
Tuesday, 18 October 2022

Secure your application from Argo CD to Kubernetes

GitOps is a popular framework for managing and securing the application development pipeline. For many who have embarked on a GitOps journey, a common question is: “how can I secure my pipeline when everything is automated?” 

The GitOps framework is a concept where any code commits or changes are done through Git, which then triggers an automated pipeline that builds and deploys applications on Kubernetes. Because there are few touch points for development and security teams in the pipeline, its security needs to be mandated to ensure the deployed applications have as few vulnerabilities as possible. 

This blog covers how Snyk can provide application security in GitOps, focusing on a popular tool, Argo CD. In this scenario, Snyk runs an IaC scan to ensure the to-be-deployed application is safe before deployment, and stops the build if it is not. Snyk can also automatically monitor the deployed applications across different namespaces in Kubernetes.

https://snyk.io/blog/secure-apps-from-argocd-to-kubernetes/


Thursday, 2 June 2022

Note for self: Snyk scan from ArgoCD

Demo

https://github.com/papicella/springbootemployee-api/tree/master/argocd

Demo Job on K8s to perform Snyk IaC Scan

  
apiVersion: batch/v1
kind: Job
metadata:
  name: snyk-iac-scan
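  annotations:
    # Run this Job as an Argo CD hook before the application manifests are synced.
    argocd.argoproj.io/hook: PreSync
spec:
  ttlSecondsAfterFinished: 600
  template:
    spec:
      containers:
        - name: snyk-cli
          image: snyk/snyk-cli:npm
          command: ["/bin/sh","-c"]
          # "|| true" makes the scan step always exit 0, so findings are printed
          # in the Job log but never fail the hook or block the sync.
          args:
            - git clone https://github.com/papicella/springbootemployee-api.git;
              snyk auth $SNYK_TOKEN;
              snyk iac test springbootemployee-api/argocd/employee-K8s.yaml || true;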
          env:
            - name: SNYK_TOKEN
              valueFrom:
                secretKeyRef:
                  name: snyk-token
                  key: token
      restartPolicy: Never
  backoffLimit: 0
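
A blocking variant of the demo Job, as an added example that is not taken from the linked repository: dropping `|| true` lets a non-zero Snyk exit code fail the PreSync hook, which stops the sync. The `--severity-threshold=high` cut-off, the shallow clone and the explicit hook delete policy are assumptions chosen for illustration.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: snyk-iac-scan
  annotations:
    argocd.argoproj.io/hook: PreSync
    # Delete the previous run's Job before creating this one on the next sync,
    # so the fixed name does not collide with a Job that has not expired yet.
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  ttlSecondsAfterFinished: 600
  backoffLimit: 0            # one attempt only: a failed scan is a failed hook
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: snyk-cli
          image: snyk/snyk-cli:npm
          command: ["/bin/sh", "-c"]
          args:
            - |
              # Abort on the first failing command, so a failed clone or auth
              # cannot end in a "clean" result for a file that was never scanned.
              set -e
              git clone --depth 1 https://github.com/papicella/springbootemployee-api.git
              snyk auth "$SNYK_TOKEN"
              # Snyk CLI exit codes: 0 = no issues at or above the threshold,
              # 1 = issues found, 2 or 3 = the scan itself failed.
              # Every non-zero code fails the Job and therefore the PreSync hook.
              snyk iac test --severity-threshold=high \
                springbootemployee-api/argocd/employee-K8s.yaml
          env:
            - name: SNYK_TOKEN
              valueFrom:
                secretKeyRef:
                  name: snyk-token
                  key: token
```

The clone still takes the repository's default branch, so the scan matches what Argo CD deploys only when the Application tracks that branch.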


Monday, 30 May 2022

Using Pulumi to automate the Snyk Kubernetes integration for containers

Better late than never; finally got around to posting this today.

In this blog post, we will walk through the process of using Pulumi, a new open source tool that allows developers to build code in multiple languages like JavaScript, TypeScript, Python, and Go to create all that is required to configure the Kubernetes integration in Snyk Container.

https://snyk.io/blog/automate-snyk-kubernetes-pulumi/