Chalk allows you to follow code from development, through builds and into production.
Download binaries at https://crashoverride.com/downloads
us-east-1
if the AWS_REGION
or AWS_DEFAULT_REGION
environment variables were not set (#246)docker
is not installed. Previously, any chalk sub-scan such as during chalk exec
had misleading error logs (#248)chalk docker ...
now exits with a non-zero exit code when docker
is not installed (#256)chalk
executable was renamed to docker
(in order to wrap docker
) and a docker command had a "docker" argument (#257)Commits since the previous tag: https://github.com/crashappsec/chalk/compare/v0.3.4...v0.3.5
Download binaries at https://crashoverride.com/downloads
Attestation key generation/retrieval was refactored to use key providers. As such, all previous config values related to signing backup service have changed (#239). The removed attributes are:
use_signing_key_backup_service
signing_key_backup_service_url
signing_key_backup_service_auth_config_name
signing_key_backup_service_timeout
signing_key_location
Instead, now each individual key provider can be separately configured:
attestation {
key_provider: "embed" # or "backup" which enables key backup provider
# as previously configured by
# `use_signing_key_backup_service`
attestation_key_embed {
location: "./chalk." # used to be `signing_key_location`
}
attestation_key_backup {
location: "./chalk." # used to be `signing_key_location`
uri: "https://..." # used to be `signing_key_backup_service_url`
auth: "..." # used to be `signing_key_backup_service_auth_config_name`
timeout: << 1 sec >> # used to be `signing_key_backup_service_timeout`
}
}
ENTRYPOINT
when base image has it defined (#147).chalk setup
(#220).http://
URL to a sink instead of https://
(#223).CHALK_PASSWORD
in all operations (#232).chalk load
not honoring default parameter value after any incorrect previous value was provided (#242).memoize
, which allows caching function callback result into chalk mark for future lookups (#239).auth_headers
, which allows getting auth headers for a specific auth config (#239).parse_json
, which parses JSON string (#239).get
attestation key provider which allows retrieving key-material over API (#239).chalk exec
no longer requires --exec-command-name
and can get command name to exec directly from args (#155):
chalk exec -- echo hello
Commits since previous tag: https://github.com/crashappsec/chalk/compare/v0.3.3...v0.3.4
Download binaries at https://crashoverride.com/downloads
Chalk can now write two new keys to chalk marks and reports:
COMMIT_MESSAGE
: the entire commit message of the most recent commit.TAG_MESSAGE
: the entire tag message of an annotated tag, if the current repo state has such a tag.
If the commit or tag is signed, the COMMIT_MESSAGE
or TAG_MESSAGE
value does not contain the signature. #211
Chalk falls back to bundled Mozilla CA Store when there are no system TLS certs to use (e.g. busybox container). #196
exec
do not interact with the backup service. #191
--build-context
on older docker versions which did not support that flag. #207
echo foo | chalk docker login --password-stdin
as stdin
was not being closed in the pipe to docker
process. #209
Commits since previous tag: https://github.com/crashappsec/chalk/compare/v0.3.2...v0.3.3
Download binaries at https://crashoverride.com/downloads
chalk version
for the build date. #148
TERM=dumb
renders without colors #163
AWS_REGION
env var is honored in s3
sinks #164
chalk extract
#166
chalk help docgen
shows help for docgen
command #173
chalk load
would duplicate already loaded components in the config #176
chalk setup
would not honor existing keys, if present #184
Commits since previous tag: https://github.com/crashappsec/chalk/compare/v0.3.1...v0.3.2
Download binaries at https://crashoverride.com/downloads
--no-api-login
option (https://github.com/crashappsec/chalk/pull/137). It was no longer relevant, since the chalk setup flow changed and no longer requires an interactive OIDC authentication.ENTRYPOINT
defined, docker.wrap_cmd
will break it as it overwrites its own ENTRYPOINT
. A future release will correctly inspect all base images and wrap ENTRYPOINT
correctly.Commits since previous tag: https://github.com/crashappsec/chalk/compare/v0.3.0...v0.3.1
Download binaries at https://crashoverride.com/downloads
_OP_CLOUD_METADATA
is now a JSON object vs a string containing JSON data. In addition cloud metadata is now
nested to allow to include more metadata about running cloud instances (https://github.com/crashappsec/chalk/pull/112).
The signing key backup service has been completely overhauled and no longer uses the OIDC Device Code Flow to authenticate to the API. Instead a pre-generated API access token is passed in chalk profile and that value is used as the bearer token. The setup
command still generates keys for signing but will no longer prompt with a QR code to authenticate to the API.
As a result of the above the login
and logout
commands have been removed.
A number of signing key backup related configuration values and variables have had their names changed to be more descriptive:
CHALK_API_KEY
-> CHALK_DATA_API_KEY
use_secret_manager
-> use_signing_key_backup_service
secret_manager_url
-> signing_key_backup_service_url
secret_manager_timeout
-> signing_key_backup_service_timeout
Added support for git context for docker build commands (https://github.com/crashappsec/chalk/pull/86).
Added new git metadata fields about:
See https://github.com/crashappsec/chalk/pull/86 and https://github.com/crashappsec/chalk/pull/89.
Improved pretty printing for various commands (https://github.com/crashappsec/chalk/pull/99).
Added github_json_group
for printing chalk marks in GitHub Actions (https://github.com/crashappsec/chalk/pull/86).
Added presign
sink to allow uploads to S3 without hard-coded credentials in the chalk configuration (https://github.com/crashappsec/chalk/pull/103).
Added JWT/Basic auth authentication options to sinks (https://github.com/crashappsec/chalk/pull/111).
Added docker.wrap_cmd
to allow to customize whether CMD
should be wrapped when ENTRYPOINT
is missing
in Dockerfile
(https://github.com/crashappsec/chalk/pull/112).
Added minimal AWS lambda metadata collection. It includes only basic information about lambda function such as its ARN and its runtime environment (https://github.com/crashappsec/chalk/pull/112).
Added experimental support for detection of technologies used at chalk and runtime (programming languages, databases, servers, etc.) (https://github.com/crashappsec/chalk/pull/128).
semgrep
when SAST is enabled (https://github.com/crashappsec/chalk/pull/94).docker build --push -t one -t two ...
(https://github.com/crashappsec/chalk/pull/110)._ACTION_ID
during push
command (https://github.com/crashappsec/chalk/pull/116).993
(https://github.com/crashappsec/chalk/pull/112).CMD
wrapping supports wrapping shell scripts, for example CMD set -x && echo hello
(https://github.com/crashappsec/chalk/pull/132).If a docker base image has ENTRYPOINT
defined, docker.wrap_cmd
will break it as it overwrites its own ENTRYPOINT
. A future release will correctly inspect all base images and wrap ENTRYPOINT
correctly.
This release does not support:
We will add back support for these platforms in the future.
Commits since previous tag: https://github.com/crashappsec/chalk/compare/v0.2.2...v0.3.0
Download binaries at https://crashoverride.com/downloads
Commits since previous tag: https://github.com/crashappsec/chalk/compare/v0.2.1...v0.2.2
Download binaries at https://crashoverride.com/downloads
Commits since previous tag: https://github.com/crashappsec/chalk/compare/v0.2.0...v0.2.1
Download binaries at https://crashoverride.com/downloads
Added a module so that most users can easily install complex configurations without editing any configuration information whatsoever. Modules can be loaded from https URLs or from the local file system. Our recipes will host modules on chalkdust.io.
Modules can have parameters that you provide when installing them, and can have arbitrary defaults (for instance, any module importing the module for connecting to our demo web server defaults to your current IP address).
We do extensive conflict checking to ensure that modules that are incompatible will not run (and generally won't even load).
We will eventually do an in-app UI to browse and install modules.
For more details, see https://github.com/crashappsec/chalk/pull/47 and https://github.com/crashappsec/chalk/pull/67.
Added initial metadata collection for GCP and Azure, along with a metadata key to provide the current cloud provider, and a key that distinguishes the cloud provider's environments. Currently, this only does AWS (eks, ecs, ec2). See https://github.com/crashappsec/chalk/pull/59 and https://github.com/crashappsec/chalk/pull/65.
Added OIDC token refreshing, along with chalk login
and chalk logout
commands to log out of auth for the secret manager (https://github.com/crashappsec/chalk/pull/51, https://github.com/crashappsec/chalk/pull/55, https://github.com/crashappsec/chalk/pull/60).
The initial rendering engine work was completed. This means chalk help
, chalk help metadata
are fully functional. This engine is effectively most of the way to a web browser, and will enable us to offload a lot of the documentation, and do a little storefront (once we integrate in notcurses). See https://github.com/crashappsec/chalk/pull/58.
If you're doing multi-arch binary support, Chalk can now pass your native binary's configuration to other arches, though it does currently re-install modules, so the original module locations need to be available.
Snap
(https://github.com/crashappsec/chalk/pull/9).Dockerfile
uses USER
directive, chalk can now wrap entrypoint in that image (docker.wrap_entrypoint = true
in chalk config). See https://github.com/crashappsec/chalk/pull/34.insert
) in empty git repo without any commits (https://github.com/crashappsec/chalk/pull/39)ENTRYPOINT
/COMMAND
wrapping now preserves all named arguments from original ENTRYPOINT
/COMMAND
, e.g. ENTRYPOINT ["ls", "-la"]
(https://github.com/crashappsec/chalk/issues/70).There are still embedded docs that need to be fixed now that the entire rendering engine is working well enough.
When a Dockerfile
does not use the USER
directive but base image uses it to change default image user, chalk cannot wrap the image as it on legacy Docker builder (not buildx) as it will fail to chmod
permissions of chalk during the build.
Commits since previous tag: https://github.com/crashappsec/chalk/compare/v0.1.2...v0.2.0
Download binaries at https://crashoverride.com/downloads
This is the first open source release of Chalk. For those who participated in the public preview, there have been massive changes from those releases, based on your excellent feedback. There's a summary of those changes below.
At release time, here are known issues:
We have not yet produced any developer documentation. We will do so soon.
The in-command help
renderer did not get finished before
release. Everything should display, but the output will have some
obvious problems (spacing, wrapping, formatting choices, etc). If
it's insufficient, use the online docs, which use the same core
source material.
Our support for container marking is currently limited to Docker.
Chalk does not yet have any awareness of docker compose
, bake
or
similar frameworks atop Docker. We only process containers created
via direct docker invocation that's wrapped by chalk.
Similarly, Chalk does not yet capture any metadata around orchestration layers like Kubernetes or cloud-provider managed container solutions.
Chalk does not yet handle Docker HEREDOCs (which we've found aren't yet getting heavy use).
Chalk currently will refuse to automatically wrap or sign multi-architecture builds. It still will produce the desired container with a chalk mark, however.
We are not supporting running chalk on Windows at this time (even under WSL2).
In fact, we are currently on supporting Linux and macOS for both x86_64 and arm64. More Posix platforms may work, but we are making no effort there at this point.
We currently do not handle any form of PE binaries, so do not chalk .NET or other Windows applications.
There are other platforms we hope to mark that we don't yet support; see the roadmap section below.
The bash autocomplete script installs on macOS, but because it's not a zsh script, it will not autocomplete file arguments, etc.
The signing functionality does download the cosign
binary if not
present and needed; this can take a bit of time, and should
eventually be replaced with a native in-toto implementation.
Dy default, Chalk uses an advisory file lock to avoid overlapping writes to files by multiple chalk instances (particularly meant for protecting log files). This can lead to chalk instances giving up on obtaining the lock if you run multiple instances in the same environment at once.
We've added automatic signing; run chalk setup
; if you create a
free account for our secret service, it'll generate a keypair for
you, encrypt the private key, and automatically sign whenever
possible. If you don't want to use the service, you'll have to
provide a secret via environment variable, and should run setup with
the --no-api-login
flag.
We added automatic wrapping of container entry points, so that you
can get beacon data when containers start up (via the chalk exec
command).
We've additionally added the ability to have chalk exec
send
periodic heartbeat
reports, so you can collect metadata about
runtime workloads after startup.
There were several config file format changes based on feedback. Please contact us if you want help migrating, but things are even easier now.
ELF Chalk marks are now put into their own ELF section in the
binary, so they will survive a strip
operation.
We added / changed a number of metadata keys around Docker images and containers, and enhanced the interface for extracting data from containers.
We added an AWS IMDSv2 collection module, and associated metadata keys.
We added proc file system collection module.
We are now officially supporting arm64 Linux builds and macOS (arm64 and x86_64) builds of Chalk.
You can inject environment variables into docker images (previously we only supported labels)
Linux builds will now always fully statically compile with
musl-built shared libraries. On macOS, libc
is still dynamically
loaded.
We are actively developing Chalk, and listening closely to the people already using it. Below are a number of key items in our backlog that we're considering. However, we have made no decisions on the order we'll work on these things, and may add or drop items from the list. For a more up-to-date view, please check our issues list in GitHub.
All of the below are targets for our Open Source; we also will soon be releasing services around Chalk (with a free tier).
A TUI (using Python 3) to make it very easy to build custom configurations for most needs, without having to touch a configuration file.
On-demand data collection from runtime environments (via triggers).
Heartbeat reports should be more flexible, to only report when some sort of condition(s) is(/are) met (both per-metadata key, and per-report).
Many changes / enhancements to make to the underlying configuration file format to benefit Chalk and its users.
Data collection modules for other cloud providers.
Data collection modules for orchestration systems, particularly k8s.
A chalk log
command that can pretty-print (and search?) log
entries from any readable source you configure (not just the default
log file).
Better handling for multi-architecture builds.
Wrapping / data collection for docker compose
and docker bake
Better OS X support (right now, it's just good enough for us to develop on; Linux is the primary target)
More off-the-shelf integrations (including third party tools)
Support for CI/CD data collection modules that are longer-running (requiring them to work on a copy of the dev or build environment)
Chalk mark support for in-the-browser JavaScript (we have an approach we know works, we just need to build it out).
Better support for specific platforms for serverless apps.
Note that Windows support is not a priority for us currently. We'd love to get there eventually, but do not expect to get to it any time soon, unless contributed by the community.