# DevSecOps Container Pipeline Demo

Repository: https://github.com/strongjz/devsecopspipeline (owner strongjz, language HCL, license GPL-3.0)
Topics: aws, aws-codepipeline, aws-ecr, falco, firelens, kubernetes, security, workflow

Austin AWS Meetup 28.05.2020

### Overview

* GitHub Repo
* AWS ECR - Image Scanning - CVE
* AWS CodePipeline/CodeBuild - CI/CD
* AWS ECR - Immutable Tags
* Run Time Security - Falco
* Logging - FireLens
* Alerting - CloudWatch
* Auditing - CloudTrail

### GitHub Repo

Signed Commits Setup

* GPG Key
* Keybase
* GitHub Account

You can use this tutorial to set up GPG keys and use them to sign Git commits:
https://github.com/pstadler/keybase-gpg-github

Developer workflow
https://3musketeers.io/about/

Using Make, Docker and docker-compose, the developer's local workflow can match the workflow the CI/CD pipeline runs and the workflow other contributors use. It helps solve the "works on my machine" syndrome.

Kind - Kubernetes in Docker

Allows developers to run local Kubernetes clusters and test before pushing.

https://kind.sigs.k8s.io/

### CVE Image Scanning - AWS ECR

List out images in ECR

    aws ecr list-images --repository-name golang_example

Scans can be run on push or started manually

    aws ecr start-image-scan --repository-name golang_example --image-id imageTag=0.0.10 --region us-west-2

Retrieve findings

    aws ecr describe-image-scan-findings --repository-name golang_example --image-id imageTag=0.0.10 --region us-west-2

https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html

### CI/CD - AWS CodePipeline/CodeBuild

Stages for CodePipeline

Build - builds the Go example application in a Docker container and stores the image in AWS ECR

Invoke - runs the Go Report static code analysis

Test - runs the tests in the Go example application

Deploy - deploys the application via CodeBuild, the aws eks CLI and kubectl

### Immutable Tags And CVE Scanning - AWS ECR

When enabled on a repository, image tags cannot be overwritten. Re-tagging an unrelated image (here, nginx) as an existing version and pushing it is rejected. Note that the layers still upload; it is the final tag write that the registry refuses:

    $ docker tag nginx AWS_ACCOUNT_ID.dkr.ecr.us-west-2.amazonaws.com/golang_example:0.0.7
    $ docker push AWS_ACCOUNT_ID.dkr.ecr.us-west-2.amazonaws.com/golang_example:0.0.7
    The push refers to repository [AWS_ACCOUNT_ID.dkr.ecr.us-west-2.amazonaws.com/golang_example]
    6c7de695ede3: Pushed
    2f4accd375d9: Pushed
    ffc9b21953f4: Pushed
    [DEPRECATION NOTICE] registry v2 schema1 support will be removed in an upcoming release. Please contact admins of the AWS_ACCOUNT_ID.dkr.ecr.us-west-2.amazonaws.com registry NOW to avoid future disruption. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
    tag invalid: The image tag '0.0.7' already exists in the 'golang_example' repository and cannot be overwritten because the repository is immutable.

https://www.youtube.com/watch?v=y6NI_K96DRs

### Run Time Security - Falco

Falco is container-native runtime security.

"Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. Falco audits a system at the most fundamental level, the kernel. Falco then enriches this data with other input streams such as container runtime metrics, and Kubernetes metrics. Falco lets you continuously monitor and detect container, application, host, and network activity—all in one place—from one source of data, with one set of rules."

Falco Demo Repo
https://github.com/falcosecurity/evolution/tree/master/examples/nodejs-bad-rest-api

This demo runs a poorly configured NodeJS server; Falco generates an alert when the server process spawns a bash shell, because a shell is not the container's entrypoint:

    falco          | 22:26:53.536628076: Warning Shell spawned in a container other than entrypoint (user=root container_id=6f339b8aeb0a container_name=express_server shell=bash parent=sh cmdline=bash )

### Logging - FireLens

"FireLens gives you a simplified interface to filter logs at source, add useful metadata and send logs to almost any destination. You can now stream logs directly to Amazon CloudWatch, Amazon Kinesis Data Firehose destinations such as Amazon Elasticsearch, Amazon S3, Amazon Kinesis Data Streams and partner tools. Using Amazon ECS task definition parameters, you can select destinations and optionally define filters for additional control and FireLens will ingest logs to target destinations."

Fluent Bit images are available here
https://github.com/aws/amazon-cloudwatch-logs-for-fluent-bit

### Alerting - CloudWatch

### Credits and Thank you to

@rnzsgh https://github.com/rnzsgh/eks-workshop-sample-api-service-go

Sysdig Blog Falco EKS deployment https://sysdig.com/blog/multi-cluster-security-firelens/

Issues with Docker and CodeBuild https://github.com/aws/aws-codebuild-docker-images/issues/164

Ubuntu Packer Build https://github.com/draios/sysdig-workshop-infra

EKS AMI Build https://github.com/strongjz/amazon-eks-ami
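The ECR scanning and immutable-tag sections above show the controls but not how the pipeline consumes them. The following is an added example, not code from the strongjz/devsecopspipeline repo: it reads the JSON that `aws ecr describe-image-scan-findings` prints (the embedded sample is constructed, with placeholder CVE names, packages and digest), fails the stage when any finding at or above a chosen severity is not allowlisted, and on success emits the image reference pinned by digest (`repo@sha256:...`) for the Deploy stage. Pinning by digest is worth doing even with immutable tags: immutability stops a tag from being repointed while the image exists, whereas a digest names exactly one manifest regardless of what happens to tags. The registry host, the `HIGH` threshold and the allowlist are assumptions for the example.

```python
"""Gate an ECR image on its scan findings and hand the deploy stage a digest.

Added example for the README's ECR scanning and immutable-tags sections; it is
not code from the strongjz/devsecopspipeline repo. Input is the JSON printed by
`aws ecr describe-image-scan-findings`; SCAN_OUTPUT is a constructed sample in
that shape (placeholder CVE names, packages and digest, not real findings).
"""
import json

# Severity levels ECR reports, least to most severe. ECR can also report
# UNDEFINED, which this gate treats as blocking rather than as a pass.
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample of:
#   aws ecr describe-image-scan-findings --repository-name golang_example --image-id imageTag=0.0.10
SCAN_OUTPUT = json.dumps({
    "registryId": "123456789012",
    "repositoryName": "golang_example",
    "imageId": {"imageDigest": "sha256:" + "ab" * 32, "imageTag": "0.0.10"},
    "imageScanStatus": {"status": "COMPLETE",
                        "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-0000-00001", "severity": "HIGH",      # placeholder id
             "attributes": [{"key": "package_name", "value": "libexample"},
                            {"key": "package_version", "value": "1.0-1"}]},
            {"name": "CVE-0000-00002", "severity": "MEDIUM",    # placeholder id
             "attributes": [{"key": "package_name", "value": "libother"},
                            {"key": "package_version", "value": "2.3"}]},
            {"name": "CVE-0000-00003", "severity": "LOW",       # placeholder id
             "attributes": [{"key": "package_name", "value": "libother"},
                            {"key": "package_version", "value": "2.3"}]},
        ],
        "findingSeverityCounts": {"HIGH": 1, "MEDIUM": 1, "LOW": 1},
    },
})


def parse_scan(raw):
    """Pull status, repository, digest and findings out of the CLI JSON."""
    doc = json.loads(raw)
    return {
        "status": doc["imageScanStatus"]["status"],   # COMPLETE, IN_PROGRESS or FAILED
        "repository": doc["repositoryName"],
        "digest": doc["imageId"]["imageDigest"],
        "findings": doc.get("imageScanFindings", {}).get("findings", []),
    }


def package_of(finding):
    """Human-readable 'name version' from a finding's attribute list."""
    attrs = {a["key"]: a["value"] for a in finding.get("attributes", [])}
    return f"{attrs.get('package_name', '?')} {attrs.get('package_version', '')}".strip()


def blocking_findings(findings, threshold="HIGH", allowlist=frozenset()):
    """Findings at or above `threshold` whose CVE name is not allowlisted."""
    floor = SEVERITY_ORDER.index(threshold)
    blocking = []
    for f in findings:
        sev = f.get("severity", "UNDEFINED")
        # Unknown severities rank above CRITICAL so they always block.
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        if rank >= floor and f["name"] not in allowlist:
            blocking.append(f)
    return blocking


def pinned_reference(registry, repository, digest):
    """Reference for the deploy stage: repository@sha256:..., never a tag."""
    return f"{registry}/{repository}@{digest}"


def gate(raw, registry, threshold="HIGH", allowlist=frozenset()):
    """Return (passed, reason, pinned_reference_or_None) for one scan result."""
    scan = parse_scan(raw)
    if scan["status"] != "COMPLETE":
        # An unfinished or failed scan is not evidence of a clean image.
        return False, f"scan status is {scan['status']}, refusing to deploy", None
    blocking = blocking_findings(scan["findings"], threshold, allowlist)
    if blocking:
        detail = ", ".join(f"{f['name']} [{f['severity']}] in {package_of(f)}" for f in blocking)
        return False, f"{len(blocking)} finding(s) at or above {threshold}: {detail}", None
    return True, "no blocking findings", pinned_reference(registry, scan["repository"], scan["digest"])


if __name__ == "__main__":
    REGISTRY = "AWS_ACCOUNT_ID.dkr.ecr.us-west-2.amazonaws.com"  # placeholder, as in the README
    for allow in (frozenset(), frozenset({"CVE-0000-00001"})):
        ok, reason, ref = gate(SCAN_OUTPUT, REGISTRY, allowlist=allow)
        print("PASS" if ok else "FAIL", reason, ref or "")
```

In a CodeBuild stage this runs right after `aws ecr start-image-scan` has been polled to `COMPLETE`; the pinned reference it prints is what the Deploy stage substitutes into the manifest, so a later push under the same tag (or a tag deletion and re-push) cannot change what was deployed.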
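The Falco, FireLens and CloudWatch sections above describe the chain from kernel event to Falco alert to Fluent Bit to CloudWatch, but the Alerting section itself is empty. As an added example that is neither the repo's nor Falco's own code, here is the triage logic a practitioner puts between the log stream and the alarm: it normalises both wire forms of a Falco event (the plain text line shown above from docker-compose, and Falco's json_output form as Fluent Bit forwards it inside a record's `log` field), drops everything that is not Falco, keeps events at or above a chosen priority, counts them per container, and builds the CloudWatch Logs metric-filter pattern that selects the same priorities on the JSON form so a CloudWatch alarm can be attached to the resulting metric. The sample records are constructed: `Write below etc` and `Terminal shell in container` are real Falco rule names, but the event details, container ids and the `container_name`/`log` record layout are assumptions.

```python
"""Triage Falco alerts arriving through a Fluent Bit / FireLens log stream.

Added example for the README's Falco, FireLens and CloudWatch sections; not
code from the strongjz/devsecopspipeline repo or from Falco. SAMPLE_LINES is
constructed: one plain-text Falco line (as docker-compose prints it) and three
Fluent Bit records whose "log" field carries Falco json_output or app output.
"""
import json
import re
from collections import Counter

# Falco priorities, most severe first (syslog levels).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# Plain-text line: "[falco | ]<time>: <Priority> <message> (key=value ...)"
TEXT_LINE = re.compile(r"^(?:falco\s*\|\s*)?(\S+): (\w+) (.*?)(?: \((.*)\))?\s*$")
KV = re.compile(r"(\w+)=(\S*)")   # good enough for the k=v fields Falco emits


def _fluentbit_record(container, log):
    """Constructed Fluent Bit record shape: container name plus raw log line."""
    return json.dumps({"container_name": container, "log": log})


SAMPLE_LINES = [
    # The alert exactly as the README shows it from docker-compose output.
    "falco          | 22:26:53.536628076: Warning Shell spawned in a container other than "
    "entrypoint (user=root container_id=6f339b8aeb0a container_name=express_server "
    "shell=bash parent=sh cmdline=bash )",
    # Falco json_output event inside a Fluent Bit record (constructed details).
    _fluentbit_record("/falco", json.dumps({
        "output": "22:27:10.000000000: Error File below /etc opened for writing "
                  "(user=root command=vi /etc/hosts file=/etc/hosts container_id=6f339b8aeb0a "
                  "container_name=express_server)",
        "priority": "Error", "rule": "Write below etc",
        "time": "2020-05-24T22:27:10.000000000Z",
        "output_fields": {"container.id": "6f339b8aeb0a", "container.name": "express_server",
                          "fd.name": "/etc/hosts", "user.name": "root"}})),
    # Below the default alert floor (constructed details).
    _fluentbit_record("/falco", json.dumps({
        "output": "22:27:12.000000000: Notice A shell was spawned in a container with an "
                  "attached terminal (user=root container_id=0123456789ab container_name=debug-box shell=sh)",
        "priority": "Notice", "rule": "Terminal shell in container",
        "time": "2020-05-24T22:27:12.000000000Z",
        "output_fields": {"container.id": "0123456789ab", "container.name": "debug-box",
                          "proc.name": "sh", "user.name": "root"}})),
    # Ordinary application log line: not a Falco event, must be ignored.
    _fluentbit_record("/express_server", "GET /health 200 2ms"),
]


def parse_text(line):
    """Plain-text Falco line -> event dict, or None if it is not one."""
    m = TEXT_LINE.match(line)
    if not m or m.group(2) not in PRIORITIES:
        return None
    _, priority, message, kv = m.groups()
    return {"priority": priority, "rule": None, "message": message,
            "fields": dict(KV.findall(kv or ""))}


def parse_json_event(obj):
    """Falco json_output dict -> event dict, or None if the shape is wrong."""
    if not isinstance(obj, dict) or "priority" not in obj or "output" not in obj:
        return None
    return {"priority": obj["priority"], "rule": obj.get("rule"),
            "message": obj["output"], "fields": obj.get("output_fields", {})}


def parse_line(line):
    """Normalise one log line (raw or Fluent Bit-wrapped) to a Falco event or None."""
    line = line.strip()
    try:
        obj = json.loads(line)
    except ValueError:
        return parse_text(line)              # raw text from docker-compose
    if isinstance(obj, dict) and "log" in obj:
        inner = obj["log"]                   # Fluent Bit wrapped the real line
        try:
            return parse_json_event(json.loads(inner))
        except ValueError:
            return parse_text(inner)
    return parse_json_event(obj)             # bare Falco json_output


def should_alert(event, min_priority="Warning"):
    """True at or above min_priority; unknown priorities alert (fail closed)."""
    rank = PRIORITIES.index(event["priority"]) if event["priority"] in PRIORITIES else 0
    return rank <= PRIORITIES.index(min_priority)


def container_of(event):
    f = event["fields"]
    return (f.get("container.name") or f.get("container_name")
            or f.get("container.id") or f.get("container_id") or "unknown")


def triage(lines, min_priority="Warning"):
    """Return (alerting events, per-container count); non-Falco lines are skipped."""
    alerts, per_container = [], Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or not should_alert(ev, min_priority):
            continue
        alerts.append(ev)
        per_container[container_of(ev)] += 1
    return alerts, per_container


def cloudwatch_filter_pattern(min_priority="Warning"):
    """CloudWatch Logs JSON metric-filter pattern selecting the same priorities."""
    wanted = PRIORITIES[: PRIORITIES.index(min_priority) + 1]
    return "{ " + " || ".join(f'($.priority = "{p}")' for p in wanted) + " }"


if __name__ == "__main__":
    alerts, counts = triage(SAMPLE_LINES)
    for ev in alerts:
        print(ev["priority"], container_of(ev), ev["rule"] or ev["message"])
    print(dict(counts))
    print(cloudwatch_filter_pattern())
```

The filter pattern is what you would feed to `aws logs put-metric-filter` against the log group FireLens writes to; the alarm then fires on the metric rather than on anyone reading the stream. The plain-text path exists only for the docker-compose demo: in the EKS deployment Falco should run with `json_output: true` so the CloudWatch filter can match on `$.priority` at all.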