Listed below are some of my personal DevSecOps pipeline projects and their progress.
They are based on my interests and some popular tools used in the industry. I tried to vary the tooling of each pipeline in order to learn and overcome whatever challenge would present itself during the process.
- Python Jenkins Declarative pipeline
- JAVA AWS cloud-native Pipeline
- JavaScript Azure-DevOps Pipeline
- RESTApi GCP GoCD Pipeline
- Android/iOS App Security Pipeline
- Container/kubernetes security Pipeline
- Attack Tree SlackBot
- Vulnerability Management driven Pipeline
- Tekton K8s native Security Pipeline
DevSecOps pipeline for a Python-based project using Jenkins, Ansible, AWS, and open-source security tools and checks.
Toolchain
- CICD - Jenkins
- Orchestration - Ansible Playbook
- SCM - Github
- Secret check - trufflehog
- SCA - safety
- SAST - bandit
- Container Audit - lynis
- DAST - nikto for scans, selenium-chrome for grabbing the session cookie
- Security Audit - lynis
- WAF - modsecurity, also configured as reverse proxy
- Environment - AWS
DevSecOps pipeline for a Java-based project using AWS DevOps tools, AWS security tools, and some open-source tools.
Toolchain
- CICD - AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy
- IDE - AWS Cloud9
- Secret Check - Talisman as pre-commit hook, trufflehog checks for secrets in the pipeline
- SCM - Github
- Artifact repository - AWS S3
- SCA - dependency-check
- SAST - findsecbugs
- DAST - OWASP ZAP
- Compliance Scanning - AWS Inspector
- Threat Detection - AWS GuardDuty
- Security Advisor - Security Hub
- WAF - AWS WAF
- Environment - AWS
DevSecOps pipeline for a React+Docker based project using Azure DevOps (Release Pipeline), Azure security solutions, and some open-source tools.
Toolchain
- CICD - Azure DevOps, Azure Release Pipeline
- Secret Check - trufflehog
- SCM - Github
- SCA - anchore non-OS scans
- SAST - sonarqube community edition 7.9.2
- DAST - gauntlt with arachni, nmap etc.
- Host security - Azure Security Center including FIM, Qualys vulnerability scans
- Container security - anchore full scan (OS, non-OS)
- Continuous Compliance - Azure Security Center for PCI-DSS, ISO 27001 etc.
- WAF - Azure Application Gateway with WAF rules
- DDoS protection - Vnet DDoS setting
- Azure account protection - Azure Security Center recommendations
- SIEM & SOAR - Azure Sentinel
- Environment - Azure Cloud
DevSecOps pipeline for a Python Flask REST API project using Go CD, Terraform, GCP, and open-source and cloud-native security tools and checks.
Toolchain
- CICD - Go CD
- Secret Check - trufflehog
- SCM - Github
- SCA - safety
- SAST - bandit
- DAST - GCP Web Security Scanner
- Container security - lynis
- Compliance - terraform-compliance
- Environment - GCP
Secret check, SCA, SAST, container security and compliance checks have all been shifted left and run at the code level, i.e. against the source code and the Infrastructure as Code (IaC).
A DevSecOps pipeline for an Android and iOS project using Jenkins, Android open-source security tools, and the security testing framework MobSF, which does code/binary analysis, malware analysis, and general and sensitive-information checks on iOS and Android apps.
Toolchain
- CICD - Jenkins
- secret-check - trufflehog
- SAST - findsecbugs
- Vulnerability Analysis - androbugs
- Malware Analysis - quark-engine
- Malicious Behaviour Analysis - androwarn
- Application Vulnerability Analysis - qark
- APK composition analysis - APKiD
- Security Test - MobSF for iOS and Android
- Environment - GCP
For Android, MobSF also checks certificate strength, obfuscation techniques, anti-reverse-engineering measures, dangerous permissions, etc.
DevSecOps pipeline for a container-based application deployed to a GCP Kubernetes cluster, using GCP Kubernetes and container solutions, with security tests from open-source container tools.
Toolchain
- CICD - Jenkins
- Git Secret Check - trufflehog
- Container image vulnerability analysis - trivy
- Container Image malware analysis - clamav
- Container Image storage - Google Container Registry
- Kubernetes Engine - Google Kubernetes Engine
- Kubernetes nodes - Google Container-Optimized OS
- Kubernetes orchestration - gcloud
- Kubernetes management - kubectl, helm
- Kubernetes CIS benchmark - kube-bench
- Kubernetes penetration test - kube-hunter
- Kubernetes runtime protection - falco
- Environment - GCP
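The Python Jenkins pipeline earlier on this page gates on bandit output and this container pipeline gates on trivy output; both need the same decision logic, so here is one added example (my illustration, not code from either project) of a severity gate over the two tools' JSON reports. The field names are the ones `bandit -f json` and `trivy image -f json` actually emit; the sample reports, the threshold, the libexample packages and the CVE-0000-000x ids are constructed placeholders, not real findings.

```python
"""Pipeline severity gate over bandit (SAST) and trivy (container image) JSON reports.

Added example for this page; it is not code from the projects listed above.
The JSON layouts are the real ones bandit (-f json) and trivy (-f json) emit;
the two sample reports at the bottom are constructed so the script runs offline.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Common ordering so one threshold applies to both tools.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    location: str
    summary: str


def parse_bandit(report: dict) -> list[Finding]:
    """bandit findings live under "results"; each carries issue_severity and issue_confidence."""
    out = []
    for r in report.get("results", []):
        # LOW-confidence hits are mostly noise: track them elsewhere, do not gate on them.
        if r.get("issue_confidence", "LOW").upper() == "LOW":
            continue
        out.append(Finding("bandit", r["test_id"], r["issue_severity"].upper(),
                           f"{r['filename']}:{r['line_number']}", r["issue_text"]))
    return out


def parse_trivy(report: dict) -> list[Finding]:
    """trivy groups CVEs per target under "Results"; "Vulnerabilities" is null for a clean target."""
    out = []
    for target in report.get("Results", []):
        for v in target.get("Vulnerabilities") or []:
            # Only a CVE with a fixed version can be resolved by rebuilding, so only those block.
            if not v.get("FixedVersion"):
                continue
            out.append(Finding("trivy", v["VulnerabilityID"], v["Severity"].upper(),
                               f"{target['Target']} {v['PkgName']}@{v['InstalledVersion']}",
                               v.get("Title", "")))
    return out


def blocking(findings: list[Finding], threshold: str = "HIGH") -> list[Finding]:
    floor = SEVERITY_RANK[threshold.upper()]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= floor]


def gate(bandit_report: dict, trivy_report: dict, threshold: str = "HIGH") -> int:
    """Exit code for the pipeline stage: 0 passes, 1 blocks the deploy."""
    findings = parse_bandit(bandit_report) + parse_trivy(trivy_report)
    blockers = blocking(findings, threshold)
    for f in blockers:
        print(f"BLOCK [{f.tool}] {f.rule} {f.severity} {f.location}: {f.summary}")
    print(f"{len(findings)} findings, {len(blockers)} at or above {threshold}")
    return 1 if blockers else 0


# Constructed sample reports: real field names, made-up contents, placeholder CVE ids.
SAMPLE_BANDIT = {
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app/run.py", "line_number": 42,
         "issue_text": "subprocess call with shell=True identified"},
        {"test_id": "B108", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "filename": "app/util.py", "line_number": 7,
         "issue_text": "Probable insecure usage of temp file/directory"},
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "app/auth.py", "line_number": 15,
         "issue_text": "Use of assert detected"},
    ]
}
SAMPLE_TRIVY = {
    "Results": [
        {"Target": "myapp:1.0 (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
             "FixedVersion": "1.0-2", "Severity": "CRITICAL", "Title": "placeholder: remote code execution"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.3",
             "FixedVersion": "", "Severity": "HIGH", "Title": "placeholder: no fix available"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird", "InstalledVersion": "0.9",
             "FixedVersion": "0.9.1", "Severity": "MEDIUM", "Title": "placeholder: info leak"},
        ]},
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ]
}

if __name__ == "__main__":
    sys.exit(gate(SAMPLE_BANDIT, SAMPLE_TRIVY))
```

Wire it in as the last step of the scan stage: `bandit -r . -f json -o bandit.json` and `trivy image -f json -o trivy.json myapp:1.0` write the files, the script loads them with `json.load`, and the stage exits with its return code, so a HIGH finding that has a fix blocks the deploy. Raising the threshold to CRITICAL while a backlog is being cleaned up is a one-argument change.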
A simple bot that sits on an AWS EC2 instance behind a Python Flask API and creates an attack-tree diagram with the graphviz library when a numbered list of attacks is provided as input.
Toolchain
- ChatOps - Slack
- Diagram service - Python for code & logic, graphviz library for diagramming
- Artifact Repository - AWS S3
- Request API service - Slack Actions
- Response API server - Python Flask
- Bot client host - Slack
- Bot server host - AWS
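As an added illustration of the bot's core step (my code, not the bot's own), the following turns a numbered attack list into Graphviz DOT. The numbering convention is an assumption: hierarchical numbers such as 1, 1.1 and 1.1.2, where dropping the last component names the parent. The sample list is constructed; a line whose parent was never listed is rejected rather than silently dropped.

```python
"""Turn a numbered attack list into a Graphviz DOT attack tree.

Added example for this page, not the bot's own code. Input convention (an
assumption): hierarchical numbering ("1", "1.1", "1.1.2") where a number's
prefix names its parent, so "1.1.2" is a child of "1.1". Rendering to an image
is left to the graphviz package, which is not imported here so this runs offline.
"""
from __future__ import annotations

import re

# "1. Goal", "1.1 Step", "1.1.2 Sub-step"; the dot after a top-level number is optional.
LINE = re.compile(r"^\s*(\d+(?:\.\d+)*)\.?\s+(.+?)\s*$")


def parse_outline(text: str) -> dict[str, str]:
    """Map numbering -> label, rejecting nodes whose parent was never listed."""
    nodes: dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if not m:
            raise ValueError(f"not a numbered item: {raw!r}")
        num, label = m.groups()
        parent = num.rpartition(".")[0]
        if parent and parent not in nodes:
            raise ValueError(f"{num} has no parent {parent}")
        nodes[num] = label
    return nodes


def edges(nodes: dict[str, str]) -> list[tuple[str, str]]:
    """Parent -> child pairs; every non-root number has exactly one parent."""
    return [(n.rpartition(".")[0], n) for n in nodes if "." in n]


def _q(s: str) -> str:
    # DOT double-quoted string: escape backslashes and embedded quotes.
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(nodes: dict[str, str]) -> str:
    """Roots (goals) are ellipses, leaves (concrete attack steps) get a distinct fill."""
    parents = {p for p, _ in edges(nodes)}
    lines = ["digraph attack_tree {", "  rankdir=TB;",
             '  node [shape=box, style="rounded,filled", fillcolor="#fde2e2"];']
    for num, label in nodes.items():
        shape = " shape=ellipse" if "." not in num else ""
        fill = ' fillcolor="#e2f0d9"' if num not in parents else ""
        lines.append(f"  {_q(num)} [label={_q(num + '. ' + label)}{shape}{fill}];")
    for p, c in edges(nodes):
        lines.append(f"  {_q(p)} -> {_q(c)};")
    lines.append("}")
    return "\n".join(lines)


# Constructed input, in the shape a Slack action would hand to the Flask endpoint.
SAMPLE = """
1. Exfiltrate customer records
1.1 Compromise the web tier
1.1.1 SQL injection in search endpoint
1.1.2 Replay a stolen session cookie
1.2 Read the backup bucket directly
1.2.1 Bucket policy allows anonymous list/get
"""

if __name__ == "__main__":
    print(to_dot(parse_outline(SAMPLE)))
```

With the graphviz Python package installed, `graphviz.Source(to_dot(nodes)).render("attack_tree", format="png")` writes the image that the bot would then upload to S3 and post back to Slack.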
A vulnerability-manager (DefectDojo) driven pipeline for a Python-based project. DefectDojo provides the OWASP ASVS standard for the security test plan and requirements, integration of vulnerability data from 70+ tools, and Slack integration for monitoring.
Toolchain
- Planning - OWASP ASVS
- CI/CD - Go CD
- secret-check - trufflehog
- SCA - safety
- SAST - bandit
- DAST - nikto
- Container Vulnerability Analysis - trivy
- Vulnerability Manager - DefectDojo
- Monitoring - Slack
- Environment - AWS
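How the scan results reach DefectDojo, as an added example rather than the project's own code: each tool's JSON report is posted to the DefectDojo API v2 import-scan endpoint with the matching scan type. The endpoint, the Token header and the form-field names are DefectDojo's; the server URL, API key, engagement id, report paths, environment variable names and the GoCD build variables used for traceability are placeholders and assumptions.

```python
"""Push pipeline scan reports into DefectDojo through its REST API v2.

Added example for this page, not the project's own code. Endpoint, header and
form-field names are DefectDojo's import-scan interface; the base URL, token,
engagement id, report paths and environment variable names are placeholders.
"""
from __future__ import annotations

import os
from datetime import date

# DefectDojo parser names for the tools in this pipeline.
SCAN_TYPES = {
    "trufflehog": "Trufflehog Scan",
    "safety": "Safety Scan",
    "bandit": "Bandit Scan",
    "nikto": "Nikto Scan",
    "trivy": "Trivy Scan",
}


def import_scan_request(base_url, api_key, engagement_id, tool, report_path,
                        build_id, commit_hash, branch, minimum_severity="Low"):
    """Build the import-scan call for one tool's report.

    close_old_findings=true mitigates findings from earlier imports of the same
    scan type that are absent from this report, so repeated pipeline runs keep the
    engagement in sync instead of piling up duplicates.
    """
    if tool not in SCAN_TYPES:
        raise ValueError(f"no DefectDojo scan type mapped for {tool}")
    return {
        "url": f"{base_url.rstrip('/')}/api/v2/import-scan/",
        "headers": {"Authorization": f"Token {api_key}"},
        "data": {
            "scan_type": SCAN_TYPES[tool],
            "engagement": str(engagement_id),
            "scan_date": date.today().isoformat(),
            "minimum_severity": minimum_severity,
            "active": "true",
            "verified": "false",           # triage happens in DefectDojo, not in the pipeline
            "close_old_findings": "true",
            "build_id": build_id,          # traceability back to the GoCD run
            "commit_hash": commit_hash,
            "branch_tag": branch,
            "tags": [tool, "pipeline"],
        },
        "report_path": report_path,
    }


def send(req: dict, timeout: int = 60) -> dict:
    """POST the multipart request; requests is imported lazily so the builder works offline."""
    import requests  # assumption: the requests package is installed on the agent
    with open(req["report_path"], "rb") as fh:
        resp = requests.post(req["url"], headers=req["headers"], data=req["data"],
                             files={"file": fh}, timeout=timeout)
    resp.raise_for_status()
    return resp.json()


def import_run(base_url, api_key, engagement_id, reports: dict[str, str],
               build_id, commit_hash, branch) -> dict[str, int | None]:
    """Import every report that exists on disk; a tool that wrote no file is skipped, not fatal."""
    results: dict[str, int | None] = {}
    for tool, path in reports.items():
        if not os.path.exists(path):
            print(f"skip {tool}: {path} not found")
            continue
        req = import_scan_request(base_url, api_key, engagement_id, tool, path,
                                  build_id, commit_hash, branch)
        results[tool] = send(req).get("test")  # id of the Test DefectDojo created
    return results


if __name__ == "__main__":
    # Placeholders: DefectDojo URL, API key variable, engagement id; GoCD exposes
    # GO_PIPELINE_COUNTER and GO_REVISION to jobs (assumption about the agent's setup).
    print(import_run("https://defectdojo.example.internal", os.environ.get("DD_API_KEY", ""), 1,
                     {t: f"reports/{t}.json" for t in SCAN_TYPES},
                     build_id=os.environ.get("GO_PIPELINE_COUNTER", "local"),
                     commit_hash=os.environ.get("GO_REVISION", ""), branch="main"))
```

Each tool gets its own Test inside the engagement, so DefectDojo's per-scan-type deduplication applies and the Slack notifications it sends on new findings can be read per tool.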
More to follow