Whether you want to get started with Governance or improve your current process, this talk will show you how to improve your compliance by implementing policy-based CI/CD (Continuous Integration / Continuous Delivery) with GitLab CI and Open Policy Agent. Philippe and Nico will tell you all the details about Open Policy Agent and how you can easily integrate it into your existing CI/CD pipelines. Join our session to learn how to improve compliance, from gating your dependencies to controlling your infrastructure.

1. 1
#GitLabCommit
Enhance Your Compliance and Governance With Policy-Based CI/CD

2. 2
#GitLabCommit
Philippe Lafoucrière
Nico Meisenzahl
Senior Cloud & DevOps Consultant
white duck
@nico-meisenzahl
@nmeisenzahl
Distinguished Security Engineer
GitLab
@plafoucriere
@plafoucriere

3. 3
#GitLabCommit
Agenda

4. 4
#GitLabCommit
Agenda
● Why do we need compliance and governance in CI/CD?
● What is Open Policy Agent and how does it work?
● How to get started – some examples

5. 5
#GitLabCommit
Why do we need compliance
and governance in CI/CD?

6. 6
#GitLabCommit
What is Compliance?
“Adherence to standards, regulations, and other requirements”
(wikipedia)

7. 7
#GitLabCommit
Types of Software compliance
● Statutory/Regulatory compliance: comply with
relevant laws, policies, and regulations.
● Standards: adhere to established and standard
requirements
● Contractual obligations: Vendor agreements,
customers contracts, ...
● Corporate: Set of rules and policies defined by the
company to comply with the needs of HR, Security,
Communication, ...

8. 8
#GitLabCommit
Compliance frameworks
Regulatory Compliance
Frameworks are mandatory for
some industries.
Source: GitLab current Security Certifications and Attestations

9. 9
#GitLabCommit
The way to Compliance
You can do all of these without
Compliance, but doing
Compliance without them will
turn out to be extremely hard.
They are intimately tied together.
Automation
Testing
Quality
Compliance

10. 10
#GitLabCommit
Compliance and Governance in CI/CD?
- Define the “how” around the “what” of the pipelines
- Security and Compliance gates
- Ensure the requirements are always met, during all
the lifecycle of the project
- Iteration is key (start small!)
- OPA to the rescue

11. 11
#GitLabCommit
What is Open Policy Agent
and how does it work?

12. 12
#GitLabCommit
Open Policy Agent (OPA)
“policy-based control for cloud native environments”
● general-purpose policy engine across your stack
● graduated CNCF project introduced by styra
● declarative policy language
● decoupled the application logic from policy decisions
○ REST API with sidecar or daemon
○ golang library
○ Wasm module
● provides APIs for easy management

13. 13
#GitLabCommit

14. 14
#GitLabCommit
Ecosystem
● API and service authorization with Envoy, Kong, Traefik and others
● authorization policies for SQL, Kafka and others
● container network authorization with Istio and Linkerd
● test policies for Terraform infrastructure changes
● policies for SSH and sudo
● policy and Governance for Kubernetes
● and many more
○ https://www.openpolicyagent.org/docs/latest/ecosystem

15. 15
#GitLabCommit
How OPA works

16. 16
#GitLabCommit
How OPA works

17. 17
#GitLabCommit
Rego
● “ray-go”
● declarative Policy Language
○ ”is Nico allowed to POST a payload to /api”
● rules commonly return true/false
○ but may return any
● 140+ build-in functions
○ date/time, string, ...
○ Regex
○ JWT validation
○ ...

18. 18
#GitLabCommit
How OPA works

19. 19
#GitLabCommit
How to get started?
● OPA playground
○ https://play.openpolicyagent.org
● docs
○ https://www.openpolicyagent.org/docs
● OPA CLI
○ opa run
○ opa test
○ opa eval

20. 20
#GitLabCommit
How to get started – some
examples

21. 21
#GitLabCommit
Demo: Policy-Based CI/CD with OPA
● Infrastructure-As-Code change validation (Terraform)
○ https://gitlab.com/nico-meisenzahl/terraform-opa-policy-demo
● GitLab project validation
○ https://gitlab.com/gitlab-com/gl-security/engineering-and-rese
arch/inventory-example/-/merge_requests/7

22. 22
#GitLabCommit
Further examples
● Kubernetes manifest validation
● Allow/Deny Lists for library dependencies
● Docker Authorization
● Envoy Authorization
● And more

23. 23
#GitLabCommit
Philippe Lafoucrière
Nico Meisenzahl
Senior Cloud & DevOps Consultant
white duck
@nico-meisenzahl
@nmeisenzahl
Distinguished Security Engineer
GitLab
@plafoucriere
@plafoucriere

24. 24
#GitLabCommit
Thank You!