Light

supriyo-roy / project-2-devsecops Goto Github PK

Dockerfile 16.83% Java 38.86% CSS 4.89% HTML 39.42%

project-2-devsecops's Introduction

DevSecOps Project

Tools Used: GitHub Actions, SonarCloud (SAST), Snyk (SCA), OSWAP ZAP (DAST), Argo CD, Docker, Minikube (Kubernetes Locally)

Security is an integral part of an workflow. It's always recommended to integrate the shift to left security pattern in your pipelines. Better to find security vulnerabilty in the eary stages of SDLC rather than in Production.

Created this project to impletement the Security in our DevOps pipeline.

Step 1: Developer pushes code to GitHub

Step 2: Workflow gets triggered due to push action

Step 3: SAST is performed with SonarCloud

Step 4: SCA is done with Snyk

Step 5: Docker image is built and pushed to DockerHub

Step 6: Application is deployed to Kubernetes Cluster

Step 7: DAST scan is performed on the application URL with OSWAP ZAP

Step 8: You can find the reports of SCA scan in Code Scanning tab, and an artifact is created after a ZAP scan

project-2-devsecops's People

Contributors

Stargazers

Watchers

project-2-devsecops's Issues

ZAP Scan Baseline Report

Site: https://www.zaproxy.org
New Alerts
- PII Disclosure [10062] total: 3:
  - https://www.zaproxy.org/docs/desktop/addons/websockets/pscanrules/
  - https://www.zaproxy.org/faq/details/setting-up-zap-to-test-owasp-pixi/
  - https://www.zaproxy.org/search/index.json
- Absence of Anti-CSRF Tokens [10202] total: 11:
  - https://www.zaproxy.org
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/blog/
  - https://www.zaproxy.org/community/
  - https://www.zaproxy.org/docs/
  - ..
- Application Error Disclosure [90022] total: 10:
  - https://www.zaproxy.org/docs/desktop/addons/database/
  - https://www.zaproxy.org/docs/desktop/addons/graphql-support/index.xml
  - https://www.zaproxy.org/docs/desktop/addons/graphql-support/options/
  - https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/
  - https://www.zaproxy.org/docs/desktop/addons/websockets/pscanrules/
  - ..
- Content Security Policy (CSP) Header Not Set [10038] total: 11:
  - https://www.zaproxy.org
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/blog/
  - https://www.zaproxy.org/community/
  - https://www.zaproxy.org/docs/
  - ..
- Cross-Domain Misconfiguration [10098] total: 12:
  - https://www.zaproxy.org/blog/index.xml
  - https://www.zaproxy.org/docs/index.xml
  - https://www.zaproxy.org/getting-started/images/firefox-protection-hud.png
  - https://www.zaproxy.org/img/favicon.ico
  - https://www.zaproxy.org/img/search.svg
  - ..
- Source Code Disclosure - SQL [10099] total: 12:
  - https://www.zaproxy.org/blog/2022-12-24-12-days-of-zapmas/
  - https://www.zaproxy.org/docs/api/
  - https://www.zaproxy.org/docs/desktop/addons/ajax-spider/scandialog/
  - https://www.zaproxy.org/docs/desktop/addons/parameter-digger/dialog/
  - https://www.zaproxy.org/docs/desktop/addons/quick-start/
  - ..
- Sub Resource Integrity Attribute Missing [90003] total: 8:
  - https://www.zaproxy.org
  - https://www.zaproxy.org
  - https://www.zaproxy.org
  - https://www.zaproxy.org
  - https://www.zaproxy.org/robots.txt
  - ..
- Cross-Domain JavaScript Source File Inclusion [10017] total: 10:
  - https://www.zaproxy.org
  - https://www.zaproxy.org
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/docs/
  - ..
- Dangerous JS Functions [10110] total: 1:
  - https://www.zaproxy.org/main.237d7f.js
- Information Disclosure - Debug Error Messages [10023] total: 5:
  - https://www.zaproxy.org/docs/alerts/40008/
  - https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/
  - https://www.zaproxy.org/docs/desktop/addons/websockets/pscanrules/
  - https://www.zaproxy.org/docs/desktop/start/features/custompages/
  - https://www.zaproxy.org/docs/desktop/ui/dialogs/session/contexts/
- Permissions Policy Header Not Set [10063] total: 11:
  - https://www.zaproxy.org
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/community/
  - https://www.zaproxy.org/docs/
  - https://www.zaproxy.org/docs/automate/
  - ..
- Private IP Disclosure [2] total: 12:
  - https://www.zaproxy.org/alerttags/owasp_2017_a03/index.xml
  - https://www.zaproxy.org/alerttags/owasp_2021_a01/index.xml
  - https://www.zaproxy.org/blog/2022-08-25-zap-on-raspberry-pi/
  - https://www.zaproxy.org/docs/alerts/110006/
  - https://www.zaproxy.org/docs/alerts/2/
  - ..
- Strict-Transport-Security Header Not Set [10035] total: 12:
  - https://www.zaproxy.org/cdn-cgi/l/email-protection
  - https://www.zaproxy.org/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js
  - https://www.zaproxy.org/docs/index.xml
  - https://www.zaproxy.org/img/favicon.ico
  - https://www.zaproxy.org/img/search.svg
  - ..
- Timestamp Disclosure - Unix [10096] total: 1:
  - https://www.zaproxy.org/cdn-cgi/styles/cf.errors.css
- X-Content-Type-Options Header Missing [10021] total: 12:
  - https://www.zaproxy.org/blog/index.xml
  - https://www.zaproxy.org/docs/index.xml
  - https://www.zaproxy.org/getting-started/images/firefox-protection-hud.png
  - https://www.zaproxy.org/img/favicon.ico
  - https://www.zaproxy.org/img/search.svg
  - ..
- Base64 Disclosure [10094] total: 12:
  - https://www.zaproxy.org
  - https://www.zaproxy.org
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/blog/
  - https://www.zaproxy.org/community/
  - ..
- Information Disclosure - Suspicious Comments [10027] total: 5:
  - https://www.zaproxy.org/faq/
  - https://www.zaproxy.org/full/path/to/script.js
  - https://www.zaproxy.org/main.237d7f.js
  - https://www.zaproxy.org/search/?q=ZAP
  - https://www.zaproxy.org/zap/wrk/LogMessages.js
- Modern Web Application [10109] total: 11:
  - https://www.zaproxy.org
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/blog/
  - https://www.zaproxy.org/community/
  - https://www.zaproxy.org/docs/
  - ..
- Re-examine Cache-control Directives [10015] total: 11:
  - https://www.zaproxy.org
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/blog/
  - https://www.zaproxy.org/community/
  - https://www.zaproxy.org/docs/
  - ..
- Retrieved from Cache [10050] total: 11:
  - https://www.zaproxy.org
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/blog/
  - https://www.zaproxy.org/community/
  - https://www.zaproxy.org/docs/
  - ..
- Storable and Cacheable Content [10049] total: 11:
  - https://www.zaproxy.org
  - https://www.zaproxy.org/
  - https://www.zaproxy.org/community/
  - https://www.zaproxy.org/docs/
  - https://www.zaproxy.org/docs/automate/
  - ..

View the following link to download the report.
RunnerID:5251675952

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.