Hi this Akshay Rao, I tried to create the whole devops pipeline including some security scans. These security scans are very important as the vulnerability is found before the Application is the production, because if the vulnerability are found in the production the cost of rectifying is very high.
Lets start by understanding the pipeline
- the developers commit the App code to the remote repository like GitHub, GitBucket and others.
- code has to built, run unit test and pass it.
- we will have to scan the whole code for vulnerabilities, for that we will be conducting SAST (Static Application Security testingTesting),SCA(Software Composition Analysis) and DAST (Dynamic Application Security Testing).
- The SAST is a methodology to find security vulnerabilities in the application. I have used Sonar cloud to perform SAST in this pipeline
- The SCA is performed to evaluate security, license compliance, imported package vulnerabilities or the deprecated packages and code quality. I have used Snyk tool in the pipeline.
- The DAST is similar to SAST but he scan is done when the application is running in the production environment. I have used OWASP ZAP tool in pipeline.
- After the scans are done then the reports and issues are generated. if any vulnerability found can be rectified immediately or can be communicated to the developers.
I have take nodejs project in the Github, write a workflow.yml
In this yml file i have created
- Three jobs (build, security and zap_scan)
- In build job ,I have built the application and performed SAST scan in the name of Sonar cloud scan.
- In Security job, I have run the SCA scan with Snyk tool.
- In Zap_scan, I have performed the DAST with OWASP ZAP tool. In the Target key we can put the url of the Application. I had to generate a token form Synk and Sonar cloud (SYNK_TOKENS & SONAR_TOKEN) in the github repository settings. Then commit the workflow and the scans will start running in the actions tab in the github.
name: Build code, run unit test, run SAST, SCA, DAST security scan for NodeJs App
on: push
jobs:
build:
runs-on: ubuntu-latest
name: Run unit tests and SAST scan on the source code
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
cache: npm
- run: npm install
- name: SonarCloud Scan
uses: sonarsource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: >
-Dsonar.organization=<PUT YOUR ORGANIZATION NAME>
-Dsonar.projectKey=< PUT YOUR PROJECT KEY NAME>
security:
runs-on: ubuntu-latest
needs: build
name: Run the SCA scan on the source code
steps:
- uses: actions/checkout@master
- name: RunSnyk to check for vulnerabilities
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKENS }}
zap_scan:
runs-on: ubuntu-latest
needs: security
name: Run DAST scan on the web application
steps:
- name: Checkout
uses: actions/checkout@v2
with:
ref: master
- name: ZAP Scan
uses: zaproxy/action-baseline@v0.6.1
with:
docker_name: 'owasp/zap2docker-stable'
target: 'http://example.com/'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'
The reports will be genarated as artifacts or in the actions by clicking on scan names or through dashboard url which will be mentioned.
SAST Report
the github repo-https://github.com/asecurityguru/devsecops-with-github-actions-end-to-end-nodejs-project
I hope this helps you find solutions to problems
Thank you
Top comments (0)