
Cloud infrastructure security standard 1.3.0

Application security requirements

Written by
Yandex Cloud
Improved by
Danila N.
Updated on April 23, 2025
6. Application security

Bot protection

6.1 Yandex SmartCaptcha is used

To mitigate the risks associated with automated attacks on applications, we recommend using Yandex SmartCaptcha. The service checks user requests with its ML algorithms and only shows challenges to those users whose requests it considers suspicious. You do not have to place the "I’m not a robot" button on the page.

Performing a check in the management console
  1. In the management console, select the folder.
  2. Select Yandex SmartCaptcha.
  3. Make sure at least one CAPTCHA is created for your application.

Guides and solutions to use:

Guide on creating a CAPTCHA in Yandex SmartCaptcha.

Building a secure pipeline

Yandex Cloud allows customers to achieve compliance of software they develop at all Supply-chain Levels for Software Artifacts (SLSA), provided that they follow the guidelines given in this section. When using Yandex Managed Service for GitLab, a customer automatically achieves SLSA Level 2 compliance.

6.2 When creating a registry in Yandex Container Registry, keep the safe registry settings by default

When creating a new registry, use the default options to make sure it meets the Yandex Cloud security standard:

  • Docker images are automatically scanned as they are uploaded to the registry.
  • Docker images in the registry are regularly re-scanned, i.e., every 7 days with an option to switch to daily scanning in the settings.

Guides and solutions to use:

Management console
  1. In the management console, select the folder to create a registry in.

  2. From the list of services, select Container Registry.

  3. Click Create registry.

  4. In the Name field, enter a name for the registry. The naming requirements are as follows:

    • It must be from 2 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.
  5. Under Automatic scanning:

    • Keep Scan Docker images on push enabled so that Docker images are scanned as soon as they are uploaded to the registry.
    • Keep Scan all Docker images in the registry enabled. Adjust the scanning frequency if you need to.
  6. Click Create registry.

CLI

To create a registry with the secure image scanning settings enabled by default, run this command:

yc container registry create \
  --name <registry_name> \
  --secure

6.3 Docker images are scanned when uploaded to Container Registry

Automatic scanning of Docker images on push is critical for early detection and elimination of vulnerabilities and thus for secure deployment of containers. Reports on completed scans provide a brief description of the detected vulnerabilities and issues and help you set priorities and eliminate security risks in containerized applications.

Performing a check in the management console
  1. In the management console, select the folder the registry with Docker images belongs to.
  2. Select the appropriate registry in Container Registry.
  3. Navigate to the Vulnerability scanner tab and click Edit settings.
  4. Make sure Docker image scans on push are enabled.

Guides and solutions to use:

Guide on scanning Docker images on push.

6.4 Docker images stored in Container Registry are regularly scanned

Scheduled scanning of Docker images is an automated process that checks containerized images for vulnerabilities and compliance with security standards. Such scans are regular and automatic to ensure the consistency of image checks for vulnerabilities and maintain a high security level in the long run. Reports on completed scans provide a brief description of detected vulnerabilities and issues and help you set priorities and eliminate security risks in containerized applications.

We recommend setting up a schedule for scans to be run at least once a week.

Performing a check in the management console
  1. In the management console, select the folder the registry with Docker images belongs to.
  2. Select the appropriate registry in Container Registry.
  3. Navigate to the Vulnerability scanner tab and click Edit settings.
  4. Make sure that scheduled Docker image scans are enabled with a frequency of at least once a week.

Guides and solutions to use:

Guide on scheduled scanning of Docker images.

6.5 Container images used in the production environment have the last scan date of one week ago or less

Checking Docker images used in production environments with the last scan date not older than a week ensures that you continuously monitor and update security measures, eliminating potential vulnerabilities that might have occurred since the last scan. This also helps you make sure you are not deploying containers with recently detected vulnerabilities and enhance the security level. You can automate this process by setting up a schedule in the Vulnerability scanner.

Performing a check via the CLI

Run the command below to list the container images in your organization whose last scan is more than a week old (these are the images that violate the recommendation):

# Walks every cloud, folder and registry in the organization and prints each image
# whose last scan is older than 7 days. Requires the yc CLI, jq and GNU date.
# Images that have never been scanned return no scanned_at and are skipped here;
# check them separately, as they do not meet the recommendation either.
export ORG_ID=<organization_ID>
for CLOUD_ID in $(yc resource-manager cloud list --organization-id="${ORG_ID}" --format=json | jq -r '.[].id'); do
  for FOLDER_ID in $(yc resource-manager folder list --cloud-id="${CLOUD_ID}" --format=json | jq -r '.[].id'); do
    for REGISTRY_ID in $(yc container registry list --folder-id "${FOLDER_ID}" --format=json | jq -r '.[].id'); do
      for IMAGE_ID in $(yc container image list --registry-id "${REGISTRY_ID}" --format=json | jq -r '.[].id'); do
        # '// empty' turns a missing scanned_at into an empty string instead of the literal "null"
        LAST_SCAN_DATE=$(yc container image get-last-scan-result --image-id "${IMAGE_ID}" --format=json 2>/dev/null | jq -r '.scanned_at // empty')
        # Compare the scan timestamp (epoch seconds) with the moment 7 days ago
        [ -n "$LAST_SCAN_DATE" ] && [ "$(date --date "$LAST_SCAN_DATE" +'%s')" -lt "$(date --date '7 days ago' +'%s')" ] \
          && echo "Registry ID - $REGISTRY_ID, Image ID - $IMAGE_ID, Last scan date - $LAST_SCAN_DATE"
      done
    done
  done
done

6.6 Attestations are used when building artifacts

Attestations used when building software artifacts help ensure a secure and verifiable record of an artifact's origin, integrity, and SBOM compliance. This helps ensure the artifact reliability throughout its lifecycle. A software bill of materials (SBOM) is required to secure a supply chain, manage vulnerabilities, comply with requirements, assess risks, ensure transparency, and respond to incidents in an effective way.

With Managed Service for GitLab, attestations are easier to use, as the service has a feature for generating a provenance attestation. An SBOM can be generated using syft, a third-party software tool.

Manual check

Make sure that artifact attestation is performed while building an application.

Guides and solutions to use:

GitLab guide on software artifact attestation.

6.7 Artifact integrity is ensured

Signing artifacts enhances security to ensure your software validity, integrity, reliability, and compliance with the requirements.

Manual check

Make sure that artifacts are signed while building an application.

Guides and solutions to use:

To sign artifacts within a pipeline, you can use Cosign, a third-party command line utility for signing artifacts, images, and in-toto attestations. Then you can upload these artifacts to Yandex Container Registry.

A special build of Cosign allows you to store the created digital signature key pair in Yandex Key Management Service, sign files and artifacts with the private key of the pair, and verify a digital signature using its public key.

To learn more, see Signing and verifying Container Registry Docker images in Yandex Managed Service for Kubernetes.

6.8 Artifacts are checked for authenticity on deployment

To ensure the reliability, security, and compatibility of applications in Managed Service for Kubernetes, a service for automatic scaling and deployment of applications, you need to minimize the risk of issues, vulnerabilities, and failures during your application deployment and runtime. To do this, use signatures and signature verification in Managed Service for Kubernetes with Cosign and Kyverno.

Manual check

Make sure that artifact signatures are verified when an application is deployed.

Guides and solutions to use:

Guide on setting up the artifact signature.
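As an added illustration of the 6.8 check (example policy written here, not from the Yandex Cloud guide or the Kyverno project): a Kyverno ClusterPolicy that refuses to admit Pods whose images from Container Registry lack a valid Cosign signature. The registry ID, the prod namespace and the public key are placeholders; the key is the public half of the pair that the Yandex Cosign build keeps in Key Management Service.

```yaml
# Added example, not from the Yandex Cloud guide. Placeholders: the registry ID,
# the namespace and the public key (export the public half of the KMS-backed
# Cosign key pair and paste it in PEM form).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-container-registry-signatures
spec:
  validationFailureAction: Enforce   # start with Audit, switch to Enforce once no violations remain
  background: false                  # admission-time check only
  failurePolicy: Fail                # if Kyverno is unreachable, deny rather than admit
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - prod               # assumed production namespace
      verifyImages:
        - imageReferences:
            - "cr.yandex/<registry_ID>/*"   # only images from your own registry are checked
          required: true             # a matching image without a signature is rejected
          mutateDigest: true         # pin the verified image to its digest in the Pod spec
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <public_key_exported_from_Key_Management_Service>
                      -----END PUBLIC KEY-----
```

Kyverno fetches the signature manifests from the registry itself, so its controller needs pull credentials for a private registry. Roll the policy out in Audit mode first, because in Enforce mode a missing key or credential blocks every deployment that matches the rule.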

6.9 Protected secure pipeline templates are used

When working with Managed Service for GitLab, make sure you use built-in GitLab security mechanisms to secure your pipeline. You can integrate a pipeline into your projects in the following ways:

  • Creating a pipeline in an individual project and connecting it to other projects using the include function. This option is available for all license types.
  • Using the Compliance framework and pipeline mechanism that you can run in any group project. It is available for the Ultimate license.
  • Copying pipeline sections to .gitlab-ci.yml files in your projects.
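To illustrate the first option above (connecting a central pipeline with the include function), here is an added example written for this page, not taken from the page or from GitLab: two files shown in one block and separated by ---. The project path security/ci-templates, the tag v1.2.0, the registry ID and the COSIGN_KEY variable are assumptions.

```yaml
# File 1 (assumed path): project security/ci-templates, file /templates/secure-build.yml.
# The template project is owned by the security team and its tags are protected,
# so a consumer that pins a tag cannot receive an unreviewed change.
stages: [build, sign]

build-image:
  stage: build
  script:
    # registry login is assumed to be configured for the runner
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

sign-image:
  stage: sign
  needs: [build-image]
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"   # sign only from protected branches or tags
  script:
    # COSIGN_KEY is assumed to be a protected, masked CI variable holding the key reference
    - cosign sign --key "$COSIGN_KEY" "$IMAGE"
---
# File 2: .gitlab-ci.yml of an application project. It defines no jobs of its own;
# the whole pipeline comes from the pinned template.
include:
  - project: "security/ci-templates"
    ref: "v1.2.0"                      # pin a tag or commit SHA, never a moving branch
    file: "/templates/secure-build.yml"

variables:
  IMAGE: "cr.yandex/<registry_ID>/app:$CI_COMMIT_SHORT_SHA"
```

Because the application project carries no job definitions, a developer cannot drop the signing step by editing their own .gitlab-ci.yml; they would have to change the template project, which only its maintainers can do.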

6.10 A Yandex Smart Web Security security profile is used

Yandex Smart Web Security protects you against DDoS attacks, web attacks, and bots at the application layer (L7 of the OSI model). Smart Web Security connects to Yandex Application Load Balancer.

In a nutshell, the service checks the HTTP requests sent to the protected resource against the rules configured in the security profile. Depending on the results of the check, the requests are forwarded to the protected resource, blocked, or sent to Yandex SmartCaptcha for additional verification.

Performing a check in the management console
  1. In the management console, select the folder where you want to check the Smart Web Security status.
  2. From the list of services, select Smart Web Security.
  3. Make sure you have security profiles created.
  4. If you have security profiles, the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.

Performing a check via the CLI

Run this command:

yc smartwebsecurity security-profile list

If the command returns information about the existing security profiles, the recommendation is fulfilled. Otherwise, proceed to Guides and solutions to use.

Guides and solutions to use:

Creating a security profile and connecting it to a virtual host of an L7 load balancer.

6.11 A web application firewall is used

To mitigate risks associated with web attacks, we recommend using the Yandex Smart Web Security web application firewall (WAF). A web application firewall analyzes HTTP requests to a web app according to pre-configured rules. Based on the analysis results, certain actions are applied to HTTP requests.

You can manage the web application firewall using a WAF profile that connects to a security profile in Smart Web Security as a separate rule.

Performing a check in the management console
  1. In the management console, select the folder where you want to check a security profile for a WAF rule.
  2. From the list of services, select Smart Web Security.
  3. Make sure your security profile has a security rule of the web application firewall type.

Guides and solutions to use:

Creating a WAF profile and connecting it to a security profile in Smart Web Security.

6.12 Advanced Rate Limiter is used

Advanced Rate Limiter (ARL) is a Yandex Smart Web Security module used to monitor and limit web app loads. The module allows you to set a limit on the number of HTTP requests over a certain period of time. All requests above the limit will be blocked. You can set a single limit for all traffic or configure specific limits to segment requests by certain parameters. For the purposes of limits, you can count requests one by one or group them together based on specified characteristics.

You need to connect your ARL profile to the security profile in Smart Web Security.

Performing a check in the management console
  1. In the management console, select the folder you want to check for ARL profiles.
  2. From the list of services, select Smart Web Security.
  3. In the left-hand panel, select ARL profiles and make sure you have ARL profiles connected to your security profile.

Guides and solutions to use:

Creating an ARL profile and connecting it to a security profile in Smart Web Security.

6.13 Approval rules are configured

With Yandex Managed Service for GitLab, you can flexibly set up mandatory approval rules for adding code to the target project branch. This feature is an alternative to the GitLab Enterprise Edition’s Approval Rules tool and is available regardless of the GitLab version.

If a GitLab instance has the approval rules enabled, Managed Service for GitLab analyzes approvals from reviewers for compliance with the specified rules. If there are not enough approvals, a thread is created in a merge request that blocks it from being merged to the target branch. Editing the merge request creates or updates a comment in the thread with its current compliance status. Once all the required approvals are obtained, the thread is closed.

If you close a thread manually, it will be created again. If a merge request is approved regardless of the existing rules, users with the Maintainer role or higher will receive an email notification about the violated code approval workflow.

Performing a check in the management console
  1. In the management console, select the folder where your GitLab instance is located.
  2. In the list of services, select Managed Service for GitLab.
  3. Select the instance you need and click Edit in the top-right corner of the page.
  4. Make sure a configured rule set is selected in the Approval rules field.

Guides and solutions to use:

Enabling approval rules in the GitLab instance

6.14 Trusted and unwanted IP addresses are grouped into lists

Yandex Smart Web Security supports grouping IP addresses into custom lists. Add those lists as conditions in rules to allow, block, or forward some traffic to SmartCaptcha during IP address verification.

Performing a check in the management console
  1. Open the Yandex Cloud console in your browser.
  2. Go to the appropriate folder.
  3. From the list of services, select Smart Web Security.
  4. Go to Lists.
  5. Check that the lists have been created.
  6. If there are such lists, the recommendation is fulfilled. Otherwise, proceed to "Guides and solutions to use".

Manual check

Contact your account manager to make sure you have Smart Web Security lists.

Guides and solutions to use:

Whitelist and blacklist IP addresses to filter traffic. To learn more, see Managing address lists.
