This is sample code for a one-off tool, not an official product. As such, it is not supported, though issues will be addressed on a best-effort basis.
To ensure quality and maintain trust, AppDev teams typically agree to safety procedures established by AppSec representatives. The most powerful of these blocks a build, with the intent of preventing a disaster (for example, inadvertent sharing of AWS keys publicly). Yet inevitably, situations arise that require emergency bypassing of established policies because the importance of getting a release out takes precedence over the risk to safety. The ability to bypass OX's safeguards can be controlled by creating an Exclusion.
The requirement is to not force the dev team to log in to OX and instead let them use familiar tools, their CI/CD pipeline and Slack, to create a temporary exemption, which then, on a re-run of the build, allows it to proceed. This workflow delivers that.
- clone this repo, `cd` into the `ox-break-glass` directory
- make sure you have the necessary permissions by running `slack auth list` (reach out to your Slack admin if you don't have the proper permissions)
- gather two tokens: an OX API Token from the OX Dashboard & a Slack OAuth token with the `users.profile:read` Bot Token Scope from a Slack app
- run `slack install` from within the `ox-break-glass` directory and follow the prompts
- run `slack env add OX_API_KEY <your_api_key_here>`
- run `slack env add SLACK_TOKEN <your_slack_xoxb*_token_here>`
- check that the environment variables were deployed with `slack env list`
- run `slack deploy` to deploy the application
- when prompted to `Choose a trigger definition file`, accept the listed option (`triggers/create_exclusion_trigger.ts`)
- you will then be provided a link to the Workflow, which you should copy and paste into an appropriately secured channel with only trained, authorized, and vetted members. The link will look something like this: `https://slack.com/shortcuts/Ft07661HPM0U/a30ad178a0227bd7d37c23274cb6a15f`
- create a Slack channel (e.g. Break Glass Workflow)
- add the workflow link and pin that message to the channel for easy future access
- use `Start Workflow` and enter the "all issues" link from the OX output in your CI/CD platform
Depending on how OX is integrated into the pipeline, the "all issues" link is found in the OX output of one of the following: YAML scans, the GitHub App, the GitLab App, or the BitBucket App.
- check the output, which if successful will look something like this:

```
Success! status: 200 response: {"data":{"excludeAlert":{"exclusions":[{"id":"6646e659d706ddad04646729", "issueName":"K8s container should not be privileged"}]}}}
```

- check in OX for a newly created Exclusion. The `excluded by` field should say `api@ox.security` and the comments will have the Slack user's information. By default, the Exclusion has a hard-coded 3 hour expiration.
- if instead you see an error, follow the advice from it. Usually errors arise from malformed or previously used data
Here's a recording demonstrating how to use it:
- use `slack run` to create a locally running instance of the app
- examine the output in the terminal where you ran `slack run` as you test the workflow/app
- add `console.log()` statements as needed to `/functions/create_exclusion.ts`
Follow this tutorial. You'll need to deviate slightly from their outdated instructions about custom inputs and use Forms instead. Add a form from the Steps area and then the rest should work.
- from the app's directory, run `slack uninstall`
- to fully remove, run `slack delete`. You may need to remove the app from both the `Deployed` and `Local` environments
Here's a screenshot of the workflow's form:
The custom `Create Exclusion` step is the key here that links the workflow to the code in the `/functions/create_exclusion.ts` file. You'll also need to add your `OX_API_KEY` and create a channel to run the workflow within.
- from Slack -> ... More, choose Automations -> Workflow builder -> Create Workflow
- start from scratch and select `From a link in Slack`
- collect info from a form (the All Issues link)
- use the "Custom Step" to select the `ox-break-glass` app and use the `Create Exclusion` function from that app
- add a variable and choose `{} Answer to: What is the All Issues link` for the input and `Submitting User` as `{} Person who used this workflow`
- add a "send a message" step, send it to the channel where the workflow was used, with informative text
- use the `{} Output` variable to confirm the Exclusion API's output