Securing the Agile Journey: A Guide to Successful DevSecOps Implementation Hands-On (Part 2)

Kavyesh Shah
Simform Engineering
Aug 14, 2023

Weaving security into every process.

In Part 1, we discussed security measures to implement during the development phase.

In Part 2, we will explore the integration of DevSecOps practices into CI/CD pipelines. The aim is to detect and remediate issues inside the pipeline and to let only approved, verified artifacts be deployed to the production environment.

Preparing for the Shift Left Approach…

The goal is to identify and address security issues and vulnerabilities as early as possible, ideally during the initial stages of development. This approach helps to prevent security flaws from propagating throughout the development process and reaching production.

Security Implementation in Source Control and CI/CD

  1. When configuring CI/CD environments, it’s crucial to keep non-production and production environments completely isolated. Failing to do so increases the blast radius of an attacker. For example, using a single Jenkins server to deploy to all environments means that compromising that one server puts every environment at risk.
  2. Similarly, using a single account (or identity boundary) for both non-production and production workloads puts everything at risk if either side is compromised.
  3. Separate CI and CD jobs, with each job holding only the set of permissions the pipeline requires. For example, the CI job should be able only to push an image to the container registry, while the CD job should be able only to deploy a resource.
  4. Running privileged containers in CI/CD pipelines can have unintended side effects, including damage to the host operating system, because a privileged container is effectively root on the host.
  5. It’s advisable to detect security issues like vulnerable code, outdated packages, and malicious code in the build stage of the CI/CD pipeline. Detecting vulnerabilities only once the code is already running is too late and makes them slower to fix.
  6. Artifact validation: when an artifact is created in the CI pipeline, calculate its hash and store it in a secure location. Before the CD pipeline uses the artifact, verify that it is unmodified by cross-checking the hash.
  7. CI/CD pipelines are attractive targets for attackers because they hold secrets and other sensitive data. Implement least-privilege access control across organizations and teams. Teams not involved with production should not have access to production pipelines or their credentials.
  8. Clean up the build environment after each job so that no code or credentials from a previous pipeline run remain on the agent.
  9. In many cases a DevOps engineer has to use self-hosted build agents. Ensure that these agents are kept up to date using automation scripts.
  10. Prevent sensitive information from being written to the build logs.
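The following GitHub Actions workflow is an added example (not from the original post) that applies points 3 and 6 above: the CI and CD jobs are split, each with its own minimal `permissions` block, and the CD job refuses to deploy an artifact whose SHA-256 differs from the one CI recorded. It assumes a `src/` directory to package, a protected `production` environment, and a hypothetical `PROD_DEPLOY_TOKEN` secret that exists only in that environment.

```yaml
name: ci-cd-split
on:
  push:
    branches: [main]

# Deny everything at the workflow level; each job opts in to the minimum it needs.
permissions: {}

jobs:
  ci:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # checkout only; add "packages: write" only if this job pushes to GHCR
    outputs:
      sha256: ${{ steps.hash.outputs.sha256 }}
    steps:
      - uses: actions/checkout@v3
      - name: Build the artifact (placeholder build step, assumes a src/ directory)
        run: tar -czf app.tgz src/
      - name: Record the artifact hash as a job output (the "secure location" for this example)
        id: hash
        run: echo "sha256=$(sha256sum app.tgz | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v3
        with:
          name: app
          path: app.tgz

  cd:
    needs: ci
    runs-on: ubuntu-latest
    environment: production   # separate secrets and required reviewers live on the environment
    permissions:
      contents: read
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: app
      - name: Refuse to deploy anything whose hash differs from what CI recorded
        # sha256sum -c expects "<hash>  <file>" (two spaces) and exits non-zero on mismatch
        run: echo "${{ needs.ci.outputs.sha256 }}  app.tgz" | sha256sum -c -
      - name: Deploy (placeholder; the deploy credential is only visible to this job)
        env:
          PROD_DEPLOY_TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}   # hypothetical secret name
        run: echo "deploying app.tgz with the production token (replace with the real deploy command)"
```

The CI job never sees the production credential and the CD job never gets write access to the repository, so a compromise of either job stays confined to that job's scope.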

Let's look at a few additional tools for identifying security issues in automation pipelines.

1. SemGrep with GitHub Actions (Code Bugs and Security HotSpots Finder)

https://github.com/returntocorp/semgrep

Semgrep is an open-source, static analysis engine for finding bugs, detecting vulnerabilities in third-party dependencies, and enforcing code standards. It integrates with many well-known CI/CD providers like GitHub, GitLab, Jenkins, and Bitbucket.

Check out how we can enable periodic Semgrep scans for a repo using GitHub Actions:

The Semgrep action can send the scan summary directly to the GitHub Security dashboard. To enable the summary on the dashboard, the workflow needs permission to write security events; change the Actions settings as per the image below:
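An added example workflow (not the post's own gist) that runs Semgrep on pushes, pull requests and a daily schedule, writes SARIF, and uploads it to the Security tab. Instead of flipping the repository-wide "read and write" setting shown in the image, it grants `security-events: write` to just this job; the branch name `main`, the daily cron time and the `p/default` ruleset are assumptions.

```yaml
name: semgrep
on:
  pull_request: {}
  push:
    branches: [main]
  schedule:
    - cron: "20 17 * * *"   # periodic scan every day at 17:20 UTC, independent of commits

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep   # official Semgrep CLI image (pin a version tag in production)
    # Scoped alternative to the repository-wide workflow permission setting:
    # only this job may write security events, which the SARIF upload needs.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
      - name: Run Semgrep and write findings as SARIF
        run: semgrep ci --sarif --output=semgrep.sarif
        env:
          SEMGREP_RULES: p/default   # ruleset; p/ci or p/owasp-top-ten are common alternatives
      - name: Upload SARIF to GitHub code scanning
        if: always()                 # semgrep exits non-zero on findings; upload them anyway
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: semgrep.sarif
```

Each upload is versioned against the commit it was produced from, which is what lets the Security tab show a finding as new, fixed or still open across runs.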

Github Action Workflow Settings — Set Write permission

After the pipeline runs successfully, the Security tab within the repository will display the identified security hotspots in the code. These can be conveniently tracked and versioned in the UI.

SARIF Output from SemGrep workflow tracked in Github Security Dashboard

2. Git Leaks with GitHub Actions (Secrets Detection)

https://github.com/gitleaks/gitleaks

Gitleaks is an open-source secret scanner for git repositories, files, and directories. It's a popular tool for detecting sensitive credentials that have been committed to a repository.

It's very easy to run Gitleaks locally as well as in CI/CD pipelines. If certain findings should be ignored (for example, a documented test fixture), add their fingerprints to a .gitleaksignore file at the root of the repo.
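An added example (not from the original post) of running the official gitleaks GitHub Action. The full-history checkout matters: a secret that was committed and later deleted is still in the git history, and a shallow clone would miss it. `GITLEAKS_LICENSE` is only needed for organization accounts.

```yaml
name: gitleaks
on:
  pull_request: {}
  push:
    branches: [main]   # assumed default branch

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full history, so secrets removed in HEAD but present in old commits are found
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}   # organizations only; not needed for personal accounts
```

A finding's fingerprint is printed in the gitleaks output as `<commit>:<path>:<rule-id>:<line>`; placing that exact line in `.gitleaksignore` suppresses that one occurrence only, not the rule.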

3. Grype with GitHub Actions (Container + Code Issues Finder)

https://github.com/anchore/grype

Grype is a vulnerability scanner for container images and filesystems. It can find vulnerabilities in major operating system packages like Alpine, Amazon Linux, Debian Family, Red Hat (RHEL), etc.

It’s also very useful for finding language-specific package issues in Ruby (Gems), Java (JAR, WAR, EAR, JPI, HPI), JavaScript (NPM, Yarn), Python (Egg, Wheel, Poetry, requirements.txt/setup.py files), Dotnet (deps.json), Golang (go.mod), PHP (Composer), Rust (Cargo), etc.

Here’s an example of scanning an image created in the build process using GitHub Actions:

Vulnerabilities in the Docker image can also be tracked in the GitHub Security dashboard by writing the scan output as a SARIF file. This is how it will look:
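An added example (not the post's own gist) that builds the image locally, scans it with Grype via the anchore/scan-action before anything is pushed to a registry, fails the build at or above the chosen severity, and uploads the SARIF output to the Security tab. The image name `localbuild/app`, the `high` cutoff and the `main` branch are assumptions.

```yaml
name: build-and-scan-image
on:
  push:
    branches: [main]

jobs:
  image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF to code scanning
    steps:
      - uses: actions/checkout@v3
      - name: Build the image locally (not pushed; the scan gates any registry push)
        run: docker build -t localbuild/app:${{ github.sha }} .
      - name: Scan the freshly built image with Grype
        id: scan
        uses: anchore/scan-action@v3
        with:
          image: localbuild/app:${{ github.sha }}
          fail-build: true           # break the build on findings at or above the cutoff
          severity-cutoff: high
          output-format: sarif
      - name: Upload SARIF to GitHub code scanning
        if: always()                 # still upload when the scan step failed the build
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

Because the scan runs against the exact image the build produced (tagged with the commit SHA), the dashboard entry is tied to the commit that introduced the vulnerable package.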

SARIF Output from Grype workflow tracked in Github Security Dashboard

Visualized Workflow of an Ideal DevSecOps CI/CD Pipeline

DevSecOps ShiftLeft Ideal Workflow

Conclusion

A security-first CI/CD mindset emphasizes proactive measures to identify and mitigate vulnerabilities at every stage of the development process. By adopting this mindset, organizations can reduce the risk of security breaches, data leaks, and other cyber threats. DevSecOps encourages collaboration and communication between development, security, and operations teams, fostering a culture where security is a shared responsibility.

By leveraging tools like Semgrep, Gitleaks, and Grype, DevSecOps engineers can embed security into their day-to-day activities rather than treating it as an afterthought. These tools promote a security-first mindset by automating security checks, identifying vulnerabilities, and providing actionable insights to remediate them. With a DevSecOps approach supported by these tools, organizations can strengthen their security posture, protect their applications, and build trust with their users.

That’s it for Part 2. In Part 3, we’ll see more tools and hands-on exercises that DevOps teams can apply to their monitoring workflow. In case you want to revisit Part 1, you can find it here.

For more updates on the latest tools and technologies, follow the Simform Engineering blog.
