Skip to content

Simple repo trying out different open source DevSecOps tools.

Notifications You must be signed in to change notification settings

TheDukeDK/devsecops-demo

Repository files navigation

Demo Environment

This repository implements a demo of DevSecOps tools against some sample code bases. The goal being to evaluate these tools against each other using the same baseline and also provide examples of usage.

It, presently, contains the following applications to support the demo.

  • Gitlab(13.5.3-ee)
  • Jenkins(2.249.3)
  • SonarQube(8.4.2 Community Edition)

The tools are all demonstrated in a set of Jenkins pipelines. At present the focus is on open source tools and tools with a free tier usage.

DevSecOps Areas

They are broken into the following categories.

  • Infrastructire As Code: Checking for security issues and best practice. Covers K8's Yaml, Helm Charts, Terrafrom and Dockerfiles.

  • Library Scanning: Checking dependencies for security issues. Presently covered are .Net Core, NodeJs. Java coming soon.

  • Image Scanning: Checking container images for vulnerabilties.

Documentation

  • See Setup for getting the demo environemt up and running locally.

  • Each of the categories has its own markdown file listing the different tools that have been evaluated, the reasoning behind the selection of a specific tool and observations regarding them.

  • The Observations section is not about the tools but implementing DevSecOps from a larger perspective.

  • Comments have also been made to the pipeline files to give an overview of usage within the pipelines.

  1. Setup
  2. Library Scanning
  3. Image Scanning
  4. IaC Scanning
  5. Observations

Todo's

  • Add Java pipelines for existing tools.

About

Simple repo trying out different open source DevSecOps tools.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published