Please describe the enhancement
This is a Roadmap Epic, and needs further design and breakdown into work items
Minder datasources support
using the providerAuth field
to authenticate rules to the API which manages the entity, but do not support
any form of other authentication. Rule identity would be useful for calling
third-party or custom API endpoints to collect security data (either
company-specific like approved security exceptions, or paid-access such as
vulnerability feeds). Minder should consider defining identities for executing
rule types (based on the enclosing project), and using
OIDC or
SPIFFE to provide a unique identity for each Minder
project or rule executing in the project. For APIs which require static secrets
like API keys, secret stores such as Vault, OpenBao, or cloud provider APIs can
avoid the need for building secret storage directly into Minder.
GitHub Actions may
provide an example
of the data which might be presented alongside a Minder rule identity.
Solution Proposal
- Define a standard mechanism for adding a Minder-attested identity to outbound HTTP requests from rules (in either datasources or via
http.send)
- TODO: should this authentication should be explicitly requested by the rule?
- Build a rule which uses attested identity to fetch and use a secret from an existing secrets manager (OpenBao / Vault or a cloud provider)
- Document usage of the Minder-attested identity on the documentation site
Describe alternatives you've considered
No response
Additional context
No response
Acceptance Criteria
No response
Please describe the enhancement
This is a Roadmap Epic, and needs further design and breakdown into work items
Minder datasources support
using the
providerAuthfieldto authenticate rules to the API which manages the entity, but do not support
any form of other authentication. Rule identity would be useful for calling
third-party or custom API endpoints to collect security data (either
company-specific like approved security exceptions, or paid-access such as
vulnerability feeds). Minder should consider defining identities for executing
rule types (based on the enclosing project), and using
OIDC or
SPIFFE to provide a unique identity for each Minder
project or rule executing in the project. For APIs which require static secrets
like API keys, secret stores such as Vault, OpenBao, or cloud provider APIs can
avoid the need for building secret storage directly into Minder.
GitHub Actions may
provide an example
of the data which might be presented alongside a Minder rule identity.
Solution Proposal
http.send)Describe alternatives you've considered
No response
Additional context
No response
Acceptance Criteria
No response