Inspiration

As we know, security should be of utmost importance while developing any application or software, so after the successful development of an application, a tester performs testing on the code. In this project, I have created a DevSecOps pipeline that continuously checks for bugs, vulnerabilities, and security issues during the development of the software. This helps to find security issues and bugs in the source code at regular intervals rather than only at the end.

What it does

I have integrated security tools like Snyk and SonarCloud into this project, which perform testing on the source code and indicate security issues in the code.

  1. SAST (Static Application Security Test): This tool detects bugs, vulnerabilities, code smells, and security flaws in source code.
  2. SCA (Software Composition Analysis): This tool scans third-party libraries for security flaws.
  3. DAST (Dynamic Application Security Test): This tool identifies security issues in the deployed, running application, such as the kinds of attacks it is exposed to, and also suggests fixes for these issues.

How I built it

  1. First of all, I created an EC2 instance on AWS, then installed Node.js, npm, pm2, and nodemon on it.
  2. I added this instance as a self-hosted runner on GitHub, i.e., on the GitHub repo > Settings > Runners.
  3. I ran the runner setup commands on the EC2 instance so that our Node.js code is deployed on this instance.
  4. Once any commit happens on our GitHub repo, it triggers a GitHub Actions workflow file, which deploys the latest changes to the EC2 instance.
  5. I also integrated security tools like Snyk, SonarCloud, and ZAP to find the different types of security issues present in the source code.
  6. So while deploying the latest changes from GitHub to EC2, the pipeline scans for bugs, security issues, code smells, hotspots, and vulnerabilities in third-party libraries.
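An added example of the workflow file that step 4 refers to, written for this write-up and not taken from the project itself: it runs the Snyk (SCA) and SonarCloud (SAST) scans on a GitHub-hosted runner, deploys to the self-hosted EC2 runner only if those scans pass, and then runs a ZAP baseline (DAST) scan against the deployed URL. The action versions, the secret and variable names (SNYK_TOKEN, SONAR_TOKEN, APP_URL), the app.js entry point, and the presence of a sonar-project.properties file in the repo are assumptions.

```yaml
name: devsecops-pipeline

on:
  push:
    branches: [main]

jobs:
  sast-and-sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # full history gives SonarCloud better blame data

      # SCA: scan third-party npm dependencies for known vulnerabilities.
      - name: Snyk dependency scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # assumed repository secret
        with:
          args: --severity-threshold=high   # fail the job on high/critical findings

      # SAST: bugs, code smells and security hotspots in our own source.
      # Assumes sonar-project.properties (organization, projectKey) is in the repo.
      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # assumed repository secret

  deploy:
    needs: sast-and-sca            # nothing reaches EC2 unless both scans pass
    runs-on: self-hosted           # the EC2 instance registered as a runner
    steps:
      - uses: actions/checkout@v4
      - run: npm ci                # reproducible install from package-lock.json
      # app.js / process name "app" are assumed; restart if running, else start.
      - run: pm2 restart app --update-env || pm2 start app.js --name app

  dast:
    needs: deploy
    runs-on: ubuntu-latest
    steps:
      # DAST: passive baseline scan of the app now running on the EC2 instance.
      - name: OWASP ZAP baseline scan
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: ${{ vars.APP_URL }}   # assumed repo variable, e.g. http://<ec2-host>:3000
```

Because `deploy` depends on `sast-and-sca`, a high-severity Snyk finding or a failed SonarCloud quality gate stops the push before it ever reaches the instance, which is the gate this pipeline is meant to provide.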

Challenges we ran into

Challenges that I faced while creating this project were: the Node.js installation, as it was not compatible with my Node.js code. Then I faced an issue in the SAST test.

Accomplishments that we're proud of

So far I am most proud that I completed this project successfully. I have a passion to learn new trends and technologies in the field of Cloud and DevOps. I love setting goals and pursuing them with my work, dedication, and enthusiasm.

What we learned

In this project, I have learned how we can improve the SDLC by integrating security tools into the deployment pipeline. So, it is very helpful to find security issues before going live with the application in a production environment.

What's next for DevSecOps Pipeline

So, with this approach, we can integrate security tools into the deployment of any type of application.