Wizard - IaC Scan for Github Enterprise Server - Non internet routable

Introduction

GitHub Enterprise Server is a virtual appliance from GitHub installed on the company's private network. If the GitHub Enterprise Server is only reachable from within the intranet (non-internet routable), the prancer CLI must run inside the company's network and send its results back to the Prancer SaaS solution.

This walkthrough applies to the following scenario:

  • GitHub Enterprise Server contains the code repos
  • GitHub Enterprise Server is not reachable from the internet

Collection Creation

  • Go to the Prancer Portal.

../img/github_enterprise_non_routable/image01.png

  • From the sidebar, select Configuration Wizard to create a new collection.

../img/github_enterprise_non_routable/image02.png

  • Provide a name for the collection, select the IaC type, and click Next for the remaining configuration.

../img/github_enterprise_non_routable/image03.png

  • Select the type of the collection from items such as AWS CloudFormation, AWS Terraform, Azure ARM templates, etc.
  • Select GitHub Enterprise in the git provider section.
  • Only monitor mode is available for a non-internet-routable GitHub Enterprise server.
  • Disable the "internet routable GitHub Enterprise address" toggle button.
  • Provide the repository URL and branch name.
  • Copy the prancer run command from the note section; it is required during the pipeline setup process.

../img/github_enterprise_non_routable/image04.png

  • Click the Finish button and the new collection will be created.

Create Prancer Access Token

  • Next we need a Prancer Access Token. To generate it, follow these steps. ../img/github_enterprise_non_routable/image16/1.png

  • Select User Access Token from the top-right menu. ../img/github_enterprise_non_routable/image16/2.png

  • Click the New Token button. ../img/github_enterprise_non_routable/image17.png

  • Provide a descriptive name for future identification, then click Save. ../img/github_enterprise_non_routable/image18.png

  • Save the generated token; it is required to set up the pipeline.

Create Github Access Token

  • Next we need a GitHub Enterprise personal access token with repo and user access. To get the token, follow these steps:
  • ../img/github_enterprise_non_routable/image05.png
  • Go to the GitHub Enterprise server, click the profile button in the top-right section and select Settings from the dropdown menu. ../img/github_enterprise_non_routable/image06.png
  • Select Developer settings from the left sidebar. ../img/github_enterprise_non_routable/image07.png
  • Select Personal Access Token from the left sidebar, then select Generate New Token; this opens a form to generate a new token. ../img/github_enterprise_non_routable/image08.png
  • Provide a name for the token so you can identify it later.
  • Select user, admin:repo_hook and repo with all permissions.
  • Then click the Generate Token button. ../img/github_enterprise_non_routable/image09.png
  • A token is generated as shown in the image above; copy it and save it for later use.

Create Azure Pipeline

  • We now have all the required items to create a pipeline for GitHub Enterprise.
  • Sample pipeline code is provided for GitHub Actions and Azure DevOps Pipelines.
  • Here we set up an Azure pipeline to communicate with the GitHub Enterprise server. ../img/github_enterprise_non_routable/image10.png
  • Go to your Azure DevOps account and select Pipelines from the left sidebar.

../img/github_enterprise_non_routable/image11.png

  • Select GitHub Enterprise Server from the list.

../img/github_enterprise_non_routable/image12.png

  • Click the Connect to GitHub Enterprise Server button to connect your GitHub Enterprise server.

../img/github_enterprise_non_routable/image13.png

  • Enter your GitHub Enterprise server URL and the GitHub personal access token generated earlier.

../img/github_enterprise_non_routable/image14.png

  • Select the repository in which you want to save the pipeline YAML file.

../img/github_enterprise_non_routable/image15.png

  • Select the Starter pipeline option to set up a new pipeline. For prancer commands, refer to Prancer CLI.

  • Since the GitHub Enterprise server is non-routable, you must select a self-hosted agent that has access to the GitHub Enterprise server. Microsoft-hosted agents do not have access to the GitHub Enterprise server.

Note: Make sure to change the company name and collection name in the following code before using it.

Running prancer-basic pipeline script

trigger:
  - master

resources:
  - repo: self

stages:
  - stage: prancer_static_code_analysis_for_iac
    displayName: "Prancer Static Code Analysis for IaC"
    jobs:
      - job: prancer_basic
        displayName: "Prancer Static Code Analysis for IaC"
        pool: "Default"
        steps:
          - bash: |
              set -e
              echo "Setup start"

              # Install pip3 only if it is not already on the agent
              binary="pip3"
              ispresent=$(which $binary || true)
              if [ -z "$ispresent" ]; then
              apt-get update && apt-get -y install python3-pip
              else
              echo "using existing pip3 path: $ispresent"
              fi

              pip3 install -U prancer-basic

              # Install the opa binary only if it is missing (-f: do not save an HTTP error page as the binary)
              binary="opa"
              ispresent=$(which $binary || true)
              if [ -z "$ispresent" ]; then
              curl -fL -o /usr/local/bin/opa https://openpolicyagent.org/downloads/v0.36.1/opa_linux_amd64_static
              chmod 755 /usr/local/bin/opa
              else
              echo "using existing opa binary path: $ispresent"
              fi

              # Install helm only if it is missing
              binary="helm"
              ispresent=$(which $binary || true)
              if [ -z "$ispresent" ]; then
              snap install helm --classic
              else
              echo "using existing helm binary path: $ispresent"
              fi

              # APITOKEN and GITTOKEN are injected from the pipeline variables mapped in env below
              prancer --db REMOTE --company liquware --apitoken "${APITOKEN}" --gittoken "${GITTOKEN}" scenario_aws_githubEntNon
            env:
              GITTOKEN: $(GITTOKEN)
              APITOKEN: $(APITOKEN)

Running prancer-basic inside a Docker image pipeline script

trigger:
  - master

resources:
  - repo: self

stages:
  - stage: prancer_basic_setup_pipeline
    displayName: "Prancer Static Code Analysis for IaC"
    jobs:
      - job: prancer_basic
        displayName: "prancer basic install in agent"
        pool: "Default"
        steps:
          - bash: |
              set -e
              echo "Setup start"

              # Creating working directory
              mkdir -p prancer
              cd prancer

              # Downloading setup.py from prancer-basic to find the latest version
              curl -fL -o setup.py https://raw.githubusercontent.com/prancer-io/cloud-validation-framework/master/setup.py
              version=$(grep -i 'version=' setup.py | sed -e "s/version='//" -e "s/',//" -e 's/ //g')

              echo "$version"

              # Creating temp dirs for opa and helm
              mkdir -p helmdir opadir

              # Download opa binary
              curl -fL -o opadir/opa https://openpolicyagent.org/downloads/v0.36.1/opa_linux_amd64_static
              chmod 755 opadir/opa

              # Download helm binary
              curl -fL -o helmdir/helm-v3.8.1-linux-amd64.tar.gz https://get.helm.sh/helm-v3.8.1-linux-amd64.tar.gz
              tar -zxvf helmdir/helm-v3.8.1-linux-amd64.tar.gz -C helmdir
              chmod 755 helmdir/linux-amd64/helm

              # Creating Dockerfile (overwrite rather than append, so re-runs do not duplicate its contents)
              cat << EOF > Dockerfile
              FROM python:3.9-alpine3.15
              ENV APP_VERSION=$version
              RUN apk update && apk upgrade && apk add git build-base libffi-dev openssl-dev
              COPY opadir/opa /usr/local/bin/opa
              RUN chmod +x /usr/local/bin/opa
              COPY helmdir/linux-amd64/helm /usr/local/bin/helm
              RUN chmod +x /usr/local/bin/helm
              RUN pip install ply
              RUN pip install prancer-basic==$version
              EOF

              # Building Docker image with prancer-basic at the resolved version
              docker build -t prancer-basic:${version} -f Dockerfile .

              # Running the prancer-basic image against the remote DB for the scenario_aws_githubEntNon collection
              docker container run --rm prancer-basic:${version} prancer --db REMOTE --company liquware --apitoken "${APITOKEN}" --gittoken "${GITTOKEN}" scenario_aws_githubEntNon
            env:
              GITTOKEN: $(GITTOKEN)
              APITOKEN: $(APITOKEN)
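The helpers below are an added example, not part of the Prancer pipeline samples above; they harden the bootstrap steps both scripts share: a quoted presence test, a download that is only installed when its sha256 matches a pinned digest, and a version parser for setup.py that accepts single or double quotes. The digest variable in the usage comment is a placeholder the operator must replace with the one published for the pinned opa release.

```shell
#!/bin/sh
# Added example, not part of the Prancer pipeline samples. Hardened versions of
# the bootstrap steps in the scripts above. EXPECTED_OPA_SHA256 is a placeholder;
# replace it with the digest published for the opa release you pin.

# Quoted presence test: returns 0 if the tool is on PATH, 1 otherwise.
tool_present() {
    [ -n "$(command -v "$1" 2>/dev/null)" ]
}

# Read version='X.Y.Z' (or "X.Y.Z") from a setup.py supplied on stdin.
extract_version() {
    sed -n "s/^[[:space:]]*version=['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

# sha256 of a file, using whichever tool the agent has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 only if the file's digest equals the expected one.
sha256_matches() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download to a temp file, verify the digest, then install it executable; the
# binary never reaches PATH if curl fails (-f) or the checksum differs.
fetch_verified() {
    url="$1"; dest="$2"; expected="$3"
    tmp="$(mktemp)"
    if ! curl -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if ! sha256_matches "$tmp" "$expected"; then
        echo "checksum mismatch for $url, not installing" >&2
        rm -f "$tmp"; return 1
    fi
    install -m 0755 "$tmp" "$dest" && rm -f "$tmp"
}

# Usage inside the pipeline step (placeholder digest):
# EXPECTED_OPA_SHA256="<sha256 from the opa v0.36.1 release page>"
# tool_present opa || fetch_verified \
#   https://openpolicyagent.org/downloads/v0.36.1/opa_linux_amd64_static \
#   /usr/local/bin/opa "$EXPECTED_OPA_SHA256"
```

Store GITTOKEN and APITOKEN as secret pipeline variables so the agent masks them in the job log rather than printing them alongside the prancer output.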

../img/github_enterprise_non_routable/image25.png

  • From the samples, copy the Azure pipeline code and paste it here, then click the Variables button in the top-right corner.

../img/github_enterprise_non_routable/image26.png

  • Create the variables shown above: use GitHub Enterprise's Personal Access Token for the GITTOKEN variable and Prancer's User Access Token for the APITOKEN variable.

../img/github_enterprise_non_routable/image27.png

  • Save and run the pipeline. The pipeline will install the following items if they are not available on the agent's machine:
  • pip3
  • opa
  • helm
  • prancer-basic
  • It will then run prancer-basic and send the output to Prancer Infra Findings. ../img/github_enterprise_non_routable/image28.png
  • You can check the prancer logs in the pipeline output console.

../img/github_enterprise_non_routable/image29.png

  • You can review the results on the Infra Findings page of the Prancer portal.