I tried to created a end to end DevSecOps pipeline for Node.js project
Introduction
Hi this Akshay Rao from Annotation.Inc, I tried to create the DevSecOps pipeline including some security scans. These security scans are very important as the vulnerability is found before the Application is the production, because if the vulnerability are found in the production the cost of rectifying is very high.
Let's start
Lets start by understanding the pipeline
I have take nodejs project in the Github, write a workflow.yml
In this yml file i have created
I had to generate a token form Synk and Sonar cloud (SYNK_TOKENS & SONAR_TOKEN) in the Github repository settings. Then commit the workflow and the scans will start running in the actions tab in the Github.
name: Build code, run unit test, run SAST, SCA, DAST security scans for NodeJs App on: push jobs: build: runs-on: ubuntu-latest name: Run unit tests and SAST scan on the source code steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: node-version: 16 cache: npm - run: npm install - name: SonarCloud Scan uses: sonarsource/sonarcloud-github-action@master env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: args: > -Dsonar.organization=<PUT YOUR ORGANIZATION NAME> -Dsonar.projectKey=< PUT YOUR PROJECT KEY NAME> security: runs-on: ubuntu-latest needs: build name: Run the SCA scan on the source code steps: - uses: actions/checkout@master - name: RunSnyk to check for vulnerabilities uses: snyk/actions/node@master continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKENS }} zap_scan: runs-on: ubuntu-latest needs: security name: Run DAST scan on the web application steps: - name: Checkout uses: actions/checkout@v2 with: ref: master - name: ZAP Scan uses: zaproxy/[email protected] with: docker_name: 'owasp/zap2docker-stable' target: 'http://example.com/' rules_file_name: '.zap/rules.tsv' cmd_options: '-a'
The reports will be genarated as artifacts or in the actions by clicking on scan names or through dashboard url which will be mentioned.
SAST Report
SCA Report
DAST Report
Conclusion
I thank AsecurityGuru's udemy course who helped me in understanding DevSecOps pipeline.
Thank You