Where to start with DevSecOps
DevSecOps is a broad subject, so where do you start this journey? You no longer have a choice about including security in your projects: the enterprise's reputation is at stake. You cannot add it at the end of a project, alongside those things that never get done.
Security is built brick upon brick, and one of those bricks is DevSecOps. What this means, behind the fancy word, is the automation of security tests in the regular DevOps CI/CD pipeline.
Unit tests could be considered a kind of security. If those unit tests run automatically on every pipeline run, this could already be called DevSecOps in a sense.
It does not have to be difficult, but it should be automated. Now consider that most language toolchains provide a dependency audit that checks for known vulnerabilities. Having your vendors' vulnerabilities checked inside your CI/CD pipeline is DevSecOps. This is entry level rather than ninja level, but it is a start.
Let's look at the case of npm audit on your GitLab, with a .gitlab-ci.yml that could contain the following.
```yaml
npm_audit:
  stage: audit
  image: ${IMAGE}:${TAG}
  tags:
    - gcp-docker
  only:
    - develop
  before_script:
    # the image is Alpine based, so install node, npm and jq with apk
    - apk add --update nodejs npm jq
  script:
    # pass when npm reports zero critical vulnerabilities; otherwise run npm audit
    # again without --json so its non-zero exit code (and report) fails the job
    - if [ "$(npm audit --package-lock-only --json | jq .metadata.vulnerabilities.critical)" = "0" ]; then exit 0; else npm audit; fi
```
This will break every pipeline on the develop branch that contains critical vulnerabilities according to npm.
To understand what's going on: I previously built a Docker image of the website based on Alpine. In the before_script I add the dependencies needed to get npm up and running. Once that is done, I launch npm audit, which breaks the job on critical vulnerabilities.
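As an added example (not code from the post), the jq one-liner in the script section could be replaced by a small gate script that blocks the job on a configurable severity threshold and fails closed when the audit output is unreadable, something the one-liner does not do; the file name audit_gate.py, the usage line and the sample JSON are assumptions.

```python
"""Severity gate for the JSON that `npm audit --json` prints (audit_gate.py is an assumed name)."""
import json
import sys

# npm severity levels, lowest first; the gate blocks on the threshold and everything above it.
SEVERITIES = ["info", "low", "moderate", "high", "critical"]

# Constructed sample of the metadata block npm audit emits; not output from a real project.
SAMPLE_AUDIT = json.dumps({"metadata": {"vulnerabilities": {
    "info": 0, "low": 3, "moderate": 1, "high": 2, "critical": 0, "total": 6}}})


def parse_vulnerability_counts(audit_json):
    """Return {severity: count}; raises ValueError when the metadata block is missing,
    so a truncated or errored audit cannot slip through as 'zero vulnerabilities'."""
    data = json.loads(audit_json)  # json.JSONDecodeError is a ValueError subclass
    meta = data.get("metadata", {}).get("vulnerabilities") if isinstance(data, dict) else None
    if meta is None:
        raise ValueError("no metadata.vulnerabilities block in npm audit output")
    return {sev: int(meta.get(sev, 0)) for sev in SEVERITIES}


def failing_severities(counts, fail_on):
    """Severities at or above fail_on that carry at least one finding."""
    return [sev for sev in SEVERITIES[SEVERITIES.index(fail_on):] if counts[sev] > 0]


def gate(audit_json, fail_on="critical"):
    """Exit code for the CI job: 0 pass, 1 findings at/above threshold, 2 unusable input."""
    if fail_on not in SEVERITIES:
        print(f"audit gate: unknown severity '{fail_on}'", file=sys.stderr)
        return 2
    try:
        counts = parse_vulnerability_counts(audit_json)
    except ValueError as exc:
        print(f"audit gate: cannot read npm audit output ({exc})", file=sys.stderr)
        return 2  # fail closed rather than pass on unreadable output
    print("npm audit:", ", ".join(f"{sev}={counts[sev]}" for sev in SEVERITIES))
    failing = failing_severities(counts, fail_on)
    if failing:
        print(f"audit gate: blocking on {', '.join(failing)} (threshold {fail_on})", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    # Pipeline usage (assumed): npm audit --package-lock-only --json | python3 audit_gate.py high
    sys.exit(gate(sys.stdin.read(), sys.argv[1] if len(sys.argv) > 1 else "critical"))
```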
This simple setup does not require any fancy security scanner. It is only a first step toward building security into your project.