This repository was archived by the owner on Sep 30, 2024. It is now read-only.
Integrate security release approval into release pipeline#63990
Merged
Conversation
Comment on lines
+237
to
+240
| - name: 'Check Security Approval' | ||
| cmd: | | ||
| curl --location 'https://security-manager.sgdev.org/approve-release?release={{tag}}' --header "Authorization: Bearer ${SCANNER_TOKEN}" --fail && "Release {{tag}} has security approval" | ||
| || echo "Release {{tag}} does not have security approval - reach out to the Security Team to resolve." |
Contributor
There was a problem hiding this comment.
These steps would run after promotion has happened. We should move them to the cmd that runs the buildkite pipeline
Contributor
Author
There was a problem hiding this comment.
Very true! But that cmd runs locally, so the sec-manager webhook secret won't be available. I've moved them to the runtype.PromoteRelease Buildkite pipeline, though this makes it a little harder to bypass the release approval step in the event something goes wrong.
Comment on lines
+14
to
+29
| // checkSecurityApproval checks whether the specified release has release approval from the Security Team. | ||
| func checkSecurityApproval(c Config) operations.Operation { | ||
| return func(pipeline *bk.Pipeline) { | ||
| pipeline.AddStep("Check security approval", | ||
| bk.Agent("queue", AspectWorkflows.QueueDefault), | ||
| bk.Env("VERSION", c.Version), | ||
| bk.AnnotatedCmd( | ||
| "./tools/release/check_security_approval.sh", | ||
| bk.AnnotatedCmdOpts{ | ||
| Annotations: &bk.AnnotationOpts{ | ||
| Type: bk.AnnotationTypeInfo, | ||
| IncludeNames: false, | ||
| }, | ||
| }, | ||
| ), | ||
| ) |
Check notice
Code scanning / Semgrep OSS
Semgrep Finding: security-semgrep-rules.semgrep-rules.generic.comment-tagging-rule
| curl --location 'https://incoming.sgdev.org/new-image-scan?tag={{tag}}&scanType=release&dev=true' --header 'X-Special-Header: ${SCANNER_TOKEN}' | ||
| set -eu | ||
|
|
||
| curl --location 'https://security-manager.sgdev.org/internal-release-scan?release={{tag}}' --request POST --header "Authorization: Bearer ${SECURITY_SCANNER_TOKEN}" |
Check notice
Code scanning / Semgrep OSS
Semgrep Finding: security-semgrep-rules.semgrep-rules.generic.comment-tagging-rule
37d9b5c to
2a139b9
Compare
Comment on lines
+22
to
+31
| curl --location "https://security-manager.sgdev.org/approve-release?release=${VERSION}" \ | ||
| --header "Authorization: Bearer ${SECURITY_SCANNER_TOKEN}" --fail | ||
| SECURITY_APPROVAL=$? | ||
|
|
||
| if [ "$SECURITY_APPROVAL" -eq 0 ]; then | ||
| echo "Release \`${VERSION}\` has security approval." | tee -a ./annotations/security_approval.md | ||
| else | ||
| echo -e "Release ${VERSION} does **not** have security approval - reach out to the Security Team to resolve.\n" | tee -a ./annotations/security_approval.md | ||
| echo "Run \`@SecBot cve approve-release 5.5.1339\` in [#secbot-commands](https://sourcegraph.slack.com/archives/C07BQJDFCV8) to check the approval status." | tee -a ./annotations/security_approval.md | ||
| exit 1 |
Check notice
Code scanning / Semgrep OSS
Semgrep Finding: security-semgrep-rules.semgrep-rules.generic.comment-tagging-rule
Comment on lines
+22
to
+32
| curl --location "https://security-manager.sgdev.org/approve-release?release=${VERSION}" \ | ||
| --header "Authorization: Bearer ${SECURITY_SCANNER_TOKEN}" --fail | ||
| SECURITY_APPROVAL=$? | ||
|
|
||
| if [ "$SECURITY_APPROVAL" -eq 0 ]; then | ||
| echo "Release \`${VERSION}\` has security approval." | tee -a ./annotations/security_approval.md | ||
| else | ||
| echo -e "Release ${VERSION} does **not** have security approval - reach out to the Security Team to resolve.\n" | tee -a ./annotations/security_approval.md | ||
| echo "Run \`@SecBot cve approve-release 5.5.1339\` in [#secbot-commands](https://sourcegraph.slack.com/archives/C07BQJDFCV8) to check the approval status." | tee -a ./annotations/security_approval.md | ||
| exit 1 | ||
| fi |
Check notice
Code scanning / Semgrep OSS
Semgrep Finding: security-semgrep-rules.semgrep-rules.generic.comment-tagging-rule
Chickensoupwithrice
approved these changes
Jul 23, 2024
Chickensoupwithrice
left a comment
Contributor
There was a problem hiding this comment.
Looks great! 🚀 Excited to take it for a spin tomorrow :)
sourcegraph-release-bot
pushed a commit
that referenced
this pull request
Jul 24, 2024
As part of the [Vuln Scanning Improvements](https://linear.app/sourcegraph/project/[p0]-vulnerability-scanning-improvements-75299c4312dd/issues) project, I've been working on tooling to automate the security approval step of the release process. This PR integrates these improvements into the release pipeline: * Internal releases will run a vulnerability scan * Promote-to-public releases will check for security approval If a public release does not have security approval, it will block the promotion process. The step happens at the start of the pipeline so should be a fast-fail. You can also check for release approval before running promotion by running `@secbot cve approve-release <version>` in the #secbot-commands channel. In an ideal world we (security) will have already gone through and approved ahead of release. I've tested this PR as much as I can without running an actual release! We have a 5.5.x release tomorrow so it'll be a good test. If it does cause problems that can't be easily solved, it can always be temporarily disabled. I've tagged this PR to be backported to `5.5.x`. <!-- PR description tips: https://www.notion.so/sourcegraph/Write-a-good-pull-request-description-610a7fd3e613496eb76f450db5a49b6e --> ## Pre-merge checklist - [x] Revert commit that disables release promotion ## Test plan Manual testing of the release process: - [x] [Successful test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283774#0190dfd6-fa70-4cea-9711-f5b8493c7714) that shows the security scan being triggered - [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283826) that shows the security approval approving a release - [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283817#0190e0ec-0641-4451-b7c7-171e664a3127) that shows the security approval rejecting a release with un-accepted CVEs <!-- REQUIRED; info at https://docs-legacy.sourcegraph.com/dev/background-information/testing_principles --> ## Changelog <!-- OPTIONAL; info at https://www.notion.so/sourcegraph/Writing-a-changelog-entry-dd997f411d524caabf0d8d38a24a878c --> (cherry picked from commit 9dd901f)
4 tasks
willdollman
added a commit
that referenced
this pull request
Jul 24, 2024
…eline (#64030) As part of the [Vuln Scanning Improvements](https://linear.app/sourcegraph/project/[p0]-vulnerability-scanning-improvements-75299c4312dd/issues) project, I've been working on tooling to automate the security approval step of the release process. This PR integrates these improvements into the release pipeline: * Internal releases will run a vulnerability scan * Promote-to-public releases will check for security approval If a public release does not have security approval, it will block the promotion process. The step happens at the start of the pipeline so should be a fast-fail. You can also check for release approval before running promotion by running `@secbot cve approve-release <version>` in the #secbot-commands channel. In an ideal world we (security) will have already gone through and approved ahead of release. I've tested this PR as much as I can without running an actual release! We have a 5.5.x release tomorrow so it'll be a good test. If it does cause problems that can't be easily solved, it can always be temporarily disabled. I've tagged this PR to be backported to `5.5.x`. ## Pre-merge checklist - [x] Revert commit that disables release promotion ## Test plan Manual testing of the release process: - [x] [Successful test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283774#0190dfd6-fa70-4cea-9711-f5b8493c7714) that shows the security scan being triggered - [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283826) that shows the security approval approving a release - [x] [Promote to public test run](https://buildkite.com/sourcegraph/sourcegraph/builds/283817#0190e0ec-0641-4451-b7c7-171e664a3127) that shows the security approval rejecting a release with un-accepted CVEs ## Changelog <br> Backport 9dd901f from #63990 Co-authored-by: Will Dollman <will.dollman@sourcegraph.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
As part of the Vuln Scanning Improvements project, I've been working on tooling to automate the security approval step of the release process.
This PR integrates these improvements into the release pipeline:
If a public release does not have security approval, it will block the promotion process. The step happens at the start of the pipeline so should be a fast-fail. You can also check for release approval before running promotion by running
@secbot cve approve-release <version>in the #secbot-commands channel. In an ideal world we (security) will have already gone through and approved ahead of release.I've tested this PR as much as I can without running an actual release! We have a 5.5.x release tomorrow so it'll be a good test. If it does cause problems that can't be easily solved, it can always be temporarily disabled.
I've tagged this PR to be backported to
5.5.x.Pre-merge checklist
Test plan
Manual testing of the release process:
Changelog