Injecting security in CI/CD pipelines with SonarQube, WhiteSource, OWASP DC and OWASP ZAP 

This article covers how to inject good security practices into CI/CD pipelines using a few of the good open-source tools available. The same approach can be applied to most projects, whatever the programming language. For illustration, I have used a .NET Core app. The security tools used in the build pipeline (CI) and the release pipeline (CD) are listed below:

Build pipeline

  1. SonarQube — static code analysis
  2. WhiteSource — scanning open-source third-party libraries (Node.js, TypeScript, NuGet, ...) for known vulnerabilities
  3. OWASP Dependency-Check (DC) — scanning binaries and packages (DLL, JAR, ...) for known vulnerabilities

Release pipeline

  1. OWASP Zed Attack Proxy (ZAP) — penetration testing of the deployed website
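The article lists the scanners but not how their output should break the build; as an added example (not the author's code), this Python gate step reads the JSON reports that OWASP Dependency-Check and ZAP can write and returns a non-zero exit code for the pipeline stage when a finding crosses a CVSS or risk threshold. The report field layout is the tools' JSON format as assumed here; the sample reports, library names, hostnames and the placeholder CVE id are constructed.

```python
import json
import sys
# Added example: build gate over OWASP Dependency-Check and ZAP JSON reports.
# Both sample reports below are constructed and trimmed to the fields used.
DC_REPORT = json.dumps({"dependencies": [
    {"fileName": "ExampleLib.dll", "vulnerabilities": [
        {"name": "CVE-XXXX-PLACEHOLDER", "severity": "HIGH", "cvssv3": {"baseScore": 8.1}}]},
    {"fileName": "OtherLib.dll", "vulnerabilities": []}]})
ZAP_REPORT = json.dumps({"site": [{"@name": "http://app.example.internal", "alerts": [
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "http://app.example.internal/"}]},
    {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
     "instances": [{"uri": "http://app.example.internal/search?q=x"},
                   {"uri": "http://app.example.internal/login"}]}]}]})
ZAP_RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

def dc_findings(report_text, min_cvss=7.0):
    """(fileName, vulnerability name, score) for each finding with CVSS >= min_cvss."""
    out = []
    for dep in json.loads(report_text).get("dependencies", []):
        for v in dep.get("vulnerabilities") or []:
            # Prefer the CVSS v3 base score; fall back to v2 when v3 is absent.
            score = ((v.get("cvssv3") or {}).get("baseScore")
                     or (v.get("cvssv2") or {}).get("score") or 0.0)
            if score >= min_cvss:
                out.append((dep["fileName"], v["name"], score))
    return out

def zap_findings(report_text, min_risk=2):
    """(site, alert, risk label, instance count) for alerts at or above min_risk."""
    out = []
    for site in json.loads(report_text).get("site", []):
        for a in site.get("alerts", []):
            if int(a["riskcode"]) >= min_risk:
                out.append((site["@name"], a["alert"], ZAP_RISK[a["riskcode"]],
                            len(a.get("instances", []))))
    return out

def gate(dc_text, zap_text, min_cvss=7.0, min_risk=2):
    """Print every blocking finding; return 1 to fail the pipeline stage, else 0."""
    dc, zap = dc_findings(dc_text, min_cvss), zap_findings(zap_text, min_risk)
    for path, name, score in dc:
        print(f"DC  {path}: {name} (CVSS {score})")
    for site, alert, risk, n in zap:
        print(f"ZAP {site}: {alert} [{risk}] at {n} location(s)")
    return 1 if dc or zap else 0

if __name__ == "__main__":  # usage: gate.py <dc-report.json> <zap-report.json>
    texts = [open(p).read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else [DC_REPORT, ZAP_REPORT]
    sys.exit(gate(*texts))
```

Run as a script step after the Dependency-Check and ZAP tasks; with no arguments it evaluates the constructed samples and exits 1 because of the High ZAP alert and the CVSS 8.1 dependency.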

A representation of the entire pipeline looks something like the screenshot below.

The Azure DevOps agent must be installed on your build machine so that Azure DevOps (SaaS) can communicate with it. The installation procedure can be found here. The pipeline starts with a code check-in trigger, which in turn starts the build process.

SonarQube

SonarQube is an automatic code review tool that detects bugs, vulnerabilities, and code smells in your code. I am using a dockerized version of SonarQube running on my build machine; you can get started with the procedure mentioned here. Once the SonarQube portal is set up, we need to create an authentication token so that Azure DevOps can talk to it. To create one, go to the user settings screen in the SonarQube portal and generate a token there. Make sure the token has the permissions needed to update the portal.
