Empowering CI/CD with Rego Policies

Loginsoft has diligently crafted Rego policies stored in the GitHub Repository – Rego-CNS which are specifically designed to identify security misconfigurations in AWS CloudFormation, AWS and GCP terraform environments. These policies cover a wide range of areas, including access controls, network security, encryption, authentication mechanisms, and compliance frameworks. By continuously evaluating JSON code against these policies, organizations can proactively identify and rectify potential security gaps before they are exploited.

The GitHub Repository Rego-CNS mainly includes Rego policies for the following:

AWS CloudFormation:aws_cloudformation_nist_800_53 contains Rego policies which help in establishing minimum recommended security and operational best practices for Amazon Web Services (AWS).

AWS Terraform:aws_terraform_nist_800_53 contains policies which check for security misconfigurations in Terraform for Amazon Web Services.

GCP Terraform:gcp_terraform_nist_800_53  contains policies which check for security misconfigurations in Terraform for Google Cloud.

How to test the Rego policies:

Example: If a user wants to check the Rego policies for their respective AWS terraform, they can pick any one of the Rego policies in the folder aws_terraform for and run it against their respective JSON input. Since Rego policies cannot process the .tf (terraform extension) directly, we need to convert them to JSON and feed it as input to Rego.

In order to run the Rego policies, we need to supply structured data (JSON) as input so that OPA can generate policy decisions (output) by evaluating the query input against policies and data.

Run the Rego policies:

One can use the OPA playground to – https://play.openpolicyagent.org/ to run the Rego policies. Example of an output after running the Rego policy:

"aws_security_api_gw_cache_enabled_and_encrypted": [
		"Ensure that all methods in Amazon API Gateway stages have cache enabled and cache encrypted"  
]

Users also have the option to execute Rego policies via the command line. They can obtain the OPA executable from https://www.openpolicyagent.org/docs/latest/

On command line one can use it in the following manner:

$ opa.exe eval -f pretty -d $PATH\policy.rego -i $PATH\input.json data

where policy.rego is the policy file and input.json is the input file that the OPA policy should evaluate against.

GitHub Action workflow:

.github/workflows provides a GitHub Actions workflow that helps the user validate their AWS CloudFormation, AWS/GCP terraform templates against best practices using Rego policies and OPA. By integrating this workflow into the pull request process, they can ensure their templates adhere to recommended best practices.

Whenever a new pull request is opened or synchronized, a GitHub action Example: terraform_action for runs which validates AWS/GCP terraform templates against best security practices using Rego Policies and OPA. If there are any security concerns or misconfigurations, then an issue will automatically be created with the Rego policy decisions (output). The user can review the identified problem to determine the necessary corrective actions and mitigate any potential security concerns.

Usage:

To use the validation workflow, one can follow the below steps:Clone the RepositoryClone this repository to your local machine or fork it to your GitHub account.

Define Rego PoliciesDefine your Rego policies for CloudFormation or AWS/GCP terraform best practices in the respective directory. Each policy should be written as a separate Rego file.

Configure the Workflow for CI/CD pipelineModify the provided GitHub Actions workflow file present in (Example: .github/workflows/) to suit your needs. You can customize the triggers, environment, and any additional steps as required.

Ensure the workflow specifies the Rego policies directory correctly and sets up OPA.

Commit and PushCommit your changes and push them to the repository or your fork.

Create a Pull RequestCreate a pull request with your CloudFormation, AWS/GCP terraform templates to trigger the validation workflow.

Review the ResultsOnce the workflow is triggered, it will evaluate the CloudFormation, AWS/GCP terraform templates against the defined Rego policies using OPA. The workflow will provide compliance results for each best practice. Review the workflow logs and any annotations added to the pull request for details on the compliance status.

Contribution:

The GitHub Repository Rego-CNS serves as a collaborative platform for organizations to contribute, share, and improve cloud security practices. The repository allows teams to review and enhance existing policies, share insights, and collectively work towards building a robust security framework for cloud deployments. Rego-CNS is built as an open source and anyone who is interested can help it grow by contributing to the project.
Rego is a policy language used by the Open Policy Agent (OPA), a powerful policy enforcement engine. By integrating Rego OPA with CI/CD pipelines, we can automate policy enforcement, improve code and configuration quality, ensure compliance and reduce the risk of security misconfigurations. Rego policies can be applied as part of static code analysis during the CI phase. During the CD phase, Rego policies can be used to validate and enforce dynamic configuration settings.