I tried to created a end to end DevSecOps pipeline for Node.js project

アクシャイラオ

2022.10.11

この記事は公開されてから1年以上経過しています。情報が古い可能性がありますので、ご注意ください。

Introduction

Hi this Akshay Rao from Annotation.Inc, I tried to create the DevSecOps pipeline including some security scans. These security scans are very important as the vulnerability is found before the Application is the production, because if the vulnerability are found in the production the cost of rectifying is very high.

Let's start

Lets start by understanding the pipeline

the developers commit the App code to the remote repository like GitHub, GitBucket and others.

code has to built, run unit test and pass it.

we will have to scan the whole code for vulnerabilities, for that we will be conducting SAST (Static Application Security testingTesting),SCA(Software Composition Analysis) and DAST (Dynamic Application Security Testing).

The SAST is a methodology to find security vulnerabilities in the application. I have used Sonar cloud to perform SAST in this pipeline.

The SCA is performed to evaluate security, license compliance, imported package vulnerabilities or the deprecated packages and code quality. I have used Snyk tool in the pipeline.

The DAST is similar to SAST but he scan is done when the application is running in the production environment. I have used OWASP ZAP tool in pipeline.

After the scans are done then the reports and issues are generated. if any vulnerability found can be rectified immediately or can be communicated to the developers.

I have take nodejs project in the Github, write a workflow.yml In this yml file i have created

Three jobs (build, security and zap_scan)

In build job ,I have built the application and performed SAST scan in the name of Sonar cloud scan.

In Security job, I have run the SCA scan with Snyk tool.

In Zap_scan, I have performed the DAST with OWASP ZAP tool. In the Target key we can put the url of the Application.

I had to generate a token form Synk and Sonar cloud (SYNK_TOKENS & SONAR_TOKEN) in the Github repository settings. Then commit the workflow and the scans will start running in the actions tab in the Github.

name: Build code, run unit test, run SAST, SCA, DAST security scans for NodeJs App
on: push

jobs:
  build:
    runs-on: ubuntu-latest
    name: Run unit tests and SAST scan on the source code 
    steps:
    - uses: actions/checkout@v3
    - uses: actions/setup-node@v3
      with:
        node-version: 16
        cache: npm
    - run: npm install
    - name: SonarCloud Scan
      uses: sonarsource/sonarcloud-github-action@master
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      with:
        args: >
          -Dsonar.organization=<PUT YOUR ORGANIZATION NAME>
          -Dsonar.projectKey=< PUT YOUR PROJECT KEY NAME>
  security:
    runs-on: ubuntu-latest
    needs: build
    name: Run the SCA scan on the source code
    steps:
      - uses: actions/checkout@master
      - name: RunSnyk to check for vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKENS }}
  zap_scan:
    runs-on: ubuntu-latest
    needs: security
    name: Run DAST scan on the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: master
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.6.1
        with:
          docker_name: 'owasp/zap2docker-stable'
          target: 'http://example.com/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

The reports will be genarated as artifacts or in the actions by clicking on scan names or through dashboard url which will be mentioned.
SAST Report

SCA Report

DAST Report