This repo is used for testing DevSecOps practices and tool sets, and is used for demonstration purposes only. If there is a tool you would like to see added, please submit a Feature Request Issue with the details about the tool.

This repo contains both Azure Pipeline YAML files and GitHub Actions YAML files, for comparison purposes.

The application code is based on the Microsoft eShopOnWeb sample application. This is self-contained within the Application-Source-Code directory.

Warning This repo contains code that is purposefully vulnerable and insecure. Use at your own risk!

There are several directories that contain additional/other sample code, specific to infrastructure and security pipelines.

For example, the Infrastructure-Source-Code directory, contains ARM templates, Bicep templates, and Terraform code, that is not specific to the application source code itself. The Security-Source-Code directory, contains files that include credentials and secrets, again, not specific to the application source code itself.

The Threat-Modeling directory contains examples of threat-modeling-as-code tools, which is not related to the application source code.

The pipelines are grouped into the following categories:

• APP - Application pipelines (ie. unit tests, builds, source code analysis, etc.)
• DATA - Data pipelines (ie. data quality tests, data migrations, ETLs, etc.)
• INFRA - Infrastructure pipelines (ie. Terraform scans, ARM/Bicep template tests, etc.)
• SEC - Security pipelines (ie. security scans, credential/secret scans, container image scans, etc.)

The GitHub Action Workflows use the pipeline categories as a prefix, for grouping purposes.

The following YAML-based Azure DevOps (ADO) pipelines have been created and tested.

• Unit, Integration, Functional Tests
• Build Docker Containers (using Docker Compose)
• Azure Resource Manager (ARM) Template Tool Kit (TTK)
• Azure Bicep
• SonarCloud
• WhiteSource
  • Note: This pipeline is no longer working since WhiteSource has been acquired by Mend.

• PENDING EXAMPLES / SAMPLE CODE
  • If you would like to contribute, and have some example data pipelines (ie. data quality tests, data migrations, ETLs, etc.), please submit a Feature Request Issue with the details.

Note: The majority of these are based on Terraform code

• Accurics TerraScan
• GitHub Super-Linter
• Checkmarx KICS
• Bridgecrew Checkov
• Terraform-Compliance
• TFLint
• TFSec

• Anchore
  • NOTE: Anchore is deprecated in favour of Grype
• AquaSec Trivy
• Microsoft CredScan
  • NOTE: CredScan is deprecated (as an individual tool), in favour of the Microsoft Secure Azure DevOps extension
• Microsoft Secure Azure DevOps
• OWASP ZAP
• Snyk
• YELP Detect-Secrets
• TruffleHog
• ShiftLeftScan

The following YAML-based GitHub Actions (GHA) Workflows have been created and tested.

• CodeQL Analysis
• Azure Resource Manager (ARM) Template Tool Kit (TTK) (NOT WORKING)
• Codacy

• PENDING EXAMPLES / SAMPLE CODE
  • If you would like to contribute, and have some example data pipelines (ie. data quality tests, data migrations, ETLs, etc.), please submit a Feature Request Issue with the details.

• Accurics TerraScan
• Checkmarx KICS
• Bridgecrew Checkov
• GitHub Super-Linter
• TFLint
• TFSec

• Anchore
• AquaSec Trivy
• Microsoft Security DevOps (MSDO)
• ShiftLeftScan
• TruffleHog
• YELP Detect-Secrets

• PlantUML
• PyTM
• Threagile