.gitlab/issue_templates/Application - Initial.md

@@ -17,6 +17,13 @@ If you need to contact the Container Hardening team, please identify your assign
 
 If you have no assignee, feel free to tag Container Hardening leadership in your issue by commenting on this issue with your questions/concerns and then add `/cc @ironbank-notifications/leadership`. Gitlab will automatically notify all Container Hardening leadership to look at this issue and respond.
 
+##  Get Unstuck/AMA:  
+Iron Bank Get Unstuck/AMA Working Sessions every Wednesday from 1630-1730EST.  
+Need some help with your containers getting through Iron Bank? Have questions on where things are at? Are you feeling stuck and want to figure out the next steps? This is the meeting for you! Come meet with the Iron Bank leadership and engineers to get answers to your questions. 
+ Register in advance for this meeting: https://www.zoomgov.com/meeting/register/vJIsf-ytpz8qHSN_JW8Hl9Qf0AZZXSCSmfo  
+After registering, you will receive a confirmation email containing information about joining the meeting. 
+ 
+If you have any questions, please come to our Get Unstuck/AMA sessions. There we will have the right combination of business folks and engineers to get your questions answered.
 
 ## Responsibilities
 
@@ -25,28 +32,140 @@ If this application is owned by a Contributor or Vendor (identifed as `Owner::Co
 
 ## Definition of Done
 
-Hardening:
-- [ ] Hardening manifest is created and adheres to the schema (https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json)
-- [ ] Container builds successfully through the Gitlab CI pipeline
-- [ ] Branch has been merged into `development`
-- [ ] Project is configured for automatic renovate updates (if possible)
 
-Justifications:
-- [ ] All findings have been justified per the above documentation
+This checklist is meant to provide a high level overview of the process and steps for getting your container(s) onto Iron Bank. 
+
+- [ ] Create a Repo1 account (https://repo1.dso.mil/users/sign_in) to get access to the public repository of containers. You can register by clicking on the 'Sign in with Iron Bank SSO' button in the sign-in page, followed by the Register button
+
+- [ ] Fill out the onboarding form: https://p1.dso.mil/#/products/iron-bank/getting-started 
+
+- [ ] Attend our once weekly onboarding session where you can ask questions. [Register here](https://www.zoomgov.com/meeting/register/vJIsce6rpzkqGq9hHHRscNfGENYqvRL1s10%E2%81%A9).
+
+- [ ] Your Onboarding form will be processed by the Iron Bank team, who will then assign it a priority level and create your repository. You will receive an email that your Gitlab issue has been created and is ready for you to complete the hardening process
+
+- [ ] Ensure that all POCs are assigned to the issue to ensure proper tracking and notifications
+
+## Hardening Process
+
+### Repository Requirements
+
+[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/structure_requirements.md)
+
+- [ ] A Dockerfile has been created in the root of the repository
+
+- [ ] Hardening_manifest.yaml has been created in the root of the repository
+
+- [ ] The project has a LICENSE or a copy of the EULA
+
+- [ ] The project has a README in the root of the repository with sufficient instructions on using the Iron Bank version of the image
+
+- [ ] If your container is an enterprise/commercial container, the opensource version is ready
+
+- [ ] Scripts used in the Dockerfile are placed into a `scripts` directory
+
+- [ ] Configuration files are placed into a `config` directory
+
+- [ ] Project is [configured for automatic renovate updates](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Renovate.md) (if possible)
+
+  - [ ] Renovate.json is present in root of repository
+
+  - [ ] Reviewers have been specified for notifications on new merge requests
+
+### Dockerfile Requirements 
+
+[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md)
+
+- [ ] There is one Dockerfile named Dockerfile
+
+- [ ] The Dockerfile has the BASE_REGISTRY, BASE_IMAGE, and BASE_TAG arguments (used for local builds; the values in hardening_manifest.yaml are what will be used in the Container Hardening Pipeline)
+
+- [ ] The Dockerfile is [based on a hardened Iron Bank image](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md#requirements)
+
+- [ ] The Dockerfile includes a HEALTHCHECK (required if it is an application container)
+
+- [ ] The Dockerfile starts the container as a non-root USER. Otherwise, if you must run as root, you must have proper justification.
+
+- [ ] If your ENTRYPOINT entails using a script, the script is copied from a scripts directory on the project root
+
+- [ ] No ADD instructions are used in the Dockerfile
+
+## Hardening Manifest
+
+[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/hardening%20manifest)
+
+- [ ] Begin with this example and update with relevant information: https://repo1.dso.mil/dsop/dccscr/-/blob/master/hardening%20manifest/hardening_manifest.yaml
+
+- [ ] Hardening manifest adheres to the following schema: https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json
+
+- [ ] The BASE_IMAGE and BASE_TAG arguments refer to a hardened/approved Iron Bank image (BASE_REGISTRY defaults to `registry1.dso.mil/ironbank` in the pipeline)
+
+- [ ] Relevant image metadata has been entered for the corresponding labels
+
+- [ ] Any downloaded resources include a checksum for verification (letters must be lowercase)
+
+- [ ] For resource URLs that require authentication, credentials have been provided to an Iron Bank team member
+
+- [ ] The maintainers' contact information has been provided in the `maintainers` section
+
+## Gitlab CI Pipeline
+
+[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pipeline)
+
+- [ ] Validate your container builds successfully through the Gitlab CI pipeline. When viewing the repository in repo1.dso.mil, go to `CI/CD > Pipelines` on the left. From there, you can see the status of your pipelines.
+
+- [ ] Review scan output from `csv output` stage of the pipeline. For instructions on downloading the findings spreadsheet, click [here](https://repo1.dso.mil/dsop/dccscr/-/blob/master/pre-approval/spreadsheet.md)
+
+- [ ] Fix vulnerabilities that were found and run the pipeline again before requesting a merge to the development branch
+
+## Pre-Approval:
+
+[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pre-approval)
+
+- [ ] Submit a Merge Request to the development branch
+
+- [ ] Feature branch has been merged into development
+
+- [ ] All findings from the development branch pipeline have been justified per the above documentation
+
 - [ ] Justifications have been attached to this issue
-- [ ] Apply the label `Approval` to indicate this container is ready for the approval phase
 
-Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over.
+- [ ] Apply the `Approval` label and remove the `Doing` label to indicate this container is ready for the approval phase
+
+_Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over._
+
+## Approval Process (Container Hardening Team processes):
+
+[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/approval)
 
-Approval Process (Container Hardening Team processes):
 - [ ] Peer review from Container Hardening Team
+
 - [ ] Findings Approver has reviewed and approved all justifications
+
 - [ ] Approval request has been sent to Authorizing Official
+
 - [ ] Approval request has been processed by Authorizing Official
 
-Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label.
+One of the following statuses is assigned:
+
+- [ ] Conditional approval has been granted by the Authorizing Official for this container (`Approval::Expiring` label is applied)
+
+- [ ] This container has been approved by the Authorizing Official (`Approved` label is applied)
+
+_Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label._
+
+## Post-Approval
+
+[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/post%20approval)
+
+- [ ] Your issue has been closed
+
+- [ ] Your project has been merged into master
+
+- [ ] Master branch pipeline has completed successfully (at this point, the image is made available on `ironbank.dso.mil` and `registry1.dso.mil` )
+
+_Note: Now that your application has been approved, your container(s) will be subjected to continuous monitoring. If new CVEs are discovered or bugs are identified, you will need to address the issues and return to step 5 (Gitlab CI Pipeline). As you make changes, please make sure you are adhering to all of the requirements of the hardening process._
+
 
-## Post Approval
 
 ### Continuous Monitoring
 

Dockerfile

+# These three ARGs must point to an Iron Bank image - the BASE_REGISTRY should always be what is written below; please use \
+# '--build-arg' when building locally to replace these values
+# If your container is not based on either the ubi7/ubi8 Iron Bank images, then it should be based on a different Iron Bank image
+# Note that you will not be able to pull containers from nexus-docker-secure.levelup-dev.io into your local dev machine
+ARG BASE_REGISTRY=registry1.dsop.io
+ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
+ARG BASE_TAG=8.4
+
+# FROM statement must reference the base image using the three ARGs established
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+ENV REQUIRED_PACKAGES="shadow-utils libsemanage"
+
+RUN microdnf update -y --setopt=install_weak_deps=0 --nodocs \
+  && microdnf --setopt=tsflags=nodocs install $REQUIRED_PACKAGES \
+  && useradd sysdig -u 1000 \
+  && microdnf remove $REQUIRED_PACKAGES \
+  && microdnf clean all \
+  && rm -rf /var/cache/yum
+
+ARG BINARY="cloud-scanning-v0.7.9"
+
+COPY ${BINARY} /cloud-scanning
+
+RUN chown sysdig:sysdig /cloud-scanning \
+  && chmod u+x /cloud-scanning
+
+EXPOSE 5000
+HEALTHCHECK --start-period=30s CMD curl -f 127.0.0.1:5000 || exit 1
+USER 1000
+ENTRYPOINT ["/cloud-scanning"]

README.md

-# <application name>
+# Sysdig Cloud Scanner
+---
+description: Image Scanning using Cloud Audit Logs and Sysdig Secure
+---
 
-Project template for all Iron Bank container repositories.
+Sysdig Cloud Scanning leverages Cloud Audit log like AWS CloudTrail
\ No newline at end of file
+to detect container images that are being pushed to your registries or used
+in cloud workloads. When a new image is detected, a scanning process can be started
+to analyze the image and report vulnerabilities directly to Sysdig Secure.
+
+# Installation
+
+Sysdig Cloud Connector is part of [Sysdig Cloud Security](https://cloudsec.sysdig.com/) platform. Please check [Sysdig Cloud Security site](https://cloudsec.sysdig.com/) for installation guides on the different cloud providers.
+
+# Configuration
+
+The CloudScanning component can be configured by setting the following environment variables:
+
+## Common
+
+* **SECURE_URL**: must be set to a secure API endpoint.
+* **SECURE_API_TOKEN**: must be set to a valid API token.
+* **LOG_LEVEL**: Sets the log level to `debug`, `info` or `error`. It defaults to `info` if not specified.
+* **VERIFY_SSL**: Set to `false` to skip TLS verification from the Secure backend (i.e. On-Prem with invalid TLS certificate).
+
+## AWS
+
+* **CODEBUILD_PROJECT**: Name of the CodeBuild project that executes the inline scan
+* **ECR_DEPLOYED**: Set to `true` to enable ECR scanning.
+* **ECS_DEPLOYED**: Set to `true` to enable ECS scanning.
+
+### AWS Single-account mode
+
+When running CloudScanning in a single account. The role executing the task has required permissions in the account.
+
+* **SQS_QUEUE_URL**: URL of the SQS queue where the CloudTrail notifications are published.
+
+### AWS Multi-account
+
+When running CloudScanning in multi-account mode. Each of the child accounts has a SQS queue following the naming convention
+specified by `SQS_QUEUE_NAME` and there is a role `ACCOUNT_ROLE` on each child account that the executing task can assume,
+providing all the required permissions.
+
+* **ACCOUNTS_AND_REGIONS**: List of child accounts and regions, in format `account1:region1,account2:region2,...`
+* **ACCOUNT_ROLE**: Role to assume on each child account, providing the required permissions.
+* **SQS_QUEUE_NAME**: Use instead of **SQS_QUEUE_URL** to provide the name of the SQS which must exist on every child account.
+
+## Google Cloud Platform
+
+* **GCP_PROJECT**: Name of the GCP project
+* **GCR_DEPLOYED**: Set to `true` to enable scanning of images pushed to Google Container Registry.
+* **GCR_PUBSUB_SUBSCRIPTION**: Consume messages from this PubSub subscription. Subscription needs to be subscribed to topic `gcr`.  
+* **CLOUDRUN_DEPLOYED**: Set to `true` to enable scanning of images running in Google Cloud Run.
+* **AUDITLOG_INTERVAL**: Auditlog check interval. CloudRun events are received from the AuditLog. Must be a valid go interval expression. Defaults to `1m`.
+* **SECURE_API_TOKEN_SECRET**: name of the secret from SecretManager that stores the API Token.
+* **CLOUDBUILD_SERVICE_ACCOUNT**: Name of the Service Account executing the CloudBuild project for performing the scanning.
+* **CLOUDBUILD_BUCKET**: Name of the bucket to store CloudBuild execution logs

hardening_manifest.yaml

+---
+apiVersion: v1
+# The repository name in registry1, excluding /ironbank/
+name: "sysdig/sysdig-secure/cloud-scanning-0.7.9"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dsop.io
+tags:
+  - "0.7.9"
+  - "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "redhat/ubi/ubi8-minimal"
+  BASE_TAG: "8.4"
+
+# Docker image labels
+labels:
+  org.opencontainers.image.title: "cloud-scanning-0.7.9"
+  ## Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "Sysdig - Cloud Scanning"
+  ## License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "proprietary"
+  ## URL to find more information on the image
+  # org.opencontainers.image.url: "FIXME"
+  ## Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "Sysdig"
+  org.opencontainers.image.version: "0.7.9"
+  ## Keywords to help with search (ex. "cicd,gitops,golang")
+  # mil.dso.ironbank.image.keywords: "FIXME"
+  ## This value can be "opensource" or "commercial"
+  mil.dso.ironbank.image.type: "commercial"
+  ## Product the image belongs to for grouping multiple images
+  mil.dso.ironbank.product.name: "sysdig-secure/cloud-scanning"
+
+# List of resources to make available to the offline build context
+resources:
+- filename: cloud-scanning-v0.7.9
+  url: https://s3.amazonaws.com/download.draios.com/repo1/cloud-scanning/cloud-scanning-v0.7.9
+  validation:
+    type: sha256
+    value: 01734dd863b59cfd0163bd139ff4e751e8c788730d82abe53000e36cc102eeaf
+
+# List of project maintainers
+maintainers:
+  - email: "aitor.acedo@sysdig.com"
+    #   # The name of the current container owner
+    name: "Aitor Acedo"
+    #   # The gitlab username of the current container owner
+    username: "aitor.acedo"