@penguinjournals

Why: Image scanning is run from inside a container. As it needs to get the image from the registry it needs a token to get it from the registry.
How to avoid security issues: As in the next implementation scanning will be run from within cloudrun which has needed permissions and won't need a token.
Warning: Organization users mustn't be able to impersonate the created service account.

@penguinjournals penguinjournals requested a review from a team as a code owner October 6, 2022 08:28
Comment on lines 3 to 6
# Why: Image scanning is run from inside a container. As it needs to get the image from the registry it needs a token to get it from the registry.
# How to avoid security issues: As in the next implementation scanning will be run from within cloudrun which has needed permissions and won't need a token.
# Warning: Organization users musn't be able to impersonate as the created service account.
#ts:skip=AC_GCP_0006
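
Review bot: The `#ts:skip=AC_GCP_0006` suppression on the last line is justified only by a future change ("in the next implementation scanning will be run from within cloudrun"), and nothing in these comments ties the skip to that change, so it can outlive its reason. Suggest referencing the tracking issue for that migration and stating that the skip and the token should be removed once it lands. The Warning line also states a requirement (organization users must not be able to impersonate the created service account) without saying where it is enforced; point to the IAM binding or policy that guarantees it, or add that restriction in this change.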
Non-blocking, but just to enhance understandability, I would change the order of the comments.

ex.:

# AC_GCP_006
# Warning: Organization users mustn't be able to impersonate as the created service account.
# Why: Image scanning is run from inside a container. As it needs to get the image from the registry it needs a token to get it from the registry.
# How to avoid security issues: As in the next implementation scanning will be run from within cloudrun which has needed permissions and won't need a token.
#ts:skip=AC_GCP_0006

wideawakening previously approved these changes Oct 6, 2022
@penguinjournals penguinjournals enabled auto-merge (squash) October 7, 2022 07:15
@hayk99 hayk99 self-requested a review October 7, 2022 07:19
@jprieto92 jprieto92 self-requested a review October 11, 2022 10:52
@penguinjournals penguinjournals merged commit 595d1a6 into master Oct 11, 2022
@penguinjournals penguinjournals deleted the fix-terrascan-compliance branch October 11, 2022 13:39