
Commit f9b1aae

committed
feat(network-policy): configure ignored IP networks
1 parent 67ab925 commit f9b1aae

5 files changed

Lines changed: 43 additions & 22 deletions


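--- a/.github/workflows/verify-pr.yaml
+++ b/.github/workflows/verify-pr.yaml
@@ -19,7 +19,7 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout Code
-uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
 - name: Run Cimon
 uses: ./
@@ -42,7 +42,7 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout Code
-uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
 - name: Run Cimon
 uses: ./
@@ -55,7 +55,7 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout Code
-uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
+uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 
 - name: Run Cimon
 uses: ./
@@ -71,4 +71,3 @@ jobs:
 run: |
 curl -I https://cycode.com
 curl -I https://github.com
-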
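--- a/README.md
+++ b/README.md
@@ -23,24 +23,25 @@ steps:
 
 The action supports the following parameters:
 
-| Name | Default | Description |
-|--------------------------|-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `client-id` | | Cimon client ID for authentication |
-| `secret` | | Cimon secret for authentication |
-| `prevent` | `false` | Enable prevention mode |
-| `allowed-ips` | | A comma or white space separated list of allowed IP addresses |
-| `allowed-hosts` | | A comma or white space separated list of allowed domain names. The left-most label can be the wildcard character (`*`) to match multiple subdomains (e.g. `*.example.com`). |
-| `github-token` | `${{ github.token }}` | GitHub token (used to overcome GitHub rate limiting) |
-| `report-job-summary` | `true` | Report results through job summary output |
-| `report-process-tree` | `false` | Enable to report the process tree |
-| `report-artifact-log` | `true` | Report logs through job artifact |
-| `slack-webhook-endpoint` | | Slack webhook endpoint to report security events |
-| `apply-fs-events` | `false` | Enable processing filesystem events and display them in the process tree report |
-| `docker-image` | `docker.io/cycodelabs/cimon:v0.6.0` | Docker image reference |
-| `docker-image-pull` | `false` | Skip pulling image from registry (Used for debugging) |
-| `docker-username` | `false` | Username to pull image from registry (Used for debugging) |
-| `docker-password` | `false` | Password to pull image from registry (Used for debugging) |
-| `log-level` | `info` | Log level (Used for debugging) |
+| Name | Default | Description |
+|--------------------------|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `client-id` | | Cimon client ID for authentication |
+| `secret` | | Cimon secret for authentication |
+| `prevent` | `false` | Enable prevention mode |
+| `allowed-ips` | | A comma or white space separated list of allowed IP addresses |
+| `allowed-hosts` | | A comma or white space separated list of allowed domain names. The left-most label can be the wildcard character (`*`) to match multiple subdomains (e.g. `*.example.com`). |
+| `ignored-ip-nets` | | A comma or white space separated list of ignored IP networks in CIDR notation, e.g. 10.0.0.0/8, 172.16.0.0/12. This setting is mandatory if your workflow runs containers attached to a custom network with configured sub-range. In other words, inter-container networking is usually ignored by Cimon. Cimon implicitly ignores 10.0.0.0/8 and 172.16.0.0/12 networks. |
+| `github-token` | `${{ github.token }}` | GitHub token (used to overcome GitHub rate limiting) |
+| `report-job-summary` | `true` | Report results through job summary output |
+| `report-process-tree` | `false` | Enable to report the process tree |
+| `report-artifact-log` | `true` | Report logs through job artifact |
+| `slack-webhook-endpoint` | | Slack webhook endpoint to report security events |
+| `apply-fs-events` | `false` | Enable processing filesystem events and display them in the process tree report |
+| `docker-image` | `docker.io/cycodelabs/cimon:v0.6.0` | Docker image reference |
+| `docker-image-pull` | `false` | Skip pulling image from registry (Used for debugging) |
+| `docker-username` | `false` | Username to pull image from registry (Used for debugging) |
+| `docker-password` | `false` | Password to pull image from registry (Used for debugging) |
+| `log-level` | `info` | Log level (Used for debugging) |
 
 ## Scenarios
 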
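--- a/action.yaml
+++ b/action.yaml
@@ -21,6 +21,15 @@ inputs:
 allowed-hosts:
 description: A comma-separated list of domain names
 required: false
+ignored-ip-nets:
+description: |
+A comma or white space separated list of ignored IP networks in CIDR
+notation, e.g. 10.0.0.0/8, 172.16.0.0/12. This setting is mandatory if
+your workflow runs containers attached to a custom network with
+configured sub-range. In other words, inter-container networking is
+usually ignored by Cimon. Cimon implicitly ignores 10.0.0.0/8 and
+172.16.0.0/12 networks.
+required: false
 github-token:
 description: GitHub token (used to overcome GitHub rate limiting)
 required: false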
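Review bot: The new description calls the setting "mandatory" while the field is declared `required: false` two lines below, which reads as a contradiction to anyone skimming the metadata; `Set this when your workflow runs containers attached to a custom network with a configured sub-range.` says the same thing without conflicting with the schema. The sentence beginning "In other words" does not restate the one before it, so it is clearer as `Cimon implicitly ignores 10.0.0.0/8 and 172.16.0.0/12, which usually covers inter-container networking.` A closing sentence such as `Traffic to ignored networks is not checked against the allowed lists, so keep these ranges as narrow as possible.` would tell users the cost of widening the list — assuming "ignored" means excluded from policy evaluation, which the hunk implies but does not state. The same text appears in the README table and should be kept in step.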

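--- a/dist/main/index.js
+++ b/dist/main/index.js
@@ -4132,6 +4132,7 @@ function getActionConfig() {
 const preventionMode = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('prevent');
 const allowedIPs = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('allowed-ips');
 const allowedHosts = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('allowed-hosts');
+const ignoredIPNets = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('ignored-ip-nets');
 
 const applyFsEvents = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getBooleanInput('apply-fs-events');
 const clientId = _actions_core__WEBPACK_IMPORTED_MODULE_0__.getInput('client-id');
@@ -4157,6 +4158,7 @@ function getActionConfig() {
 preventionMode: preventionMode,
 allowedIPs: allowedIPs,
 allowedHosts: allowedHosts,
+ignoredIPNets: ignoredIPNets,
 applyFsEvents: applyFsEvents,
 clientId: clientId,
 secret: secret,
@@ -4219,6 +4221,10 @@ async function run(config) {
 args.push('--env', `CIMON_ALLOWED_HOSTS=${config.cimon.allowedHosts}`);
 }
 
+if (config.cimon.ignoredIPNets !== "") {
+args.push('--env', `CIMON_IGNORED_IP_NETS=${config.cimon.ignoredIPNets}`);
+}
+
 if (config.github.jobSummary) {
 args.push('--env', 'CIMON_REPORT_GITHUB_JOB_SUMMARY=1');
 }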

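--- a/src/main/index.js
+++ b/src/main/index.js
@@ -16,6 +16,7 @@ function getActionConfig() {
 const preventionMode = core.getBooleanInput('prevent');
 const allowedIPs = core.getInput('allowed-ips');
 const allowedHosts = core.getInput('allowed-hosts');
+const ignoredIPNets = core.getInput('ignored-ip-nets');
 
 const applyFsEvents = core.getBooleanInput('apply-fs-events');
 const clientId = core.getInput('client-id');
@@ -41,6 +42,7 @@ function getActionConfig() {
 preventionMode: preventionMode,
 allowedIPs: allowedIPs,
 allowedHosts: allowedHosts,
+ignoredIPNets: ignoredIPNets,
 applyFsEvents: applyFsEvents,
 clientId: clientId,
 secret: secret,
@@ -103,6 +105,10 @@ async function run(config) {
 args.push('--env', `CIMON_ALLOWED_HOSTS=${config.cimon.allowedHosts}`);
 }
 
+if (config.cimon.ignoredIPNets !== "") {
+args.push('--env', `CIMON_IGNORED_IP_NETS=${config.cimon.ignoredIPNets}`);
+}
+
 if (config.github.jobSummary) {
 args.push('--env', 'CIMON_REPORT_GITHUB_JOB_SUMMARY=1');
 }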
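Review bot: The new `ignored-ip-nets` value is forwarded into `CIMON_IGNORED_IP_NETS` exactly as typed, with no check that each entry is a CIDR network as the input description promises, so a typo such as a missing prefix length is only discovered inside the container, if at all. Every network on this list is one Cimon will not police, so failing the step early on a malformed list is safer than letting the agent run with a half-parsed one. A small check after `const ignoredIPNets = core.getInput('ignored-ip-nets');` in getActionConfig would do; the pattern below is IPv4-only and would need widening if the agent accepts IPv6 ranges, which I cannot tell from this hunk, and whether the file prefers throwing or `core.setFailed` for config errors is also outside the view. The same unvalidated pass-through is in the bundled `dist/main/index.js`, which presumably is regenerated from this file. Both getActionConfig and run start and end outside the hunks shown.

```javascript
const ignoredIPNets = core.getInput('ignored-ip-nets');
// Reject malformed entries here rather than handing them to the container;
// only IPv4 CIDR is accepted by this pattern — extend if IPv6 ranges are supported.
const ipv4Cidr = /^(?:\d{1,3}\.){3}\d{1,3}\/(?:[0-9]|[12][0-9]|3[0-2])$/;
for (const net of ignoredIPNets.split(/[\s,]+/).filter(Boolean)) {
  if (!ipv4Cidr.test(net)) {
    throw new Error(`ignored-ip-nets: "${net}" is not an IPv4 network in CIDR notation`);
  }
}
// … unchanged: remaining getInput calls and the returned config object …
```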
