| author | lhinds <lhinds@redhat.com> | 2017-07-05 15:19:29 +0100 |
|---|---|---|
| committer | lhinds <lhinds@redhat.com> | 2017-07-05 15:21:05 +0100 |
| commit | 5e0e1b8fcc200c0a72e08feb65ba2a6c65d978d9 (patch) | |
| tree | 5b5f43b33184e27f77b002b16d4f2482b12cfca3 /README.md | |
| parent | 9af99d2cc199d6095a4512c4d6a80e38fc1e763e (diff) | |
Readme window dressing
This is mainly to provide some information to users landing
on the github mirror of releng-anteater
Change-Id: I7ef27dd2b313e9ff0e7e103d547d07252235f128
Signed-off-by: lhinds <lhinds@redhat.com>
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 39 |
1 files changed, 33 insertions, 6 deletions
@@ -1,6 +1,6 @@ -======== -Anteater -======== +# Anteater + +![anteater](http://i.imgur.com/BPvV3Gz.png) CI Gate Security for Gerrit --------------------------- 
@@ -8,8 +8,35 @@ CI Gate Security for Gerrit Description ----------- -Searches repositories for compiled binaries, private keys, passwords and senstive strings +Anteater performs scanning of any commited patches sent to a gerrit code review +site. Each time a patch is pushed to a repository, jenkins instantiates +anteater, who then performs a series of security checks to each file proposed +in a patch. + +Checks consist of verification that no binary / blobs are present. If they are, +they are immediately voted as '-1' (do not merge), until a review has occurred +to insure the binary is safe and its origins are known. Once agreed as safe, a +sha256 checksum is entered into anteaters 'exception' list to insure it is not +maliciously replaced at any given time in the future. + +Checks are made to insure the file are not of a sensitive nature, for example +cryptographic keys or application configuration files known to contain +sensitive details, are all blocked from merge. + +Finally a deep scan is performed to look for suspect patterns, such as scripts +pulling in file / objects from untrusted sites, or various patterns such as +shell executions. + +Anteater uses an open framework to allow users to add new additions easily, +without having to touch any code. -Provides exception / waiver lists to whitelist files, data. +Anteater was developed to address concerns of recent high profile attacks that +have occurred against CI environments, where hackers have backdoor'ed build / +DevOps systems by various means (such as stealing a users ssh key and self +approving patches). By having automated non-human checks in place, it adds an +extra layer of security review with the ability to block a patch merge at gate. -Provides option to add own file types for white / blacklisting +The project is mainly used in the Linux Foundations OPNFV platform, which has +over 40 repositories that need monitoring. 
Plans are in place to port it to the +github API where it can operate as a review bot as part of a github hosted +project.
\ No newline at end of file |
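Review bot: In the first hunk (README.md lines 1-6), the new banner image is hotlinked from an external host over plain `http://` (`![anteater](http://i.imgur.com/BPvV3Gz.png)`). For the front page of a CI security gate project, an unauthenticated, externally hosted image is a weak spot: it renders as mixed content on an https mirror and its contents can change without any commit to this repository. Suggest committing the image under the repository (for example a `docs/` or `images/` path) and referencing it relatively, or at minimum switching the URL to `https://`.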
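Review bot: The second hunk (README.md lines 8-35) removes the two lines that documented the exception / waiver lists and the user-supplied file-type white / blacklists, but the replacement text only mentions the `'exception'` list in passing, so a reader no longer learns how to configure the tool. Suggest keeping a short usage or configuration section that states where the exception list and pattern lists live and that a waiver is keyed to the sha256 of the exact file content (the text's own rationale for why a waived binary cannot later be swapped). The prose also needs a spelling and grammar pass before it lands on the public mirror: `commited` -> `committed`, `insure` -> `ensure` (three occurrences), `anteaters 'exception' list` -> `anteater's 'exception' list`, `backdoor'ed` -> `backdoored`, `Linux Foundations OPNFV platform` -> `Linux Foundation's OPNFV platform`, and the sentence `Checks are made to insure the file are not of a sensitive nature, for example cryptographic keys or application configuration files known to contain sensitive details, are all blocked from merge.` should read along the lines of `Checks are also made to ensure files are not of a sensitive nature; for example, cryptographic keys and application configuration files known to contain sensitive details are blocked from merge.` Finally, the file is left without a trailing newline (`\ No newline at end of file`), which will show up as noise in the next diff; please add one.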