构建安全的 DevSecOps Pipeline
之前我写过关于Devcloud的内容,这是我华为云上的一个DevSecOps云服务,现已更名为CodeArts。本篇准备写下开源方式的实现 。
In today’s rapidly evolving threat landscape, ensuring the security of software applications is of paramount importance. One way to achieve this is by implementing a robust DevSecOps pipeline that integrates security practices seamlessly into the software development lifecycle. In this article, we will explore how to integrate different security tools into each stage of the DevSecOps pipeline, ensuring code security from the very beginning.
在当今快速发展的威胁环境中,确保软件应用程序的安全性至关重要。实现这一目标的方法是实施强大的 DevSecOps Pipeline,将安全无缝集成到软件开发生命周期中。在本文中,我们将探讨如何将不同的安全工具集成到 DevSecOps 管道的每个阶段,从一开始就确保代码安全。
一、Jenkins实现
These are just examples, and you can customize them based on the specific tools and configurations you use in your environment. Remember to install the required tools and plugins in your Jenkins instance or CI/CD platform。
以下这些只是示例,您可以根据您在环境中使用的特定工具和配置来自定义使用。以下是通过 Jenkins 实例安装所需的工具和插件来实现。
1. Checkout Project (e.g — Git)
1stage('Checkout Project') {
2 steps {
3 // Add steps to clone the repository
4 // For example, using Git
5 git url: 'https://github.com/your/repository.git'
6 }
7}
2. Git Secret Check (e.g — Git Secrets)
1stage('Git Secret Check') {
2 steps {
3 // Install and run Git Secrets
4 sh 'git secrets --scan'
5 }
6}
3. SAST (e.g — SonarQube)
1stage('Static Code Analysis (SAST)') {
2 steps {
3 // Execute SonarQube analysis using the SonarQube Scanner
4 withSonarQubeEnv('SonarQube Server') {
5 sh 'sonar-scanner'
6 }
7 }
8}
4. SCA (e.g — OWASP Dependency check)
1stage('Software Composition Analysis (SCA)') {
2 steps {
3 // Execute an SCA tool, such as OWASP Dependency Check or Snyk
4 sh 'dependency-check --project your-project --scan .'
5 }
6}
5. Container Audit (e.g — Trivy / Docker Security Scan)
1stage('Container Audit') {
2 steps {
3 // Scan the container image for vulnerabilities
4 sh 'docker scan your-container-image'
5 }
6}
6. DAST(e.g — OWASP ZAP)
1stage('Dynamic Application Security Testing (DAST)') {
2 steps {
3 // Execute DAST tool against the application
4 sh 'zap-cli --start --spider your-application-url && zap-cli --scan --policy your-policy-file'
5 }
6}
7. System Security Audit (e.g — lysis)
1stage('System Security Audit') {
2 steps {
3 // Run system security audit tool
4 sh 'lynis audit system'
5 }
6}
8. Vulnerability Tracking and Compliance (e.g -Bugzilla, jira)
1stage('Vulnerability Tracking and Compliance') {
2 steps {
3 // Create tickets or issues for identified vulnerabilities
4 sh 'jira-cli create-issue --project your-project --summary "Vulnerability found" --description "Details of the vulnerability"'
5 }
6}
二、Github实现
Github is a code warehouse management tool that is balanced between open source and business. It can also realize DevSecOps capabilities through marketplace enhancements.
Github属于介于开源和商业之间平衡的一个代码仓管理工具,其通过应用市场增强,也可以实现DevSecOps的能力。
GitHub DevSecOps Pipeline with GitSecret, SAST, SCA, Container Audit, DAST, and System Security Audit. Lets see the complete Yaml file for this DevSecOps Pipeline
1name: DevSecOps Pipeline
2
3on:
4 push:
5 branches:
6 - main
7
8jobs:
9 build:
10 runs-on: ubuntu-latest
11 steps:
12 - name: Checkout code
13 uses: actions/checkout@v2
14
15 - name: GitSecret check
16 uses: gitsecret/action@v1
17 with:
18 secret-file: .gitsecret
19
20 - name: SAST for SonarQube
21 uses: sonarsource/sonarcloud-github-action@v1
22 with:
23 sonar-project-key: [your-sonar-project-key]
24 sonar-login: [your-sonar-login]
25
26 - name: SCA (Dependency Check)
27 uses: owasp/dependency-check-action@v1
28 with:
29 dependency-check-report: ./dependency-check-report.xml
30
31 - name: Container Audit (Trivy)
32 uses: aquasec/trivy-action@v1
33 with:
34 image: [your-image-name]
35
36 - name: DAST (WASP Zap)
37 uses: owasp/zap-action@v1
38 with:
39 zap-url: http://[your-zap-url]
40 zap-token: [your-zap-token]
41
42 - name: System Security Audit (Lynis)
43 uses: github/lyses-action@v1
44 with:
45 lyses-url: https://[your-lyses-url]
46 lyses-token: [your-lyses-token]
47
48 - name: Bugzilla for tracking
49 uses: bz-action/bugzilla-action@v1
50 with:
51 bugzilla-url: https://[your-bugzilla-url]
52 bugzilla-user: [your-bugzilla-user]
53 bugzilla-password: [your-bugzilla-password]
捐赠本站(Donate)
如您感觉文章有用,可扫码捐赠本站!(If the article useful, you can scan the QR code to donate))
- Author: shisekong
- Link: https://blog.361way.com/devsecops-jenkins-github/8479.html
- License: This work is under a 知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议. Kindly fulfill the requirements of the aforementioned License when adapting or creating a derivative of this work.