diff --git a/README.md b/README.md
index 4e0e0dc..d5a2cff 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# CI/CD Security by AccuKnox
+# Monitor & Audit CI/CD pipelines
![](./assets/ak-logo-light-back.png)
@@ -21,6 +21,12 @@ assessment, monitoring, and protection capabilities, it enables you to:
- Gain real-time visibility into your pipeline's security posture
- Streamline the integration of security practices into your DevOps workflow
+Ensure application best practices by:
+
+- Applying app hardening policies and checking whether it deviates during GH workflow execution.
+- Identifying if there are any unknown processes spawning during CI/CD workflow execution.
+- Identifying if any unwanted network connections are started in the pipeline.
+
In today's fast-paced software development landscape, where operational efficiency
is paramount, the CI/CD Scan by AccuKnox empowers DevSecOps teams to deploy with confidence.
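Review bot: "checking whether it deviates" in the first new bullet has no clear subject; say what deviates, e.g. "Applying app hardening policies and checking whether the application deviates from them during GH workflow execution." Also, `+Ensure application best practices by:` follows the previous bullet list with no blank line, so markdown will treat it as a lazy continuation of the "Streamline the integration..." item; add a blank line before it so it renders as its own paragraph.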
@@ -32,7 +38,7 @@ for enforcing the security policies either in block or audit mode.
To learn more about KubeArmor please visit, https://kubearmor.io/
-We install KubeArmor in systemd mode in the GitHub runner and that lets us watch over
+This action installs KubeArmor in systemd mode in the GitHub runner and watches over
the events and enforce security policies safely.
## Features
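Review bot: the rewritten sentence now reads "watches over the events and enforce security policies safely"; with "This action" as the subject, the unchanged continuation line needs "enforces", and "the events" is vague in the new wording, so suggest "watches over runner events and enforces security policies safely."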
@@ -67,20 +73,34 @@ Here is an example of a security policy
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
- name: hsp-kubearmor-dev-proc-path-block
+ name: hsp-create-account-create-local-account
spec:
nodeSelector:
matchLabels:
- kubearmor.io/hostname: "*" # Apply to all hosts
+ kubearmor.io/hostname: "*" # this is typically replaced by the hostname of your system
+ message: Notification! User and password added/modified
+ file:
+ action: Audit
+ matchPaths:
+ - path: /etc/passwd
+ - path: /etc/shadow
+ severity: 3
process:
+ action: Audit
matchPaths:
- - path: /usr/bin/sleep # try sleep 1
- action:
- Block
+ - path: /bin/useradd
+ - path: /bin/adduser
+ severity: 3
+ tags:
+ - MITRE
+ - T1136.001
```
-Please make sure that in `kind` field you set `KubeArmorHostPolicy`.
-The above policy will block the `sleep` call. To read more about how KubeArmorHost
+As it can be seen in the above policy has Audit action defined for `file` and `process`
+events, any accesses made to the given paths under the `matchPaths` field would generate
+an 'Audit' alert from the system that you will be able to see in the report generated by this action.
+
+Please make sure that in `kind` field you set `KubeArmorHostPolicy`. To read more about how KubeArmorHost
policies are written and designed please take a look at this: [KubeArmor policy spec for nodes/VMs](https://docs.kubearmor.io/kubearmor/documentation/host_security_policy_specification)
### 3) Process tree and behaviour
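Review bot: the `process` rule paths `/bin/useradd` and `/bin/adduser` should be verified against the runner image; on Debian/Ubuntu-based images these binaries live under `/usr/sbin`, so as written the audit rule would not fire for the account-creation case the policy is named for. The explanatory sentence "As it can be seen in the above policy has Audit action defined for `file` and `process` events, any accesses made to the given paths ... would generate an 'Audit' alert" is ungrammatical; suggest "As can be seen above, the policy sets the Audit action for `file` and `process` events, so any access to the paths listed under `matchPaths` generates an Audit alert that appears in the report produced by this action."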
@@ -102,14 +122,14 @@ protocol, process making the network call and the name of the process itself.
For example:
![](./network_example_1.png)
-We will also support standard network policies in the coming realeases.
+Support for network policies in coming releases.
## Usage
The usage is as simple as Plug-and-Play, you only have to include the following
lines in your GitHub workflow and you are all set to go.
```yaml
-- name: AccuKnox CI/CD scan
+- name: AccuKnox CI/CD Monitor
uses: accuknox/report-action@v0
```
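Review bot: "Support for network policies in coming releases." is a sentence fragment; suggest "Support for standard network policies is planned for upcoming releases." so the "standard" qualifier from the original line is not lost.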
@@ -125,7 +145,7 @@ currently provide the following options
| ----------------- | ------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
| All | True | `bool` | No | All will lets system collect all the logs from KubeArmor which in turn collects all the events taking place in the runner | `all: false` |
| System | False | `bool` | No | This will only collect system events that includes network and process events | `system: false` |
-| KubeArmor version | Latest | `string` | No | You can set the specific [release](https://github.com/kubearmor/KubeArmor/releases) version of KubeArmor | `kubearmor_version: '1.3.8'` |
+| KubeArmor version | Latest | `string` | No | You can set the specific [release version](https://github.com/kubearmor/KubeArmor/releases) of KubeArmor | `kubearmor_version: '1.3.8'` |
| Knoxctl version | Latest | `string` | No | This lets you set a specific [release version](https://github.com/accuknox/knoxctl-website/releases) for knoxctl (knoxctl is the tool that parses and scans the CI/CD environment) | `knoxctl_version: '0.5.1'` |
| Policy Action | Audit | `string` | No | You can set the policy action to either Audit or Block | `policy_action: block` |
| Dryrun | False | `bool` | No | Setting dryrun to true will not apply any policy but save it as asset which can be downloaded | `dryrun: true` |
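Review bot: while touching this table, the unchanged `All` row still reads "All will lets system collect all the logs"; suggest "Lets the system collect all the logs". The `Dryrun` row's "save it as asset" should be "save it as an asset".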
@@ -138,8 +158,9 @@ currently provide the following options
Few examples on how you can use the options given
#### Running scan in dryrun mode with a specific knoxctl and KubeArmor version
+
```yaml
-- name: AccuKnox CI/CD scan
+- name: AccuKnox CI/CD Monitor
uses: accuknox/report-action@v0
with:
kubearmor_version: '1.3.8'
@@ -151,8 +172,9 @@ With the above configuration the policies will not be applied on your system, an
policy based alerts will be generated.
#### Applying policies in block mode
+
```yaml
-- name: AccuKnox CI/CD scan
+- name: AccuKnox CI/CD Monitor
uses: accuknox/report-action@v0
with:
policy_action: "block"