Conversation

@sheril5 sheril5 commented May 29, 2024

No description provided.

@dryrunsecurity

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status          Findings
Configured Codepaths Analyzer   0 findings
Sensitive Files Analyzer        0 findings
Authn/Authz Analyzer            0 findings
AppSec Analyzer                 0 findings
Secrets Analyzer                0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this GitHub Pull Request cover several Tekton Cluster Tasks, with a focus on improving the security and reliability of the application deployment and container image build processes. The key security-related changes include:

  1. Resource Limits and Requests: The majority of the changes introduce resource limits and requests for the various steps within the Tekton tasks. This is a best practice to prevent resource exhaustion attacks and ensure that the tasks do not consume excessive system resources, potentially impacting the overall performance and stability of the Tekton cluster.

  2. Secure Credential Handling: The code uses workspaces to store sensitive information, such as Git credentials and ArgoCD authentication tokens, which is a secure way to manage these credentials and prevent them from being exposed in the codebase or environment variables.

  3. Input Validation and Sanitization: The code generally appears to handle user-provided inputs, such as repository names and Git revisions, in a secure manner by properly encoding and validating them before using them in API requests or command executions.

  4. Error Handling and Logging: The code includes robust error handling and logging, which helps with debugging and identifying potential issues, including security-related problems.

  5. Dependency Management: The code uses specific versions of tools like Git, Cosign, and ArgoCD CLI, which is a good practice to ensure consistent and reproducible deployments. However, it's important to regularly review and update these dependencies to address any known security vulnerabilities.

Overall, the changes in this Pull Request appear to be focused on improving the security and reliability of the application deployment and container image build processes, which is a positive step from an application security perspective. However, it's always important to review the entire codebase and consider potential security implications beyond the specific changes provided.

Files Changed:

  1. cicd/tekton-cluster-tasks/templates/cosign-verify.yaml: The changes rearrange the steps and add resource limits and requests for the cosign-sign step, which is a positive security enhancement.

  2. cicd/tekton-cluster-tasks/templates/get-changed-files.yaml: The changes introduce resource limits and requests, and also handle sensitive information exposure and potential command injection vulnerabilities.

  3. cicd/tekton-cluster-tasks/templates/cosign.yaml: The changes add resource limits and requests, handle Cosign login, and ensure secure key storage and credential management.

  4. cicd/tekton-cluster-tasks/templates/deploy.yaml: The changes focus on secure credential management, dependency version management, and resource limits.

  5. cicd/tekton-cluster-tasks/templates/get-commit-id.yaml: The changes introduce resource limits and requests, and handle the secure use of the GitHub authorization token.

  6. cicd/tekton-cluster-tasks/templates/github-set-status.yaml: The changes focus on secure token handling, input validation, and resource limits.

  7. cicd/tekton-cluster-tasks/templates/gitclone.yaml: The changes enhance the security and reliability of the Git cloning process, including handling of authentication credentials, SSL/TLS verification, and proxy settings.

  8. cicd/tekton-cluster-tasks/templates/gitlab-set-status.yaml: The changes demonstrate good practices for handling sensitive information and input validation.

  9. cicd/tekton-cluster-tasks/templates/qt-test.yaml: The changes are focused on resource management and do not directly address any specific security concerns.

  10. cicd/tekton-cluster-tasks/templates/helm-deploy.yaml: The changes highlight the importance of secure credential management, image tag verification, and ArgoCD integration security.

  11. cicd/tekton-cluster-tasks/templates/kaniko.yaml: The changes introduce resource limits and requests, and address the security context for the Kaniko tool.

Powered by DryRun Security
