Skip to main content

Simple and easy to use security checks for the Heroku platform.

Project description

Heroku Guardian

Simple and easy to use security checks for the Heroku platform.

continuous-integration Downloads Twitter

Heroku Guardian

Purpose and functionality

  • Provide you with the ability to see various configurations within Heroku that help secure your app/spaces/users
  • Give users a simple CLI tool that can quickly evaluate the security of how they are deploying in Heroku
  • Validate your own compliance requirements against your Heroku infrastructure

What is Guardian?

Heroku Guardian was a tool that was created out of a need to further enable engineers with the ability to validate their configurations against a security baseline. When using any PaaS or platform to run your infrastructure or code, applying security best practice is a must. The Heroku platform itself has some great functionality built in to further reduce any potential attack surface that may be used by attackers.

What does Guardian check for?

App Based Security

Build Pack: Docs

  • Heroku applications are deployed on dynos, these dynos can utilize build packs to support their underlying infrastructure. There are many official build packs that can be used and this is taken into consideration when looking at the security of your app. Using official buildpacks and trusted images is an important factor in keeping your code running free from potential vulnerabilites that may be introduced into your app.

Internal Routing: Docs

  • Internal routing is a feature you can use to prevent your apps from receiving external web traffic when they are used within private spaces. This is a great feature if you know you don't need certain apps being exposed over the internet and should be considered for sensitive workloads.

Add Ons: Docs

  • Heroku supports a robust array of add ons both official and community driven, these add ons can be used in conjunction with your apps to let your apps run with any supporting infrastructure they need. Heroku Postgres is one example of an add on that can be used with your app. Add ons should be limited to their use case and you may also have a need to only run verified and approved add ons that you have agreed on with your engineering teams.

Untrusted vs Trusted Plans: Docs

  • Depending on what you are running in Heroku you may only want your engineers to run known and approved plan types. Plan types vary vastly in feature set and there may be certain security functionalities that you always want to have. Being aware of which apps are using what plan is important to validate that they are all running in compliance to what has been approved by your security team.

Locked Apps: Docs

  • Locked apps can be used to prevent unwanted modification or tampering of existing apps your team, you can lock an app if you do not want modification of the app once it is deployed. This can be used to prevent production level apps from tampering or preventing potential issues with sensitive or critical apps from being changed while in flight.

Stack Images: Docs

  • Stack images are the underlying OS image that code will run on. Ensuring you are using the right stack images for your app is important to security, ensuring that approved and up to date stack images are used is a good check to have in place.

Maintainence Mode: Docs

  • Apps can be marked as in "maintenance mode" which temporarily disables access to the app, they will normally display a static page to all visitors at this point. If you have apps with this enabled, they may need to be removed if they are no longer needed or taken a further look at to ensure normal traffic is flowing correctly to the right apps.

Domain Names: Docs

  • Apps can have custom CNAME domains assigned to them so that you can point your customers or end users where you want them to go. Custom domain names can be great to prevent potential for domain based attacks and minimize risk of your own users going to the wrong site. This functionality should be considered when deploying a production level app.

Configuration Variables: Docs

  • A rule of thumb in security is that secrets or other sensitive variables should never be stored within source code itself. You can leverage configuration variables within Heroku to store your credentials or API tokens so that your app can utilize them from runtime. Config vars should always be used when your deployment includes these types of variables.

TLS Configuration: Docs

  • Heroku supports both TLS 1.2 and 1.3, ensuring you are using the right version of TLS when deploying your app is good security practice and can help to limit the number of TLS based vulnerabilites that may be used against your infrastructure.

Space Based Security

Private Space: Docs

  • Private spaces can be used within Heroku to restrict apps and infrastructure only to your own infrastructure. These are dedicated environments for your resources which are completed isolated on the back end thus enhancing the overall security of the platform usage.

IP Ranges: Docs

  • You can easily control which IP ranges should be allowed to talk to your apps. This is a great way to limit unwanted access or traffic being sent to your app, and can be useful in cases where you may already know what ranges should be communicating with your deployments.

User Based Security

Email Check:

  • All users should have an email correctly assigned to their user.

Domain Email Being Used Docs:

  • In a config file you can specify what your companies email domain is, and validate if the user is correctly assigned an email from that domain within Heroku.

SSO and MFA Checks: Docs:

  • Users can be validated to ensure they are using the correct federated login as well as having MFA enabled. Both of these checks help to prevent against account compromise.

SSO Preferred:

  • Ideally, SSO should be the preferred method of logon where possible.

Requirements

In order to use Heroku Guardian, you must create an API token with either the Heroku console or the Heroku CLI. You can create an API token with the following command from the Heroku CLI:

heroku authorizations:create

Once you have the token, you can add it to your configuration file which Heroku Guardian will use to scan your environment. The configuration file is a simple config.ini file that lives in the current directory as config.ini.

Your basic configuration will define what Heroku Guardian should scan for and validate as it compares the API return objects against a known good configuration. This is an example of what your configuration file at that path may look like:

WARNING!!! - Make sure not to check in your API key, I've included it in the .gitignore file but make sure to double check this before modifying and pushing code into your own repo.

[AUTH]
api_key = "<your API token>"

# trusted Heroku add-ons
[ADDONS]
heroku_addon_providers = ["heroku-postgresql","heroku-kafka","heroku-redis"]

# multi-tenant heroku add-ons are untrusted 
[PLANS]
untrusted_plans = ["hobby","basic","standard","premium", "developer", "dev"]

# Heroku official build-packs should be used
[BUILDPACKS]
allowed_buildpacks = ["heroku/","https://github.com/heroku/"]

# Allowed IP ranges
[RANGES]
allowed_ranges = ["52.47.73.72/29", "13.55.255.216/29", "52.15.247.208/29"]

# Company email domain
[USER]
email_domain = "@salesforce.com"

Usage & Installation

Install via pip

pip3 install --user heroku-guardian

Install via Github

$ git clone https://github.com/salesforce/heroku-guardian
$ cd heroku-guardian
$ pip install .

$ heroku-guardian
Usage: heroku-guardian [OPTIONS] COMMAND [ARGS]...

  Heroku guardian is a tool used to validate that your deployment,
  spaces, and user configuration are secure.

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  app    Perform app security checks within Heroku
  space  Perform space security checks within Heroku
  user   Perform user security checks within Heroku

Commands

heroku-guardian app

heroku-guardian app --help
Usage: heroku-guardian app [OPTIONS]

Options:
  -a, --app-name TEXT    App name that you would like to perform security
                         checks for
  -s, --space-name TEXT  Space that you would like to perform security checks
                         for all apps in that space
  -l, --links            Findings with links to Heroku API documentation
  -j, --json-output      Output JSON findings
  --help                 Show this message and exit.

heroku-guardian space

heroku-guardian space --help
Usage: heroku-guardian space [OPTIONS]

Options:
  -s, --space-name TEXT  Space name that you would like to perform security
                         checks for
  -j, --json-output      Space check with JSON output
  --help                 Show this message and exit.

heroku-guardian user

heroku_guardian heroku-guardian user --help
Usage: heroku-guardian user [OPTIONS]

Options:
  -j, --json-output  User check with JSON output
  --help             Show this message and exit.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

heroku-guardian-0.1.0.tar.gz (16.2 kB view details)

Uploaded Source

Built Distribution

heroku_guardian-0.1.0-py3-none-any.whl (17.3 kB view details)

Uploaded Python 3

File details

Details for the file heroku-guardian-0.1.0.tar.gz.

File metadata

  • Download URL: heroku-guardian-0.1.0.tar.gz
  • Upload date:
  • Size: 16.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.27.1 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.9

File hashes

Hashes for heroku-guardian-0.1.0.tar.gz
Algorithm Hash digest
SHA256 3f240095c728a091306b1a9c0a92ac499d48ee04b87bf176aa72c149abb29f63
MD5 75c2e2716fa35bf9f9313156f6c362c2
BLAKE2b-256 6aef6531ccdee0116404a5094cc4008731ec72018175e7f641fc03b5473fdea3

See more details on using hashes here.

File details

Details for the file heroku_guardian-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: heroku_guardian-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 17.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.27.1 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.9.9

File hashes

Hashes for heroku_guardian-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 c887837def491e3b38f6cfaab8e3c65613cbbd1de8a0908e8f035f72e908785c
MD5 03ae8879d6f191103ed25062f16b140f
BLAKE2b-256 cf4afc7604c5b4670aae632e34006cb398e70a460415cde7430b1675ecf3b679

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page