Cloud Build, Packer, and Qualys (Automated Golden Images with Vuln Scanning POC)

  1. This is the POC using a Slack bot, not Cloud Scheduler.
  2. This covers only building a golden image. The Slack bot has other functions as well, but I wanted to keep the diagram focused.
  1. The user initiates the process with a slash command (/imagebot build:debian-9) in Slack. Slack sends a JSON payload to a waiting Cloud Function.
  2. This Cloud Function serves as a checkpoint. It forwards the payload to the next Cloud Function only if the payload meets a few requirements: the slash command must come from me, from within my channel, and must contain only a single key-value pair made up of an accepted command and an accepted operating system. Build is one accepted command, and Debian-9 is one accepted operating system. With both of those, plus the other two checks, satisfied, the payload is passed to the next Cloud Function to start the build process.
  3. The Build command in the payload runs the Cloud Build trigger for the debian-9 branch in my GitHub repository.
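As an added example (not the author's Cloud Function code), here is the checkpoint logic from step 2 as pure Python: it allow-lists the sender and channel, requires exactly one key:value pair, and accepts only known commands and operating systems, so an unexpected payload can never reach the build function. The user and channel IDs, the Slack payload field names, and the Slack request-signature check are assumptions not stated on the page.

```python
import hashlib
import hmac
import time

# Constructed placeholder IDs; a real deployment would load these from config.
ALLOWED_USER_IDS = {"U0000000001"}     # "me"
ALLOWED_CHANNEL_IDS = {"C0000000001"}  # "my channel"
ALLOWED_COMMANDS = {"build"}
ALLOWED_OS = {"debian-9", "debian-10"}


def parse_command(text):
    """Parse slash-command text such as 'build:debian-9' into (command, os).
    Exactly one key:value pair is accepted; anything else is rejected."""
    parts = text.strip().split(":")
    if len(parts) != 2 or not parts[0].strip() or not parts[1].strip():
        return None
    return parts[0].strip().lower(), parts[1].strip().lower()


def slack_signature(signing_secret, timestamp, body):
    """Slack v0 request signing: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_signature(signing_secret, timestamp, body, signature, now=None):
    """Assumed extra check (not on the page): prove the request came from Slack
    and is not a replay by rejecting stale timestamps and bad signatures."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs(now - ts) > 300:  # five-minute replay window
        return False
    return hmac.compare_digest(slack_signature(signing_secret, timestamp, body), signature)


def checkpoint(payload):
    """Return (forward, reason); forward=True means pass to the build function."""
    if payload.get("user_id") not in ALLOWED_USER_IDS:
        return False, "user not allowed"
    if payload.get("channel_id") not in ALLOWED_CHANNEL_IDS:
        return False, "channel not allowed"
    parsed = parse_command(payload.get("text", ""))
    if parsed is None:
        return False, "text must be exactly one key:value pair"
    command, os_name = parsed
    if command not in ALLOWED_COMMANDS:
        return False, f"command {command!r} not allowed"
    if os_name not in ALLOWED_OS:
        return False, f"os {os_name!r} not allowed"
    return True, f"forward {command}:{os_name}"
```

Every rejection returns a reason rather than raising, so the function can log why a payload was dropped without leaking the allowlists back to the caller.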
Github Repo
├── debian-9-branch
│   ├── cloudbuild.yml
│   ├── debian-9.json
│   └── scripts/harden.sh
├── debian-10-branch
│   ├── cloudbuild.yml
│   ├── debian-10.json
│   └── scripts/harden.sh
├── master branch
└── dev branch
  • Since these hosts are just base images and shouldn't contain any sensitive info, I plan to export the scan results directly to Slack on completion.
  • Since all GCP instances come with gsutil built in, I could potentially validate the hardening with Chef InSpec during the hardening scripts and upload the results to GCS.
