
Secure Developer Experience

Demo repository for my talk at the Heise Developer Experience 2022 conference.

Usage

# build and run the service, or use Tilt
./gradlew assemble bootRun
tilt up

# call the service endpoints
http get localhost:8080/openapi/
http get localhost:8080/api/cves/CVE-2021-44228

http get localhost:8081/actuator
http get localhost:8081/actuator/health

Google ErrorProne

Find common programming mistakes early during development as part of the Java compile phase. See https://errorprone.info

plugins {
    id 'java'
    id "net.ltgt.errorprone" version "2.0.2"
}

dependencies {
    // dependency for the javac compiler plugin
    errorprone "com.google.errorprone:error_prone_core:2.15.0"
}

tasks.named("compileJava").configure {
    options.errorprone.enabled = true
    // and many other options
}

SonarCloud Security Analysis

Sonar's Java rule set can detect 54 security vulnerabilities and 38 security hotspots using static code analysis. See https://rules.sonarsource.com/java/type/Vulnerability

plugins {
    id "jacoco"
    id "org.sonarqube" version "3.4.0.2513"
}

jacocoTestReport {
    reports {
        xml.enabled true
    }
}

sonarqube {
  properties {
    property "sonar.projectKey", "lreimer_secure-devex22"
    property "sonar.organization", "lreimer"
    property "sonar.host.url", "https://sonarcloud.io"
  }
}

See https://sonarcloud.io/project/overview?id=lreimer_secure-devex22 for the analysis results of this project. Sonar can also be integrated easily into your CI build as well as your IDE (e.g. VS Code) using SonarLint.

Dependency Vulnerability Scanning

The compile time and runtime dependencies of your applications and services can be checked for CVEs regularly using the OWASP dependency check plugins for Gradle or Maven.

plugins {
    id "org.owasp.dependencycheck" version "7.2.1"
}

dependencyCheck {
    cveValidForHours=24
    failOnError=true
}

Docker Image Vulnerability Scanning

Several suitable tools can be used to scan your Docker images for vulnerable OS packages and other software components.

# to manually build the Docker image use one of the following commands
./gradlew bootBuildImage
docker build -t secure-devex22:1.0.0 .

# Installation and usage instructions for Docker Lint
# https://github.com/projectatomic/dockerfile_lint
dockerfile_lint -f Dockerfile -r src/test/docker/basic_rules.yaml
dockerfile_lint -f Dockerfile -r src/test/docker/security_rules.yaml

# Installation and usage instructions for Trivy
# https://github.com/aquasecurity/trivy
trivy image -s HIGH,CRITICAL secure-devex22:1.0.0

# Installation and usage instructions for Snyk
# https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk container test --file=Dockerfile secure-devex22:1.0.0
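The `-s HIGH,CRITICAL` filter above only changes what Trivy prints; to actually break a build you need to act on the report. The following is an added example (not code from the secure-devex22 repository) that gates on Trivy's JSON output with the same severity threshold and the same ignore-unfixed semantics as the `trivy.ignoreUnfixed=true` setting used for the Starboard operator further down; the report document and CVE ids embedded in it are constructed placeholders.

```python
# Added example (not from the secure-devex22 repo): gate a build on the JSON
# report of `trivy image -f json -o report.json secure-devex22:1.0.0`.
import json
import sys

BLOCKING = {"HIGH", "CRITICAL"}  # same threshold as `-s HIGH,CRITICAL` above

# Constructed sample in Trivy's report schema; the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "secure-devex22:1.0.0 (debian 11.5)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother",
         "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "some-lib",
         "InstalledVersion": "4.1", "FixedVersion": "4.2", "Severity": "MEDIUM"},
    ]}]})


def blocking_findings(report, ignore_unfixed=True):
    """Findings that fail the build: severity in BLOCKING and, with
    ignore_unfixed (the semantics of Starboard's trivy.ignoreUnfixed=true),
    only those for which the distribution already ships a fixed version."""
    found = []
    for result in report.get("Results", []):
        # Trivy emits null instead of [] for targets without findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in BLOCKING:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            found.append((result["Target"], vuln["VulnerabilityID"], vuln["PkgName"],
                          vuln["InstalledVersion"], vuln.get("FixedVersion", "")))
    return found


def gate(report_json, ignore_unfixed=True):
    """Return (exit_code, findings); exit code 1 blocks the pipeline."""
    findings = blocking_findings(json.loads(report_json), ignore_unfixed)
    return (1 if findings else 0), findings

if __name__ == "__main__":
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    raw = open(paths[0]).read() if paths else SAMPLE_REPORT
    code, findings = gate(raw, ignore_unfixed="--include-unfixed" not in sys.argv)
    for target, cve, pkg, installed, fixed in findings:
        print(f"{target}: {cve} in {pkg} {installed} (fixed in {fixed or 'n/a'})")
    sys.exit(code)
```

Run it as `python trivy_gate.py report.json` in CI; pass `--include-unfixed` to also block on findings the distribution has not patched yet.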

Kubernetes Security Scanning

Many security misconfigurations are possible when deploying Kubernetes workloads. Most can be found easily via static code analysis using different tools.

# see https://www.kubeval.com
kubeval k8s/base/microservice-deployment.yaml

# see https://github.com/yannh/kubeconform
kubeconform k8s/base/microservice-deployment.yaml

# see https://github.com/zegl/kube-score
kubectl score k8s/base/microservice-deployment.yaml

# Checkov, see https://github.com/bridgecrewio/checkov
checkov --directory k8s/base
checkov --directory k8s/overlays/int

# Snyk, see https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk iac test k8s/base
snyk iac test k8s/overlays/int

# Trivy, see https://github.com/aquasecurity/trivy
trivy k8s -n default --report summary all
trivy k8s -n default --report all all
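To make concrete what these scanners flag, here is an added example (not part of the secure-devex22 repository) that hand-rolls a small subset of the workload checks kube-score, checkov and snyk iac run over a Deployment such as k8s/base/microservice-deployment.yaml; the real manifest is not shown on this page, so the sample below is a constructed, deliberately weak one in the dict form PyYAML would produce.

```python
# Added example (not from the secure-devex22 repo): a hand-rolled subset of the
# Deployment checks kube-score, checkov and snyk iac perform.

# Constructed sample: the dict PyYAML produces for a deliberately weak manifest.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
        "name": "microservice",
        "image": "secure-devex22:latest",
        "securityContext": {"privileged": True},
        "resources": {"limits": {"cpu": "500m"}},
    }]}}},
}


def check_container(pod_spec, container):
    """Return (rule, message) findings for one container."""
    findings = []
    # container-level securityContext overrides pod-level settings
    sc = {**pod_spec.get("securityContext", {}), **container.get("securityContext", {})}
    image = container.get("image", "")
    tag = image.rsplit("/", 1)[-1]  # strip registry[:port]/repo before looking for a tag
    if "@sha256:" not in image and (":" not in tag or tag.endswith(":latest")):
        findings.append(("image-tag", f"{image!r} is not pinned to an immutable tag or digest"))
    if sc.get("privileged"):
        findings.append(("privileged", "privileged container gets all host capabilities and devices"))
    if not sc.get("runAsNonRoot"):
        findings.append(("run-as-root", "runAsNonRoot is not set"))
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(("privilege-escalation", "allowPrivilegeEscalation defaults to true"))
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(("writable-rootfs", "readOnlyRootFilesystem is not set"))
    limits = container.get("resources", {}).get("limits", {})
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(("resource-limits", f"no {res} limit; a runaway pod can starve the node"))
    return findings


def check_deployment(manifest):
    """Findings for every container as (container, rule, message); [] passes."""
    pod_spec = manifest["spec"]["template"]["spec"]
    return [(c["name"], rule, msg) for c in pod_spec.get("containers", [])
            for rule, msg in check_container(pod_spec, c)]


if __name__ == "__main__":
    for name, rule, msg in check_deployment(SAMPLE_DEPLOYMENT):
        print(f"{name}: [{rule}] {msg}")
```

To run it against a real manifest, pass the result of `yaml.safe_load()` on the file to `check_deployment`; an empty result means the checks pass.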

Terraform Security Scanning

Many security misconfigurations of your cloud infrastructure are possible when working with Terraform. Most can be found easily via static code analysis using different tools.

# TFLint and rule sets
# see https://github.com/terraform-linters/tflint
# see https://github.com/terraform-linters/tflint-ruleset-aws
terraform init
terraform plan
tflint

# Checkov, see https://github.com/bridgecrewio/checkov
checkov --directory aws

# Snyk, see https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk iac test aws/

Continuous Developer Experience

The linters and static analysis tools are ideally run before and with every Git commit and push.

# see https://github.com/pre-commit/pre-commit
brew install pre-commit

# see https://pre-commit.com/hooks.html
# see https://github.com/gruntwork-io/pre-commit
# see https://github.com/antonbabenko/pre-commit-terraform

# install the Git hook scripts
pre-commit install
pre-commit run --all-files

Continuous Integration

GitHub and many other platforms provide CI and security integration functionality that can be used.

# see https://github.com/lreimer/secure-devex22/actions
# see https://github.com/lreimer/secure-devex22/actions/new?category=security

Continuous Security Scanning

# installing the Starboard Operator and CLI
# see https://aquasecurity.github.io/starboard/
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update

helm install starboard-operator aqua/starboard-operator \
  --namespace starboard-system \
  --create-namespace \
  --set="trivy.ignoreUnfixed=true" \
  --version 0.10.8

kubectl get vulnerabilityreports --all-namespaces -o wide

kubectl krew install starboard
kubectl starboard install
kubectl starboard scan vulnerabilityreports deployment.apps/nginx-deployment
kubectl starboard get vulnerabilityreports deployment/nginx-deployment -o yaml

# see https://github.com/lreimer/continuous-zapk8s
# see https://www.zaproxy.org/getting-started/
# see https://www.zaproxy.org/docs/docker/api-scan/

Maintainer

M.-Leander Reimer (@lreimer), [email protected]

License

This software is provided under the MIT open source license, read the LICENSE file for details.
