From: lhinds Date: Wed, 5 Jul 2017 14:19:29 +0000 (+0100) Subject: Readme window dressing X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=5e0e1b8fcc200c0a72e08feb65ba2a6c65d978d9;hp=9af99d2cc199d6095a4512c4d6a80e38fc1e763e;p=releng-anteater.git Readme window dressing This is mainly to provide some information to users landing on the github mirror of releng-anteater Change-Id: I7ef27dd2b313e9ff0e7e103d547d07252235f128 Signed-off-by: lhinds --- diff --git a/README.md b/README.md index 0df3e5c..2cbfe5b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -======== -Anteater -======== +# Anteater + +![anteater](http://i.imgur.com/BPvV3Gz.png) CI Gate Security for Gerrit --------------------------- 
@@ -8,8 +8,35 @@ CI Gate Security for Gerrit Description ----------- -Searches repositories for compiled binaries, private keys, passwords and senstive strings +Anteater performs scanning of any commited patches sent to a gerrit code review +site. Each time a patch is pushed to a repository, jenkins instantiates +anteater, who then performs a series of security checks to each file proposed +in a patch. + +Checks consist of verification that no binary / blobs are present. If they are, +they are immediately voted as '-1' (do not merge), until a review has occurred +to insure the binary is safe and its origins are known. Once agreed as safe, a +sha256 checksum is entered into anteaters 'exception' list to insure it is not +maliciously replaced at any given time in the future. + +Checks are made to insure the file are not of a sensitive nature, for example +cryptographic keys or application configuration files known to contain +sensitive details, are all blocked from merge. + +Finally a deep scan is performed to look for suspect patterns, such as scripts +pulling in file / objects from untrusted sites, or various patterns such as +shell executions. + +Anteater uses an open framework to allow users to add new additions easily, +without having to touch any code. -Provides exception / waiver lists to whitelist files, data. +Anteater was developed to address concerns of recent high profile attacks that +have occurred against CI environments, where hackers have backdoor'ed build / +DevOps systems by various means (such as stealing a users ssh key and self +approving patches). By having automated non-human checks in place, it adds an +extra layer of security review with the ability to block a patch merge at gate. -Provides option to add own file types for white / blacklisting +The project is mainly used in the Linux Foundations OPNFV platform, which has +over 40 repositories that need monitoring. 
Plans are in place to port it to the +github API where it can operate as a review bot as part of a github hosted +project. \ No newline at end of file
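Review bot: In the first hunk the new header image is pulled from a third-party host over plain http (`![anteater](http://i.imgur.com/BPvV3Gz.png)`), so the README depends on an external site staying up and on an unencrypted link for a project whose whole purpose is gating untrusted content; suggest committing the image into the repository (for example under a docs/ or images/ directory) and referencing it by relative path, or at minimum switching the link to https. The same hunk also mixes heading styles: the title becomes an ATX `# Anteater`, while the unchanged `CI Gate Security for Gerrit` line directly below keeps its setext `-----` underline (as does `Description` in the second hunk); pick one style for the whole file.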
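Review bot: The second hunk removes the two lines that told users the tool "Provides exception / waiver lists to whitelist files, data" and "Provides option to add own file types for white / blacklisting", but the replacement text only says the sha256 checksum "is entered into anteaters 'exception' list" and that users can "add new additions easily, without having to touch any code", without saying where that list lives or how entries are added; suggest keeping a short pointer to the exception/waiver configuration so a reviewer who gets a -1 vote on a binary knows what to do next. Several wording fixes are also needed in the new text: "commited" should be "committed", "insure" (four occurrences) should be "ensure", "anteaters 'exception' list" should be "anteater's", "Checks are made to insure the file are not of a sensitive nature, for example cryptographic keys or application configuration files known to contain sensitive details, are all blocked from merge." is not a grammatical sentence (something like "Checks are also made to ensure files are not of a sensitive nature; cryptographic keys and application configuration files known to contain sensitive details are blocked from merge." reads cleanly), "backdoor'ed" should be "backdoored", "a users ssh key" should be "a user's SSH key", "Linux Foundations OPNFV" should be "Linux Foundation's OPNFV", and the product names "jenkins", "gerrit" and "github" should be capitalised as Jenkins, Gerrit and GitHub. Finally, the hunk ends with "\ No newline at end of file"; please add the trailing newline so later diffs to the README stay clean.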