GithubHelp home page GithubHelp logo

louischan-oursky / devsecops-ci Goto Github PK

View Code? Open in Web Editor NEW

This project forked from oursky/devsecops-ci

0.0 1.0 0.0 49 KB

Security checkers callable from CI

License: Apache License 2.0

Dockerfile 0.99% Makefile 8.55% Shell 32.00% Python 58.45%

devsecops-ci's Introduction

DevSecOps - CI

Security checkers callable from CI

masterTravisCI

What is DevSecOps?

In short, Security as Code, Compliance as Code, Infrastructure as Code. The goal of this repository is provide a easy to invoke checker toolset to enhance security quality, analogy to lint tool for code quality.

Operation Pipeline

devsecops-ci works like an ordinately link checker, it open up a single command line interface to perform all necessary checks. Simply invoke it in the CI pipeline.

┌───────────────┐
│ coding        │
└───────┬───────┘
┌───────┴───────┐
│ git push      │
└───────┬───────┘
┌───────┴──────┐         ┌───────────────┐
│ CI           ├────┬────┤ lint          │
└───────┬──────┘    │    └───────────────┘
        │           │    ┌───────────────┐
        │           ├────┤ tests         │
        │           │    └───────────────┘
        │           │    ┌───────────────┐
        │           └────┤ devsecops-ci  │
        │                └───────────────┘
┌───────┴──────┐
│ CD(optional) │
└──────────────┘

Tests coverage

How to add to your project

To hide dependency packages from polluting workspace, we recommend to use the prebuilt docker image or just docker build it on CI.

docker build -t devsecops-ci https://github.com/oursky/devsecops-ci.git

To delete the image:

docker rmi devsecops-ci

To perform tests, run:

docker run -it --rm -v "`pwd`:/target:ro" devsecops-ci check
 OR
docker run -it --rm -v "`pwd`:/target:ro" devsecops-ci check --commit-range=rev1..rev2
 OR
docker run -it --rm -v "`pwd`:/target:ro" devsecops-ci check --target-dir=/target --commit-range=rev1..rev2

Where --target-dir is optional argument points to the mounted directory, defaults to /target. --commit-range is optional argument to check only selected commit revisions, e.g. --commit-range=revA..revB or --commit-range=${TRAVIS_COMMIT_RANGE}.

This run check against current pwd, this directory should be the top level directory of your project. You can also build and run it locally on your development computer.

Integrate with TravisCI

Add a job to .travis.yml

matrix:
  include:
    # your project build jobs
    - language: node_js
    ...

    # devsecops-ci
    - language: minimal
      dist: xenial
      services:
        - docker
      before_install:
        - docker build -t devsecops-ci https://github.com/oursky/devsecops-ci.git
      script:
        - docker run -it --rm -v "`pwd`:/target:ro" devsecops-ci check --verbose=no --commit-range=${TRAVIS_COMMIT_RANGE}

Suppress false alarm

You may suppress false alarm by adding entry to .devsecops-ci file.

Secret Scanner
[git-secret]
exclude: .travis.yml|dir/*.example
allow_secrets:
    secret1
    secret2

exclude takes a regex and suppress checking on matched files.
allow_secrets take a list of whitelisted string to ignore, which is partiicularly useful for non-secret like sentry DSN.

bandit
[bandit]
exclude: alembic,tests
skips: B123,B456

exclude takes a comma-separated list of directory or filename and suppress checking on matched files.
skips suppress checking on particular test cases.
Check https://github.com/PyCQA/bandit for detail.

devsecops-ci's People

Contributors

hidden-dimensions avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.