
Continuous Security Framework

Primary language: Go. License: Apache-2.0.


Continuous Security Framework (CSF for short) is an open-source project aiming at enabling continuous security in cloud infrastructures (but not only). You can see it as IFTTT for the cloud. Like a typical continuous-integration system, CSF lets you build pipelines composed of different tasks. Unlike one, it responds to a variety of events and uses simple scripting, so anyone can build powerful automatic decision-making scripts.

Getting started

Terminology

Modules:

  • Event source: a module that sends events to CSF (e.g. a new vulnerability has been found by Clair)
  • Action module: a module that contains one or more actions (e.g. send a mail)

Installation

The best way to run CSF is the Docker image objectiflibre/csf. You can also download the binary or build CSF yourself. Take a look at the sample config and modify it if needed.

docker run -d \
  -v $PWD/csf_config:/csf_config \
  -v $PWD/csf_data:/db \
  -p 8888:8888 \
  objectiflibre/csf

Take a look at config_sample.yaml for the config. The default localfiles configProvider loads module configuration files from the ./config folder and matches each file to a module by name: if you load the k8s_imagevalidator module, its config file must be named k8s_imagevalidator.* (the extension does not matter). The default localdb storageProvider stores everything in ./db using tiedot.

Use cases

Events trigger pipelines, which respond to them dynamically using scripts. Currently implemented events are:

Currently implemented actions are:

  • Send a mail
  • Check if an image is in a Kubernetes pod or deployment
  • Respond to an ImagePolicyWebhook image review request
  • Scan a Docker image using an external Clair server
  • Scan an instance / virtual machine / host via SSH using vuls.io and Docker
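The ImagePolicyWebhook action above answers the review request that the Kubernetes API server's ImagePolicyWebhook admission plugin POSTs for every pod it admits. As an added example, not code from CSF or its authors, here is a minimal Go webhook implementing one such review policy: every container image must be pinned by digest and come from one allowlisted registry, and anything the handler cannot parse is answered with a 4xx rather than "allowed". The registry name, the placeholder digest, the policy itself and the handler and helper names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

const apiVersion = "imagepolicy.k8s.io/v1alpha1"

// Constructed placeholder digest (sha256 of the empty string): well-formed only.
const sampleDigest = "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

// Subset of the ImageReview object: the API server POSTs spec.containers, the webhook answers in status.
type ImageReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Spec       ImageReviewSpec    `json:"spec"`
	Status     *ImageReviewStatus `json:"status,omitempty"`
}
type ImageReviewSpec struct {
	Containers []ImageReviewContainerSpec `json:"containers"`
}
type ImageReviewContainerSpec struct{ Image string `json:"image"` }
type ImageReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}

// Policy for this example (an assumption, not CSF's): images must come from the
// allowlisted registry and be digest-pinned, since a mutable tag cannot be tied to a scan result.
const allowedRegistry = "registry.example.internal/"
var digestRef = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)

// evaluate denies the whole pod on the first offending container.
func evaluate(spec ImageReviewSpec) ImageReviewStatus {
	if len(spec.Containers) == 0 {
		return ImageReviewStatus{Reason: "no container images in review"}
	}
	for _, c := range spec.Containers {
		if !digestRef.MatchString(c.Image) {
			return ImageReviewStatus{Reason: fmt.Sprintf("image %q is not pinned by sha256 digest", c.Image)}
		}
		if !strings.HasPrefix(c.Image, allowedRegistry) {
			return ImageReviewStatus{Reason: fmt.Sprintf("image %q is not from %s", c.Image, allowedRegistry)}
		}
	}
	return ImageReviewStatus{Allowed: true}
}

// handleImageReview is what the API server's ImagePolicyWebhook plugin POSTs to. Unparseable
// input gets a 4xx, never "allowed": what a failing webhook means for the pod is the
// plugin's own defaultAllow setting, not this code's decision.
func handleImageReview(w http.ResponseWriter, r *http.Request) {
	var review ImageReview
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&review); err != nil {
		http.Error(w, "malformed ImageReview", http.StatusBadRequest)
		return
	}
	if review.Kind != "ImageReview" {
		http.Error(w, "expected kind ImageReview", http.StatusBadRequest)
		return
	}
	status := evaluate(review.Spec)
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(ImageReview{APIVersion: apiVersion, Kind: "ImageReview", Status: &status})
}

// reviewImages drives the handler in-process with a constructed ImageReview so the policy
// runs without a cluster; reviewRaw accepts any body so the malformed-request path runs too.
func reviewImages(images ...string) (ImageReviewStatus, error) {
	var spec ImageReviewSpec
	for _, img := range images {
		spec.Containers = append(spec.Containers, ImageReviewContainerSpec{Image: img})
	}
	body, _ := json.Marshal(ImageReview{APIVersion: apiVersion, Kind: "ImageReview", Spec: spec})
	return reviewRaw(string(body))
}

func reviewRaw(body string) (ImageReviewStatus, error) {
	rec := httptest.NewRecorder()
	handleImageReview(rec, httptest.NewRequest(http.MethodPost, "/review", strings.NewReader(body)))
	if rec.Code != http.StatusOK {
		return ImageReviewStatus{}, fmt.Errorf("webhook returned HTTP %d", rec.Code)
	}
	var out ImageReview
	if err := json.Unmarshal(rec.Body.Bytes(), &out); err != nil || out.Status == nil {
		return ImageReviewStatus{}, fmt.Errorf("undecodable webhook response")
	}
	return *out.Status, nil
}

func main() {
	for _, img := range []string{allowedRegistry + "api@" + sampleDigest, allowedRegistry + "api:latest", "docker.io/library/nginx@" + sampleDigest} {
		st, err := reviewImages(img)
		fmt.Printf("%s -> allowed=%v reason=%q err=%v\n", img, st.Allowed, st.Reason, err)
	}
}
```

Two points worth checking in any webhook of this kind: an empty container list must be denied explicitly, because a loop over zero containers would otherwise fall through to "allowed"; and the API server's ImagePolicyWebhook configuration has a defaultAllow setting that decides what happens when the webhook is unreachable or errors, so a fail-closed policy needs that set to false on the API server as well as a fail-closed handler.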

More details on the different modules here.

Need something else? Open an issue or write your own module!

Pipelines

You can use multiple actions to easily build complex pipelines. Here is a simple example:

(pipeline diagram: example)

Another use case is on-the-fly Docker image scanning with Kubernetes.

To write your own pipelines (called reactions here), look at the sample JSON files in the samples folder or check out the docs about reactions.
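The terminology above (event sources feeding events to CSF, action modules providing the actions) and the reaction files described here are the two halves of one dispatch loop. As an added example that is not CSF's code, here is one way to implement that loop in Go: a reaction loaded from JSON subscribes to an event type and runs ordered actions, each with optional guards and the ability to stop the reaction early, and a constructed Clair-style finding flows through it. The reaction JSON shape, the event and action names, the stand-in inventory of deployed images and the placeholder digest are all assumptions made for this example; CSF's real reaction format is the one in its samples folder.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Event is what an event source hands to the framework: a type plus the fields the source knows.
type Event struct {
	Type   string            `json:"type"`
	Fields map[string]string `json:"fields"`
}

// Reaction binds an event type to ordered steps; a step runs only when every "when" guard holds
// (event field equals value). This JSON shape is an assumption for this example, not CSF's format.
type Reaction struct {
	OnEvent string `json:"on_event"`
	Steps   []struct {
		Action string            `json:"action"`
		When   map[string]string `json:"when,omitempty"`
		Params map[string]string `json:"params,omitempty"`
	} `json:"steps"`
}

// Action is the contract an action module fulfils; stop=true ends the reaction early.
type Action func(ev Event, params map[string]string) (stop bool, err error)
type Engine struct{ actions map[string]Action; reactions []Reaction }

// LoadReaction rejects a reaction naming an unregistered action: a typo fails at load time, not on the first event.
func (e *Engine) LoadReaction(raw string) error {
	var r Reaction
	if err := json.Unmarshal([]byte(raw), &r); err != nil {
		return fmt.Errorf("reaction: bad JSON: %w", err)
	}
	for _, s := range r.Steps {
		if _, ok := e.actions[s.Action]; !ok {
			return fmt.Errorf("reaction on %q: unknown action %q", r.OnEvent, s.Action)
		}
	}
	e.reactions = append(e.reactions, r)
	return nil
}

// Dispatch runs every reaction subscribed to the event type and returns the actions that ran; an action error aborts it.
func (e *Engine) Dispatch(ev Event) ([]string, error) {
	var ran []string
	for _, r := range e.reactions {
		if r.OnEvent != ev.Type {
			continue
		}
	steps:
		for _, s := range r.Steps {
			for field, want := range s.When {
				if ev.Fields[field] != want { // a missing field never matches
					continue steps
				}
			}
			stop, err := e.actions[s.Action](ev, s.Params)
			if err != nil {
				return ran, fmt.Errorf("action %q: %w", s.Action, err)
			}
			ran = append(ran, s.Action)
			if stop {
				break // this reaction is done with the event
			}
		}
	}
	return ran, nil
}

// Constructed demo: deployedImages stands in for the "is this image in a pod or deployment" module
// (a real one would query Kubernetes; the digest is a shortened placeholder); outbox collects mails.
var deployedImages = map[string]bool{"registry.example.internal/api@sha256:aaaa": true}
var outbox []string
const sampleReaction = `{"on_event": "clair.new_vulnerability", "steps": [{"action": "k8s_check_image"},
  {"action": "send_mail", "when": {"severity": "Critical"}, "params": {"to": "secops@example.internal"}}]}`

func buildEngine() (*Engine, error) {
	e := &Engine{actions: map[string]Action{}}
	e.actions["k8s_check_image"] = func(ev Event, _ map[string]string) (bool, error) {
		if ev.Fields["image"] == "" {
			return false, fmt.Errorf("event carries no image field")
		}
		return !deployedImages[ev.Fields["image"]], nil // not deployed: stop, nothing to notify
	}
	e.actions["send_mail"] = func(ev Event, p map[string]string) (bool, error) {
		outbox = append(outbox, fmt.Sprintf("to=%s: %s in %s", p["to"], ev.Fields["finding"], ev.Fields["image"]))
		return false, nil
	}
	return e, e.LoadReaction(sampleReaction)
}

func main() {
	e, err := buildEngine()
	if err != nil {
		panic(err)
	}
	ran, err := e.Dispatch(Event{Type: "clair.new_vulnerability", Fields: map[string]string{"image": "registry.example.internal/api@sha256:aaaa", "finding": "example-finding", "severity": "Critical"}})
	fmt.Println(ran, outbox, err)
}
```

The two decisions that matter for a pipeline like this are visible in the code: a reaction that references an action nobody registered is rejected when it is loaded rather than failing quietly on the first real event, and an action that cannot do its job (here, an event with no image) surfaces an error instead of letting the pipeline continue as if the check had passed.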