This article covers adding sound security practices to CI/CD pipelines with a few of the good open source tools available. The same approach applies to most projects, whatever programming language they are written in; for illustration I have used a .NET Core app. The security tools used in the build pipeline (CI) and in the release pipeline (CD) are:

  • Build Pipeline
    1. SonarQube: static code analysis of the application source
    2. WhiteSource: scanning open source third-party libraries (Node.js, TypeScript, NuGet, ...) for known vulnerabilities
    3. OWASP Dependency-Check (DC): scanning built artifacts and their dependencies (dll, jar, ...) for known vulnerabilities (CVEs)
  • Release Pipeline
    1. OWASP Zed Attack Proxy (ZAP): dynamic scanning (penetration testing) of the deployed website

The entire pipeline looks something like the screenshot below:

The Azure DevOps agent must be installed on your build machine so that Azure DevOps (the SaaS service) can communicate with it. The installation procedure can be found here. Each pipeline starts from a code check-in trigger, which in turn kicks off the build.

SonarQube

SonarQube is an automatic code review tool that detects bugs, vulnerabilities, and code smells in your code. I am using a dockerized version of SonarQube running on my build machine; you can get started with the procedure mentioned here. Once the SonarQube portal is up, we need to create an authentication token for Azure DevOps to talk to it. To create one, go to the user settings screen in the SonarQube portal and generate a token there. A token inherits the permissions of the user who created it, so make sure that user has the permissions needed to run analyses and publish results to the portal (Execute Analysis on the project), and store the token as a secret pipeline variable rather than in source control.
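The setup above (dockerized SonarQube, a user token, then the scans the build and release pipelines run) is easier to debug if you can drive each step by hand on the build machine first. The script below is an added example, not code from the original article: it starts SonarQube in Docker, creates the token through the SonarQube web API instead of the portal UI, runs the SonarScanner for .NET around the build, runs OWASP Dependency-Check over the checkout, and finally runs a ZAP baseline scan against the deployed site. It assumes Docker and the .NET SDK are installed on the build machine, that it is run from the solution directory, and that the SonarQube admin password is still the default of a fresh instance; PROJECT_KEY and TARGET_URL are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): the four scans driven from a POSIX
# shell script on the build machine. Assumed: Docker + .NET SDK installed, run from the
# solution directory; PROJECT_KEY and TARGET_URL are hypothetical placeholders.
set -eu

SONAR_URL="${SONAR_URL:-http://localhost:9000}"
SONAR_ADMIN_USER="${SONAR_ADMIN_USER:-admin}"
SONAR_ADMIN_PASS="${SONAR_ADMIN_PASS:-admin}"   # default on a fresh instance; change it after first login
PROJECT_KEY="${PROJECT_KEY:-my-dotnet-app}"     # hypothetical SonarQube project key
TARGET_URL="${TARGET_URL:-https://staging.example.test}"  # hypothetical deployed site for ZAP

# 1. SonarQube server as a container on the build machine, as in the article.
start_sonarqube() {
  docker run -d --name sonarqube -p 9000:9000 sonarqube:lts-community >/dev/null
}

# GET /api/system/status returns JSON such as {"id":"...","version":"9.9","status":"UP"}.
# Succeeds only when the status is UP (it reports STARTING while the server boots).
sonar_is_up() {
  printf '%s' "$1" | grep -q '"status":"UP"'
}

wait_for_sonar() {
  i=0
  while [ "$i" -lt 60 ]; do
    if sonar_is_up "$(curl -s "$SONAR_URL/api/system/status" || true)"; then return 0; fi
    i=$((i + 1)); sleep 5
  done
  echo "SonarQube did not come up in time" >&2; return 1
}

# Pull the "token" field out of the JSON that POST /api/user_tokens/generate returns,
# e.g. {"login":"admin","name":"azure-devops","token":"squ_...","createdAt":"..."}.
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}

# Create the user token the scanner and Azure DevOps authenticate with. It inherits the
# creating user's permissions (needs Execute Analysis). Create it once, store it as a
# secret pipeline variable, never in source control.
create_sonar_token() {
  resp=$(curl -s -u "$SONAR_ADMIN_USER:$SONAR_ADMIN_PASS" -X POST \
    "$SONAR_URL/api/user_tokens/generate" -d "name=$1")
  extract_token "$resp"
}

# 2. Static analysis: SonarScanner for .NET wraps the build (begin / build / end).
run_sonar_scan() {
  dotnet tool install --global dotnet-sonarscanner >/dev/null 2>&1 || true  # ok if already installed
  export PATH="$PATH:$HOME/.dotnet/tools"
  dotnet sonarscanner begin /k:"$PROJECT_KEY" /d:sonar.host.url="$SONAR_URL" /d:sonar.login="$1"
  dotnet build --configuration Release
  dotnet sonarscanner end /d:sonar.login="$1"
}

# 3. OWASP Dependency-Check over the checkout and build output (dll, jar, ...);
#    --failOnCVSS 7 fails the build on any dependency with a High or Critical CVE.
run_dependency_check() {
  docker run --rm -v "$PWD:/src" owasp/dependency-check \
    --project "$PROJECT_KEY" --scan /src --format HTML --out /src/odc-report --failOnCVSS 7
}

# zap-baseline.py exit codes: 0 = no alerts, 1 = at least one FAIL, 2 = WARN only, 3 = other error.
zap_verdict() {
  case "$1" in
    0) echo pass ;;
    1) echo fail ;;
    2) echo warn ;;
    *) echo error ;;
  esac
}

# 4. Release stage: ZAP baseline (passive) scan of the deployed site; the HTML report
#    lands in the mounted /zap/wrk directory. Scanner output goes to stderr so that the
#    function's stdout is just the verdict.
run_zap_baseline() {
  if docker run --rm -v "$PWD:/zap/wrk:rw" owasp/zap2docker-stable \
       zap-baseline.py -t "$TARGET_URL" -r zap-report.html >&2; then rc=0; else rc=$?; fi
  zap_verdict "$rc"
}

main() {
  start_sonarqube
  wait_for_sonar
  token=$(create_sonar_token "azure-devops-$(date +%s)")
  run_sonar_scan "$token"
  run_dependency_check
  verdict=$(run_zap_baseline)
  echo "ZAP baseline verdict: $verdict"
  [ "$verdict" != fail ] && [ "$verdict" != error ]   # warnings are reported, not blocking
}

# Scans only run when asked for (RUN_SCANS=1 ./security-scan.sh); sourcing just defines functions.
if [ "${RUN_SCANS:-0}" = 1 ]; then main; fi
```

In the real pipeline each function maps to one task: the SonarQube prepare/build/analyze steps and Dependency-Check run in the build pipeline, and the ZAP baseline runs in the release pipeline after deployment. The exit-code mapping matters for the release gate: zap-baseline.py returns 2 for warnings, which would otherwise fail a task that treats any non-zero exit code as failure.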

Injecting security in CI/CD pipelines with SonarQube, WhiteSource, OWASP DC and OWASP ZAP 