OPA (Open Policy Agent)
checkov
OPA (Open Policy Agent) | checkov | |
---|---|---|
97 | 56 | |
9,610 | 7,035 | |
1.3% | 2.9% | |
9.6 | 9.9 | |
2 days ago | 6 days ago | |
Go | Python | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
OPA (Open Policy Agent)
-
Kubernetes Multi-Cloud Multi-Cluster Strategy Overview
Going multicloud and multi-cluster can make it harder to maintain continual oversight of your security posture. Different clouds and cluster distributions may have their own security defaults and policy engines, so you need a mechanism that permits you to centrally roll out new configurations and compliance controls. Standardizing on a well-supported policy model such as Open Policy Agent (OPA) will make it easier to apply consistent settings to all your environments.
-
5 Use Cases for Using Open Policy Agent
Open Policy Agent is an open-source policy engine recently graduated by the Cloud Native Computing Foundation (CNCF). Developed by the community and maintained by Styra, the OPA project aims to offer a unified framework to define, manage, and enforce policies through policies-as-code (PaC) across the technology stack layers of cloud-native applications.
-
Opa Gatekeeper: How To Write Policies For Kubernetes Clusters
Open Policy Agent (OPA) helps us write policy as code using Rego, a declarative language designed specifically for this reason.
-
Fastly and the Linux kernel
The open source projects Fastly uses and the foundations we partner with are vital to Fastly’s mission and success. Here's an unscientific list of projects and organizations supported by the Linux Foundation that we use and love include: The Linux Kernel, Kubernetes, containerd, eBPF, Falco, OpenAPI Initiative, ESLint, Express, Fastify, Lodash, Mocha, Node.js, Prometheus, Jenkins, OpenTelemetry, Envoy, etcd, Helm, osquery, Harbor, sigstore, cert-manager, Cilium, Fluentd, Keycloak, Open Policy Agent, Coalition for Content Provenance and Authority (C2PA), Flux, gRPC, Strimzi, Thanos, Linkerd, Let’s Encrypt, WebAssembly. And the list goes on!
-
My Journey in Authorization with OPAL
OPA - https://www.openpolicyagent.org/
-
Clusters Are Cattle Until You Deploy Ingress
Bart: Our numerous podcast discussions with seasoned professionals show that GitOps has been a recurring theme in about 90% of our conversations. Almost every guest we've interviewed has emphasized its importance, often mentioning it as their primary tool alongside other essentials like cert manager, Kyverno, or OPA, depending on their preferences.
-
The API database architecture – Stop writing HTTP-GET endpoints
Yeah, I fully agree. The tooling for putting that much logic into the database is just not great. I've been decently happy with Sqitch[0] for DB change management, but even with that you don't really get a good basis for testing some of the logic you could otherwise test in isolation in app code.
I've also tried to rely heavily on the database handling security and authorization, but as soon as you start to do somewhat non-trivial attribute-/relationship-based authorization (as you would find in many products nowadays), it really isn't fun anymore, and you spend a lot of the time you saved on manually building backend routes on trying to fit you authz model into those basic primitives (and avoiding performance bottlenecks). Especially compares to other modern authz solutions like OPA[1] or oso[2] it really doesn't stack up.
[0]: https://github.com/sqitchers/sqitch
[1]: https://www.openpolicyagent.org
[2]: https://www.osohq.com
-
SAP BTP, Terraform and Open Policy Agent
How can we handle this? Are there any mechanisms to prevent or at least to some extent safeguard this kind of issues without falling back to a manual workflow? There is. One huge advantage of sticking to (de-facto) standards like Terraform is that first we are probably not the first ones to come up with this question and second there is a huge ecosystem around Terraform that might help us with such challenges. And for this specific scenario the solution is the Open Policy Agent. Let us take a closer look how the solution could look like.
-
Top Terraform Tools to Know in 2024
A popular Policy-as-Code tool for Terraform is OPA, everyone's favorite versatile open-source policy engine that enforces security and compliance policies across your cloud-native stack, making it easier to manage and maintain consistent policy enforcement in complex, multi-service environments.
- Open Policy Agent
checkov
-
Automating Snowflake Resource Deployment using Terraform and GitHub Actions
The workflow also includes a step for infrastructure code scan to scan Terraform code. This uses Checkov action against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
-
Cloud Security and Resilience: DevSecOps Tools and Practices
1. Checkov: https://github.com/bridgecrewio/checkov Checkov is a static code analysis tool that helps developers prevent cloud misconfigurations during the development phase by scanning Terraform, CloudFormation, Kubernetes, and more.
-
A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons
Checkov Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021) Age: First released on GitHub on March 31st, 2021 License: Apache License 2.0
-
Top Terraform Tools to Know in 2024
Checkov is another great tool that examines your Terraform files (.tf), parsing the configurations and evaluating them against a comprehensive set of predefined policies. It scans Terraform-managed infrastructure and detects misconfigurations that could lead to security issues or non-compliance with best practices and regulations.
-
A list of SaaS, PaaS and IaaS offerings that have free tiers of interest to devops and infradev
Bridgecrew — Infrastructure as code (IaC) security powered by the open source tool - Checkov. The core Bridgecrew platform is free for up to 50 IaC resources.
-
10 Ways for Kubernetes Declarative Configuration Management
Kustomize: It provides a solution to customize the Kubernetes resource base configuration and differential configuration without template and DSL. It does not solve the constraint problem itself, but needs to cooperate with a large number of additional tools to check constraints, such as Kube-linter, Checkov and kubescape.
-
Top 10 terraform tools you should know about.
Checkov is a versatile static code analysis tool designed for infrastructure as code (IaC) and software composition analysis (SCA). It supports a wide range of technologies, including Terraform, CloudFormation, Kubernetes, Docker, and others, to detect security and compliance issues through graph-based scanning. Checkov also performs SCA scans, identifying vulnerabilities in open source packages and images by checking for Common Vulnerabilities and Exposures (CVEs). Additionally, it is integrated into Prisma Cloud Application Security, a platform that helps developers secure cloud resources and infrastructure-as-code files, enabling the identification, rectification, and prevention of misconfigurations throughout the development lifecycle.
-
Understanding Container Security
For your Dockerfiles, you can also scan them. There are lots of tools that can check your Dockerfiles. They will validate if Dockerfile is compliant with Docker best practices such as not using root user, making sure a health check exists, and not exposing the SSH port. You can use Snyk and Checkov.
-
Apim + function app & event grid
You could try https://www.checkov.io/
-
Terraform Security Best Practices
We use https://www.checkov.io/ for this, it's very simple to get started with and works really well as PR quality gate
What are some alternatives?
casbin - An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Keycloak - Open Source Identity and Access Management For Modern Applications and Services
tfsec - Security scanner for your Terraform code [Moved to: https://github.com/aquasecurity/tfsec]
Ory Keto - The most scalable and customizable permission server on the market. Fix your slow or broken permission system with Google's proven "Zanzibar" approach. Supports ACL, RBAC, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
tflint - A Pluggable Terraform Linter
cerbos - Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.
terrascan - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
spicedb - Open Source, Google Zanzibar-inspired database for scalably storing and querying fine-grained authorization data
kics - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
oso - Deprecated: See README
cfn_nag - Linting tool for CloudFormation templates