This week's articles
Malicious Rego: OPA Supply Chain Attacks
Rego is designed for a very specific purpose, so its standard library is understandably small. Despite this, much like Terraform, it still has features that an attacker can leverage as supply-chain attack vectors. Consumers who rely on policies published by a third party should be aware of the following.
OPA Rego + tfsec: Custom security policies for your infrastructure
Recently, tfsec added support for applying Rego policies to your Terraform code. Clear rules can be written against simple data structures, while still giving the developer a wealth of information in the event of a failure, such as the file path, line numbers, and highlighted code snippets.
HashiCorp Vault 1.10 Released
Vault 1.10 adds login MFA support, makes Vault an OIDC provider, adds support for PKI to use HSMs, and more.