Prevent CI/CD misconfiguration
What is Allero?
Allero is a policy tool that prevents misconfigurations in CI/CD pipelines.
This helps prevent failures and security risks from reaching production. It also lets R&D teams be less dependent on DevOps engineers when building and maintaining CI/CD pipelines.
Allero comes with built-in rules and is designed to make writing your own rules as easy as possible!
Here are a few use-cases that can be mitigated with Allero:
- Prevent Log4shell vulnerability by making sure SCA runs in every pipeline.
- Prevent the use of deprecated language versions. (e.g. Node version <= 12)
- Ensure all IaC manifests are scanned for misconfigurations. (e.g. Run checkov on any terraform file)
Quick Start!
Allero supports GitHub Actions and GitLab Pipelines.
1. Install the latest release in your terminal
Linux & MacOS: curl https://get.allero.io | /bin/bash
Brew: brew install allero-io/allero/allero
Windows: iwr -useb https://get.allero.io/windows_install.ps1 | iex
2. Validate your pipelines
Validate pipelines in a local directory
- Run allero validate {DIRECTORY_PATH}
Validate pipelines from a remote source control
- Fetch your organizations and/or repositories:
allero fetch github dapr/dapr
- Validate your pipelines across all your fetched data:
allero validate
Fetching private repositories from GitHub
Fetching data from a private GitHub organization requires a personal access token (PAT).
- Create a GitHub PAT with access to the repos you want to scan. More information about how to create a GitHub PAT can be found here. Generate the token with the following read permissions:
  - repo:
    - repo:status
    - repo_deployment
    - public_repo
    - repo:invite
    - security_events
- Once the token is generated, run export ALLERO_GITHUB_TOKEN={YOUR_TOKEN}.
- When running Allero from GitHub Actions, the PAT should be stored as an encrypted secret.
- Fetch your private repositories:
allero fetch github {your_repo}
Fetching private repositories from GitLab
Fetching data from a private GitLab group requires an access token.
- Create a GitLab Access Token with access to the repos you want to scan. More information about how to create a GitLab token can be found here. Generate the token with the following permissions:
  - read_api
- Once the token is generated, run export ALLERO_GITLAB_TOKEN={YOUR_TOKEN}.
- Fetch your private repositories:
allero fetch gitlab {your_repo}
Next Steps
Fail a PR on violation
Allero can fail a PR if the repo's pipelines don't meet the policy. Use this GitHub Action to trigger allero validation on a PR event.
Continuously assess all your pipelines on a daily basis
To achieve a continuous assessment, allero needs to periodically scan the entire organization.
Implementing with GitHub Actions: we created a GitHub Action that runs Allero every day at 8am on your entire organization.
- Fork the Allero repo
- Create a GitHub Personal Access Token and store it in your forked repo as an encrypted secret named ALLERO_GITHUB_TOKEN.
- GitHub disables scheduled Actions on a forked repo by default. To enable the Allero Action, browse to your forked allero repo, navigate to GitHub Actions and enable the workflow.
Using any other scheduler: as a CLI tool, Allero can easily be run from CI/CD, a Docker scheduler, crontab, Kubernetes, anywhere!
Rules
Some rules apply to everyone, while others are very stack-specific. That is why some rules are enabled by default and others are disabled. Learn how to enable and disable rules here.
Supported Rules
Unique Id | Rule Name | Description | Default State | Reason |
---|---|---|---|---|
1 | ensure-github-action-version | Ensure github action version is set | Enabled | Avoid unexpected behavior |
2 | ensure-node-version | Make sure a specific version is set when using a node image | Enabled | Avoid unexpected behavior |
3 | ensure-npm-ignore-scripts | Ensures that pre/post-install scripts are not run by NPM | Enabled | link |
4 | ensure-python-version | Make sure a specific version is set when using a python image | Enabled | Avoid unexpected behavior |
5 | prevent-kubectl-apply | Prevents the usage of kubectl apply in pipelines. We recommend using helm or any other k8s deployment tool | Enabled | link |
6 | prevent-npm-install | Prevents the usage of npm install in pipelines. We recommend using npm ci instead | Enabled | link |
7 | prevent-password-plain-text | Prevent use of password as plain text | Enabled | Keep passwords from leaking |
8 | snyk-prevent-continue-on-error | Prevent continuing workflows when snyk detects vulnerabilities | Enabled | Keep production secured |
9 | prevent-using-uncontrolled-values | Avoid running malware commands through repository names | Enabled | Keep production secured |
10 | ensure-sca-scanner | Make sure every repository has at least one pipeline with (Trivy, BlackDuck, Grype) | Disabled | Keep production secured |
11 | ensure-terraform-scanner | Make sure every repository has at least one pipeline with terraform scanner (Checkov ,Snyk, Tenable) | Disabled | Keep production secured |
12 | prevent-action-setup-java-v1 | Prevent using deprecated java version | Disabled | Keep production secured |
13 | prevent-adopt-distributions-on-setup-java | Prevent using deprecated java distribution | Disabled | Keep production secured |
14 | ensure-code-coverage | Make sure every repository has at least one pipeline with Codecov | Disabled | Keep Code Quality |
15 | ensure-secrets-scanner | Make sure every repository has at least one pipeline with secrets scanner (Truffles ,GitGuardian, Gitleaks, Trivy) | Disabled | Keep production secured |
16 | ensure-linter | Make sure every repository has at least one pipeline with linter (Wemake, SuperLinter, MegaLinter, Renovate) | Disabled | Keep Code Quality |
17 | ensure-code-quality | Make sure every repository has at least one pipeline with code quality checker (CodeClimate, SonarQube, SonarCloud) | Disabled | Keep Code Quality |
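To make concrete what three of the rules in the table above look for, here is an added illustrative checker (not Allero's code and not its JSON Schema rule format) for ensure-github-action-version, prevent-npm-install and prevent-using-uncontrolled-values, run over a constructed GitHub Actions workflow in its already-parsed (dict) form:

```python
import re

# Constructed sample: what yaml.safe_load would return for a small GitHub Actions
# workflow. Each problematic step is annotated with the rule it trips.
SAMPLE_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request": {}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout"},                              # no version pinned
                {"uses": "actions/setup-node@v3", "with": {"node-version": 18}},
                {"run": "npm install && npm test"},                        # should be npm ci
                {"run": "echo ${{ github.event.pull_request.title }}"},    # untrusted value in shell
            ],
        }
    },
}

# Expressions that expand contributor-controlled event data (PR title/body, branch
# names, ...) straight into a shell `run` script; this is the injection vector the
# prevent-using-uncontrolled-values rule is about.
UNCONTROLLED = re.compile(r"\$\{\{\s*github\.(event\.[\w.]+|head_ref)\s*\}\}")

def iter_steps(workflow):
    """Yield (job_id, step_index, step) for every step in every job."""
    for job_id, job in workflow.get("jobs", {}).items():
        for i, step in enumerate(job.get("steps", [])):
            yield job_id, i, step

def check_workflow(workflow):
    """Return a list of (rule_id, location, message) violations, in step order."""
    violations = []
    for job_id, i, step in iter_steps(workflow):
        where = f"jobs.{job_id}.steps[{i}]"
        uses, run = step.get("uses", ""), step.get("run", "")
        # ensure-github-action-version: a remote action must be pinned as owner/repo@ref
        if uses and not uses.startswith(("./", "docker://")) and "@" not in uses:
            violations.append(("ensure-github-action-version", where, f"unpinned action '{uses}'"))
        # prevent-npm-install: installs should be reproducible from the lockfile
        if re.search(r"\bnpm\s+(install|i)\b", run):
            violations.append(("prevent-npm-install", where, "use 'npm ci' instead of 'npm install'"))
        # prevent-using-uncontrolled-values: attacker-influenced data expanded into a shell
        m = UNCONTROLLED.search(run)
        if m:
            violations.append(("prevent-using-uncontrolled-values", where, f"untrusted expression {m.group(0)} in run"))
    return violations
```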
Enabling and disabling rules
A policy is a set of rules, and it is represented by a token.
To generate a token, go to this page, choose the rules you want and generate the token. The token will be sent to your email.
To run the policy, set the token by running allero config set token {your_token} and re-run allero validate.
Temporarily ignore a token
Tokens can be temporarily ignored during a single validation by running allero validate --ignore-token
Clear a token
Tokens can be cleared from the CLI by running allero config clear token
Adding your own rules
Rules are defined in JSON Schema format and must be based on our data schema. An example of our data schema structure can be found here.
- Create a new json file and define your rule. Example rules can be found here. Make sure to update the rule description and failureMessage.
- Copy the rule files to ~/.allero/rules/github/ and ~/.allero/rules/gitlab/.
- Run allero validate
Contribution
We encourage you to contribute to Allero!
Created a new rule and want to give back to the community?
- Fork our repo
- Read how to add your own rule here
- Add your rule to pkg/rulesConfig/github or to pkg/rulesConfig/gitlab directories
- Create a PR!
Interested in contributing more to the CLI? We will provide a more detailed explanation on how to contribute soon. If you're interested, you can contact us to get our help with your first PR!
Privacy
Your privacy and code integrity are very important to us. That's why our CLI operates locally only, and doesn't save any sensitive information related to your code anywhere. We only track metrics that reflect your usage of the CLI :)
Contact Us
Open an issue or shoot us an email.