
github.com/mongodb-labs/drone-validation



v0.2.0

Validation extension for Drone

Requires Drone server version 1.4 or higher.

This is a simple validation extension that performs pipeline type validations.

When a user prepared a Drone configuration file using a pipeline type that was not supported by our platform, the build used to hang and the user received no error or feedback. With this validation extension enabled, the same build fails instantly and an error message is returned to the UI explaining why the build failed.

Implementation details

The validation process relies on an OPA policy written in Rego and is integrated via the OPA Go API.

Although the main purpose of this extension's policy is to validate supported pipeline types, it can be easily modified to check different attributes of the Drone configuration, including secrets.

The application runs a simple Rego query and expects the policy to return a boolean at the path `data.drone.validation.deny` and an error message at `data.drone.validation.out`.

The default policy is based on the following workflow:


                 ┌───────────────────┐         ┌──────────────────────┐        ┌───────────────────┐
 Config document │                   │  Yes    │                      │  No    │                   │
      ──────────►│ Is it a pipeline? ├────────►│ Is the type allowed? ├───────►│ Return: deny=true │
                 │                   │         │                      │        │                   │
                 └─────────┬─────────┘         └───────────┬──────────┘        └───────────────────┘
                           │                               │
                           │ No                            │ Yes
                           │                               │
                           ▼                               ▼
                ┌────────────────────┐          ┌────────────────────┐
                │                    │          │                    │
                │ Return: deny=false │          │ Return: deny=false │
                │                    │          │                    │
                └────────────────────┘          └────────────────────┘
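The policy below is an added example, not the project's own `.rego` file: it implements the workflow in the diagram and exposes the two paths the extension queries, `data.drone.validation.deny` and `data.drone.validation.out`. It assumes the extension parses each YAML document of the Drone configuration and passes it to OPA as `input` (for example `{"kind": "pipeline", "type": "exec", "name": "default"}`); the set of allowed types is constructed for the example.

```rego
# Added example policy (not the project's own). Assumes the extension parses
# each YAML document of the Drone config and passes it as `input`.
package drone.validation

# Pipeline types this platform accepts (constructed list for the example).
allowed_types := {"docker", "kubernetes"}

# Drone runs a pipeline with the docker runner when `type` is omitted;
# mirror that here so a missing field is not reported as an unknown type
# (an assumption of this example).
default pipeline_type := "docker"
pipeline_type := input.type

# First decision in the workflow: is this document a pipeline at all?
# Non-pipeline documents (kind: secret, kind: signature, ...) are never denied.
is_pipeline {
    input.kind == "pipeline"
}

# Path queried by the extension: data.drone.validation.deny
# true  -> the extension fails the build
# false -> the build proceeds
default deny := false
deny {
    is_pipeline
    not allowed_types[pipeline_type]
}

# Path queried by the extension: data.drone.validation.out
# Returned to the Drone UI as the reason for the failure; empty when allowed.
default out := ""
out := msg {
    deny
    msg := sprintf("pipeline type %q is not supported on this platform (allowed types: %v)",
                   [pipeline_type, allowed_types])
}
```

The policy can be exercised without the extension using the OPA CLI, e.g. `opa eval -i input.json -d policy.rego 'data.drone.validation'`: a document with `kind: pipeline` and `type: exec` yields `deny: true` and a populated `out`, while `type: docker`, a missing `type`, or a `kind: secret` document yields `deny: false` and an empty `out`. Keeping the allowed set in a single place is what makes the policy easy to extend to other attributes of the configuration, as the section above notes.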

Usage

This is for demonstration purposes only and will need to be adapted for real world deployments.

See Drone docs for more info.

```sh
docker build -t drone-validation .

SHARED_SECRET=$(openssl rand -hex 16)

docker run \
  --publish=3000:3000 \
  --env=DRONE_DEBUG=true \
  --env=DRONE_VALIDATE_PLUGIN_SECRET=$SHARED_SECRET \
  drone-validation
```

Update your `drone-server` environment variables to include the plugin endpoint and the shared secret.

```sh
DRONE_VALIDATE_PLUGIN_ENDPOINT=http://<service-name>:3000
DRONE_VALIDATE_PLUGIN_SECRET=<your_shared_secret>
```

Auditing

Drone doesn't offer audit logging at the moment, so this validation extension can also be used to generate log entries for both build and promotion job executions.

Log messages are opinionated and don't contain the full list of build attributes by default.


Package last updated on 02 Nov 2023
