Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rmkanda/secure-pipeline-java-demo

boilerplate demo devops devsecops devsecops-best-practices devsecops-pipeline jenkins-pipeline pipeline security security-tools

Last synced: about 1 month ago
JSON representation

Host: GitHub
URL: https://github.com/rmkanda/secure-pipeline-java-demo
Owner: rmkanda
License: mit
Created: 2020-05-28T10:31:01.000Z (over 4 years ago)
Default Branch: main
Last Pushed: 2022-01-05T11:37:09.000Z (almost 3 years ago)
Last Synced: 2024-09-30T18:05:41.520Z (about 2 months ago)
Topics: boilerplate, demo, devops, devsecops, devsecops-best-practices, devsecops-pipeline, jenkins-pipeline, pipeline, security, security-tools
Language: Java
Homepage:
Size: 1.79 MB
Stars: 35
Watchers: 3
Forks: 36
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # Secure Pipelines Demo

Sample spring application with Jenkins pipeline script to demonstrate secure pipelines

## Pre Requesites

- minikube v1.24.0 - [Refer here for installation](https://kubernetes.io/docs/tasks/tools/install-minikube/)

- helm v3.7.2 - [Refer here for installation](https://helm.sh/docs/intro/install/)

## Setup Setps

### Minikube setup

- Setup minikube

  ```s

  minikube start --nodes=1 --cpus=4 --memory 8192 --disk-size=35g --embed-certs=true --driver=hyperkit

  minikube addons enable ingress

  ```

### Jenkins setup

- Stup Jenkins server

  ```s

  helm repo add jenkins https://charts.jenkins.io

  helm repo update

  helm install jenkins jenkins/jenkins

  ```

- Wait for the jenkins pod to start

- Get admin user password of Jenkins

  ```s

    kubectl exec --namespace default -it svc/jenkins -c jenkins -- /bin/cat /run/secrets/chart-admin-password && echo

  ```

  **Note:** Make a note of the password

- [Optional] Forward Jenkins server port to access from local machine

  ```s

  kubectl port-forward svc/jenkins 8080:8080

  open http://localhost:8080

  ```

- Add additonal plugins to Jeninks server (Manage Jenkins -> Manage plugins)

  - BlueOcean

  - Configuration as Code

  - OWASP Dependency-Track

### Dependency Track setup

- Refer [Dependency Track v4 Installation Guide](DEPENDENCY_TRACK.md)

  **Note:** dependency-track will take some time to start (~1hr on low end Mac)

### Link Jenkins and Dependency Track

- Login to Dependency track -> Administration -> Access Management -> Teams -> Click on Automation -> Copy the API Keys -> Also add the Permissions - PROJECT_CREATION_UPLOAD, POLICY_VIOLATION_ANALYSIS, VULNERABILITY_ANALYSIS

- Login to Jenkins -> Manage Jenkins -> Configure System -> Scroll to bottom -> Configure the Dependency-Track URL and API key -> Also enable Auto Create Projects -> Test Connection -> Save

**Hint:** URL (if you have followed the exact steps) http://dependency-track-apiserver.deptrack.svc.cluster.local

(Format: severiceName.namespace.svc.cluster.local)

### New Jenkins Pipeline

Create a new Jenkins pipeline with this repo and trigger build

- Login to Jenkins -> New Item -> Enter name and choose Pipeline -> Choose GitHub project and set project URL

- Under pipeline section, Choose Pipeline script from SCM

- Choose git as SCM and provide repo details

- Save

# Pipeline

Refer the below screenshot for the stages in the pipeline

##### Pipeline View

![Pipeline View](imgs/Secure_Pipeline_1.png)

##### Stage View

![Stage View](imgs/Secure_Pipeline_2.png)

##### Dependency Track

![Dependency Track View](imgs/Dependency_Track.png)

## Tools

| Stage               | Tool                                                                      |

| ------------------- | ------------------------------------------------------------------------- |

| Secrets Scanner     | [truffleHog](https://github.com/dxa4481/truffleHog)                       |

| Dependency Checker  | [OWASP Dependency checker](https://jeremylong.github.io/DependencyCheck/) |

| SAST                | [OWASP Find Security Bugs](https://find-sec-bugs.github.io/)              |

| OSS License Checker | [LicenseFinder](https://github.com/pivotal/LicenseFinder)                 |

| SCA                 | [Dependency Track](https://dependencytrack.org/)                          |

| Image Scanner       | [Trivy](https://github.com/aquasecurity/trivy)                            |

| Image Hardening     | [Dockle](https://github.com/goodwithtech/dockle)                          |

| K8s Hardening       | [KubeSec](https://kubesec.io/)                                            |

| IaC Hardening       | [checkov](https://www.checkov.io/)                                        |

| DAST                | [OWASP Baseline Scan](https://www.zaproxy.org/docs/docker/baseline-scan/) |

---

### TODO

Image Malware scanning - [ClamAV](https://github.com/openbridge/clamav)