
Support updating a policy file based on aqua.yaml #2778

Open
suzuki-shunsuke opened this issue Mar 26, 2024 · 0 comments
Labels: enhancement (New feature or request), policy, security


Feature Overview

Support updating a policy file based on aqua.yaml.
Add packages used in aqua.yaml to a policy file.

Why is the feature needed?

To improve the security.
To prevent malicious packages from being used in CI, we should manage the whitelist of packages with a policy file.
But it's bothersome to maintain a policy file and update it every time we start using a new package.
So it would be useful to add a command that updates a policy file based on aqua.yaml.

Workaround

Maintain a policy file manually.
This is bothersome.

Example Code

$ aqua policy update aqua-policy.yaml aqua.yaml foo/aqua.yaml ...

aqua-policy.yaml is updated based on aqua.yaml.

Note

https://aquaproj.github.io/docs/reference/security/policy-as-code/

To prevent aqua-policy.yaml from being tampered with in CI, you should manage aqua-policy.yaml on the default branch and synchronize it in CI.

https://github.com/suzuki-shunsuke/simple-sync-action
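As an illustration of what the proposed `aqua policy update` could do, here is an added Python example (not aqua's own code): it merges the packages from one or more aqua.yaml files into a policy file, keyed by registry and package name with the version stripped, and refuses to add packages from a registry the policy does not already declare. The simplified file layouts, the default registry name "standard" and the sample contents are assumptions; the inputs are already-parsed dicts, so no YAML library is needed.

```python
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (registry name, package name without the @version)

# Constructed sample inputs, shaped like the dicts a YAML parser would return.
SAMPLE_POLICY = {
    "registries": [{"type": "standard", "ref": 'semver(">= 3.0.0")'}],
    "packages": [{"registry": "standard", "name": "suzuki-shunsuke/tfcmt"}],
}
SAMPLE_AQUA_CONFIGS = [  # one dict per aqua.yaml passed on the command line
    {"packages": [{"name": "suzuki-shunsuke/tfcmt@v4.0.0"}, {"name": "cli/cli@v2.40.0"}]},
    {"packages": [{"name": "golangci/golangci-lint@v1.55.0"}, {"registry": "local", "name": "foo"}]},
]

def package_key(pkg: Dict[str, str]) -> Key:
    # aqua.yaml packages are "owner/repo@version" with an optional "registry"
    # (assumed to default to "standard"); the policy allows by name only.
    return pkg.get("registry", "standard"), pkg["name"].split("@", 1)[0]

def update_policy(policy: dict, aqua_configs: List[dict]) -> Tuple[dict, List[Key], List[Key]]:
    """Return (new policy, keys added, keys skipped) without mutating the input."""
    # Assumption: policy registries are addressed by "name"; the standard one as "standard".
    allowed = {r.get("name", "standard") for r in policy.get("registries", [])}
    existing = {(p.get("registry", "standard"), p["name"]) for p in policy.get("packages", [])}
    added, skipped = [], []
    for cfg in aqua_configs:
        for pkg in cfg.get("packages", []):
            key = package_key(pkg)
            if key in existing:
                continue
            if key[0] not in allowed:  # never widen the allow-list to an undeclared registry
                skipped.append(key)
            else:
                existing.add(key)
                added.append(key)
    new_policy = {"registries": [dict(r) for r in policy.get("registries", [])],
                  "packages": [dict(p) for p in policy.get("packages", [])]
                  + [{"registry": r, "name": n} for r, n in added]}
    return new_policy, added, skipped

def render_policy(policy: dict) -> str:
    # Serialize the policy as YAML by hand; the layout is flat enough for that.
    out = ["registries:"]
    for reg in policy["registries"]:
        (k0, v0), *rest = reg.items()
        out.append(f"- {k0}: {v0}")
        out.extend(f"  {k}: {v}" for k, v in rest)
    out.append("packages:")
    for pkg in policy["packages"]:
        out += [f"- registry: {pkg['registry']}", f"  name: {pkg['name']}"]
    return "\n".join(out) + "\n"
```

The skipped list is what a maintainer should review by hand; running the update in a branch and merging it through review keeps the policy on the default branch as the note above recommends.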
