DevOps Blog - Nicolas Paris

Where to start with DevSecOps


DevSecOps is a broad subject, so where to start this journey. You do not have choice now to include security on your projects, enterprise reputation is on stake. You cannot add this to the end of project, with thoses stuff that are never done.

Security is built brick upon brick, one of them is DevSecOps. What does this mean behind a fancy word is automation of tests in regular DevOps CI/CD pipeline.

If unit tests could be considering a kind of security. If those unit tests are run automatically on every run, this could be call DevSecOps in a sense.

It does not have to be difficult, but it should be automatized. Now let's consider that most language tools provide some dependence audit check for known vulnerability. Have vulnerability of vendors inside your CI/CD pipeline is DevSecOps. This is more entry level that ninja level, but it is a start.

Let's see the case for npm audit on your Gitlab, with a .gitlab-ci.yaml that could have the following.

stage: audit
image: ${IMAGE}:${TAG}
- gcp-docker
- develop
- apk add --update nodejs npm jq
- if [ $(npm audit --package-lock-only --json | jq .metadata.vulnerabilities.critical) == '0' ] ; then exit 0; else npm audit; fi

This will break every pipeline in the develop branch that contains some critical vulnerabilities according to npm.

To understand what's going on, I previously build a docker image based on alpine of the web site. I'm adding in the before_script some dependency to get the npm up and running. Once this is done, I’m launch the npm audit that break on critical vulnerabilities.

This easy setup does not require any fancy security scanner. This setup is only a first step to build a security on your project.