Checks -> Policy. Remove GraphQL

Author: kipz

docs/getting-started.md

@@ -1,9 +1,9 @@
-Atomist for DevSecOps is available in early access now. 
+Atomist for DevSecOps is available in early access now.
 Keep up to date with supported, current Docker base images and keep new vulnerabilities at bay.
 
 [early-access]: https://atomist.com/devsecops (Request early access)
 
-To get up and running quickly, simply sign up, select repositories, then get a summary of your 
+To get up and running quickly, simply sign up, select repositories, then get a summary of your
 Docker security and start improving it.
 
 ### Create an account
@@ -18,7 +18,7 @@ Docker security and start improving it.
 
 ### Configure Image Registry
 
-Start scanning images in your registry by enabling a [Registry Integration](https://dso.atomist.com/r/auth/integrations).  
+Start scanning images in your registry by enabling a [Registry Integration](https://dso.atomist.com/r/auth/integrations).
 Specific instructions about each integration are included below.
 
 | Integration | link to documentation |
@@ -61,8 +61,8 @@ Atomist is now tracking new container images.  This includes updates to bills of
 
 Teams use Atomist to protect downstream workloads from new vulnerabilities.  It's also used to help teams track and remediate new vulnerabilities that impact existing workloads.  In the next sections, we'll look at how teams can use atomist to gain visibility into container workload systems like Kubernetes.
 
-* [Set up Checks](getting_started/checks.md) that will run whenever a new Image is pushed to your registry
+* [Set up Image Policies](getting_started/checks.md) with rules that will run whenever a new Image is pushed to your registry
 * [Create a Slack notification channel](integration/slack.md) to receive notifications about new security advisories impacting workloads.
 * Atomist watches for new advisories from [public sources](getting_started/sources.md), but you can also add your own internal advisories.  Checkout how to [get started with your own advisories](getting_started/private-advisories.md).
-* Use [kubernetes admission control](integration/kubernetes.md) to ensure that images are fully checked before being admitted into different clusters or namespaces.
-* Try adding another check to add [secret scanning](getting_started/add-secret-scanner-check.md) to make sure that the sources used to build an image are always scanned for leaked secrets.
+* Use [kubernetes admission control](integration/kubernetes.md) to ensure that images conform to your policy before being admitted into different clusters or namespaces.
+* Try adding another rule to add [secret scanning](getting_started/add-secret-scanner-check.md) to make sure that the sources used to build an image are always scanned for leaked secrets.

docs/getting_started/add-secret-scanner-check.md

@@ -1,73 +1,21 @@
-## Adding code Secret Scanning GitHub check
+## Adding code Secret Scanning GitHub Check
 
 ### Overview
 
 Prevent leaking API keys, access tokens, passwords and other sensitive data by keeping them out of your codebase. Secret Scanner detects and alerts you when secrets are committed in your code and configuration in a GitHub repository. It helps prevent secrets from being exposed by adding a failed GitHub Check when a secret is detected.
 
+GitHub Checks like this one can be used as Image Policy Rules to protect workloads (e.g. Kubernetes Admission Control).
+
 Secret Scanner automatically scans for access and API keys for Twitter, Facebook, Google, Stripe, Square, PayPal, AWS, Twilio, Mailchimp, Mailgun and Picatic API. Secret Scanner supports adding patterns to detect other secrets not detected by default. Add scanning support for other tools with a simple regular expression.
 
 ### Configuration
 
-Enable the Secret Scanner [here](https://go.atomist.com/catalog/skills/atomist/github-secret-scanner-skill), selecting the repositories for which you would like a a created.
-
-Add `github/github-secret-scanner-skill` to your Image Policy by following the instructions for [image checks](checks.md)
-
-### Configuration via GraphQL
-
-It's also possible to configure Secret Scanning via the GraphQL api.
-
-Save the following GraphQL snippet to a file
-
-```shell
-cat <<'EOF' > secrets.graphql
-mutation enableSecretScanner {
-  saveSkillConfiguration(name: "github-secret-scanner-skill",
-                         namespace: "atomist",
-                         configuration: {
-                           name: "default",
-                           parameters: [{
-                            repoFilter: {
-                              name: "repos",
-                              value: {}}}],
-                           enabled: true}) {__typename}}
-EOF
-```
-
-And use `curl` to send to the Atomist API.
-
-Now execute the script below. You’ll need to set the TEAM and the API_KEY to your `workspace-id` and an `api-key`.
-
-```shell
-ATOMIST_API_KEY=<api-key>
-ATOMIST_WORKSPACE_ID=<workspace-id>
-
-curl -X POST \
-     -d '{"query": "'"$(sed 's/"/\\"/g' < secrets.graphql)"'" }' \
-     -H "Authorization: Bearer ${ATOMIST_API_KEY}" \
-     -H "Content-Type: application/json" \
-     https://automation.atomist.com/graphql/team/${ATOMIST_WORKSPACE_ID}
-```
-
-* `workspace-id`
-    * Grab your workspace ID from https://dso.atomist.com/r/auth/policies
-* `api-key`
-    * Used to authenticate with the Atomist API and managed here https://dso.atomist.com/r/auth/integrations
-
-#### Adding to Image Policy
+Enable the Secret Scanner [here](https://dso.atomist.com/r/auth/policies)
 
-To add this check to your Image Policy for an environment, it's just a case of adding the `github-secret-scanner-skill` GitHub check to the policy as configured at [Image Checks](checks.md). For example, if your policy previously looked like this:
+![enable-check-run](../img/getting-started/enable-secret-scanning.png)
 
-```shell
-cat <<'EOF' > rules.json
-{"rules": ["demo/production:github/docker-vulnerability-policy"]}
-EOF
-```
+Add Secret Scanning to your Image Policy by following the instructions for [configuring image policy rules](checks.md).
 
-requiring secret scanning in the `demo/production` policy would look like:
+Once configured, the policy should looking like this:
 
-```shell
-cat <<'EOF' > rules.json
-{"rules": ["demo/production:github/docker-vulnerability-policy", 
-           "demo/production:github/github-secret-scanner-skill"]}
-EOF
-```
+![configured-policy](../img/getting-started/configured-policy.png)

docs/getting_started/checks.md

@@ -1,81 +1,35 @@
 ### Background
 
-Atomist keeps tracks of checks that are performed on container images.  Examples of checks include the following.
+Atomist keeps track of the state of container images by continuously evaluating rules in your Image Policy. For example:
 
 * Does the image have the required `LABEL`s?
 * Was the image created by a trusted builder?
 * Was the image created from a known git commit sha?
 * Has the image been scanned for vulnerabilities?
 * Does the image contain any vulnerabilities that are not already present in the currently running version?
 
-Each workload can define a set of mandatory checks.  This allows Atomist to wait for a new image to have all the necessary checks and then signal to a workload that a new candidate version is ready.  This works well with a gitops workflow where new candidate images can be pulled into a workload once they are ready.  Failing checks are made available to developers to indicate why a change was rejected, and these same checks drive tools like kubernetes admission controllers, to ensure that only fully checked images are admitted to selected namespaces.  The combination of gitops controllers, admission controllers, and pluggable image checks, gives teams the ability to plug consistent validation into their cloud native delivery.
+Each workload can define a set of mandatory rules.  This allows Atomist to wait for a new image to have all the necessary rules satisifed and then signal to a workload that a new candidate version is ready.  This works well with a gitops workflow where new candidate images can be pulled into a workload once they are ready. Failing rules can be made available to developers via GitHub Checks to indicate why a change was rejected, and these same rules drive tools like kubernetes admission controllers, to ensure that only images that fully satisfy your policy are admitted to selected namespaces.  The combination of gitops controllers, admission controllers, and pluggable image policy, gives teams the ability to plug consistent validation into their cloud native delivery.
 
-### Enable Vulnerability Check
+### Enable Vulnerability GitHub Check
 
 Start by checking whether a candidate image has additional vulnerabilities when compared to other versions already in existing workloads.  If you're building an image from a pull request commit, this policy will also compare vulnerabilites against any image built from the HEAD commit of your default branch.  [Enable the policy][settings] by navigating to your [settings page][settings].
 
-In the section called `New Image Vulnerabilites`, select the check box that controls whether a GitHub check run should fail when _new_ critical or high severitare found.
+In the section called `New Image Vulnerabilites`, select the check box that controls whether a GitHub Check should fail when _new_ critical or high severitare found.
 
 ![enable-check-run](../img/getting-started/enable-check-run.png)
 
-[settings]: https://dso.atomist.com/r/auth/policies
-
-### Choose Admission Checks
-
-Now that we are checking images for new vulnerabilities, we can begin requiring that certain sets of checks pass before an image is ready to be admitted into an existing workload (for example, see the [section on kubernetes admission control](admission-control.md)).  We can select different checks for different environments.  For example, let's start with the requirement that a kubernetes cluster named `demo` with a namespace `production` requires the check configured above.  
-
-This can be done by editing the [Deployment Policy](https://go.atomist.com/r/auth/manage/integrations/s/l/atomist/deploy-integration) and adding:
-
-`demo/production:github/docker-vulnerability-policy` to the list of checks in the **Image Policy**:
 
-![image-policy-checks](../img/image-policy-checks.png)
 
-#### Configuration via GraphQL
+### Choose Admission Rules
 
-We can also configure by calling a GraphQL mutation.  Copy the following mutation into a file (e.g. rules.json)
+Policies are made up of sets of rules. Atomist comes with some built-in rules, but GitHub Checks can also be used directly as rules in policies. This makes it easy to compose policies from GitHub Checks created by other processes, such as CI/CD systems, to ensure for example, that images have been properly tested, that commits have been signed and so on.
 
-```bash
-cat <<'EOF' > rules.json
-{"rules": ["demo/production:github/docker-vulnerability-policy"]}
-EOF
-```
+Now that we are checking images for new vulnerabilities, we can begin requiring that certain sets of rules pass before an image is ready to be admitted into an existing workload (for example, see the [section on kubernetes admission control](admission-control.md)).  We can select different rules for different environments.  For example, let's start with the requirement that a Kubernetes cluster named `demo` with a namespace `production` requires the GitHub Check configured above.
 
-Now execute the scripts below:
+From the [policy view][settings], click the "Add first deployment policy" and and add the new GitHub Check we created above:
 
-```bash
-ATOMIST_WORKSPACE_ID=<workspace-id>
-ATOMIST_API_KEY=<api-key>
-```
-
-* `workspace-id`
-    * Grab your workspace ID from https://dso.atomist.com/r/auth/policies
-* `api-key`
-    * Used to authenticate with the Atomist API and managed here https://dso.atomist.com/r/auth/integrations
-
-
-```bash
-cat <<'EOF' > policy.graphql
-mutation setPolicy($rules: [String!]!) {
-  setConfigurationParameter(
-    name: "deploy-integration", 
-    namespace: "atomist", 
-    parameter: {stringArray: 
-                {name: "check-names", 
-                 value: $rules}}, 
-    configurationName: "policy-cfg") 
-  {
-    configured {
-      skills {id}
-    }
-  }
-}
-EOF
-
-curl -X POST \
-     -d '{"query": "'"$(sed 's/"/\\"/g' < policy.graphql)"'", "variables": '"$(< rules.json)"'}' \
-     -H "Authorization: Bearer ${ATOMIST_API_KEY}" \
-     -H "Content-Type: application/json" \
-     https://automation.atomist.com/graphql/team/${ATOMIST_WORKSPACE_ID}
-```
+![add-first-policy](../img/getting-started/add-first-policy.png)
 
+![configure-policy](../img/getting-started/configure-new-policy.png)
 
+[settings]: https://dso.atomist.com/r/auth/policies

docs/img/getting-started/add-first-policy.png

@@ -1,6 +1,6 @@
 ## Tracking Image Deployments
 
-Atomist compares recent image vulnerabilty scans against the scans of images that are currently deployed.  
+Atomist compares recent image vulnerabilty scans against the scans of images that are currently deployed.
 This level of tracking gives developers contexts about when security debt is both increasing and decreasing.  This can be integrated in several ways:
 
 * steps in continuous deployment pipelines
@@ -16,7 +16,7 @@ Each Atomist workspace exposes an endpoint that can be called whenever an Image
 !!! Note
     you must create an api-key to use this endpoint.
 
-The simplest form of interation is to call this api whenever a new image is deployed.  The default environment name is `deployed` - if you want to image scans, and GitHub checkruns to start comparing against a "deployed" image, then call:
+The simplest form of interation is to call this api whenever a new image is deployed.  The default environment name is `deployed` - if you want to image scans, and GitHub Checks to start comparing against a "deployed" image, then call:
 
 ```
 $ curl \\
@@ -48,7 +48,6 @@ The payload supports additional fields to support additional use cases.
 }
 ```
 
-* use custom environment names to track different image versions in environments like `staging` and `production` 
+* use custom environment names to track different image versions in environments like `staging` and `production`
 * multi-platform image manifest lists are supported.  Add the platform details for the environments. Vulnerability scans are dependent on the platform.
 * if you are deploying multiple images from the same container repository into one environment, it is mandatory that each `image` have a unique `name`.
-

docs/img/configure-new-policy.png renamed to docs/img/getting-started/configure-new-policy.png

@@ -32,7 +32,7 @@ url=<replace this>
 team=<replace this>
 ```
 
-The `apiKey` and `url` must be filled in with your values from your Atomist workspace.  You can find these values in the [integrations tab](https://dso.atomist.com/r/auth/integrations). 
+The `apiKey` and `url` must be filled in with your values from your Atomist workspace.  You can find these values in the [integrations tab](https://dso.atomist.com/r/auth/integrations).
 You'll also need your the id for your atomist `team`.  This is the nine character value that you'll find at the top of [this page](https://dso.atomist.com/r/auth/policies).
 
 ![workspace id](./img/kubernetes/settings.png)
@@ -93,10 +93,10 @@ kubectl apply -f resources/k8s/admission/admission.yaml
 kubectl apply -f resources/k8s/jobs/patch.yaml
 ```
 
-## Enable image check policy
+## Enable Image Policy
 
 The admission controller will still be admitting all pods.  Reject pods with un-checked images by enabling the policy one namespace at a time.
-For example, start verifying that new pods in namespace `production` must have passed all necessary checks by annotating the namespace with the 
+For example, start verifying that new pods in namespace `production` must have passed all necessary rules by annotating the namespace with the
 annotation `policy-controller.atomist.com/policy`.
 
 ```bash
@@ -110,4 +110,3 @@ kubectl annotate namespace production policy-controller.atomist.com/policy-
 ```
 
 [dynamic-admission-control]: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
-

docs/img/configured-policy.png renamed to docs/img/getting-started/configured-policy.png

@@ -2,21 +2,21 @@
 
 ## Policy:  Docker Vulnerability
 
-We'll start by enabling the 
+We'll start by enabling the
 [Docker Vulnerability Policy](https://go.atomist.com/catalog/skills/atomist/docker-vulnerability-policy?stability=unstable).
 This policy illustrates how data can effectively flow back to developers to help make better decisions about promoting
 change. There are several concepts involved:
 
-1. using Checks to push data back to developers
+1. using GitHub Checks to push data back to developers
 2. using Checks to inform github branch protection rules, and code reviews
 3. setting baselines for cases where we want to start "improving" (reducing "noise" for existing projects)
-4. integrating vulnerability data into GitOps promotion, and kubernetes admission control policies 
+4. integrating vulnerability data into GitOps promotion, and kubernetes admission control policies
 
 As usual, the first step is to [enable the policy][docker-vulnerability-policy].
 
 ![img/docker-vulnerability-policy/14.png](img/docker-vulnerability-policy/14.png)
 
 For this policy, you should also be able to enable it using the default settings.  The default settings use GitHub
-checks to ensure that image vulnerabilties in a development branch do not get "worse" than the ones already in main.
+Checks to ensure that image vulnerabilties in a development branch do not get "worse" than the ones already in main.
 
 [docker-vulnerabilty-policy]: https://go.atomist.com/catalog/skills/atomist/docker-vulnerability-policy?stability=unstable