From 5f362820ba920e5ee72b202586da047b72d46231 Mon Sep 17 00:00:00 2001 From: balexand Date: Thu, 6 May 2021 17:58:52 +0000 Subject: [PATCH] Update Application - Initial.md --- .../issue_templates/Application - Initial.md | 138 ++++++++++++++++-- 1 file changed, 122 insertions(+), 16 deletions(-) diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md index 7ddab91..c8704a0 100644 --- a/.gitlab/issue_templates/Application - Initial.md +++ b/.gitlab/issue_templates/Application - Initial.md @@ -25,26 +25,132 @@ If this application is owned by a Contributor or Vendor (identifed as `Owner::Co ## Definition of Done -Hardening: -- [ ] Hardening manifest is created and adheres to the schema (https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json) -- [ ] Container builds successfully through the Gitlab CI pipeline -- [ ] Branch has been merged into `development` -- [ ] Project is configured for automatic renovate updates (if possible) +Hardening Process +----------------- -Justifications: -- [ ] All findings have been justified per the above documentation -- [ ] Justifications have been attached to this issue -- [ ] Apply the label `Approval` to indicate this container is ready for the approval phase +### Repository Requirements -Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over. +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/structure_requirements.md) + +- [ ] A Dockerfile has been created in the root of the repository + +- [ ] Hardening_manifest.yaml has been created in the root of the repository + +- [ ] The project has a LICENSE or a copy of the EULA + +- [ ] The project has a README in the root of the repository with sufficient instructions on using the Iron Bank version of the image + +- [ ] If your container is an enterprise/commercial container, the opensource version is ready + +- [ ] Scripts used in the Dockerfile are placed into a `scripts` directory + +- [ ] Configuration files are placed into a `config` directory + +- [ ] Project is [configured for automatic renovate updates](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Renovate.md) (if possible) + + - [ ] Renovate.json is present in root of repository + + - [ ] Reviewers have been specified for notifications on new merge requests + +### Dockerfile Requirements + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md) + +- [ ] There is one Dockerfile named Dockerfile + +- [ ] The Dockerfile has the BASE_REGISTRY, BASE_IMAGE, and BASE_TAG arguments (used for local builds; the values in hardening_manifest.yaml are what will be used in the Container Hardening Pipeline) + +- [ ] The Dockerfile is [based on a hardened Iron Bank image](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md#requirements) + +- [ ] The Dockerfile includes a HEALTHCHECK (required if it is an application container) + +- [ ] The Dockerfile starts the container as a non-root USER. Otherwise, if you must run as root, you must have proper justification. + +- [ ] If your ENTRYPOINT entails using a script, the script is copied from a scripts directory on the project root + +- [ ] No ADD instructions are used in the Dockerfile + +Hardening Manifest +------------------ + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/hardening%20manifest) + +- [ ] Begin with this example and update with relevant information: https://repo1.dso.mil/dsop/dccscr/-/blob/master/hardening%20manifest/hardening_manifest.yaml + +- [ ] Hardening manifest adheres to the following schema: https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json + +- [ ] The BASE_IMAGE and BASE_TAG arguments refer to a hardened/approved Iron Bank image (BASE_REGISTRY defaults to `registry1.dso.mil/ironbank` in the pipeline) + +- [ ] Relevant image metadata has been entered for the corresponding labels + +- [ ] Any downloaded resources include a checksum for verification (letters must be lowercase) + +- [ ] For resource URLs that require authentication, credentials have been provided to an Iron Bank team member + +- [ ] The maintainers' contact information has been provided in the `maintainers` section + +Gitlab CI Pipeline +------------------ + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pipeline) + +- [ ] Validate your container builds successfully through the Gitlab CI pipeline. When viewing the repository in repo1.dso.mil, go to `CI/CD > Pipelines` on the left. From there, you can see the status of your pipelines. + +- [ ] Review scan output from `csv output` stage of the pipeline. For instructions on downloading the findings spreadsheet, click [here](https://repo1.dso.mil/dsop/dccscr/-/blob/master/pre-approval/spreadsheet.md) + +- [ ] Fix vulnerabilities that were found and run the pipeline again before requesting a merge to the development branch + +Pre-Approval: +------------- + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pre-approval) + +- [ ] Submit a Merge Request to the development branch + +- [ ] Feature branch has been merged into development + +- [ ] All findings from the development branch pipeline have been justified per the above documentation + +- [ ] Justifications have been attached to this issue + +- [ ] Apply the `Approval` label and remove the `Doing` label to indicate this container is ready for the approval phase + +*Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over.* Approval Process (Container Hardening Team processes): -- [ ] Peer review from Container Hardening Team -- [ ] Findings Approver has reviewed and approved all justifications -- [ ] Approval request has been sent to Authorizing Official -- [ ] Approval request has been processed by Authorizing Official +------------------------------------------------------ + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/approval) + +- [ ] Peer review from Container Hardening Team + +- [ ] Findings Approver has reviewed and approved all justifications + +- [ ] Approval request has been sent to Authorizing Official + +- [ ] Approval request has been processed by Authorizing Official + +One of the following statuses is assigned: + +- [ ] Conditional approval has been granted by the Authorizing Official for this container (`Approval::Expiring` label is applied) + +- [ ] This container has been approved by the Authorizing Official (`Approved` label is applied) + +*Note: If the above approval process is kicked back for any reason, the* `Approval` *label will be removed and the issue will be sent back to* `Open`*. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the* `Approval` *label.* + +Post-Approval +------------- + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/post%20approval) + +- [ ] Your issue has been closed + +- [ ] Your project has been merged into master + +- [ ] Master branch pipeline has completed successfully (at this point, the image is made available on `ironbank.dso.mil` and `registry1.dso.mil` ) + +*Note: Now that your application has been approved, your container(s) will be subjected to continuous monitoring. If new CVEs are discovered or bugs are identified, you will need to address the issues and return to step 5 (Gitlab CI Pipeline). As you make changes, please make sure you are adhering to all of the requirements of the hardening process.* -Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label. ## Post Approval @@ -72,4 +178,4 @@ Occassionally, users may file bug reports for your application. It is your respo -/label ~"Container::Initial" \ No newline at end of file +/label ~"Container::Initial" -- GitLab