/allero

By scanning CI/CD misconfigurations, Allero helps reduce production issues, harden your security posture and shift-left CI/CD from DevOps to developers.

Primary LanguageGoApache License 2.0Apache-2.0

allero=github

Prevent CI/CD misconfiguration

What is Allero?

Allero is a policy tool that prevents misconfigurations in CI/CD pipelines. This helps prevent failures and security risks from reaching production. It also allows R&D teams be less dependent on DevOps engineers when building and maintaining CI/CD pipelines. Allero comes with built-in rules, and developed to be as friendly as possible for you to create your own rules!
Here are a few use-cases that can be mitigated with Allero:

  1. Prevent Log4shell vulnerability by making sure SCA runs in every pipeline.
  2. Prevent the use of deprecated language versions. (e.g. Node version <= 12)
  3. Ensure all IaC manifests are scanned for misconfigurations. (e.g. Run checkov on any terraform file)

Quick Start!

Allero supports GitHub Actions and GitLab Pipelines. allero-cli

1. Install the latest release in your terminal

Linux & MacOS: curl https://get.allero.io | /bin/bash
Brew: brew install allero-io/allero/allero
Windows: iwr -useb https://get.allero.io/windows_install.ps1 | iex

2. Validate your pipelines

Validate pipelines in a local directory

  • Run allero validate {DIRECTORY_PATH}

Validate pipelines from a remote source control

  • Fetch your organizations and/or repositories: allero fetch github dapr/dapr
  • Validate your pipelines across all your fetched data: allero validate

Fetching private repositories from Github

Fetching data from a private GitHub organization requires a personal access token (PAT).

  1. Create a GitHub PAT with access to the repos you want to scan. More information about how to create a Github PAT can be found here Generate the token with the following read permissions:

    • repo:
      • repo:status
      • repo_deployment
      • public_repo
      • repo:invite
      • security_events
  2. Once the token is generated, run export ALLERO_GITHUB_TOKEN={YOUR_TOKEN}.

  • When running Allero from GitHub Actions, the PAT should be stored as an encrypted secret.
  1. Fetch your private repositories: allero fetch github {your_repo}

Fetching private repositories from Gitlab

Fetching data from a private GitLab group requires an access token.

  1. Create a GitLab Access Token with access to the repos you want to scan. More information about how to create a GitLab Token can be found here Generate the token with the following permissions:
    • read_api
  2. Once the token is generated, run export ALLERO_GITLAB_TOKEN={YOUR_TOKEN}.
  3. Fetch your private repositories: allero fetch gitlab {your_repo}

Next Steps

⛔️ Fail a PR on violation

Allero can fail a PR if the repo's pipelines don't meet the policy. Use this GitHub Action to trigger allero validation on a PR event.

🛡 Continuously assess all your piplines on a daily basis

To achieve a continuous assessment, allero needs to periodically scan the entire organization.
Implementing with GitHub Actions: We created a GitHub Action that runs Allero everyday at 8am on your entire organization.

  1. Fork Allero repo
  2. Create a GitHub Personal Access Token and store it in your forked repo as an encrypted secret named ALLERO_GITHUB_TOKEN.
  3. GitHub disables scheduled Actions on a forked repo by default. To enable the Allero Action, browse to your forked allero repo, navigate to GitHub Actions and enable the workflow.

Using any other scheduler: as a CLI tool, Allero can be easily run in - CI/CD, docker scheduler, crontab, kubernetes - anywhere!

🚨 Rules

Some rules apply to everyone, while others are very stack-specific. That is why some rules are enabled by default and others are disabled. Learn how to enable and disable rules here.

Supported Rules

Unique Id Rule Name Description Default State Reason
1 ensure-github-action-version Ensure github action version is set Enabled Avoid unexpected behavior
2 ensure-node-version Make sure a specific version is set when using a node image Enabled Avoid unexpected behavior
3 ensure-npm-ignore-scripts Ensures that pre/post-install scripts are not run by NPM Enabled link
4 ensure-python-version Make sure a specific version is set when using a python image Enabled Avoid unexpected behavior
5 prevent-kubectl-apply Prevents the usage of kubectl apply in pipelines. We recommend using helm or any other k8s deployment tool Enabled link
6 prevent-npm-install Prevents the usage of npm install in pipelines. We recommend using npm ci instead Enabled link
7 prevent-password-plain-text Prevent use of password as plain text Enabled Keep passwords from leaking
8 snyk-prevent-continue-on-error Prevent continuing workflows when snyk detects vulnerabilities Enabled Keep production secured
9 prevent-using-uncontrolled-values Avoid running malware commands through repository names Enabled Keep production secured
10 ensure-sca-scanner Make sure every repository has at least one pipeline with (Trivy, BlackDuck, Grype) Disabled Keep production secured
11 ensure-terraform-scanner Make sure every repository has at least one pipeline with terraform scanner (Checkov ,Snyk, Tenable) Disabled Keep production secured
12 prevent-action-setup-java-v1 Prevent using deprecated java version Disabled Keep production secured
13 prevent-adopt-distributions-on-setup-java Prevent using deprecated java distribution Disabled Keep production secured
14 ensure-code-coverage Make sure every repository has at least one pipeline with Codecov Disabled Keep Code Quality
15 ensure-secrets-scanner Make sure every repository has at least one pipeline with secrets scanner (Truffles ,GitGuardian, Gitleaks, Trivy) Disabled Keep production secured
16 ensure-linter Make sure every repository has at least one pipeline with linter (Wemake, SuperLinter, MegaLinter, Renovate) Disabled Keep Code Quality
17 ensure-code-quality Make sure every repository has at least one pipeline with code cuality checker (CodeClimate, SonarQube, SonarCloud) Disabled Keep Code Quality

Enabling and disabling rules

A policy is a set of rules, and it is represented by a token.
To generate a token, go to this page, choose the rules you want and generate the token. The token will be sent to your email.
To run the policy, you need to set the token by running allero config set token {your_token} and re-run allero validate.

Temporarily ignore a token

Tokens can be temporarily ignored during a single validation by running allero validate --ignore-token

Clear a token

Tokens can be cleared from the CLI by running allero config clear token | ensure-sca-scanner | Make sure every repository has at least one pipeline with sca scanner | Keep production secured | ensure-terraform-scanner | Make sure every repository has at least one pipeline with terraform scanner | Keep production secured

📝 Adding your own rules

Rules can be defined using the Json Schema format. Json Schema rules should be based on our data schema. An example of our data schema structure can be found here.

  1. Create a new json file and define your rule. Example rules can be found here. Make sure to update the rule description and failureMessage.
  2. Copy-paste the rule-files to ~/.allero/rules/github/ and ~/.allero/rules/gitlab/.
  3. Run allero validate

Contribution 👩🏽‍💻

We encourage you to contribute to Allero!

Created a new rule and want to give back to the community?

  1. Fork our repo
  2. Read how to add your own rule here
  3. Add your rule to pkg/rulesConfig/github or to pkg/rulesConfig/gitlab directories
  4. Create a PR!

Interested in contributing more to the CLI? We will provide a more detailed explanation on how to contribute soon. If you're intrested, you can contact us to get our help with your first PR!

🔏 Privacy

Your privacy and code integrity are very important to us. That's why our CLI operates locally only, and doesn't save any sensitive information related to your code anywhere. We only track metrics that reflect your usage of the CLI :)

Contact Us

Open an issue or shoot us an email.