sethvargo/ratchet sethvargo/ratchet

  • Stars
    star
    771
  • Rank 58,711 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 2 years ago
  • Updated about 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
sethvargo/ratchet
github

sethvargo

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A tool for securing CI/CD workflows with version pinning.

Ratchet

ratchet logo

Ratchet is a tool for improving the security of CI/CD workflows by automating the process of pinning and unpinning upstream versions. It's like Bundler, Cargo, Go modules, NPM, Pip, or Yarn, but for CI/CD workflows. Ratchet supports:

  • Circle CI
  • GitHub Actions
  • GitLab CI
  • Google Cloud Build
  • Harness Drone

⚠️ Warning! The README corresponds to the main branch of ratchet's development, and it may contain unreleased features.

Problem statement

Most CI/CD systems are one layer of indirection away from curl | sudo bash. Unless you are specifically pinning CI workflows, containers, and base images to checksummed versions, everything is mutable: GitHub labels are mutable and Docker tags are mutable. This poses a substantial security and reliability risk.

What you're probably doing:

uses: 'actions/checkout@v3'
# or
image: 'ubuntu:20.04'

What you should really be doing:

uses: 'actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b'
# or
image: 'ubuntu@sha256:47f14534bda344d9fe6ffd6effb95eefe579f4be0d508b7445cf77f61a0e5724'

But resolving those checksums and managing the update lifecycle is extremely toilsome. That's what ratchet aims to solve! Ratchet resolves and updates unpinned references to the latest version that matches their constraint, and then keeps a record of the original constraint.

uses: 'actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b' # ratchet:actions/checkout@v3
# or
image: 'ubuntu@sha256:47f14534bda344d9fe6ffd6effb95eefe579f4be0d508b7445cf77f61a0e5724' # ratchet:ubuntu:20.04

Installation

There are a few options for installing ratchet:

  • As a single-static binary from the releases page.
  • As a container image from the container registry.
  • Compiled from source yourself. Note this option is not supported.

Usage

For more information about available commands and options, run a command with -help to use detailed usage instructions. Also see CLI Options.

Pin

The pin command pins to specific versions:

# pin the input file
./ratchet pin workflow.yml

# pin a circleci file
./ratchet pin -parser circleci circleci.yml

# pin a cloudbuild file
./ratchet pin -parser cloudbuild cloudbuild.yml

# pin a drone file
./ratchet pin -parser drone drone.yml

# pin a gitlab file
./ratchet pin -parser gitlabci gitlabci.yml

# output to a different path
./ratchet pin -out workflow-compiled.yml workflow.yml

Unpin

The unpin command unpins any pinned versions:

# unpin the input file
./ratchet unpin workflow.yml

# output to a different path
./ratchet unpin -out workflow.yml workflow-compiled.yml

Update

The update command updates all versions to the latest matching constraint:

# update the input file
./ratchet update workflow.yml

# update a circleci file
./ratchet update -parser circleci circleci.yml

# update a cloudbuild file
./ratchet update -parser cloudbuild cloudbuild.yml

# output to a different path
./ratchet pin -out workflow-compiled.yml workflow.yml

Check

The check command checks if all versions are pinned, exiting with a non-zero error code when entries are not pinned:

./ratchet check workflow.yml

CLI Options

Use these options to configure the default behavior of Ratchet.

Option - Experimental Keep Newlines

Experimental functionality to enable keeping newlines in the output. Only applies to cli commands that modify output.

Usage

Enable via environment variable RATCHET_EXP_KEEP_NEWLINES=true.

Examples

CI/CD workflow

Ratchet is distributed as a very small container, so you can use it as a step inside CI/CD jobs. Here is a GitHub Actions example:

jobs:
  my_job:
    runs-on: 'ubuntu-latest'
    name: 'ratchet'
    steps:
      - uses: 'actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b' # ratchet:actions/checkout@v3

      # Example of pinning:
      - uses: 'docker://ghcr.io/sethvargo/ratchet:0.3.1'
        with:
          args: 'pin .github/workflows/my-workflow.yml'

      # Example of checking versions are pinned:
      - uses: 'docker://ghcr.io/sethvargo/ratchet:0.3.1'
        with:
          args: 'check .github/workflows/my-workflow.yml'

This same pattern can be extended to other CI/CD systems that support container-based runtimes. For non-container-based runtimes, download the ratchet binary from GitHub Releases.

Runnable container CLI

Ratchet can run directly from a container on your local system:

docker run -it --rm -v "${PWD}:${PWD}" -w "${PWD}" ghcr.io/sethvargo/ratchet:0.3.1 COMMAND

Create a shell alias to make this easier:

function ratchet {
  docker run -it --rm -v "${PWD}:${PWD}" -w "${PWD}" ghcr.io/sethvargo/ratchet:0.3.1 "$@"
}

Auth

  • The container resolver uses default "keychain" auth, which looks for local system auth, similar to the Docker and gcloud CLIs.

  • The GitHub resolver defaults to public github.com. Provide an oauth access token with appropriate permissions via the ACTIONS_TOKEN environment variable. To use a GitHub Enterprise installation, set the ACTIONS_BASE_URL and ACTIONS_UPLOAD_URL environment variables to point your instance.

Excluding

There may be instances in which you want to exclude a particular reference from being pinned. You can use the ratchet:exclude annotation as a line comment and ratchet will not process that reference:

uses: 'actions/checkout@v3' # ratchet:exclude

There cannot be any spaces in the exclusion string, and the exclusion string only applies to the line on which it appears.

Terminology

  • Unpinned version - An unpinned version is a non-absolute reference to a floating tag or label, such as actions/checkout@v3 or ubuntu:20.04.

  • Pinned version - A pinned version is an absolute hashed reference, such as actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b or ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3.

Known issues

  • Indentation is always set to 2 spaces. The upstream YAML library does not capture pre-parsing indentation. Thus, all files will be saved with 2 spaces for indentation.

  • Leading and trailing whitespace between nodes is not preserved (to preserve newlines try using Experimental Keep Newlines). Similar to indentation, the upstream YAML library does not capture truly empty nodes. Thus, blank lines may be removed between nodes. This will not affect multi-line values.

  • Does not support resolving values in anchors or aliases. This is technically possible, but most CI systems also don't support these advanced YAML features.

    Similarly, Ratchet does not support matrix-style expansion, since those values cannot be guaranteed to be known at compile time. For example, Ratchet will error on the following GitHub Actions workflow:

    jobs:
  my_job:
    strategy:
      matrix:
        version:
        - '1'
        - '2'

    steps:
      - uses: 'actions/checkout@v${{ matrix.version }}'

More Repositories

1

go-envconfig

A Go library for parsing struct tags from environment variables.
Go
1,037
star
2

go-password

A Golang library for generating high-entropy random passwords similar to 1Password or LastPass.
Go
642
star
3

go-retry

Go library for retrying with configurable backoffs
Go
631
star
4

go-limiter

A supersonic rate limiting package for Go with HTTP middleware.
Go
526
star
5

vault-on-gke

Run @HashiCorp Vault on Google Kubernetes Engine (GKE) with Terraform
HCL
497
star
6

go-githubactions

Go SDK for GitHub Actions - easily author GitHub Actions in Go
Go
434
star
7

vault-secrets-gen

A Vault secrets plugin for generating high entropy passwords and passphrases.
Go
338
star
8

go-signalcontext

Create Go contexts that cancel on signals.
Go
260
star
9

bootstrap_forms

Bootstrap Forms makes Twitter's Bootstrap on Rails easy!
Ruby
253
star
10

vault-kubernetes-authenticator

An app and container for authenticating services to @HashiCorp Vault's via the Kubernetes auth method
Go
205
star
11

powify

Powify is an easy-to-use wrapper for 37 signal's pow
Ruby
189
star
12

vault-kubernetes-workshop

Steps and scripts for running @HashiCorp Vault on @GoogleCloudPlatform Kubernetes
Shell
154
star
13

chef-sugar

143
star
14

terraform-provider-googlecalendar

A @HashiCorp Terraform provider for managing Google Calendar events.
Go
136
star
15

go-diceware

Golang library for generating passphrases via the diceware algorithm.
Go
99
star
16

secrets-in-serverless

A collection of examples for doing secrets management in serverless lambda or cloud functions.
Go
91
star
17

vault-init

Automate the initialization and unsealing of @HashiCorp Vault on @GoogleCloudPlatform
Go
82
star
18

atlantis-on-gke

A set of @HashiCorp Terraform configurations for running Atlantis on @GoogleCloud GKE
HCL
68
star
19

vault-token-helper-osx-keychain

An example @HashiCorp Vault token helper for Mac OS X Keychain.
Go
65
star
20

vault-demo

Walkthroughs and scripts for my @HashiCorp Vault talks
Shell
65
star
21

terraform-provider-filesystem

A @HashiCorp Terraform provider for interacting with the filesystem
Go
62
star
22

hashicorp-installer

Script and Docker container for installing @HashiCorp tools
Shell
50
star
23

vault-auth-slack

A @HashiCorp Vault plugin for authenticating and receiving policies via Slack.
Go
50
star
24

cleanroom

(More) safely evaluate Ruby DSLs with cleanroom
Ruby
44
star
25

go-cache

Cache implementations in Go, with support for generics.
Go
44
star
26

cloud-run-docker-mirror

Mirror images from one Docker repository to another, as a service.
Go
38
star
27

vault-puppet

Using @HashiCorp Vault with Puppet
Shell
36
star
28

gcs-cacher

Utility for saving and restoring caches backed by Google Cloud Storage.
Go
35
star
29

base64-is-not-encryption

Demo repo showing Kubernetes secrets being sad
Shell
31
star
30

fast

A CLI tool for testing download speed using Netflix's fast.com service.
Go
27
star
31

isbndb

Ruby ISBNdb is a simple, Ruby library that connects to ISBNdb.com's Web Service and API.
Ruby
26
star
32

go-redisstore

Go rate limiter interface for Redis
Go
18
star
33

terraform-provider-berglas

A Terraform provider for Berglas
Go
17
star
34

vault-fluentd-configurations

Fluentd configurations for @HashiCorp Vault
17
star
35

go-gcpkms

Wrappers around Google Cloud KMS that implement Go's crypto.Signer and crypto.Verifier interfaces.
Go
16
star
36

now-or-never-resource-optimizer

A resource optimizer for Now or Never, written in Go, compiled to WASM, run in the browser.
Go
16
star
37

go-gcslock

A Go library for acquiring a forward-looking lock in Google Cloud Storage.
Go
14
star
38

terraform-cloud-run-demo

Sample Terraform configurations for creating a publicly accessible Cloud Run service
HCL
13
star
39

vault-token-helper-gcp-kms

A @HashiCorp Vault token helper for encrypting/decrypting via @GoogleCloudPlatform KMS
Go
12
star
40

kubecon18

Scripts and demo for my Kubecon 2018 talk
HCL
10
star
41

go-malice

A malicious package to demonstrate the importance of software supply chain security.
Go
7
star
42

zapw

Finds common errors for the zap logger using static analysis.
Go
7
star
43

powify.dev

The official web-management tool for Powify
Ruby
7
star
44

envjector

Exec a subprocess with an environment specified in a file. Like env, but a single static binary across multiple operating systems.
Go
6
star
45

go-hello-githubactions

Sample code for GitHub Actions with Go
Dockerfile
5
star
46

gcpkms-rand

Use Google Cloud KMS as an io.Reader and rand.Source.
Go
5
star
47

serverless-secrets-talk

Demo script and code for secrets in serverless talk.
Go
4
star
48

envserver

A webserver that prints the environment it was spawned in
Go
3
star
49

community-zero

3
star
50

spellingbee

A small Go program to generate solutions to the NYT Spelling Bee.
Go
2
star
51

cloud-run-empathy-sms-hello-world

Sample code for sending text messages via Twilio on Cloud Run.
Python
2
star
52

go-redisstore-opencensus

Go rate limiter interface for Redis with instrumentation.
Go
2
star
53

chatty

Go
1
star
54

terraform-secret-manager-demo

HCL
1
star
55

terraform-0.13-google-cloud-demo

Sample for Terraform 0.13 unique features on Google Cloud
HCL
1
star
56

docker-postgres-pgaudit

A Docker image for postgres with pgAudit available
Makefile
1
star