I tried to created a end to end DevSecOps pipeline for Node.js project

Introduction

Hi this Akshay Rao from Annotation.Inc, I tried to create the DevSecOps pipeline including some security scans. These security scans are very important as the vulnerability is found before the Application is the production, because if the vulnerability are found in the production the cost of rectifying is very high.

Let's start

Lets start by understanding the pipeline

  • the developers commit the App code to the remote repository like GitHub, GitBucket and others.
  • code has to built, run unit test and pass it.
  • we will have to scan the whole code for vulnerabilities, for that we will be conducting SAST (Static Application Security testingTesting),SCA(Software Composition Analysis) and DAST (Dynamic Application Security Testing).
  • The SAST is a methodology to find security vulnerabilities in the application. I have used Sonar cloud to perform SAST in this pipeline.
  • The SCA is performed to evaluate security, license compliance, imported package vulnerabilities or the deprecated packages and code quality. I have used Snyk tool in the pipeline.
  • The DAST is similar to SAST but he scan is done when the application is running in the production environment. I have used OWASP ZAP tool in pipeline.
  • After the scans are done then the reports and issues are generated. if any vulnerability found can be rectified immediately or can be communicated to the developers.

  • I have take nodejs project in the Github, write a workflow.yml In this yml file i have created

  • Three jobs (build, security and zap_scan)
  • In build job ,I have built the application and performed SAST scan in the name of Sonar cloud scan.
  • In Security job, I have run the SCA scan with Snyk tool.
  • In Zap_scan, I have performed the DAST with OWASP ZAP tool. In the Target key we can put the url of the Application.
  • I had to generate a token form Synk and Sonar cloud (SYNK_TOKENS & SONAR_TOKEN) in the Github repository settings. Then commit the workflow and the scans will start running in the actions tab in the Github.

    name: Build code, run unit test, run SAST, SCA, DAST security scans for NodeJs App
    on: push
    
    jobs:
      build:
        runs-on: ubuntu-latest
        name: Run unit tests and SAST scan on the source code 
        steps:
        - uses: actions/checkout@v3
        - uses: actions/setup-node@v3
          with:
            node-version: 16
            cache: npm
        - run: npm install
        - name: SonarCloud Scan
          uses: sonarsource/sonarcloud-github-action@master
          env:
            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          with:
            args: >
              -Dsonar.organization=<PUT YOUR ORGANIZATION NAME>
              -Dsonar.projectKey=< PUT YOUR PROJECT KEY NAME>
      security:
        runs-on: ubuntu-latest
        needs: build
        name: Run the SCA scan on the source code
        steps:
          - uses: actions/checkout@master
          - name: RunSnyk to check for vulnerabilities
            uses: snyk/actions/node@master
            continue-on-error: true
            env:
              SNYK_TOKEN: ${{ secrets.SNYK_TOKENS }}
      zap_scan:
        runs-on: ubuntu-latest
        needs: security
        name: Run DAST scan on the web application
        steps:
          - name: Checkout
            uses: actions/checkout@v2
            with:
              ref: master
          - name: ZAP Scan
            uses: zaproxy/action-baseline@v0.6.1
            with:
              docker_name: 'owasp/zap2docker-stable'
              target: 'http://example.com/'
              rules_file_name: '.zap/rules.tsv'
              cmd_options: '-a'

    The reports will be genarated as artifacts or in the actions by clicking on scan names or through dashboard url which will be mentioned.
    SAST Report

    SCA Report

    DAST Report

    Conclusion

    I thank AsecurityGuru's udemy course who helped me in understanding DevSecOps pipeline.
    Thank You