DevSecOps — Implementing Secure CI/CD Pipelines

Why DevSecOps?

  • DevSecOps brings security closer to IT and business objectives by reducing vulnerabilities earlier in the application development life cycle.
  • With this in mind, our team automated security controls to protect the wider environment and its data, as well as the CI/CD process itself.
  • Security measures are integrated with minimal disruption to operations while keeping pace with technologies such as containers and microservices.
  • In DevSecOps, security is built in for containers and microservices.

What is DevSecOps?

  • In a DevSecOps environment, the IT and security teams work with developers to automate security checks throughout the development cycle.
  • Automation throughout the software delivery pipeline eliminates manual mistakes and reduces both attacks and downtime.
  • Teams looking to integrate security into their DevOps framework can do so with little friction using the right DevSecOps tools and processes.

DevOps vs DevSecOps

(Comparison diagram: DevOps vs DevSecOps)

Objectives

  • Remove the manual build and deploy process
  • Integrate security into our DevOps pipeline
  • Integrate a secret management tool to secure secrets
  • Implement an efficient, continuous, automated and secure development and deployment process
  • Integrate Teams across the entire product development life cycle
  • Deploy the solution to the public cloud (GCP) once all security vulnerabilities and compliance requirements have been surfaced

Architecture Diagram for CI/CD Pipeline

(Architecture diagram of the CI/CD pipeline)

Here, we have taken a simple Maven project for the demo.

Tools Used

(Diagram of the tools used in the pipeline)

Jenkinsfile for CI/CD Pipeline

(Screenshot of the Jenkinsfile)

In the first stage we clone the git repository (sonar branch) into the Jenkins workspace; in the second stage we build the Maven application from pom.xml, which produces an artifact in the Jenkins workspace folder.

In the post-success step we use JUnit for unit testing. The test reports are generated in the target folder of the Jenkins workspace.

In the next stage we run the code quality assurance test with SonarQube. It analyses the code from the Maven build and publishes the reports to the SonarQube portal, authenticating with the token credential obtained from HashiCorp Vault. The 'installationName' parameter is the name configured under Manage Jenkins > Configure System > SonarQube servers.

Go to Manage Jenkins > Configure System and fill in 'Name', 'Server Url' and 'Server Authentication Token'; the token itself is stored on the Vault server at secrets/creds/sonarqube-token.

Here, we have used Vault as the secret management tool to store the secrets (credentials) used in the CI/CD pipeline.

To see how we integrated Vault with Jenkins, please refer to my earlier post: How to Integrate HashiCorp Vault with Jenkins

Here, we can see that the code quality check has passed; SonarQube also detects the bugs and vulnerabilities present in the code.

In the next stage we build the Docker image, named nanditasahu/devsecops-demo (the repository name) and tagged with $BUILD_NUMBER, which Jenkins expands to the current build number of the job. The output also lists the top-level images with their repository, tag and size.

In the next stage we scan the Docker image we just built for vulnerabilities with Trivy and store the scan report in a folder in the Jenkins workspace (trivy-image-scan). Since the image has no Critical-severity findings, we go on to push it to Docker Hub.

In the next stage we push the Docker image to Docker Hub.

We first log in to Docker Hub with the username and password supplied by Vault, and then push the image.

In the next stage we upload the reports to a GCP Cloud Storage bucket. To use the gcloud CLI from Jenkins we first need to install the GCloud SDK plugin under Manage Jenkins and install the gcloud CLI on the Compute Engine instance where Jenkins is running, following the steps here: Install gcloud SDK

Then create a service account with the Storage Admin and Storage Object Admin roles; this allows Jenkins to push the Trivy scan reports into the bucket. Add the JSON key you receive to the Vault server and then integrate it with Jenkins Credentials. Note that Storage Admin is broader than an upload-only pipeline needs; if you tighten it, keep a role that still allows creating and listing objects in the bucket.

In the pipeline we first check the gcloud version and then activate the service account using the key file.

Then we copy the Trivy scan file from the Jenkins workspace to GCP Cloud Storage and list the contents of the bucket with the gsutil command.

As a best practice, since the Docker images are no longer needed on the Jenkins agent after the push, we remove them.
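A Jenkinsfile assembling the stages walked through above, as an added example and not the Jenkinsfile from the post's screenshots or its repository; the Vault URL, the 'vault-approle' and 'gcp-storage-sa' credential ids, the key names inside each Vault path, the repository URL and the bucket name are assumptions. The Trivy stage is where the "no Critical findings" rule becomes enforceable: with --exit-code 1 a Critical finding fails the stage before the push ever runs.

```groovy
// Exposes the keys of one Vault path as environment variables only inside the closure.
// The Vault URL, the 'vault-approle' Jenkins credential and the key names are assumptions.
def withVaultEnv(String path, List secretValues, Closure body) {
    withVault(configuration: [vaultUrl: 'https://vault.example.com:8200', vaultCredentialId: 'vault-approle', engineVersion: 2],
              vaultSecrets: [[path: path, secretValues: secretValues]], body)
}

pipeline {
    agent any
    environment { IMAGE = "nanditasahu/devsecops-demo:${env.BUILD_NUMBER}" }
    stages {
        stage('Checkout') { steps { git branch: 'sonar', url: 'https://github.com/EXAMPLE/devsecops-pipeline.git' } }
        stage('Build') {
            steps { sh 'mvn -B clean package' }
            post { success { junit 'target/surefire-reports/*.xml' } }   // JUnit reports from the target folder
        }
        stage('Code Quality') {
            steps {
                // Single-quoted sh strings: the shell expands $SONAR_TOKEN, so Groovy never interpolates the secret
                withVaultEnv('secrets/creds/sonarqube-token', [[envVar: 'SONAR_TOKEN', vaultKey: 'token']]) {
                    withSonarQubeEnv(installationName: 'sonarqube') { sh 'mvn -B sonar:sonar -Dsonar.login=$SONAR_TOKEN' }
                }
            }
        }
        stage('Docker Build') { steps { sh 'docker build -t "$IMAGE" .' } }
        stage('Trivy Scan') {
            // --exit-code 1 turns any CRITICAL finding into a failed stage, so the push below never runs
            steps { sh 'mkdir -p trivy-image-scan && trivy image --severity CRITICAL --exit-code 1 -o "trivy-image-scan/scan-$BUILD_NUMBER.txt" "$IMAGE"' }
        }
        stage('Docker Push') {
            steps {
                withVaultEnv('secrets/creds/dockerhub', [[envVar: 'DOCKER_USER', vaultKey: 'username'], [envVar: 'DOCKER_PASS', vaultKey: 'password']]) {
                    // --password-stdin keeps the password out of the process list and the console log
                    sh 'echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin && docker push "$IMAGE"'
                }
            }
        }
        stage('Upload Reports') {
            steps {
                withCredentials([file(credentialsId: 'gcp-storage-sa', variable: 'GCP_KEY')]) {   // assumed credential id
                    sh 'gcloud version && gcloud auth activate-service-account --key-file="$GCP_KEY" && gsutil cp trivy-image-scan/*.txt gs://EXAMPLE-BUCKET/ && gsutil ls gs://EXAMPLE-BUCKET/'
                }
            }
        }
    }
    post { always { sh 'docker rmi -f "$IMAGE" || true' } }   // image is no longer needed on the agent
}
```

The Teams notification is configured in the job's Office 365 Connector settings as described below, so it needs no stage in the Jenkinsfile.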

We have also integrated Jenkins with Teams so that we receive notifications when a job builds successfully, fails, is aborted, and so on.

Steps for Integrating Teams with Jenkins

  • Create a Teams channel; once the channel is created, click Connectors and add Jenkins.
  • Select Jenkins and click Configure.
  • Enter a name for the Jenkins connection.
  • Copy the webhook URL; this URL is added to the Jenkins pipeline.
  • Install the Office 365 Connector plugin from Manage Plugins.
  • Open your Jenkins pipeline, paste the webhook URL in the Office 365 Connector section, tick the boxes for the events you want to receive, and click Save.
  • Once the build starts, you will get a notification in the jenkins-notification channel.
  • After the build completes, you will get another notification in the jenkins-notification channel.

We use the Blue Ocean plugin to visualise the pipeline created in Jenkins.

To use the above Jenkinsfile and Maven code, use the repository below: DevSecOps Pipeline
