Remediations
Remediate issues one by one to achieve zero misconfigurations.
Overview
The audit pane lists all misconfigurations. This can be seen as a to-do list of identified issues, helping you tackle each problem one at a time. Monokle Cloud helps ease the process of remediating misconfigurations through problem descriptions, auto-fixes, suppressions, and more.
You can use hotkeys within the audit pane to remediate faster:
j to select the next problem.
k to select the previous problem.
e to edit by focusing on the problem in the editor.
esc to return to the misconfiguration list after editing.
a to apply an auto-fix.
s to request a suppression.
Basics
Edit
Edit your source code within our editor to see whether your fixes remediate the misconfiguration in real-time.
To edit a problem, you can click on the editor or press e.
Auto-fix
When you edit several problems, you will notice that many issues can be fixed by adding or removing a property. Monokle automates this process by suggesting fixes for each error and applying the accepted update to the source code for you.
To auto-fix a problem, click the magic wand or press f.
Suppressions
When addressing a misconfiguration, you might decide that it doesn't need to be fixed, or you might notice that your service actually needs a specific permission, meaning you are dealing with a case-specific false positive. In these cases, suppressions allow you to hide the problem until further notice.
Fingerprint-based Suppressions
Fingerprint-based suppressions are external suppressions that work without any modifications to the source code. Each misconfiguration has a unique fingerprint. Requesting a suppression stores this fingerprint in a database. Behind the scenes, all of Monokle's Policy Enforcement Points stay up to date by fetching updates from that database. In Monokle, you can only use fingerprint-based suppressions within projects.
You can click the eye icon or press s for fingerprint-based suppressions.
Annotation-based Suppressions
This inline suppression works by adding the monokle.io/suppress annotation. There are two possible formats: the annotation key ends either with the rule identifier, or with the plugin identifier together with the human-friendly name of the rule, as seen below. You will have to commit these changes to the repository to persist them.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: happy-cms-database
  annotations:
    monokle.io/suppress.PSS205: false positive
    monokle.io/suppress.kbp.no-latest-image: wont fix
spec:
  serviceName: database-headless
  replicas: 1
  ...
You can edit the source code for annotation-based suppressions.
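Because annotation-based suppressions live in the committed manifests, it helps to be able to list them for review. The following is an added example, not part of Monokle or its documentation: a standard-library Python scan that inventories monokle.io/suppress annotations in both formats. It assumes the annotation value is a free-text reason; the function name, the second manifest and the line-based kind/name lookup are constructed for illustration and are a heuristic, not a full YAML parser.

```python
import re

# Matches an annotation line such as "monokle.io/suppress.PSS205: false positive".
SUPPRESS_RE = re.compile(r"^\s*monokle\.io/suppress\.([^\s:]+):\s*(.*?)\s*$")
KIND_RE = re.compile(r"^kind:\s*(\S+)", re.M)
NAME_RE = re.compile(r"^metadata:\s*\n(?:[ \t]+.*\n)*?[ \t]+name:\s*(\S+)", re.M)

# Constructed sample input: the page's manifest plus a made-up second one.
SAMPLE = """\
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: happy-cms-database
  annotations:
    monokle.io/suppress.PSS205: false positive
    monokle.io/suppress.kbp.no-latest-image: wont fix
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: happy-cms-frontend
  annotations:
    monokle.io/suppress.PSS205: ""
"""

def find_suppressions(stream):
    """Return one record per monokle.io/suppress annotation in a YAML stream."""
    records = []
    for doc in re.split(r"^---\s*$", stream, flags=re.M):
        kind = KIND_RE.search(doc)
        name = NAME_RE.search(doc)
        resource = f"{kind.group(1) if kind else '?'}/{name.group(1) if name else '?'}"
        for line in doc.splitlines():
            m = SUPPRESS_RE.match(line)
            if not m:
                continue
            target, value = m.group(1), m.group(2).strip("'\"")
            # "<plugin>.<rule name>" contains a dot; a bare rule identifier does not.
            plugin, _, rule = target.rpartition(".")
            records.append({"resource": resource, "plugin": plugin or None,
                            "rule": rule, "reason": value or None})
    return records

if __name__ == "__main__":
    for r in find_suppressions(SAMPLE):
        flag = "" if r["reason"] else "  <-- no reason given"
        print(f'{r["resource"]}: {r["plugin"] or "-"} {r["rule"]} ({r["reason"]}){flag}')
```

Run over a repository's manifests, the records give reviewers one list of every inline suppression, with entries lacking a reason flagged for follow-up.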
Asking for help
Suppressions aren't always a good idea. When it's unclear if or how a misconfiguration should be handled, Monokle allows you to collaborate with your colleagues to decide what action to take by sharing these instances in real-time. Simply copy the URL and share it with a colleague to work together on remediating it.
Advanced
Suppression Approval Flows
To ensure quality, project developers themselves cannot suppress misconfigurations. Instead, they request a suppression, which can be approved by a project operator. As an operator, you can navigate to the project's dashboard and see all the suppressions of your project. Once approved, suppressions will be synchronised across all policy enforcement points.