author: lhinds <lhinds@redhat.com> 2017-07-05 15:19:29 +0100
committer: lhinds <lhinds@redhat.com> 2017-07-05 15:21:05 +0100
commit: 5e0e1b8fcc200c0a72e08feb65ba2a6c65d978d9 (patch)
parent: 9af99d2cc199d6095a4512c4d6a80e38fc1e763e (diff)
Readme window dressing
This is mainly to provide some information to users landing on the github mirror of releng-anteater

Change-Id: I7ef27dd2b313e9ff0e7e103d547d07252235f128
Signed-off-by: lhinds <lhinds@redhat.com>
1 files changed, 33 insertions, 6 deletions
diff --git a/README.md b/README.md
index 0df3e5c..2cbfe5b 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
+# Anteater
CI Gate Security for Gerrit
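Review bot: the hunk header says six lines before and six after (-1,6 +1,6), but the hunk as rendered shows only the added "# Anteater" line and one context line, so whatever line was dropped to keep the counts equal is not visible here and cannot be reviewed; please confirm the full hunk in the Gerrit change. On the visible part, "CI Gate Security for Gerrit" now follows the new heading directly as bare text; a blank line after the heading and a short sentence such as "CI gate security checks for Gerrit code review." would read better as a description than the bare tagline.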
@@ -8,8 +8,35 @@ CI Gate Security for Gerrit
-Searches repositories for compiled binaries, private keys, passwords and senstive strings
+Anteater performs scanning of any commited patches sent to a gerrit code review
+site. Each time a patch is pushed to a repository, jenkins instantiates
+anteater, who then performs a series of security checks to each file proposed
+in a patch.
+Checks consist of verification that no binary / blobs are present. If they are,
+they are immediately voted as '-1' (do not merge), until a review has occurred
+to insure the binary is safe and its origins are known. Once agreed as safe, a
+sha256 checksum is entered into anteaters 'exception' list to insure it is not
+maliciously replaced at any given time in the future.
+Checks are made to insure the file are not of a sensitive nature, for example
+cryptographic keys or application configuration files known to contain
+sensitive details, are all blocked from merge.
+Finally a deep scan is performed to look for suspect patterns, such as scripts
+pulling in file / objects from untrusted sites, or various patterns such as
+shell executions.
+Anteater uses an open framework to allow users to add new additions easily,
+without having to touch any code.
-Provides exception / waiver lists to whitelist files, data.
+Anteater was developed to address concerns of recent high profile attacks that
+have occurred against CI environments, where hackers have backdoor'ed build /
+DevOps systems by various means (such as stealing a users ssh key and self
+approving patches). By having automated non-human checks in place, it adds an
+extra layer of security review with the ability to block a patch merge at gate.
-Provides option to add own file types for white / blacklisting
+The project is mainly used in the Linux Foundations OPNFV platform, which has
+over 40 repositories that need monitoring. Plans are in place to port it to the
+github API where it can operate as a review bot as part of a github hosted
+project. \ No newline at end of file
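Review bot: the two removed bullets ("Provides exception / waiver lists to whitelist files, data." and "Provides option to add own file types for white / blacklisting") describe features the new prose no longer documents: the rewrite only mentions a sha256 'exception' list for binaries and an unspecified "open framework", so a reader loses that file paths and data strings can be waived and that file types can be added to the white / blacklists. Keep one sentence on the waiver lists and the configurable file types alongside the binary checksum paragraph. Spelling and grammar in the added lines: "commited" should be "committed"; "insure" (three occurrences) should be "ensure"; "anteaters 'exception' list" should be "anteater's"; "who then performs" should be "which then performs"; "the file are not of a sensitive nature" should be "the files are not"; "backdoor'ed" should be "backdoored"; "Linux Foundations OPNFV platform" should be "Linux Foundation's". Finally the file ends with "\ No newline at end of file"; add the trailing newline after "project." so the next diff to this README is clean.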