Repository: https://github.com/lreimer/secure-devex22 (Java, MIT license)
Topics: checkov, clean-code, code-quality, devsecops, docker, kubernetes, lint, security, security-tools, snyk, sonarqube, static-analysis, terraform, tilt, trivy, zap-api

[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=lreimer_secure-devex22&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=lreimer_secure-devex22)

# Secure Developer Experience

Demo repository for my talk at the Heise Developer Experience 2022 conference.

## Usage

```bash
# build and run the service, or use Tilt
./gradlew assemble bootRun
tilt up

# call the service endpoints (HTTPie syntax)
http get localhost:8080/openapi/
http get localhost:8080/api/cves/CVE-2021-44228

# the management endpoints are served on a separate port
http get localhost:8081/actuator
http get localhost:8081/actuator/health
```

## Google ErrorProne

Find common programming mistakes early during development as part of the Java compile phase.
See https://errorprone.info

```groovy
plugins {
    id 'java'
    // Gradle plugin that wires Error Prone into javac
    id "net.ltgt.errorprone" version "2.0.2"
}

dependencies {
    // dependency for the javac compiler plugin
    errorprone "com.google.errorprone:error_prone_core:2.15.0"
}

tasks.named("compileJava").configure {
    options.errorprone.enabled = true
    // and many other options, e.g. to enable or disable individual checks
}
```

## SonarCloud Security Analysis

Sonar's Java rule set has 54 rules for security vulnerabilities and 38 rules for security hotspots
(security-sensitive code that needs manual review), all found using static code analysis.
See https://rules.sonarsource.com/java/type/Vulnerability

```groovy
plugins {
    id "jacoco"
    id "org.sonarqube" version "3.4.0.2513"
}

jacocoTestReport {
    reports {
        // SonarCloud reads test coverage from the XML report
        xml.enabled true
    }
}

sonarqube {
  properties {
    property "sonar.projectKey", "lreimer_secure-devex22"
    property "sonar.organization", "lreimer"
    property "sonar.host.url", "https://sonarcloud.io"
  }
}
```

See https://sonarcloud.io/project/overview?id=lreimer_secure-devex22
The analysis runs as part of the CI build, and SonarLint brings the same rules into your IDE (e.g. VS Code).

## Dependency Vulnerability Scanning

The compile-time and runtime dependencies of your applications and services can be checked regularly for known CVEs using the OWASP Dependency-Check plugins for Gradle or Maven.

```groovy
plugins {
    id "org.owasp.dependencycheck" version "7.2.1"
}

dependencyCheck {
    // re-use the locally cached NVD data for up to 24 hours before updating
    cveValidForHours=24
    // fail the build if the analysis itself cannot run
    failOnError=true
}
```

Note that `failOnError` only fails the build when the scan cannot run. To fail on findings, set a CVSS threshold with `failBuildOnCVSS` (e.g. 7 for high and critical), and keep a reviewed suppression file for accepted findings rather than lowering the threshold.

## Docker Image Vulnerability Scanning

Several suitable tools can be used to scan your Docker images for vulnerable OS packages and
other software components, and to lint the Dockerfile itself.

```bash
# to manually build the Docker image use one of the following commands
./gradlew bootBuildImage
docker build -t secure-devex22:1.0.0 .

# Installation and usage instructions for Dockerfile Lint
# https://github.com/projectatomic/dockerfile_lint
dockerfile_lint -f Dockerfile -r src/test/docker/basic_rules.yaml
dockerfile_lint -f Dockerfile -r src/test/docker/security_rules.yaml

# Installation and usage instructions for Trivy
# https://github.com/aquasecurity/trivy
# -s/--severity restricts the report to the given severities
trivy image -s HIGH,CRITICAL secure-devex22:1.0.0

# Installation and usage instructions for Snyk
# https://docs.snyk.io/snyk-cli/install-the-snyk-cli
# --file lets Snyk attribute findings to Dockerfile instructions
snyk container test --file=Dockerfile secure-devex22:1.0.0
```

## Kubernetes Security Scanning

Many security misconfigurations are possible when deploying Kubernetes workloads: containers running as root or privileged, writable root filesystems, missing resource limits, and so on.
Most can be found easily via static code analysis of the manifests using different tools.

```bash
# see https://www.kubeval.com (no longer maintained, kubeconform is its successor)
kubeval k8s/base/microservice-deployment.yaml

# see https://github.com/yannh/kubeconform
kubeconform k8s/base/microservice-deployment.yaml

# kube-score as a kubectl plugin (kubectl krew install score), see https://github.com/zegl/kube-score
kubectl score k8s/base/microservice-deployment.yaml

# Checkov, see https://github.com/bridgecrewio/checkov
checkov --directory k8s/base
checkov --directory k8s/overlays/int

# Snyk, see https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk iac test k8s/base
snyk iac test k8s/overlays/int

# Trivy scans the workloads in the live cluster rather than the manifests
# see https://github.com/aquasecurity/trivy
trivy k8s -n default --report summary all
trivy k8s -n default --report all all
```

## Terraform Security Scanning

Many security misconfigurations of your cloud infrastructure are possible when working with Terraform.
Most can be found easily via static code analysis using different tools.

```bash
# TFLint and rule sets
# see https://github.com/terraform-linters/tflint
# see https://github.com/terraform-linters/tflint-ruleset-aws
terraform init
terraform plan
# run `tflint --init` first to install the rule sets declared in .tflint.hcl
tflint

# Checkov, see https://github.com/bridgecrewio/checkov
checkov --directory aws

# Snyk, see https://docs.snyk.io/snyk-cli/install-the-snyk-cli
snyk iac test aws/
```

## Continuous Developer Experience

The linters and static analysis tools are ideally run before and with every Git commit and push,
so that findings reach the developer before they reach the CI build.

```bash
# see https://github.com/pre-commit/pre-commit
brew install pre-commit   # or: pip install pre-commit

# hooks are declared in .pre-commit-config.yaml, see
# https://pre-commit.com/hooks.html
# https://github.com/gruntwork-io/pre-commit
# https://github.com/antonbabenko/pre-commit-terraform

# install the Git hook scripts, then run all hooks once against the whole repository
pre-commit install
pre-commit run --all-files
```

## Continuous Integration

GitHub and many other platforms provide CI and security integration functionality that can be used,
e.g. the security category of the GitHub Actions workflow templates.

```bash
# see https://github.com/lreimer/secure-devex22/actions
# see https://github.com/lreimer/secure-devex22/actions/new?category=security
```

## Continuous Security Scanning

A build-time scan only knows the CVEs published before the build. An operator running in the cluster
rescans the deployed workloads continuously, so vulnerabilities published after the image was built still show up.

```bash
# installing the Starboard Operator and CLI
# see https://aquasecurity.github.io/starboard/
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update

# ignoreUnfixed: only report vulnerabilities that already have a fixed package version
# (unfixed ones are hidden from the reports, not absent from the image)
helm install starboard-operator aqua/starboard-operator \
  --namespace starboard-system \
  --create-namespace \
  --set="trivy.ignoreUnfixed=true" \
  --version 0.10.8

# the operator stores its results as VulnerabilityReport resources
kubectl get vulnerabilityreports --all-namespaces -o wide

# the CLI can trigger scans on demand
kubectl krew install starboard
kubectl starboard install
kubectl starboard scan vulnerabilityreports deployment.apps/nginx-deployment
kubectl starboard get vulnerabilityreports deployment/nginx-deployment -o yaml

# dynamic scanning of the running API with OWASP ZAP
# see https://github.com/lreimer/continuous-zapk8s
# see https://www.zaproxy.org/getting-started/
# see https://www.zaproxy.org/docs/docker/api-scan/
```

Starboard has since been archived by Aqua Security in favour of the Trivy Operator, which provides the same VulnerabilityReport resources.

## Maintainer

M.-Leander Reimer (@lreimer), <mario-leander.reimer@qaware.de>

## License

This software is provided under the MIT open source license, read the `LICENSE`
file for details.
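The image scanning and continuous scanning sections above leave one question open: how does a CI pipeline turn a Trivy report into a pass/fail decision without either blocking forever on findings that have no fix yet or silently hiding them, which is what `ignoreUnfixed` does? The script below is an added example, not code from the secure-devex22 repository. It assumes a report written with `trivy image -f json -o report.json secure-devex22:1.0.0`; the embedded sample report is constructed by hand, its package names and `CVE-0000-000N` identifiers are placeholders, and only the field layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) follows Trivy's JSON output. The allowlist with an expiry date per finding is this example's own convention, not a Trivy feature.

```python
"""CI gate over a Trivy JSON report: exit non-zero on HIGH/CRITICAL findings.

Added example, not part of the secure-devex22 repository. The field layout follows
Trivy's JSON output (trivy image -f json -o report.json <image>); the sample report,
its package names and the CVE-0000-000N identifiers are constructed placeholders.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (placeholder packages and IDs, Trivy-shaped layout).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2, "ArtifactName": "secure-devex22:1.0.0", "ArtifactType": "container_image",
    "Results": [
        {"Target": "secure-devex22:1.0.0 (alpine 3.16.2)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libalpha", "Severity": "HIGH",
              "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbeta", "Severity": "CRITICAL",
              "InstalledVersion": "2.3.0-r1"},  # no FixedVersion: nothing to upgrade to yet
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libgamma", "Severity": "MEDIUM",
              "InstalledVersion": "0.9.0-r0", "FixedVersion": "0.9.1-r0"}]},
        # Trivy may omit the Vulnerabilities key for clean targets
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar"},
        {"Target": "app/app.jar", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "org.example:demo-lib",
              "Severity": "CRITICAL", "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1"}]},
    ],
})


def evaluate(report_json, min_severity="HIGH", ignore_unfixed=False, allowlist=None, today=None):
    """Split findings at or above min_severity into (blocking, waived).

    allowlist maps a vulnerability ID to an ISO expiry date ("2024-12-31"); a waiver
    that has expired no longer suppresses anything, so accepted risk gets revisited.
    ignore_unfixed mirrors Trivy's --ignore-unfixed, but the hidden findings are
    returned as waived instead of disappearing from the output.
    """
    allowlist = allowlist or {}
    today = today or date.today().isoformat()   # ISO date strings compare chronologically
    threshold = SEVERITY_RANK[min_severity]
    blocking, waived = [], []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            finding = {"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                       "installed": vuln["InstalledVersion"], "fixed": vuln.get("FixedVersion"),
                       "severity": vuln["Severity"], "target": result.get("Target")}
            expiry = allowlist.get(finding["id"])
            if expiry is not None and expiry >= today:
                waived.append((finding, f"allowlisted until {expiry}"))
            elif ignore_unfixed and not finding["fixed"]:
                waived.append((finding, "no fix available"))
            else:
                blocking.append(finding)
    return blocking, waived


def gate(report_json, **policy):
    """Print every finding with its disposition; return the process exit code."""
    blocking, waived = evaluate(report_json, **policy)
    for finding, reason in waived:
        print(f"WAIVED   {finding['severity']:<8} {finding['id']} {finding['pkg']} ({reason})")
    for finding in blocking:
        fix = f"fix: {finding['fixed']}" if finding["fixed"] else "no fix available"
        print(f"BLOCKING {finding['severity']:<8} {finding['id']} {finding['pkg']} "
              f"{finding['installed']} in {finding['target']} ({fix})")
    return 1 if blocking else 0


if __name__ == "__main__":
    # usage: python trivy_gate.py [report.json]; without an argument the sample is used
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    waivers = {"CVE-0000-0001": "2099-12-31"}   # hypothetical, normally read from a file
    sys.exit(gate(report, min_severity="HIGH", ignore_unfixed=True, allowlist=waivers))
```

Waived findings are still printed, so a CRITICAL without a fix stays visible in the build log every time instead of vanishing behind `ignoreUnfixed`, and an expired waiver starts failing the build again on its own.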
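The Kubernetes scanning section lists tools that find workload misconfigurations but not what they actually look for. The checks below are an added example, not code from the repository and not the code of kube-score or Checkov; they implement a handful of the checks those tools perform (non-root user, no privilege escalation, all capabilities dropped, read-only root filesystem, seccomp profile, resource requests and limits, no mutable image tag, no auto-mounted service account token, no host namespaces) against two constructed Deployment manifests embedded as Python dicts. A real run would load `k8s/base/microservice-deployment.yaml` with `yaml.safe_load` instead. The hardened manifest mounts an `emptyDir` on `/tmp` because a JVM needs a writable temp directory once the root filesystem is read-only.

```python
"""Static checks for a Kubernetes Deployment, of the kind kube-score and Checkov run.

Added example, not part of the secure-devex22 repository and not the tools' own code.
The manifests are constructed inline as dicts; load real ones with yaml.safe_load.
"""


def _pod_spec(manifest):
    """The PodSpec nested inside a Deployment/StatefulSet/DaemonSet manifest."""
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_deployment(manifest):
    """Return a list of (check_id, container_name, message); an empty list is clean."""
    findings = []
    spec = _pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})

    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        findings.append(("host-namespaces", None, "pod shares a host namespace"))
    # The token is mounted by default; a plain web service should not get API credentials.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("sa-token", None, "service account token is auto-mounted"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        # A mutable tag makes the deployed version unpredictable and scan results stale.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(("image-tag", name, f"image {image!r} is untagged or :latest"))
        if sc.get("privileged"):
            findings.append(("privileged", name, "container runs privileged"))
        # Pod-level securityContext settings are inherited, so accept either level.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("run-as-non-root", name, "runAsNonRoot is not set"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("privilege-escalation", name, "allowPrivilegeEscalation is not false"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("read-only-rootfs", name, "root filesystem is writable"))
        dropped = [x.upper() for x in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append(("capabilities", name, "does not drop ALL capabilities"))
        if not (sc.get("seccompProfile") or pod_sc.get("seccompProfile")):
            findings.append(("seccomp", name, "no seccompProfile set"))
        resources = c.get("resources", {})
        for kind in ("requests", "limits"):
            for res in ("cpu", "memory"):
                if res not in resources.get(kind, {}):
                    findings.append(("resources", name, f"missing resources.{kind}.{res}"))
    return findings


# Constructed "before" manifest: Kubernetes defaults everywhere and a mutable image tag.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "microservice"},
    "spec": {"selector": {"matchLabels": {"app": "microservice"}},
             "template": {"metadata": {"labels": {"app": "microservice"}},
                          "spec": {"containers": [{
                              "name": "microservice", "image": "secure-devex22:latest",
                              "ports": [{"containerPort": 8080}]}]}}},
}

# Constructed "after" manifest: satisfies every check above.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "microservice"},
    "spec": {"selector": {"matchLabels": {"app": "microservice"}},
             "template": {"metadata": {"labels": {"app": "microservice"}}, "spec": {
                 "automountServiceAccountToken": False,
                 "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                     "seccompProfile": {"type": "RuntimeDefault"}},
                 "containers": [{
                     "name": "microservice", "image": "secure-devex22:1.0.0",
                     "ports": [{"containerPort": 8080}],
                     "securityContext": {"allowPrivilegeEscalation": False,
                                         "readOnlyRootFilesystem": True,
                                         "capabilities": {"drop": ["ALL"]}},
                     "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                                   "limits": {"cpu": "1", "memory": "512Mi"}},
                     # a JVM needs a writable temp dir once the root filesystem is read-only
                     "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
                 "volumes": [{"name": "tmp", "emptyDir": {}}]}}},
}


def report(manifest):
    """Print one line per finding, kube-score style; return the number of findings."""
    findings = check_deployment(manifest)
    for check_id, container, message in findings:
        where = f"container {container}" if container else "pod"
        print(f"[{check_id}] {where}: {message}")
    return len(findings)


if __name__ == "__main__":
    print("weak manifest:")
    report(WEAK_DEPLOYMENT)
    print("hardened manifest:", "no findings" if report(HARDENED_DEPLOYMENT) == 0 else "")
```

The check IDs are this example's own names; the tools report the same conditions under their own IDs (e.g. Checkov's `CKV_K8S_*` rules), so the value of writing them out is seeing that each one is a few lines of manifest inspection, not magic.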