feat: IAST configurations for scan scheduling and restrictions #2645
Conversation
Security Agent requires new configurations for the upcoming release. Please take a look.
Requires a unit test to be added. Closing now.
```js
/**
 * Unique test identifier when running IAST with CI/CD
 */
iast_test_identifier: '',
```
This seems like an anti-pattern to me. Why would the agent have configuration specific to a CI/CD environment?
In case of CI/CD, IAST scan result will be fetched based on iast_test_identifier.
That does not answer the question. Why would the agent need to know it is running in a CI/CD environment?
There is a requirement where the Validator (Security Engine) requires an identifier whenever an application runs with IAST in CI/CD, to generate the IAST result on the basis of iast_test_identifier. It's a requirement at the Security Engine to get the test identifier; that's why the config is added.
Unit test cases added for the new configurations.
Codecov Report: All modified and coverable lines are covered by tests ✅

```
@@            Coverage Diff             @@
##             main    #2645      +/-   ##
==========================================
- Coverage   97.21%   97.19%   -0.03%
==========================================
  Files         291      291
  Lines       45928    46069     +141
==========================================
+ Hits        44650    44777     +127
- Misses       1278     1292      +14
```
@jsumners-nr Can you please check why the test for cassandra-driver is failing?
Description
This PR contains the config for IAST scan scheduling and restrictions.
You can configure IAST to handle scan scheduling. These configurations allow you to exclude certain APIs, request parameters, and vulnerability categories from IAST analysis. You can also delay IAST scans or schedule them for specific times of the day.
An example config is given below:

```js
security: {
  iast_test_identifier: '1008',
  scan_controllers: {
    iast_scan_request_rate_limit: 3600,
    scan_instance_count: 1
  },
  scan_schedule: {
    delay: 0,
    duration: 300,
    schedule: '',
    always_sample_traces: false
  },
  exclude_from_iast_scan: {
    api: [],
    http_request_parameters: {
      header: [],
      query: [],
      body: []
    },
    iast_detection_category: {
      insecure_settings: false,
      invalid_file_access: false,
      sql_injection: false,
      nosql_injection: false,
      ldap_injection: false,
      javascript_injection: false,
      command_injection: false,
      xpath_injection: false,
      ssrf: false,
      rxss: false
    }
  }
}
```
Reference: IAST-CONFIGURATION
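As an added illustration of how the `scan_schedule` and `exclude_from_iast_scan` sections above would be applied at request time (example code written for this page, not the PR's or the New Relic agent's own implementation), the helper below decides whether a request is analysed now and strips the excluded parameters first. Its semantics are assumptions: `delay` and `duration` are minutes counted from agent start (0 duration meaning no end), `api` entries are route prefixes, and the parameter lists name header/query/body fields to drop.

```javascript
// Added example, not code from the PR or the New Relic agent. Assumptions:
// scan_schedule.delay/.duration are minutes from agent start (duration 0 = no
// end), exclude_from_iast_scan.api entries are route prefixes, and the
// http_request_parameters lists name fields to drop before IAST analysis.
const DEFAULTS = {
  scan_schedule: { delay: 0, duration: 0, schedule: '', always_sample_traces: false },
  exclude_from_iast_scan: { api: [], http_request_parameters: { header: [], query: [], body: [] } }
};
// Shallow-merge the user's `security` section over DEFAULTS.
function mergeConfig(security = {}) {
  const ex = security.exclude_from_iast_scan || {};
  return {
    scan_schedule: { ...DEFAULTS.scan_schedule, ...(security.scan_schedule || {}) },
    exclude_from_iast_scan: {
      api: ex.api || [],
      http_request_parameters: {
        ...DEFAULTS.exclude_from_iast_scan.http_request_parameters,
        ...(ex.http_request_parameters || {})
      }
    }
  };
}

// True when nowMs lies in [start + delay, start + delay + duration).
function scanWindowOpen(schedule, startedAtMs, nowMs) {
  const open = startedAtMs + schedule.delay * 60000;
  if (nowMs < open) return false;
  return schedule.duration === 0 || nowMs < open + schedule.duration * 60000;
}

// Drop parameters named in `excluded`; header names compare case-insensitively.
function stripExcluded(params, excluded, caseInsensitive) {
  const norm = (k) => (caseInsensitive ? k.toLowerCase() : k);
  const drop = new Set(excluded.map(norm));
  return Object.fromEntries(Object.entries(params).filter(([k]) => !drop.has(norm(k))));
}
// Decide whether this request is analysed now and with which parameters.
function planScan(security, req, startedAtMs, nowMs) {
  const cfg = mergeConfig(security);
  if (!scanWindowOpen(cfg.scan_schedule, startedAtMs, nowMs)) return { scan: false, reason: 'outside scan window' };
  if (cfg.exclude_from_iast_scan.api.some((p) => req.path.startsWith(p))) return { scan: false, reason: 'api excluded' };
  const x = cfg.exclude_from_iast_scan.http_request_parameters;
  return {
    scan: true,
    headers: stripExcluded(req.headers || {}, x.header, true),
    query: stripExcluded(req.query || {}, x.query, false),
    body: stripExcluded(req.body || {}, x.body, false)
  };
}
```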