipeline_fortress scan rbac \
  --namespace production \
  --policy policies/rbac-policy.yaml
```
Example `rbac-policy.yaml`:
```
max_permissions:
  cluster_admin: false
  allowed_verbs:
    - get
    - list
    - watch
  denied_resources:
    - secrets
    - nodes
blocked_service_accounts:
  - default
```
Example output:
```
[pipeline-fortress] Kubernetes RBAC Validator
=============================================
Namespace: production
[FAIL] ServiceAccount 'app-deployer' has ClusterAdmin binding
       Binding: app-deployer-crb
       Action: Deployment blocked
[PASS] ServiceAccount 'metrics-reader' — permissions within threshold
[PASS] ServiceAccount 'log-shipper' — permissions within threshold
Scan complete. 1 failure(s), 0 warning(s).
Pipeline gate: BLOCKED
```
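How a validator applies the `rbac-policy.yaml` above to the bindings in a namespace, as an added stand-alone example rather than pipeline-fortress's own code. It assumes the policy keys shown above, and that role rules and bindings have been fetched with `kubectl get ... -o json` and cached by `(kind, name)`; the roles and bindings embedded below are constructed to reproduce the `app-deployer` / `metrics-reader` / `log-shipper` cases in the output, plus a bound `default` account.

```python
# Constructed policy mirroring the rbac-policy.yaml example above.
POLICY = {
    "max_permissions": {
        "cluster_admin": False,
        "allowed_verbs": ["get", "list", "watch"],
        "denied_resources": ["secrets", "nodes"],
    },
    "blocked_service_accounts": ["default"],
}

# Constructed role rules, keyed the way a validator would cache
# `kubectl get roles,clusterroles -o json`: (kind, "namespace/name" or "name").
ROLES = {
    ("Role", "production/pod-reader"): [
        {"verbs": ["get", "list", "watch"], "resources": ["pods", "pods/log"]}],
    ("Role", "production/secret-reader"): [
        {"verbs": ["get"], "resources": ["secrets"]}],
    ("ClusterRole", "cluster-admin"): [
        {"verbs": ["*"], "resources": ["*"]}],
}

# Constructed bindings shaped like `kubectl get rolebindings,clusterrolebindings -o json` items.
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "app-deployer-crb"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "app-deployer", "namespace": "production"}]},
    {"kind": "RoleBinding", "metadata": {"name": "metrics-reader-rb", "namespace": "production"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "metrics-reader", "namespace": "production"}]},
    {"kind": "RoleBinding", "metadata": {"name": "log-shipper-rb", "namespace": "production"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "log-shipper", "namespace": "production"}]},
    {"kind": "RoleBinding", "metadata": {"name": "default-secrets-rb", "namespace": "production"},
     "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "production"}]},
]


def _rules_for(binding: dict, roles: dict) -> list[dict]:
    """Resolve a binding's roleRef to its rules (a Role is namespaced, a ClusterRole is not)."""
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        key = ("ClusterRole", ref["name"])
    else:
        key = ("Role", f'{binding["metadata"]["namespace"]}/{ref["name"]}')
    return roles.get(key, [])


def validate_rbac(bindings: list[dict], roles: dict, policy: dict,
                  namespace: str) -> dict[str, list[str]]:
    """Map each bound ServiceAccount in `namespace` to its policy violations ([] means PASS).

    Service accounts with no bindings at all never appear in the report."""
    limits = policy["max_permissions"]
    allowed = set(limits["allowed_verbs"])
    denied = set(limits["denied_resources"])
    blocked = set(policy.get("blocked_service_accounts", []))
    report: dict[str, list[str]] = {}
    for b in bindings:
        bname, ref = b["metadata"]["name"], b["roleRef"]
        for subj in b.get("subjects", []):
            if subj.get("kind") != "ServiceAccount" or subj.get("namespace") != namespace:
                continue
            issues = report.setdefault(subj["name"], [])
            if subj["name"] in blocked:
                issues.append(f"listed in blocked_service_accounts but bound via {bname}")
            if (ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin"
                    and not limits["cluster_admin"]):
                issues.append(f"ClusterAdmin binding: {bname}")
            for rule in _rules_for(b, roles):
                verbs = set(rule.get("verbs", []))
                resources = set(rule.get("resources", []))
                if verbs - allowed:  # a "*" verb is never in the allowed set
                    issues.append(f"verbs {sorted(verbs - allowed)} exceed allowed "
                                  f"{sorted(allowed)} via {bname}")
                if "*" in resources or resources & denied:
                    issues.append(f"access to denied resources "
                                  f"{sorted(resources & denied) or ['*']} via {bname}")
    return report


def rbac_gate(report: dict[str, list[str]]) -> str:
    return "BLOCKED" if any(report.values()) else "OPEN"


if __name__ == "__main__":
    report = validate_rbac(BINDINGS, ROLES, POLICY, "production")
    for sa, issues in report.items():
        status = "FAIL" if issues else "PASS"
        print(f"[{status}] ServiceAccount '{sa}'" + "".join(f"\n       {i}" for i in issues))
    print("Pipeline gate:", rbac_gate(report))
```

Wildcards are handled explicitly: a `*` verb is reported as exceeding the allowed set, and a `*` resource is reported even though it intersects no entry of `denied_resources` literally. Subjects of kind `User` or `Group` are skipped, since the policy only governs service accounts.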
### 3. Windows build agent hardening
Before a pipeline job is allowed to run, verify that the Windows Server build agent meets the security baseline:
```
python -m pipeline_fortress scan agent \
  --host build-agent-01.internal \
  --baseline baselines/windows-cis-level1.yaml
```
Example output:
```
[pipeline-fortress] Build Agent Hardening Checker
=================================================
Host: build-agent-01.internal
Baseline: CIS Windows Server 2022 Level 1
[PASS] Windows Defender real-time protection: enabled
[PASS] SMBv1 protocol: disabled
[FAIL] Windows Firewall (Public profile): disabled
       Expected: enabled
       Remediation: Set-NetFirewallProfile -Profile Public -Enabled True
[WARN] Automatic Windows Updates: not configured
       Recommendation: Enable via Group Policy or DSC
Scan complete. 1 failure(s), 1 warning(s).
Pipeline gate: BLOCKED
```
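How the baseline comparison behind the output above can be evaluated and turned into a pipeline gate, as an added stand-alone example (not pipeline-fortress's code). It assumes a baseline layout in which each check carries an expected value, a `required` flag deciding FAIL versus WARN, and a remediation string; the observed state is a constructed dict standing in for what a PowerShell collector (e.g. `Get-MpPreference`, `Get-SmbServerConfiguration`, `Get-NetFirewallProfile`) would return. The exit code is what Azure DevOps uses to mark the script step failed.

```python
import sys
from dataclasses import dataclass

# Constructed baseline in the shape assumed for baselines/windows-cis-level1.yaml.
BASELINE = {
    "name": "CIS Windows Server 2022 Level 1",
    "checks": {
        "defender_realtime": {"expected": "enabled", "required": True,
                              "remediation": "Set-MpPreference -DisableRealtimeMonitoring $false"},
        "smbv1": {"expected": "disabled", "required": True,
                  "remediation": "Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
        "firewall_public": {"expected": "enabled", "required": True,
                            "remediation": "Set-NetFirewallProfile -Profile Public -Enabled True"},
        "automatic_updates": {"expected": "configured", "required": False,
                              "remediation": "Enable via Group Policy or DSC"},
    },
}

# Constructed observed state, as reported by a collector running on the agent.
OBSERVED = {
    "defender_realtime": "enabled",
    "smbv1": "disabled",
    "firewall_public": "disabled",
    "automatic_updates": "not configured",
}


@dataclass
class CheckResult:
    check: str
    severity: str  # PASS | WARN | FAIL
    message: str
    remediation: str = ""


def evaluate_baseline(baseline: dict, observed: dict) -> list[CheckResult]:
    """Compare every baseline check against the observed value.

    Required checks that differ are FAIL, recommended ones are WARN, and a
    setting the collector could not read is FAIL: unknown is never compliant."""
    results: list[CheckResult] = []
    for check_id, spec in baseline["checks"].items():
        actual, expected = observed.get(check_id), spec["expected"]
        if actual is None:
            results.append(CheckResult(check_id, "FAIL",
                                       f"{check_id}: not reported by collector",
                                       spec.get("remediation", "")))
        elif actual == expected:
            results.append(CheckResult(check_id, "PASS", f"{check_id}: {actual}"))
        else:
            sev = "FAIL" if spec.get("required", True) else "WARN"
            results.append(CheckResult(check_id, sev,
                                       f"{check_id}: {actual} (expected: {expected})",
                                       spec.get("remediation", "")))
    return results


def gate_exit_code(results: list[CheckResult], fail_on_warnings: bool = False) -> int:
    """0 lets the pipeline continue; 1 fails the script step in Azure DevOps."""
    blocking = {"FAIL", "WARN"} if fail_on_warnings else {"FAIL"}
    return 1 if any(r.severity in blocking for r in results) else 0


if __name__ == "__main__":
    results = evaluate_baseline(BASELINE, OBSERVED)
    print(f"Baseline: {BASELINE['name']}")
    for r in results:
        line = f"[{r.severity}] {r.message}"
        if r.severity != "PASS" and r.remediation:
            line += f"\n       Remediation: {r.remediation}"
        print(line)
    code = gate_exit_code(results)
    print("Pipeline gate:", "BLOCKED" if code else "OPEN")
    sys.exit(code)
```

Because the decision is carried in the process exit status, the `scan agent` step in `azure-pipelines.yml` needs no extra `condition` to stop the job: a non-zero exit already fails the step and everything that depends on it.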
## Configuration
`pipeline-fortress` is configured via a `fortress.yaml` file in the project root or via environment variables.
### `fortress.yaml`
```
general:
  fail_on_warnings: false
  output_format: text  # text | json | junit
  log_level: info
terraform:
  enabled: true
  secret_patterns:
    - password\s*=\s*['"][^'"]{8,}
    - api_key\s*=\s*['"][^'"]{16,}
  blocked_resources:
    - azurerm_storage_account with allow_blob_public_access = true
rbac:
  enabled: true
  namespaces:
    - production
    - staging
  policy_file: policies/rbac-policy.yaml
agent:
  enabled: true
  baseline_file: baselines/windows-cis-level1.yaml
  powershell_path: /usr/bin/pwsh
```
### Environment variables
| Variable | Description | Default |
|---|---|---|
| `FORTRESS_FAIL_ON_WARNINGS` | Treat warnings as failures | `false` |
| `FORTRESS_OUTPUT_FORMAT` | Output format (`text`, `json`, `junit`) | `text` |
| `FORTRESS_LOG_LEVEL` | Log verbosity | `info` |
| `FORTRESS_CONFIG` | Path to `fortress.yaml` | `./fortress.yaml` |
| `AZURE_SUBSCRIPTION_ID` | Azure subscription used for resource queries | *(required)* |
| `KUBECONFIG` | Path to the kubeconfig file | `~/.kube/config` |
## Azure DevOps integration
Add `pipeline-fortress` as pipeline steps in your `azure-pipelines.yml`:
```
steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: '3.11'
  - script: pip install pipeline-fortress
    displayName: 'Install pipeline-fortress'
  - script: |
      terraform init
      terraform plan -out=tfplan.binary
      terraform show -json tfplan.binary > tfplan.json
    displayName: 'Generate Terraform Plan'
  - script: python -m pipeline_fortress scan terraform --plan tfplan.json
    displayName: 'Terraform Security Scan'
    env:
      AZURE_SUBSCRIPTION_ID: $(AZURE_SUBSCRIPTION_ID)
  - script: |
      python -m pipeline_fortress scan rbac \
        --namespace $(DEPLOY_NAMESPACE) \
        --policy policies/rbac-policy.yaml
    displayName: 'RBAC Compliance Check'
    env:
      KUBECONFIG: $(KUBECONFIG_PATH)
  - script: |
      python -m pipeline_fortress scan agent \
        --host $(Agent.MachineName) \
        --baseline baselines/windows-cis-level1.yaml
    displayName: 'Agent Hardening Check'
    condition: eq(variables['Agent.OS'], 'Windows_NT')
```
## Scanner API reference
All scanners inherit from `pipeline_fortress.scanners.base.BaseScanner` and implement a common interface.
### `BaseScanner`
```
from pipeline_fortress.scanners.base import BaseScanner, ScanResult, Severity


class MyCustomScanner(BaseScanner):
    name = "my-scanner"

    def scan(self, target: str) -> list[ScanResult]:
        # Return a list of ScanResult objects
        ...
```
#### `ScanResult`
| Field | Type | Description |
|---|---|---|
| `severity` | `Severity` | `PASS`, `WARN`, or `FAIL` |
| `message` | `str` | Human-readable description of the finding |
| `resource` | `str` | The resource or component that was evaluated |
| `remediation` | `str` | Optional remediation guidance |
#### `Severity` enum
```
from pipeline_fortress.scanners.base import Severity
Severity.PASS # Check passed
Severity.WARN # Non-blocking warning
Severity.FAIL # Blocking failure
```
### `TerraformScanner`
```
from pipeline_fortress.scanners.terraform_scanner import TerraformScanner

scanner = TerraformScanner(config={
    "secret_patterns": [r"password\s*=\s*['\"][^'\"]{8,}"]
})
results = scanner.scan("path/to/tfplan.json")
```
## Contributing
1. Fork the repository
2. Create a feature branch: `git checkout -b feat/my-new-scanner`
3. Write tests for your changes
4. Run the test suite: `pytest tests/ -v`
5. Open a Pull Request
Please follow the [Conventional Commits](https://www.conventionalcommits.org/) specification for commit messages.
## License
MIT License. See [LICENSE](LICENSE) for details.