Skip to content

Roadmap: Improve Rule Identity #6437

Description

@evankanderson

Please describe the enhancement

This is a Roadmap Epic, and needs further design and breakdown into work items

Minder datasources support
using the providerAuth field
to authenticate rules to the API which manages the entity, but do not support
any form of other authentication. Rule identity would be useful for calling
third-party or custom API endpoints to collect security data (either
company-specific like approved security exceptions, or paid-access such as
vulnerability feeds). Minder should consider defining identities for executing
rule types (based on the enclosing project), and using
OIDC or
SPIFFE to provide a unique identity for each Minder
project or rule executing in the project. For APIs which require static secrets
like API keys, secret stores such as Vault, OpenBao, or cloud provider APIs can
avoid the need for building secret storage directly into Minder.

GitHub Actions may
provide an example
of the data which might be presented alongside a Minder rule identity.

Solution Proposal

  • Define a standard mechanism for adding a Minder-attested identity to outbound HTTP requests from rules (in either datasources or via http.send)
    • TODO: should this authentication should be explicitly requested by the rule?
  • Build a rule which uses attested identity to fetch and use a secret from an existing secrets manager (OpenBao / Vault or a cloud provider)
  • Document usage of the Minder-attested identity on the documentation site

Describe alternatives you've considered

No response

Additional context

No response

Acceptance Criteria

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    epiclarge bodies of work that can be broken down into a number of smaller tasksfeature-request

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions