Comment on page
Deployment Firewall
OpsMx Deployment firewall is a feature to enforce application security at the point of deployment, across all environments such as staging and production. The firewall adds a gating mechanism to your existing CI/CD tools to ensure compliance and prevent any vulnerabilities from breaching the application.
The deployment firewall can be seamlessly integrated with the Continuous Deployment (CD) system or installed directly within the Kubernetes cluster. When a deployment occurs, the firewall is automatically triggered. It leverages Secure Software Delivery intelligence to analyze data collected throughout the development cycle. The firewall then evaluates this data against predefined rules. Based on this evaluation and any detected vulnerabilities or alerts, the firewall either allows or denies the deployment, effectively preventing insecure code from merging into production. This robust approach ensures that your application remains secure and resilient.
The deployment firewall rules can be predefined based on your need and how you want them to be enforced for the deployments. Some of the rules that can be defined are mandatory code scanning, no critical CVEs, approved change request ticket, or security review. The deployment firewall when triggered runs in the background to automatically verify at the time of deployment that the defined rules have been followed. The deployment of application releases that are out of compliance is blocked.
The following table lists examples of few deployment firewalls rules along with their description and severity level:
Category | Rule | Description | Severity |
GIT | Branch Protection policy | Repositories should have branch protection enabled requiring all code | Critical |
Build Server | Use tokens with minimum permissions in workflows. | Use minimal-permission tokens in workflows to prevent unauthorized access. GitHub Workflows use temporary tokens that can be stolen by attackers and used to access the repository and bypass restrictions such as requiring a reviewer. Reducing the permissions of the workflow would limit the actions of a potential attacker. | High |
Container Security | Avoid critical security issues in containers. | Critical Container Security issues should not be present based on the container security scan | Critical |
Artifact Integrity | Cloud Artifact should match the artifact in the artifact repo by hash. | An image running in your cloud that does not match an artifact in your repo may signal a cloud account compromise. Someone may be running an unauthorized app in your cloud, such as a crypto miner. | Critical |
Cloud Security | Use the latest image for cloud services | A service running in your cloud should always have the latest version available in the registry. | Medium |