Documentation for signed pipelines #2279
Closed
123sarahj123 wants to merge 2 commits into main from PDP-1128_bk-documentation-for-command-step-signature
@@ -0,0 +1,49 @@ | ||
# Signed pipelines | ||
|
||
handy links for writing docs: | ||
https://3.basecamp.com/3453178/buckets/27608512/messages/5774300120 | ||
https://3.basecamp.com/3453178/buckets/27608512/messages/5725400045 | ||
|
||
|
||
We know that builds and deploys can be run on highly privileged machines, and that an attacker convincing that machine to run a malicious command could compromise production infrastructure. | ||
As customer secuirty is paramount to Buildkite, and we wish to ensure thata all customers are immune by default from our control plane being compromised. | ||
|
||
Signed pipelines allow users to sign the pipelines they upload, which means that agents can refuse to run jobs that are not signed by a trusted public key. This makes it impossible for Buildkite (or an attacker thereof) to tamper with the workload that Buildkite orchestrates onto customer infrastructure. | ||
|
||
* link to best practices? | ||
* mention exisitng tool on github? https://github.com/buildkite/buildkite-signed-pipeline | ||
* Maybe this should live in security? Not sure | ||
|
||
Sensitive data, such as source code and secrets, remain within your own environment and are not seen by Buildkite. We are aware that many customers invest heavily in configuring their agents to reject jobs that don't match some set of expectations, such as pipeline/repo/branch filtering, limiting to in-repo scripts not arbitrary commands etc. | ||
|
||
|
||
|
||
We know that customers choose Buildkite because our hybrid model gives them a world-class SaaS control plane while keeping most of the trust/risk behind their firewall on their own infrastructure. We encourage customers to not trust Buildkite's control plane, but the tools to do that (agent hooks, allow-listing etc) aren't ergonomic nor robust. | ||
|
||
Cryptographically signing and verifying build steps by default would close a big gap in our “you don't even need to trust our servers” story. And if we were ever breached, it could save our customers and enough of our reputation to survive. | ||
|
||
Customers can optionally sign pipeline uploads using just the buildkite-agent | ||
The buildkite-agent can optionally verify job signatures, and reject jobs if they don't have the right signature | ||
A malicious actor using buildkite to target an attack against one of our customers cannot successfully run malicious actions on customer agents | ||
|
||
Making a pipeline public provides read-only public/anonymous access to: | ||
|
||
Targets for signed pipelines includes | ||
|
||
- Command | ||
- Pipeline build logs | ||
- Environment variables from the uploaded pipeline | ||
- Plugins | ||
|
||
|
||
## Pretty diagram of agent/bk interaction with signed pipeline? | ||
|
||
## Attack Scenarios (maybe) | ||
|
||
Make a pipeline public in the _Pipeline Settings_ in the _General_ tab: | ||
|
||
<%= image "settings.png", width: 1960/2, height: 630/2, alt: "Public pipeline settings" %> | ||
|
||
## Random headings we might use: | ||
|
||
## Handy links about signutures/signing |
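Review bot: The hunk still carries internal drafting scaffolding that must not reach the published page: the two 3.basecamp.com links under "handy links for writing docs:", the TODO bullets ("link to best practices?", "mention exisitng tool on github?", "Maybe this should live in security? Not sure"), and the placeholder headings ("## Pretty diagram of agent/bk interaction with signed pipeline?", "## Attack Scenarios (maybe)", "## Random headings we might use:", "## Handy links about signutures/signing"). The block starting "Making a pipeline public provides read-only public/anonymous access to:" together with "Make a pipeline public in the _Pipeline Settings_ in the _General_ tab:" and the `<%= image "settings.png" ... %>` embed describe public pipelines, not signing, and should be removed or replaced with the actual steps for signing an upload and enabling verification on the agent (the two capabilities listed as "Customers can optionally sign pipeline uploads using just the buildkite-agent" and "The buildkite-agent can optionally verify job signatures" have no how-to behind them yet). The sentence "As customer secuirty is paramount to Buildkite, and we wish to ensure thata all customers are immune by default from our control plane being compromised." is a fragment with two typos; suggest "Customer security is paramount to Buildkite, and we want all customers to be immune by default from a compromise of our control plane." Also fix "exisitng" and "signutures". Finally, in the "Targets for signed pipelines includes" list, "Pipeline build logs" sits oddly beside Command, environment variables and plugins, which are inputs to the job the agent runs, whereas logs are output; please confirm that list against what the signature actually covers before publishing.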
Can't you use a code block here?