From 89b3586030b11a929888ffa5491d7662b3ad2022 Mon Sep 17 00:00:00 2001 From: Elizabeth W Date: Sun, 19 Apr 2026 21:17:14 -0600 Subject: [PATCH] noted outdated features --- docs/pipeline-overview.md | 7 ++++--- docs/semgrep.md | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/pipeline-overview.md b/docs/pipeline-overview.md index 0f84939..2958c1d 100644 --- a/docs/pipeline-overview.md +++ b/docs/pipeline-overview.md @@ -24,15 +24,15 @@ To achieve this, the architecture utilizes "Defense in Depth," split across seve --- -2. Part 1: Local Development & Repository Tooling -2.1 Secret Scanning: Gitleaks (Local) +## 2. Part 1: Local Development & Repository Tooling +### 2.1 Secret Scanning: Gitleaks (Local) What it does: Fast, static regex matching for secrets. Where it runs: Local developer machine (via Pre-commit hook). Detailed Rationale: Developers make human errors. Gitleaks runs in milliseconds and acts as a "spell-check for secrets." It prevents accidentally committing a .env file or hardcoded token before it ever enters the local Git history. Trade-offs: It relies on the developer actively using the pre-commit hook. If a commit is forced (--no-verify), the local check is bypassed. -2.2 Supply Chain Defense: Socket CLI (Local Wrapper) +### 2.2 Supply Chain Defense: Socket CLI (Local Wrapper) What it does: Intercepts package installation to check for malicious code, typosquatting, and hijacked packages. Where it runs: Local machine (aliased: alias pnpm="socket pnpm"). 
@@ -62,6 +62,7 @@ To achieve this, the architecture utilizes "Defense in Depth," split across seve * **Detailed Rationale:** Traditional CVE scanners check for accidental developer mistakes. Socket checks for active malice (install scripts that steal SSH keys, typosquatting, hijacked maintainer accounts). Because AI agents regularly pull in new dependencies to solve coding problems, Socket ensures neither the local machine nor the pipeline executes malicious code during dependency resolution. * **Trade-offs:** API-dependent. To conserve free-tier API quotas, the pipeline step must be strictly configured to trigger *only* when lockfiles (`pnpm-lock.yaml`) change, requiring careful CI optimization. +**outdated, using pulumi crossguard** ### 2.5 Infrastructure Validation (IaC): Checkov * **What it does:** Parses Kubernetes manifests, Terraform, and Dockerfiles to ensure they adhere to security best practices. * **Detailed Rationale:** A homelab exposed to the internet cannot afford basic infrastructure misconfigurations, such as running containers as `root` or mapping sensitive host volumes. Checkov acts as an automated senior cloud architect, validating the AI's generated Kubernetes manifests before Argo CD syncs them. diff --git a/docs/semgrep.md b/docs/semgrep.md index 3eab0a9..33fdc5c 100644 --- a/docs/semgrep.md +++ b/docs/semgrep.md 
@@ -23,6 +23,7 @@ To maintain developer velocity (the "Friction" principle), pipeline feedback mus * **Tool:** `eslint` with `eslint-plugin-security` and `@typescript-eslint`. * **Reasoning:** Linters are "dumb" but instantaneous. They will catch AI agents generating immediately dangerous syntax (like `eval()` or unsafe Regex) before a commit is even made. +**outdated, using pulumi crossguard** ### Layer 2: Infrastructure as Code (IaC) Scanning * **Tool:** Checkov (Open Source) * **Reasoning:** Lightweight CLI tool to ensure the AI agents do not accidentally expose internal homelab ports to the internet or misconfigure container permissions. @@ -47,6 +48,7 @@ To maintain developer velocity (the "Friction" principle), pipeline feedback mus | **Snyk Code** | Great UX, but lacks the ability to write custom rules. If the AI agent develops a specific bad habit unique to this codebase, Snyk cannot be easily tuned to block it. | | **Checkmarx / Veracode** | Built for massive legacy enterprise compliance. Far too expensive, slow, and noisy for a modern, agile homelab setup. | +**outdated using harvester default registry** ## 5. Future Considerations / Phase 2 * **Build Caching:** If actual container build steps (`docker build`, `npm install`) become the bottleneck in Argo Workflows, evaluate adding open-source caching layers like **Kaniko** or **BuildKit** inside Argo pods before purchasing paid caching solutions. * **Custom Semgrep Rules:** If the AI agent repeatedly makes domain-specific logic errors (e.g., misusing a specific custom Monad), write lightweight custom Semgrep YAML rules to permanently block those specific anti-patterns.
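Review bot: In docs/pipeline-overview.md, hunk @@ -24,15 +24,15 @@, the three headings gain `##`/`###` markers but the field labels beneath them ("What it does:", "Where it runs:", "Detailed Rationale:", "Trade-offs:") stay as plain text, while section 2.5 further down uses `* **What it does:**` bullets. Under a Markdown renderer the 2.1 and 2.2 bodies will still collapse into a single paragraph, so convert those labels to the same bullet form in this change. The heading fix is also not covered by the subject "noted outdated features"; mention it in the commit message or split it into its own commit.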
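Review bot: In docs/pipeline-overview.md, hunk @@ -62,6 +62,7 @@, the added line `**outdated, using pulumi crossguard**` sits above the `### 2.5 Infrastructure Validation (IaC): Checkov` heading, so it renders as the tail of the Socket section and reads as if Socket were the outdated tool. Move it directly under the 2.5 heading. The section body still says Checkov validates the generated Kubernetes manifests before Argo CD syncs them, which now contradicts the note; state which of the listed checks (containers running as `root`, sensitive host volume mounts) Pulumi CrossGuard enforces and at what stage, so a reader can tell whether that control is still in place.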
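Review bot: In docs/semgrep.md, hunk @@ -23,6 +23,7 @@, the new `**outdated, using pulumi crossguard**` line lands immediately after the Layer 1 `eslint` bullets and before the `### Layer 2` heading, so it attaches to the wrong layer. Place it under the Layer 2 heading, or better, update the `* **Tool:** Checkov (Open Source)` bullet itself and adjust the reasoning line, since a banner above an unchanged Tool entry leaves the document naming two different tools for the same layer. This is the same note as the one added to docs/pipeline-overview.md; consider keeping the detail in one file and linking to it from the other so the two cannot drift.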
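Review bot: In docs/semgrep.md, hunk @@ -47,6 +48,7 @@, it is not clear what `**outdated using harvester default registry**` refers to: it is placed between the last row of the comparison table (Checkmarx / Veracode) and the `## 5. Future Considerations / Phase 2` heading, and neither the table rows nor the visible section 5 bullets (Build Caching, Custom Semgrep Rules) mention a registry. Attach the note to the specific bullet or section it supersedes and say what the Harvester default registry replaces. The line also drops the comma used in the other two notes ("outdated, using ...").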