Hi Yujun, I would need Fatih to comment as I am not that up to speed on CI. The following is an albeit incomplete example of how we will wire this in:
https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml Regards, Luke On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang <[email protected]> wrote: > Luke, > > I remember that Fatih once mentioned that there are no gates in OPNFV CI > yet. So you are talking about some additional verification jobs enforced on > each commit. Or it is something like the current daily/weekly job. > > Could you help to clarify it? > > On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds <[email protected]> wrote: > >> Hi, >> >> Myself and Ash with help from Fatih are currently prototyping some new >> gates we plan to phase in overtime. >> >> The idea is that each commit made to an OPNFV repo will perform some >> checks. >> >> 1. Search for any strings containing passwords, ssh / tls certs and other >> stuff we don't want sitting around in repos to then be scooped up for a >> release. >> >> 2. Search out any binaries. We need to be very strict over what compiled >> binaries are packaged in release (if any at all), as a binary could be >> compromised (without the knowledge of the project itself). >> >> 3. Security lint checks. Code will be searched for patterns such as shell >> executions, xss flaws etc and reports linked within the gate. >> >> The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide >> for projects, with the support of the security group, if needed. >> >> For both 1,2 we will maintain a waiver / exception list. This means that >> if no threat is shown to be present, an ignore entry can be made for a >> single project. The gate will then allow the said string, file etc to pass >> with no vote. >> >> Initially we are working with a sandbox project, so expect no >> interruptions at all. From there we will start to bring projects over, so >> they will be aware ahead of any changes implemented that will affect them. >> >> Cheers, >> >> Luke >> _______________________________________________ >> opnfv-security mailing list >> [email protected] >> https://lists.opnfv.org/mailman/listinfo/opnfv-security >> > -- Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat e: [email protected] | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44 12 52 36 2483
_______________________________________________ opnfv-tech-discuss mailing list [email protected] https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
