Validating evidence
In the DevSecOps architecture, all evidence that is collected in the CI pipeline must be validated before an asset is deployed, so that the asset meets compliance requirements.
Collecting evidence is an important aspect of the DevSecOps reference architecture. The CI pipeline collects a piece of evidence for every scan or step that it runs on an asset. The Continuous Deployment (CD) pipeline deploys the assets that the CI pipeline produced, and the Continuous Compliance (CC) pipeline scans the assets that the CD pipeline deployed.
You can validate evidence in one of the following ways:
- By using a Security and Compliance Center (SCC) profile.
- By using a configuration file.
Using an SCC profile
Use SCC to embed security checks into your everyday workflows and monitor security and compliance. By monitoring for risks, you can identify security vulnerabilities, work to mitigate their impact, and fix problems. The toolchain must have the SCC integration enabled with Use profile with attachment, based on an SCC profile and version. All controls are validated against the evidence that is collected for every resource in the attachment. The toolchain supports the IBM Cloud® Security Best Practices profile at version 1.0.0 or later, or the IBM Cloud® for Financial Services profile at version 1.2.0 or later. If you need to specify a subset of the controls, create a custom profile from one of these profiles and select the subset of controls; the toolchain is then validated against that custom profile. For more information, see Security and Compliance Center.
Using a configuration file
Validating evidence with a configuration file works as follows:
- Pre-deployment checks validate the evidence that the CI pipeline produced and gate the deployment on those checks. If every check passes, the change request is approved automatically. If any check fails, the change request is not approved automatically and the deployment is blocked. Deployments for emergency change requests are not blocked. The configuration file is part of the change request.
- Post-deployment checks validate the evidence that the CD pipeline produced and evaluate the pipeline against those checks.
- The finish step validates the post-deployment evidence checks and evaluates the CD pipeline. These checks are stored in the evidence locker next to the summary.json file.
Different evidence types may need to be collected for each asset type. Therefore, in the checks that you define for an asset type, the evidence that each tool collects for that asset is as follows:
Enabling evidence validation and evaluation with a configuration file
To enable validation of evidence in a toolchain, set the environment variable opt-in-evidence-checks to 1 in the CD and CC toolchains.
Configuring the configuration file
To define the configuration file path, set evidence-checks-config-path to the path of a file that exists in pipeline-config-repo; otherwise the default configuration file is used. Different deployment environments can have different configuration files. For example, stage can have different evidence checks from production. If evidence-checks-config-path is not defined, pipeline-config-repo is searched for a configuration file named <region>.<target>.validation.json, <target>.validation.json, or validation.json.
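The lookup just described, as an added example (this is not the toolchain's own code). It uses the explicit evidence-checks-config-path when set and otherwise tries the three conventional names in the pipeline-config repo. Treating the page's listing as the precedence order, returning a built-in default when no file is found, and refusing an explicit path that escapes the repo are assumptions made here, not behaviour the page documents.

```python
"""Resolve which evidence-checks configuration file a promotion uses.

Added example, not the toolchain's own code. Assumptions: the page's listing
of file names is the precedence order; a built-in default applies when no
file is found; an explicit path that escapes the repo is rejected.
"""
import json
import tempfile
from pathlib import Path

# Stand-in for the toolchain's built-in default configuration (shape assumed).
BUILTIN_DEFAULT = {"version": "2.0", "pre-deployment": [], "post-deployment": []}


def candidate_names(target, region=None):
    """Conventional file names, most specific first."""
    names = [f"{region}.{target}.validation.json"] if region else []
    return names + [f"{target}.validation.json", "validation.json"]


def config_path_is_inside(repo_dir, explicit_path):
    """Added hardening: evidence-checks-config-path is pipeline input, so a value
    such as ../other-repo/validation.json must not be honoured."""
    repo = Path(repo_dir).resolve()
    candidate = (repo / explicit_path).resolve()
    return repo in candidate.parents


def resolve_config_path(repo_dir, target, region=None, explicit_path=None):
    """Path of the file to load, or None when the built-in default applies."""
    repo = Path(repo_dir).resolve()
    if explicit_path:
        if not config_path_is_inside(repo, explicit_path):
            raise ValueError(f"{explicit_path!r} resolves outside the config repo")
        candidate = (repo / explicit_path).resolve()
        return candidate if candidate.is_file() else None
    for name in candidate_names(target, region):
        path = repo / name
        if path.is_file():
            return path
    return None


def load_config(repo_dir, target, region=None, explicit_path=None):
    path = resolve_config_path(repo_dir, target, region, explicit_path)
    return BUILTIN_DEFAULT if path is None else json.loads(path.read_text())


def make_fixture_repo():
    """Constructed pipeline-config repo with three variants, labelled for the demo."""
    repo = Path(tempfile.mkdtemp(prefix="pipeline-config-repo-"))
    for name, label in [("validation.json", "default"),
                        ("prod.validation.json", "prod"),
                        ("us-south.stage.validation.json", "us-south stage")]:
        body = {"version": "2.0", "label": label,
                "pre-deployment": [], "post-deployment": []}
        (repo / name).write_text(json.dumps(body, indent=2))
    return repo


if __name__ == "__main__":
    repo = make_fixture_repo()
    for target, region in [("prod", "us-south"), ("stage", "us-south"), ("stage", "us-east")]:
        print(target, region, "->", resolve_config_path(repo, target, region).name)
```

With the fixture above, prod in any region picks prod.validation.json, stage in us-south picks the region-specific file, and stage in us-east falls back to validation.json.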
There are two versions of this configuration file:
Configuration file version 2
Evidence collection overview:
During CI, CD, and CC pipeline runs, various pieces of evidence are collected with different tools for different service environments. Put simply, a service environment can be development, production, or the more recently supported pre-production (or stage) environment. The results of this evidence are aggregated to determine the overall application-level compliance of a particular service environment. Users can configure rules that determine how the results are aggregated. With configuration file version 2, users can tune how any particular piece of evidence is evaluated for each service environment. Evidence can be declared as:
- Recommended (default)
- Required
The following diagram shows how evidence aggregation works:
Evidence evaluation and gating
If the required level of application compliance is not reached, the deployment is gated off in the CD pipeline run. Evidence that supports gating:
pre-deployment[evidences list]
post-deployment[evidences list]
Various deployment topologies:
1. Promotion from master to prod
   Figure: Use case 1. Promotion from master to prod
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger
2. Promotion from master to stage, then to prod
   Figure: Use case 2. Promotion from master to stage, then to prod
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger for the stage environment
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger for the prod environment
3. Promotion from master to stage(us-east), then to stage(us-south), then to prod(us-south)
   Figure: Use case 3. Promotion from master to stage(us-east), then to stage(us-south), then to prod(us-south)
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger for the stage(us-east) environment
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger for the stage(us-south) environment
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger for the prod(us-south) environment
4. Promotion from master to stage(us-east), then to stage(us-south), then to prod(us-south)
   Figure: Use case 4. Promotion from master to stage(us-east), then to stage(us-south), then to prod(us-south)
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger for the stage(us-east) environment
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger for the stage(us-east) environment
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger for the stage(us-south) environment
   Figure: Properties of the Manual Promotion Trigger and Manual CD Trigger for the prod(us-south) environment
Result table of the version 2 cocoa locker evidence check:
Pre-deployment (checks that run before the change request is approved automatically)
- Asset type (for example image, commit, or * for any asset)
  - Evidence
    - Evidence type ID (for example com.ibm.static_scan)
      - Required (the evidence must be present in success status)
        - Tool (the type of tool that collected the evidence; for example SonarQube, owasp-zap, or * for any tool)
      - Recommended (if the evidence is missing, pending, or failed, the pipeline logs a warning message)
        - Tool (the type of tool that collected the evidence; for example SonarQube, owasp-zap, or * for any tool)
Post-deployment (checks that are used to evaluate the CD pipeline)
- Asset type (for example image, commit, or * for any asset)
  - Evidence
    - Evidence type ID (for example com.ibm.acceptance_tests)
      - Required (the evidence must be in success status)
        - Tool (the type of tool; for example jest or * for any tool)
      - Recommended (if the evidence is missing, pending, or failed, the pipeline logs a warning message)
        - Tool (the type of tool that collected the evidence; for example SonarQube, owasp-zap, or * for any tool)
When checks are enabled in CD and CC, the configuration file is also used for pipeline evaluation.
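How a version 2 file is applied to a promotion, as an added example that is not the toolchain's own implementation. It walks the pre-deployment entries, applies every rule whose asset type, source environment and target environment match, reports a failed or missing required check as an error and a recommended one as a warning, and then takes the pre-deployment decision described above (automatic approval only when nothing failed, deployment blocked unless the change request is an emergency one). The evidence record shape, the meaning of * as "anything", the "all matching rules apply" interpretation, and treating any non-success status as a failure are assumptions made here; the config and evidence are constructed.

```python
"""Evaluate collected evidence against a version-2 evidence-checks config.

Added example; not the toolchain's own implementation. Assumed here, not
stated on the page: the evidence record shape; that "*" in an asset_type or
tool value matches anything and a rule applies only when the promotion's
source and target environments are both listed; that every applicable rule
is checked, with duplicate findings dropped; and that any status other than
"success" counts as a failure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Evidence:
    evidence_type_id: str
    asset_type: str   # "commit", "image", "generic", ...
    asset: str        # constructed identifier, e.g. commit SHA or image digest
    tool: str
    status: str       # "success", "failure", "pending"


@dataclass(frozen=True)
class Finding:
    level: str        # "error" for a required check, "warning" for a recommended one
    evidence_type_id: str
    asset: str
    message: str


def _rule_applies(rule, asset_type, source_env, target_env):
    if rule["asset_type"] not in ("*", asset_type):
        return False
    sources = {e["name"] for e in rule.get("source_environments", [])}
    targets = {e["name"] for e in rule.get("target_environments", [])}
    return source_env in sources and target_env in targets


def _check(criteria, level, etype, asset, evidence):
    """A criterion is met when evidence of this type exists for the asset,
    from an accepted tool, in success status."""
    out = []
    for criterion in criteria:
        if criterion.get("name") != "tool":   # the page only shows 'tool' criteria
            continue
        accepted = criterion["values"]
        hits = [e for e in evidence
                if e.evidence_type_id == etype and e.asset == asset
                and ("*" in accepted or e.tool in accepted)]
        if not hits:
            out.append(Finding(level, etype, asset, "evidence missing"))
        elif not any(e.status == "success" for e in hits):
            seen = ",".join(sorted({e.status for e in hits}))
            out.append(Finding(level, etype, asset, f"evidence status {seen}"))
    return out


def evaluate(config, phase, assets, evidence, source_env, target_env):
    """assets maps asset id -> asset type. Returns de-duplicated findings in config order."""
    findings = []
    for entry in config.get(phase, []):
        etype = entry["evidence_type_id"]
        for rule in entry["rules"]:
            for asset, asset_type in assets.items():
                if not _rule_applies(rule, asset_type, source_env, target_env):
                    continue
                findings += _check(rule.get("required", []), "error", etype, asset, evidence)
                findings += _check(rule.get("recommended", []), "warning", etype, asset, evidence)
    return list(dict.fromkeys(findings))


def gate(findings, emergency=False):
    """Pre-deployment decision: a failed required check withholds automatic approval
    and blocks the deployment, except for an emergency change request."""
    blocked = any(f.level == "error" for f in findings)
    return {"deploy": emergency or not blocked, "auto_approve": not blocked}


def _rule(asset_type, targets, required=(), recommended=()):
    """Builds one rule for the constructed config below (source is always master)."""
    return {"asset_type": asset_type,
            "source_environments": [{"name": "master"}],
            "target_environments": [{"name": t} for t in targets],
            "required": [{"name": "tool", "values": list(required)}] if required else [],
            "recommended": [{"name": "tool", "values": list(recommended)}] if recommended else []}


# Constructed config: trimmed version-2 file; image scanning is enforced only for stage.
SAMPLE_CONFIG = {"version": "2.0", "pre-deployment": [
    {"evidence_type_id": "com.ibm.static_scan",
     "rules": [_rule("commit", ["stage", "prod"], required=["sonarqube", "gosec"])]},
    {"evidence_type_id": "com.ibm.unit_tests",
     "rules": [_rule("commit", ["stage", "prod"], required=["*"])]},
    {"evidence_type_id": "com.ibm.detect_secrets",
     "rules": [_rule("commit", ["stage", "prod"], recommended=["*"])]},
    {"evidence_type_id": "com.ibm.cloud.image_vulnerability_scan",
     "rules": [_rule("image", ["stage"], required=["*"])]},
]}

COMMIT, IMAGE = "commit:3f9a1c7", "image:icr.io/ns/app@sha256:0c1d"
SAMPLE_ASSETS = {COMMIT: "commit", IMAGE: "image"}

# Constructed evidence: unit tests failed and no detect-secrets run was recorded.
SAMPLE_EVIDENCE = [
    Evidence("com.ibm.static_scan", "commit", COMMIT, "sonarqube", "success"),
    Evidence("com.ibm.unit_tests", "commit", COMMIT, "jest", "failure"),
    Evidence("com.ibm.cloud.image_vulnerability_scan", "image", IMAGE, "va", "success"),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_CONFIG, "pre-deployment", SAMPLE_ASSETS, SAMPLE_EVIDENCE, "master", "prod")
    for f in found:
        print(f"{f.level:7} {f.evidence_type_id} {f.asset}: {f.message}")
    print("normal:", gate(found), "emergency:", gate(found, emergency=True))
```

Promoting master to prod with this data yields one error (unit tests failed, a required check) and one warning (no detect-secrets evidence, a recommended check); the deployment is blocked and the change request is not auto-approved unless it is an emergency one. The image vulnerability rule lists only stage as a target, so it is not evaluated for prod.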
Sample configuration file version 2
{
"version": "2.0",
"pre-deployment": [
{
"evidence_type_id": "com.ibm.prod_change_request",
"rules": [
{
"asset_type": "image",
"source_environments": [
{
"name": "stage"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "stage"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.acceptance_tests",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "master"
},
{
"name": "stage"
},
{
"name": "prod"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "image",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.branch_protection",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.cloud.slsa",
"rules": [
{
"asset_type": "image",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.dynamic_scan",
"rules": [
{
"asset_type": "image",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.cloud.verify_signature",
"rules": [
{
"asset_type": "image",
"source_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.cloud.image_vulnerability_scan",
"rules": [
{
"asset_type": "image",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.peer_review",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.unit_tests",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.static_scan",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.detect_secrets",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.code_vulnerability_scan",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.code_cis_check",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.code_bom_check",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.network_compliance",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.pipeline_run_data",
"rules": [
{
"asset_type": "generic",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.pipeline_logs",
"rules": [
{
"asset_type": "generic",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.code-branch-protection",
"rules": [
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.cloud.image_signing",
"rules": [
{
"asset_type": "*",
"source_environments": [
{
"name": "master"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
}
],
"post-deployment": [
{
"evidence_type_id": "com.ibm.prod_change_request",
"rules": [
{
"asset_type": "image",
"source_environments": [
{
"name": "stage"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "stage"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.acceptance_tests",
"rules": [
{
"asset_type": "commit",
"source_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "image",
"source_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
},
{
"asset_type": "*",
"source_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.pipeline_run_data",
"rules": [
{
"asset_type": "generic",
"source_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
},
{
"evidence_type_id": "com.ibm.pipeline_logs",
"rules": [
{
"asset_type": "generic",
"source_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"target_environments": [
{
"name": "stage"
},
{
"name": "prod"
}
],
"required": [],
"recommended": [
{
"name": "tool",
"values": [
"*"
],
"description": "The tool that collected the evidence"
}
]
}
]
}
]
}
Configuration file version 1
Pre-deployment (checks that run before the change request is approved automatically)
- Asset type (for example image, commit, or * for any asset)
  - Evidence
    - Evidence type ID (for example com.ibm.static_scan)
      - Required (the evidence must be present in success status)
        - Tool (the type of tool that collected the evidence; for example SonarQube, owasp-zap, or * for any tool)
      - Optional (if the evidence is present, it must be in success status)
        - Tool (the type of tool that collected the evidence; for example SonarQube, owasp-zap, or * for any tool)
      - Ignore (the evidence is not validated)
Post-deployment (checks that are used to evaluate the CD pipeline)
- Asset type (for example image, commit, or * for any asset)
  - Evidence
    - Evidence type ID (for example com.ibm.acceptance_tests)
      - Required (the evidence must be in success status)
        - Tool (the type of tool; for example jest or * for any tool)
      - Optional (if the evidence is present, it must be in success status)
        - Tool (the type of tool; for example servicenow-v3 or * for any tool)
      - Ignore (the evidence is not validated)
When checks are enabled in CD and CC, the configuration file is also used for pipeline evaluation.
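The version 1 semantics differ from version 2 in the optional and ignore categories: optional evidence may be absent, but if it is present it must have succeeded, and ignored evidence is not validated at all. The following added example (not the toolchain's own code) applies a constructed version 1 file to constructed evidence to show those three outcomes side by side. The evidence record shape, * meaning "any tool", ignore taking precedence over the other categories for the tools it names, and applying every asset_type group that matches are assumptions made here.

```python
"""Evaluate evidence against a version-1 evidence-checks config, whose rules are
required / optional / ignore rather than required / recommended.

Added example; not the toolchain's own code. Assumed here: the evidence record
shape; "*" matches any tool or asset type; a tool matched by an ignore entry is
not validated at all; optional evidence passes when absent but must be in
success status when present; every matching asset_type group is applied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EvidenceV1:
    evidence_type_id: str
    asset_type: str
    asset: str
    tool: str
    status: str


def _ignored(tool, ignore_entries):
    return any(entry["tool"] in ("*", tool) for entry in ignore_entries)


def _hits(present, crit_tool):
    return [e for e in present if crit_tool in ("*", e.tool)]


def _evaluate_spec(spec, asset, evidence):
    """Error messages for one evidence_type_id on one asset."""
    etype, rules = spec["evidence_type_id"], spec["rules"]
    ignore = rules.get("ignore", [])
    present = [e for e in evidence
               if e.evidence_type_id == etype and e.asset == asset
               and not _ignored(e.tool, ignore)]
    errors = []
    for crit in rules.get("required", []):
        if _ignored(crit["tool"], ignore):      # ignore wins over required
            continue
        hits = _hits(present, crit["tool"])
        if not hits:
            errors.append(f"{etype} on {asset}: required evidence missing")
        elif not any(e.status == "success" for e in hits):
            errors.append(f"{etype} on {asset}: required evidence not successful")
    for crit in rules.get("optional", []):
        hits = _hits(present, crit["tool"])      # absent optional evidence passes
        if hits and not any(e.status == "success" for e in hits):
            errors.append(f"{etype} on {asset}: optional evidence present but not successful")
    return errors


def evaluate_v1(config, phase, assets, evidence):
    """assets maps asset id -> asset type. Returns de-duplicated errors in config order."""
    errors = []
    for group in config.get(phase, []):
        for asset, asset_type in assets.items():
            if group["asset_type"] not in ("*", asset_type):
                continue
            for spec in group["evidences"]:
                errors += _evaluate_spec(spec, asset, evidence)
    return list(dict.fromkeys(errors))


def _spec(etype, required=(), optional=(), ignore=()):
    """Builds one evidence entry in the version-1 shape for the constructed config."""
    return {"evidence_type_id": etype, "rules": {
        "required": [{"tool": t} for t in required],
        "optional": [{"tool": t} for t in optional],
        "ignore": [{"tool": t} for t in ignore]}}


# Constructed version-1 config.
SAMPLE_V1_CONFIG = {"pre-deployment": [
    {"asset_type": "commit", "evidences": [
        _spec("com.ibm.static_scan", required=["sonarqube"]),
        _spec("com.ibm.detect_secrets", optional=["*"]),
        _spec("com.ibm.unit_tests", optional=["*"]),
        _spec("com.ibm.peer_review", ignore=["*"]),
    ]},
    {"asset_type": "image", "evidences": [
        _spec("com.ibm.cloud.image_vulnerability_scan", required=["va"], optional=["sysdig"]),
    ]},
]}

COMMIT, IMAGE = "commit:3f9a1c7", "image:icr.io/ns/app@sha256:0c1d"
SAMPLE_V1_ASSETS = {COMMIT: "commit", IMAGE: "image"}

# Constructed evidence: no unit-test record (optional, so it passes), a failed
# secrets scan (optional but present, so an error), a failed peer review (ignored),
# and a pending sysdig scan beside a successful va scan (optional, so an error).
SAMPLE_V1_EVIDENCE = [
    EvidenceV1("com.ibm.static_scan", "commit", COMMIT, "sonarqube", "success"),
    EvidenceV1("com.ibm.detect_secrets", "commit", COMMIT, "detect-secrets", "failure"),
    EvidenceV1("com.ibm.peer_review", "commit", COMMIT, "peer-review", "failure"),
    EvidenceV1("com.ibm.cloud.image_vulnerability_scan", "image", IMAGE, "va", "success"),
    EvidenceV1("com.ibm.cloud.image_vulnerability_scan", "image", IMAGE, "sysdig", "pending"),
]

if __name__ == "__main__":
    for err in evaluate_v1(SAMPLE_V1_CONFIG, "pre-deployment", SAMPLE_V1_ASSETS, SAMPLE_V1_EVIDENCE):
        print(err)
```

Note that a required entry naming a specific tool (sonarqube above) is not satisfied by a successful scan from another tool; that is the difference between listing a tool and listing *.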
Sample configuration file version 1
{
"pre-deployment": [
{
"asset_type": "commit",
"evidences": [
{
"evidence_type_id": "com.ibm.branch_protection",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.peer_review",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.unit_tests",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.static_scan",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.detect_secrets",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.code_vulnerability_scan",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.code_cis_check",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.code_bom_check",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.acceptance_tests",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
}
]
},
{
"asset_type": "image",
"evidences": [
{
"evidence_type_id": "com.ibm.cloud.slsa",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.cloud.image_signing",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.cloud.image_vulnerability_scan",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.dynamic_scan",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.cloud.verify_signature",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
}
]
},
{
"asset_type": "generic",
"evidences": [
{
"evidence_type_id": "com.ibm.pipeline_run_data",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.pipeline_logs",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
}
]
},
{
"asset_type": "*",
"evidences": [
{
"evidence_type_id": "com.ibm.code-branch-protection",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.peer_review",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.unit_tests",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.static_scan",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.detect_secrets",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.code_vulnerability_scan",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.code_cis_check",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.code_bom_check",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.cloud.image_signing",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.acceptance_tests",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.cloud.image_vulnerability_scan",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.dynamic_scan",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.cloud.verify_signature",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
}
]
}
],
"post-deployment": [
{
"asset_type": "image",
"evidences": [
{
"evidence_type_id": "com.ibm.prod_change_request",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.acceptance_tests",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
}
]
},
{
"asset_type": "generic",
"evidences": [
{
"evidence_type_id": "com.ibm.pipeline_run_data",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.pipeline_logs",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
}
]
},
{
"asset_type": "commit",
"evidences": [
{
"evidence_type_id": "com.ibm.acceptance_tests",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
}
]
},
{
"asset_type": "*",
"evidences": [
{
"evidence_type_id": "com.ibm.prod_change_request",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
},
{
"evidence_type_id": "com.ibm.acceptance_tests",
"rules": {
"required": [],
"optional": [
{
"tool": "*"
}
],
"ignore": []
}
}
]
}
]
}
Default tool values for the stages in DevSecOps

| Evidence type ID | Default supported tools |
|---|---|
| com.ibm.branch_protection | cocoa-branch-protection |
| com.ibm.unit_tests | jest |
| com.ibm.detect_secrets | detect-secrets |
| com.ibm.code_vulnerability_scan | For applications: cra-tf, cra, mend. For infrastructure as code: tfsec, checkov |
| com.ibm.code_bom_check | cra-bom, sbom-utility |
| com.ibm.code_cis_check | cra-cis |
| com.ibm.peer_review | peer-review |
| com.ibm.static_scan | For applications: sonarqube, gosec. For infrastructure as code: terraform-fmt, terraform-validate, and tflint |
| com.ibm.cloud.image_signing | artifact-signing |
| com.ibm.acceptance_tests | jest |
| com.ibm.dynamic_scan | owasp-zap, owasp-zap-ui |
| com.ibm.cloud.image_vulnerability_scan | va, sysdig, xray |
| com.ibm.prod_change_request | gitlab, |
| com.ibm.close_change_request | gitlab |
| com.ibm.cloud.slsa | tekton-chains |