This article was published more than a year ago. The information may be out of date, so please keep that in mind.
Introduction
Hi, this is Akshay Rao from Annotation.Inc. I tried to create a DevSecOps pipeline that includes several security scans. These scans matter because they find vulnerabilities before the application reaches production; a vulnerability found in production is far more expensive to fix than one found in the pipeline.
Let's start
Let's start by understanding the pipeline.
I took a Node.js project on GitHub and wrote a workflow.yml (under .github/workflows/) with three jobs that run one after another: build (install dependencies and run the SonarCloud SAST scan on the source), security (run the Snyk SCA scan on the dependencies), and zap_scan (run the OWASP ZAP baseline DAST scan against a running instance of the application).
Before committing it, I generated a token from Snyk and one from SonarCloud and stored them as repository secrets (SNYK_TOKENS and SONAR_TOKEN) in the GitHub repository settings. Then commit the workflow, and the scans start running in the Actions tab on GitHub.
```yaml
name: Build code, run unit test, run SAST, SCA, DAST security scans for NodeJs App
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    name: Run unit tests and SAST scan on the source code
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full history so SonarCloud can attribute issues to commits (shallow clones trigger a warning)
      - uses: actions/setup-node@v3
        with:
          node-version: 16
          cache: npm       # caching requires a committed package-lock.json
      - run: npm install
      # Note: despite the job name there is no test step here; add "- run: npm test" if the project has one.
      - name: SonarCloud Scan
        # Pin third-party actions to a release tag or commit SHA instead of @master;
        # a moving branch is a supply-chain risk inside the pipeline itself.
        uses: sonarsource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=<PUT YOUR ORGANIZATION NAME>
            -Dsonar.projectKey=<PUT YOUR PROJECT KEY NAME>
  security:
    runs-on: ubuntu-latest
    needs: build
    name: Run the SCA scan on the source code
    steps:
      - uses: actions/checkout@v3
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        # continue-on-error: true means Snyk findings never fail the workflow, so the
        # DAST job runs even when vulnerable dependencies are present. Remove it (or
        # pass args: --severity-threshold=high) once the initial backlog is triaged.
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKENS }}   # the repository secret is named SNYK_TOKENS
  zap_scan:
    runs-on: ubuntu-latest
    needs: security
    name: Run DAST scan on the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: master
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.6.1
        with:
          docker_name: 'owasp/zap2docker-stable'
          # Replace with the URL of a deployed test/staging instance of this app.
          # example.com is only a placeholder; only scan hosts you are authorised to test.
          target: 'http://example.com/'
          # Tab-separated lines of "<plugin id> <IGNORE|WARN|FAIL> <comment>", committed to the repo.
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
```
The reports are generated as workflow artifacts, can be opened in the Actions tab by clicking on the scan's job name, or can be viewed on the SonarCloud or Snyk dashboard at the URL printed in the job log.
SAST Report
SCA Report
DAST Report
Conclusion
I thank AsecurityGuru's Udemy course, which helped me understand the DevSecOps pipeline.
Thank You