X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=README.md;h=2cbfe5b23a998a859fdae16f5f47517f767517df;hb=e650b176f46b94999bc42ea9e6f3478060ebe4bc;hp=0df3e5c43671b8589b9184975a11907aeb20cbc4;hpb=0142c227fca974fb65561d0aeb9b38c8683e22e6;p=releng-anteater.git diff --git a/README.md b/README.md index 0df3e5c..2cbfe5b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -======== -Anteater -======== +# Anteater + +![anteater](http://i.imgur.com/BPvV3Gz.png) CI Gate Security for Gerrit --------------------------- 
@@ -8,8 +8,35 @@ CI Gate Security for Gerrit Description ----------- -Searches repositories for compiled binaries, private keys, passwords and senstive strings +Anteater performs scanning of any commited patches sent to a gerrit code review +site. Each time a patch is pushed to a repository, jenkins instantiates +anteater, who then performs a series of security checks to each file proposed +in a patch. + +Checks consist of verification that no binary / blobs are present. If they are, +they are immediately voted as '-1' (do not merge), until a review has occurred +to insure the binary is safe and its origins are known. Once agreed as safe, a +sha256 checksum is entered into anteaters 'exception' list to insure it is not +maliciously replaced at any given time in the future. + +Checks are made to insure the file are not of a sensitive nature, for example +cryptographic keys or application configuration files known to contain +sensitive details, are all blocked from merge. + +Finally a deep scan is performed to look for suspect patterns, such as scripts +pulling in file / objects from untrusted sites, or various patterns such as +shell executions. + +Anteater uses an open framework to allow users to add new additions easily, +without having to touch any code. -Provides exception / waiver lists to whitelist files, data. +Anteater was developed to address concerns of recent high profile attacks that +have occurred against CI environments, where hackers have backdoor'ed build / +DevOps systems by various means (such as stealing a users ssh key and self +approving patches). By having automated non-human checks in place, it adds an +extra layer of security review with the ability to block a patch merge at gate. -Provides option to add own file types for white / blacklisting +The project is mainly used in the Linux Foundations OPNFV platform, which has +over 40 repositories that need monitoring. 
Plans are in place to port it to the +github API where it can operate as a review bot as part of a github hosted +project. \ No newline at end of file
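Review bot: in the first hunk, the new `![anteater](http://i.imgur.com/BPvV3Gz.png)` line pulls the logo from an external image host over plain HTTP; for a tool whose job is to gate what enters a repository, it would be more consistent to check the image into the repo (for example under a `docs/images/` directory, a hypothetical path) and reference it with a relative link, so the README does not depend on a third-party host that can change or drop the file. Replacing the `========` underlines with `# Anteater` is the right call for a file named `README.md`.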
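Review bot: the second hunk's new Description text has several spelling and grammar slips to fix before merge: `commited` should be `committed`, `insure` (used four times) should be `ensure`, `anteaters 'exception' list` should be `anteater's 'exception' list`, `the file are not of a sensitive nature` should be `the files are not of a sensitive nature`, `backdoor'ed` should be `backdoored`, and `Linux Foundations OPNFV platform` should be `Linux Foundation's OPNFV platform`. The hunk also ends with `\ No newline at end of file`; add a trailing newline. Finally, the text says an approved binary's sha256 checksum is entered into the 'exception' list but does not say where that list lives or how a reviewer adds an entry; one sentence pointing to the relevant file or section would help the people expected to maintain the waiver list.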