DevSecOps — Implementing Secure CI/CD Pipelines
Vartul Goyal
Securing Company Infrastructure | Expert in ASPM | Automating Remediation with AI
DevSecOps LifeCycle
Why DevSecOps?
- DevSecOps brings security closer to IT and business objectives by minimizing vulnerabilities earlier.
- Keeping this in mind, our team automated security to secure the broader environment and data, as well as the CI/CD process.
- Integrating security measures with minimal disruption to operations, staying current with technologies like containers and microservices.
What is DevSecOps?
- DevSecOps brings security closer to IT and business objectives by minimizing vulnerabilities earlier in the application development life cycle.
- In a DevSecOps environment, the IT and security teams work with developers to automate security checks.
- The benefit of DevSecOps:
- Enhanced automation throughout the software delivery pipeline, which eliminates mistakes and reduces attacks and downtime.
DevOps vs DevSecOps
Objectives
- Remove the manual build and deploy process
- Integrate security into our DevOps pipeline
- Integrate a secret management tool
- Implement efficient, continuous, automated and secure development
Architecture Diagram for CI/CD Pipeline
Here, we have taken a simple Maven Project to show a demo.
Tools Used
Initially, we clone the sonar branch of the Git repository into the Jenkins workspace. In the second stage we build our Maven application from pom.xml, which creates an artifact in the Jenkins workspace folder.
In the post-success step we use JUnit for unit testing. The test reports are generated in the target folder of the Jenkins workspace.
In the next stage, we run a code quality assurance test using SonarQube. It analyzes the code of the Maven build and publishes the reports to the SonarQube portal, authenticating with the token credential that is retrieved from HashiCorp Vault. The ‘installationName’ parameter is the name we configured under Manage Jenkins → Configure System → SonarQube servers.
Go to Manage Jenkins → Configure System and set ‘Name’, ‘Server Url’ and ‘Server Authentication Token’; the token itself is stored on the Vault server under secrets/creds/sonarqube-token.
Here, we have used Vault as the secret management tool to store the secrets (credentials) used in the CI/CD pipeline.
Here, we can see that the code quality check passed; SonarQube also reports the bugs and vulnerabilities it detects in the code.
In the next stage we build the Docker image with the image name nanditasahu/devsecops-demo (the repository name) and the tag $BUILD_NUMBER, which Jenkins expands to the current build number of the job. The stage also lists the top-level images with their repository, tag and size.
In the next stage, we scan the Docker image for vulnerabilities.
In the next stage, we push the Docker image to Docker Hub.
We first log in to Docker Hub with the username and password supplied by Vault, and then push the image to Docker Hub.
In the next stage, we upload the reports to a GCP Cloud Storage bucket. To use the gcloud CLI in Jenkins we first need to install the
GCloud SDK Plugin under Manage Jenkins and install the gcloud CLI on the Compute Engine instance where Jenkins is running, using the steps below:
Then create a service account with the Storage Admin and Storage Object Admin roles; this allows Jenkins to push the Trivy scan reports into the bucket. Add the JSON key you receive to the Vault server and then integrate it with Jenkins Credentials.
In the pipeline, we first check the gcloud version and then activate the service account with the key file.
Then we copy the Trivy scan report from the Jenkins workspace to GCP Cloud Storage and list the contents of the bucket with the gsutil command.
As a best practice, since the Docker images are no longer needed on the build agent once they have been pushed, we remove them.
We have also integrated Jenkins with Teams so that we receive notifications when a build fails, is aborted, or for many other events.
Steps for Integration Teams with Jenkins
1. Create a Teams channel and, once it is created, click Connectors and add Jenkins.
2. Select Jenkins and click Configure.
3. Enter a name for the Jenkins connection.
4. Copy the webhook URL and add it to the Jenkins pipeline.
5. Install the Office 365 Connector in Manage Plugins.
6. Open your Jenkins pipeline, paste the webhook URL in the Office 365 Connector section, check the boxes for the events you want to receive, and click Save.
Once the build starts, you’ll get notifications in the jenkins-notification channel.
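The pipeline stages and the Teams notification described above, written out as one declarative Jenkinsfile. This is an added example, not the article's own Jenkinsfile or the code of the linked repository: the image name, tag, Vault path secrets/creds/sonarqube-token and the gcloud/gsutil steps follow the article, while the repository URL, Vault server address, credential ids, Docker Hub Vault keys, bucket name and report file name are assumed placeholders, marked ASSUMED in the comments. Two hardening points the article does not spell out are included: the build is failed on a red SonarQube quality gate and on HIGH/CRITICAL Trivy findings before the image is pushed.

```groovy
// Added example Jenkinsfile (not from the article). Placeholders are marked ASSUMED.
pipeline {
    agent any

    environment {
        IMAGE  = "nanditasahu/devsecops-demo:${env.BUILD_NUMBER}"   // repository + build-number tag, as in the article
        REPORT = 'trivy-report.txt'                                  // ASSUMED report file name
        BUCKET = 'gs://EXAMPLE_REPORT_BUCKET'                        // ASSUMED placeholder bucket
        VAULT_URL  = 'https://vault.example.internal:8200'           // ASSUMED Vault address
        VAULT_CRED = 'vault-approle'                                 // ASSUMED Jenkins credential used to log in to Vault
    }

    stages {
        stage('Checkout') {
            steps {
                // The article clones the 'sonar' branch; the URL is an ASSUMED placeholder.
                git branch: 'sonar', url: 'https://github.com/EXAMPLE_ORG/EXAMPLE_REPO.git'
            }
        }
        stage('Build') {
            steps { sh 'mvn -B clean package' }
            post {
                // Surefire writes JUnit XML under target/; publish it on the build page.
                success { junit 'target/surefire-reports/*.xml' }
            }
        }
        stage('Code Quality') {
            steps {
                // Token read from Vault at secrets/creds/sonarqube-token and exposed only inside this block.
                withVault(configuration: [vaultUrl: env.VAULT_URL, vaultCredentialId: env.VAULT_CRED],
                          vaultSecrets: [[path: 'secrets/creds', engineVersion: 2,
                                          secretValues: [[envVar: 'SONAR_TOKEN', vaultKey: 'sonarqube-token']]]]) {
                    // 'sonarqube' is the installationName from Manage Jenkins -> Configure System (ASSUMED name).
                    withSonarQubeEnv('sonarqube') {
                        // Single-quoted: the shell expands the secret, so it never enters a Groovy string or the log.
                        sh 'mvn -B sonar:sonar -Dsonar.host.url="$SONAR_HOST_URL" -Dsonar.login="$SONAR_TOKEN"'
                    }
                }
            }
        }
        stage('Quality Gate') {
            steps {
                // Needs a SonarQube webhook pointing at Jenkins; aborts the build when the gate is red.
                timeout(time: 10, unit: 'MINUTES') { waitForQualityGate abortPipeline: true }
            }
        }
        stage('Docker Build') {
            steps {
                sh 'docker build -t "$IMAGE" .'
                sh 'docker images "${IMAGE%%:*}"'   // repository, tag and size of the images just built
            }
        }
        stage('Image Scan') {
            steps {
                // Report is kept for upload; --exit-code 1 fails the stage on HIGH/CRITICAL findings,
                // so a vulnerable image is never pushed.
                sh 'trivy image --severity HIGH,CRITICAL --exit-code 1 --format table --output "$REPORT" "$IMAGE"'
            }
        }
        stage('Push Image') {
            steps {
                // ASSUMED Vault keys holding the Docker Hub account.
                withVault(configuration: [vaultUrl: env.VAULT_URL, vaultCredentialId: env.VAULT_CRED],
                          vaultSecrets: [[path: 'secrets/creds', engineVersion: 2,
                                          secretValues: [[envVar: 'DOCKER_USER', vaultKey: 'dockerhub-username'],
                                                         [envVar: 'DOCKER_PASS', vaultKey: 'dockerhub-password']]]]) {
                    // --password-stdin keeps the password out of the process list and the console output.
                    sh 'echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin'
                    sh 'docker push "$IMAGE"'
                    sh 'docker logout'
                }
            }
        }
        stage('Upload Report') {
            steps {
                // Service-account JSON key stored as a Jenkins 'secret file' credential (ASSUMED id).
                withCredentials([file(credentialsId: 'gcp-sa-key', variable: 'GOOGLE_APPLICATION_CREDENTIALS')]) {
                    sh 'gcloud --version'
                    sh 'gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"'
                    sh 'gsutil cp "$REPORT" "$BUCKET/$JOB_NAME/$BUILD_NUMBER/"'
                    sh 'gsutil ls "$BUCKET/$JOB_NAME/$BUILD_NUMBER/"'
                }
            }
        }
    }

    post {
        always {
            // The image is not needed on the agent once it has been pushed.
            sh 'docker rmi -f "$IMAGE" || true'
        }
        unsuccessful {
            // Fires for failed, unstable and aborted builds; the webhook URL is a secret text credential (ASSUMED id).
            withCredentials([string(credentialsId: 'teams-webhook', variable: 'TEAMS_WEBHOOK')]) {
                office365ConnectorSend webhookUrl: env.TEAMS_WEBHOOK,
                    message: "Build ${env.JOB_NAME} #${env.BUILD_NUMBER} ended with ${currentBuild.currentResult}",
                    status: currentBuild.currentResult
            }
        }
    }
}
```

The secrets are scoped to the steps that need them (withVault and withCredentials blocks) and passed to the shell through environment variables in single-quoted sh strings, so they are neither interpolated into Groovy nor echoed in the console log. Storing the Teams webhook URL as a credential rather than pasting it into the Jenkinsfile matters for the same reason: anyone holding the URL can post to the channel.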
We are using the Blue Ocean plugin to visualize the pipeline created in Jenkins.
To use the above Jenkinsfile and Maven code, use the repository below:
Source: https://medium.com/@nanditasahu031/devsecops-implementing-secure-ci-cd-pipelines-9653726b4916
Security, Compliance and Privacy Lead for NZ Public Sector
2 years: Nice article - short and condensed - keep it up