This article covers injecting good security practices into CI/CD pipelines using a few of the good open source tools available. The same approach can be applied to projects developed in most other programming languages; for illustration I have used a .NET Core app. Below are the security tools used in the build pipeline (CI) and in the release pipeline (CD).
A representation of the entire pipeline looks something like the screenshot below:
An Azure DevOps agent must be installed on your build machine so that Azure DevOps (SaaS) can communicate with it. The installation procedure can be found here. The pipeline starts with a code check-in trigger, which in turn starts the build process.
SonarQube
SonarQube is an automatic code review tool that detects bugs, vulnerabilities, and code smells in your code. I am using a dockerized version of SonarQube running on my build machine; you can get started with the procedure mentioned here. Once the SonarQube portal is set up, we need to create an authentication token so that Azure DevOps can talk to it. To create one, go to the user settings screen in the SonarQube portal (My Account > Security) and generate a token there. Make sure the token belongs to a user with the permissions needed to analyze and update the project on the portal. Treat the token as a secret: store it in an Azure DevOps service connection (or a secret pipeline variable), never in the pipeline definition or in source control.
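Wired together, the check-in trigger from above and the SonarQube steps look like the following Azure DevOps YAML build pipeline. This is an added example, not the pipeline from the screenshot: the pool, service connection and project names are assumptions, and it assumes the SonarQube extension for Azure DevOps is installed on the organization (it provides the SonarQube* tasks).

```yaml
# azure-pipelines.yml: build pipeline (CI) for the .NET Core app.
# Quoted names (pool, service connection, project key) are assumptions.
trigger:
  - main                      # a code check-in on main starts the build

pool:
  name: Default               # self-hosted agent pool on the build machine

steps:
  # 1. Prepare: binds the SonarQube service connection (which holds the
  #    auth token generated in the SonarQube portal) to the scanner.
  - task: SonarQubePrepare@5
    inputs:
      SonarQube: 'sonarqube-build-machine'   # service connection name
      scannerMode: 'MSBuild'                 # scanner for .NET projects
      projectKey: 'netcore-sample'
      projectName: 'netcore-sample'

  # 2. Build: the .NET scanner hooks into MSBuild, so the build must run
  #    between the prepare and analyze steps.
  - task: DotNetCoreCLI@2
    inputs:
      command: 'build'
      projects: '**/*.csproj'
      arguments: '--configuration Release'

  # 3. Analyze: runs the analysis and uploads the report to SonarQube.
  - task: SonarQubeAnalyze@5

  # 4. Publish: waits for the quality gate and shows its result in the
  #    build summary.
  - task: SonarQubePublish@5
    inputs:
      pollingTimeoutSec: '300'
```

The service connection is where the token goes: create it under Project Settings > Service connections with type SonarQube, paste the token there, and reference it by name in SonarQubePrepare. Keeping the token out of the YAML means it never lands in source control or in build logs, and rotating it is a change to the service connection only.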