Security Policies

Artifact Keeper allows you to define security policies that automatically block, warn, or allow artifacts based on vulnerability scan results and other security criteria.

Overview

Security policies provide automated governance over which artifacts can be deployed or downloaded from your registry.

Policy Actions

• Block: Prevent artifact download/deployment
• Warn: Allow with warning notification
• Allow: Permit without restrictions
• Quarantine: Mark artifact as quarantined for review

Policy Configuration

Policy Definition

Policies are defined in YAML or JSON format:

policy.yaml

name: "production-security-policy"
description: "Security policy for production artifacts"
enabled: true
scope:
  repositories:
    - "production/*"
    - "stable/*"
  artifact_types:
    - docker
    - helm

rules:
  - name: "block-critical-vulnerabilities"
    action: block
    conditions:
      vulnerability_severity:
        critical: 0
        high: 0
    message: "Artifacts with critical or high vulnerabilities are not allowed"

  - name: "warn-medium-vulnerabilities"
    action: warn
    conditions:
      vulnerability_severity:
        medium:
          max: 5
    message: "This artifact contains medium severity vulnerabilities"

  - name: "block-malware"
    action: block
    conditions:
      malware_detected: true
    message: "Malware detected in artifact"

  - name: "require-signature"
    action: block
    conditions:
      signed: false
    message: "All production artifacts must be signed"

Severity Thresholds

Define maximum allowed vulnerabilities by severity:

rules:
  - name: "vulnerability-threshold"
    action: block
    conditions:
      vulnerability_severity:
        critical: 0      # No critical vulnerabilities
        high: 0          # No high vulnerabilities
        medium: 5        # Max 5 medium vulnerabilities
        low: 20          # Max 20 low vulnerabilities

CVE Allowlisting

Allow specific CVEs that have been accepted as risks:

rules:
  - name: "allowed-cves"
    action: allow
    conditions:
      cve_exceptions:
        - "CVE-2023-1234"  # False positive
        - "CVE-2023-5678"  # Risk accepted by security team
    metadata:
      reason: "Approved by security team"
      approved_by: "security@example.com"
      approved_date: "2024-01-15"
      review_date: "2024-04-15"

Time-Based Policies

Different policies based on time windows:

rules:
  - name: "grace-period-for-new-cves"
    action: warn
    conditions:
      vulnerability_age_days: 7  # CVEs disclosed in last 7 days
      vulnerability_severity:
        high: 3
    message: "Recent high severity CVEs detected. Remediation grace period active."

Repository-Level Policies

Assign policies to specific repositories:

repositories:
  - name: "production/frontend"
    policy: "strict-security"

  - name: "production/backend"
    policy: "strict-security"

  - name: "staging/*"
    policy: "moderate-security"

  - name: "development/*"
    policy: "permissive"

Policy Inheritance

Policies can inherit from parent policies:

policies:
  - name: "base-security"
    rules:
      - name: "no-critical"
        action: block
        conditions:
          vulnerability_severity:
            critical: 0

  - name: "production-security"
    inherits: "base-security"
    rules:
      - name: "no-high"
        action: block
        conditions:
          vulnerability_severity:
            high: 0
      - name: "require-signature"
        action: block
        conditions:
          signed: false

Policy Enforcement

Upload Time Enforcement

Policies are evaluated when artifacts are uploaded:

# Push container image
docker push localhost:8080/production/app:1.0.0

# If policy violations found:
Error: Policy violation: "production-security-policy"
- Rule "block-critical-vulnerabilities" failed
- Found 2 critical vulnerabilities: CVE-2024-1234, CVE-2024-5678
- Artifact upload blocked

Download Time Enforcement

Policies can also be enforced on download:

# Pull container image
docker pull localhost:8080/production/app:1.0.0

# If policy violations found:
Warning: Policy violation: "production-security-policy"
- Rule "warn-medium-vulnerabilities" triggered
- Found 3 medium severity vulnerabilities
- Download proceeding with warning

API Enforcement

Policy checks via API:

POST /api/v1/security/policies/check
Content-Type: application/json

{
  "artifact": {
    "name": "my-app",
    "version": "1.0.0",
    "repository": "production/apps"
  },
  "policy": "production-security-policy"
}

Response:

{
  "allowed": false,
  "action": "block",
  "violations": [
    {
      "rule": "block-critical-vulnerabilities",
      "severity": "critical",
      "message": "Artifacts with critical or high vulnerabilities are not allowed",
      "details": {
        "critical_count": 2,
        "cves": ["CVE-2024-1234", "CVE-2024-5678"]
      }
    }
  ],
  "scan_results": {
    "scanner": "trivy",
    "scanned_at": "2024-01-15T10:30:00Z",
    "summary": {
      "critical": 2,
      "high": 5,
      "medium": 10,
      "low": 15
    }
  }
}

Policy Management API

Create Policy

POST /api/v1/security/policies
Content-Type: application/json

{
  "name": "strict-security",
  "description": "Strict security policy for production",
  "enabled": true,
  "rules": [...]
}

Update Policy

PUT /api/v1/security/policies/strict-security
Content-Type: application/json

{
  "enabled": true,
  "rules": [...]
}

Delete Policy

DELETE /api/v1/security/policies/strict-security

List Policies

GET /api/v1/security/policies

Get Policy Details

GET /api/v1/security/policies/strict-security

Assign Policy to Repository

POST /api/v1/repositories/production/frontend/policy
Content-Type: application/json

{
  "policy": "strict-security"
}

Quarantine Mode

Artifacts that violate policies can be quarantined:

rules:
  - name: "quarantine-unverified"
    action: quarantine
    conditions:
      vulnerability_severity:
        critical: 1  # Any critical vulnerability
    quarantine:
      require_review: true
      notify:
        - "security@example.com"
      allow_override: true
      override_roles:
        - "security-admin"

Quarantine Workflow

1. Artifact violates policy
2. Artifact is marked as quarantined
3. Notifications sent to security team
4. Security team reviews findings
5. Team approves or rejects artifact
6. If approved, artifact is released from quarantine

Quarantine API

# Get quarantined artifacts
GET /api/v1/security/quarantine

# Review quarantined artifact
POST /api/v1/security/quarantine/review
{
  "artifact": "my-app:1.0.0",
  "action": "approve",
  "reviewer": "security@example.com",
  "notes": "CVE-2024-1234 is not exploitable in our context"
}

Policy Templates

Artifact Keeper provides pre-configured policy templates:

Strict Production Policy

name: "strict-production"
rules:
  - action: block
    conditions:
      vulnerability_severity:
        critical: 0
        high: 0
  - action: block
    conditions:
      signed: false
  - action: block
    conditions:
      license_compliance: false

Moderate Staging Policy

name: "moderate-staging"
rules:
  - action: block
    conditions:
      vulnerability_severity:
        critical: 0
  - action: warn
    conditions:
      vulnerability_severity:
        high: 5

Permissive Development Policy

name: "permissive-development"
rules:
  - action: warn
    conditions:
      vulnerability_severity:
        critical: 10
        high: 50

Advanced Features

License Compliance

Enforce license compliance policies:

rules:
  - name: "allowed-licenses"
    action: block
    conditions:
      license_compliance:
        allowed:
          - "MIT"
          - "Apache-2.0"
          - "BSD-3-Clause"
        denied:
          - "GPL-3.0"
          - "AGPL-3.0"
    message: "Only approved open source licenses allowed"

Supply Chain Security

Enforce supply chain policies:

rules:
  - name: "require-sbom"
    action: warn
    conditions:
      sbom_present: false
    message: "Software Bill of Materials (SBOM) recommended"

  - name: "require-provenance"
    action: block
    conditions:
      provenance_present: false
    message: "Build provenance required for production artifacts"

Custom Metadata

Policy decisions based on custom metadata:

rules:
  - name: "require-security-review"
    action: block
    conditions:
      metadata:
        security_reviewed: false
    message: "Security review required before deployment"

Exemptions

Grant temporary exemptions:

exemptions:
  - artifact: "legacy-app:2.1.0"
    rule: "block-critical-vulnerabilities"
    reason: "Legacy app under migration"
    expires: "2024-06-30"
    approved_by: "cto@example.com"

Notifications

Configure notifications for policy violations:

notifications:
  enabled: true
  channels:
    - type: email
      recipients:
        - "security@example.com"
      events:
        - policy_violation
        - quarantine

    - type: slack
      webhook_url: "https://hooks.slack.com/..."
      events:
        - policy_violation
        - critical_vulnerability

    - type: webhook
      url: "https://api.example.com/security/alerts"
      events:
        - policy_violation
        - quarantine

Audit Logging

All policy decisions are logged:

GET /api/v1/security/policies/audit

# Response
{
  "logs": [
    {
      "timestamp": "2024-01-15T10:30:00Z",
      "artifact": "my-app:1.0.0",
      "policy": "strict-production",
      "action": "blocked",
      "rule": "block-critical-vulnerabilities",
      "user": "ci-system",
      "details": {
        "critical_cves": ["CVE-2024-1234"]
      }
    }
  ]
}

Integration with CI/CD

GitHub Actions

name: Build and Security Check
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t my-app:${{ github.sha }} .

      - name: Check security policy
        run: |
          docker push registry.example.com/my-app:${{ github.sha }}
          # Policy check happens automatically on push

Policy Gate

- name: Security Policy Gate
  run: |
    RESULT=$(curl -X POST http://registry.example.com/api/v1/security/policies/check \
      -H "Content-Type: application/json" \
      -d '{"artifact": "my-app:${{ github.sha }}", "policy": "production"}')

    if [ "$(echo $RESULT | jq -r '.allowed')" != "true" ]; then
      echo "Security policy check failed"
      echo $RESULT | jq '.violations'
      exit 1
    fi

Troubleshooting

Policy Not Enforcing

Check policy is enabled:

GET /api/v1/security/policies/my-policy
# Verify "enabled": true

Check repository assignment:

GET /api/v1/repositories/my-repo/policy

False Positives

Add CVE to allowlist:

rules:
  - name: "allowed-cves"
    conditions:
      cve_exceptions:
        - "CVE-2024-1234"

Performance Issues

Enable policy caching:

cache:
  enabled: true
  ttl: 300  # 5 minutes

Best Practices

Policy Design

• Start with permissive policies and tighten gradually
• Use different policies for different environments
• Document all policy exceptions
• Regularly review and update policies

Severity Thresholds

• Production: Block critical and high
• Staging: Block critical, warn on high
• Development: Warn on critical and high

Exception Management

• Require approval for all exceptions
• Set expiration dates on exceptions
• Regular review of active exceptions
• Document business justification

Automation

• Integrate with CI/CD pipelines
• Automate policy enforcement
• Use webhooks for real-time notifications
• Monitor policy violation trends

See Also

• Vulnerability Scanning - Configure artifact security scanning
• Artifact Signing - Verify artifact authenticity
• Docker Guide - Container image management