DWX 2022 - DevSecOps mit GitHub
•
0 gefällt mir•47 views
GitHub investierte sehr stark im Bereich Security und hat als weltweit grösste Open-Source-Plattform auch die ideale Basis, um Abhängigkeiten und Schwachstellen viel genutzter Bibliotheken zu analysieren und zu notifizieren. In öffentlichen wie auch in privaten Repositories in GitHub Enterprise Cloud und GitHub Enterprise Server stehen einem unter dem Betriff "GitHub Advanced Security" eine Vielzahl von Sicherheitsfunktionen zur Verfügung. Dieser Vortrag zeigt die Funktionsweise der Features Code Scanning, Secret Scanning und Dependency Review auf. GitHub Actions und Pull Requests runden die Werkzeugkiste für einen erfolgreichen DevSecOps-Prozess ab.
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie DWX 2022 - DevSecOps mit GitHub
Ähnlich wie DWX 2022 - DevSecOps mit GitHub (20)
Mehr von Marc Müller
Mehr von Marc Müller (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
DWX 2022 - DevSecOps mit GitHub
- 8. ▪ ▪ ▪
- 11. GitHub Cloud GitHub Free GitHub Team GitHub Enterprise On-Premises GitHub Enterprise Server
- 17. ▪ ▪ ▪
- 18. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
- 21. • • • • •
- 22. Azure DevOps GitHub Project Management Azure Boards Projects, Discussions, Issues Burndown Analytics Azure Boards GitHub Analytics Code Editing n/a Codespaces and github.dev Continuous Integration Azure Pipelines GitHub Actions Deploy & Release Azure Pipelines / Azure Artifacts GitHub Actions / GitHub Packages Manual testing Azure Test Plans n/a Code security n/a Advanced Security Analytics Analytics Service Insights
- 25. Commit message Action Fixed AB#123 Links and transitions the work item to the "done" state. Adds a new feature, fixes AB#123. Links and transitions the work item to the "done" state. Fixes AB#123, AB#124, and AB#126 Links to Azure Boards work items 123, 124, and 126. Transitions only the first item, 123 to the "done" state. Fixes AB#123, Fixes AB#124, Fixes AB#125 Links to Azure Boards work items 123, 124, and 126. Transitions all items to the "done" state. Fixing multiple bugs: issue #123 and user story AB#234 Links to GitHub issue 123 and Azure Source: https://docs.microsoft.com/en-us/azure/devops/boards/github/link-to-from-github?view=azure-devops
- 34. Assign Issue Create Feature Branch Develop and Commit Push to Remote Create Pull-Request Notify team & wait for review Develop and Commit Approved? Merge PR & delete branch Finished?
- 37. ▪ ▪
- 41. ▪ ▪
- 42. ▪ ▪ ▪ ▪ ▪
- 44. ▪ ▪ ▪ ▪
- 45. Workflow Event ▪ branch_protection_rule ▪ check_run ▪ check_suite ▪ create ▪ delete ▪ deployment ▪ deployment_status ▪ discussion ▪ discussion_comment ▪ fork ▪ gollum ▪ issue_comment ▪ issues ▪ label ▪ milestone ▪ page_build ▪ project ▪ project_card ▪ project_column ▪ public ▪ pull_request ▪ pull_request_comment (use issue_comment) ▪ pull_request_review ▪ pull_request_review_comment ▪ pull_request_target ▪ push ▪ registry_package ▪ release ▪ repository_dispatch ▪ schedule ▪ status ▪ watch ▪ workflow_call ▪ workflow_dispatch ▪ workflow_run Job Step 1: Run action Step 2: Run script Step 3: Run action Step 4: Run action Job Step 1: Run action Step 2: Run script Step 3: Run script Step 4: Run action Runner Run actions Log results Runner Run actions Log results
- 46. Action Docker Container Action JavaScript Action Composite Action
- 48. Source: https://docs.github.com/en/actions/using-workflows/reusing-workflows name: Reusable workflow example on: workflow_call: inputs: username: required: true type: string secrets: token: required: true jobs: example_job: name: Pass input and secrets to my-action runs-on: ubuntu-latest steps: - uses: ./.github/workflows/my-action with: username: ${{ inputs.username }} token: ${{ secrets.token }} jobs: call-workflow-1-in-local-repo: uses: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89 call-workflow-2-in-local-repo: uses: ./.github/workflows/workflow-2.yml call-workflow-in-another-repo: uses: octo-org/another-repo/.github/workflows/workflow.yml@v1
- 49. Reusable workflows Composite actions Cannot call another reusable workflow Can be nested to have up to 10 composite actions in one workflow Can use secrets Cannot use secrets Can use if: conditionals Cannot use if: conditionals Can be stored as normal YAML files in your project Requires individual folders for each composite action Can use multiple jobs Cannot use multiple jobs Each step is logged in real-time Logged as one step even if it contains multiple steps Source: https://github.blog/2022-02-10-using-reusable-workflows-github-actions/
- 50. ▪ ▪ ▪ ▪ ▪ ▪ ▪ → Source: https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners and https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners
- 51. ▪ ▪ name: CI on: push: branches: [ main ] jobs: container-test-job: runs-on: ubuntu-latest container: image: node:14.16 env: NODE_ENV: development ports: - 80 volumes: - my_docker_volume:/volume_mount options: --cpus 1 steps: - name: Check for dockerenv file run: (ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)
- 52. ▪ ▪ → ▪ → ▪ ▪
- 54. Git Container Registry Container Image Container Image CI YAML CI YAML
- 56. Build Test Merge Automatically release to repository Automatically deploy to production
- 59. 1 2 3 4 5 Lines of Code Security Threats Commits mentioning vulnerabilities
- 61. Code CI Deploy: Dev/QA Dev Deploy: Pre- Prod Deploy: Prod Ops Sec
- 62. ▪ ▪ ▪
- 63. Supply Chain • Open-Source Dependencies • Alerts on vulnerabilities Code • Deep scanning for vulnerabilities • i.e. XSS / SQL Injection Development Lifecycle • Higher level insights • Across entire organization
- 66. Source: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance, https://blog.sonatype.com/npm-project-used-by-millions-hijacked-in-supply-chain-attack, https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package- deletes-files-to-protest-ukraine-war/
- 70. ▪ ▪
- 72. ▪ ▪
- 78. ▪ ▪ ▪ ▪
- 80. Custom Community Powered GitHub Powered • Security & Vulnerability • OWASP Top 10 • SANS 25 • Language best practices • …