top of page

Docker CI/CD Pipeline for DevSecOps Using GitHub Actions

What is DevSecOps?

DevSecOps is an acronym that stands for development, security, and operations. It is a cultural, automation, and platform design strategy that incorporates security as a shared responsibility across the whole IT lifecycle.

DevSecOps vs. DevOps

DevOps is more than simply development and operations teams. If you want to fully benefit from the agility and responsiveness of a DevOps strategy, IT security must be incorporated across the whole life cycle of your apps.

Why? Previously, the responsibility of security was limited to a single team in the final stages of development. That wasn’t so bad when development cycles spanned months or even years, but those days are long gone. Effective DevOps provides quick and frequent development cycles (often weeks or days), but even the most effective DevOps endeavours can be undone by outmoded security standards.

DevOps security is automated

Maintaining short and frequent development cycles, integrating security measures with minimal disruption to operations, staying current with innovative technologies like containers and microservices, and fostering closer collaboration between commonly isolated teams—this is a tall order for any organisation. All of these activities begin at the human level—with the intricacies of collaboration within your organization—but automation is the enabler of those human improvements in a DevSecOps framework.

But what to automate, and how?

This covers source control repositories, container registries, the CI/CD pipeline, application programming interface (API) administration, orchestration and release automation, and operational management and monitoring.

DevOps security is built for containers and microservices

Containers have revolutionised the way many businesses operate due to their increased size and more dynamic infrastructure. As a result, DevOps security procedures must evolve to fit the new environment and adhere to container-specific security rules.

Static security policies and checklists don’t work well with cloud-native solutions. Rather, security must be ongoing and integrated across the whole life cycle of the app and infrastructure.

DevSecOps entails incorporating security into app development from start to finish. This pipeline integration necessitates a shift in organisational attitude as much as it necessitates new tools. With this in mind, DevOps teams should automate security to secure the broader environment and data, as well as the continuous integration/continuous delivery process—a goal that will almost certainly involve microservices security in containers.

Levels of Security

1. Environment and data security

  • Standardize and automate the environment: To reduce illegal connections and access, each service should have the fewest privileges feasible.

  • Unify user identification and access control capabilities: Because authentication occurs at various places, tight access control and centralised authentication procedures are critical for protecting microservices.

  • Separate containers running microservices from one another and from the network: This covers both in transit and at rest data, as both might be high-value targets for attackers.Encrypt data between apps and services: A container orchestration platform with integrated security features helps minimize the chance of unauthorized access.

  • Demonstrate secure API gateways: Secure APIs improve authorisation and route visibility. Organizations can limit attack surfaces by decreasing exposed APIs.

2. CI/CD process security

  • Integrate container security scanners: This should be part of the process of adding containers to the registry.

  • Automate security testing in the CI process by running security static analysis tools as part of builds and checking any pre-built container images for known security vulnerabilities as they are pushed into the build pipeline.

  • Incorporate automated security tests into the acceptance testing process: Automate input validation checks, as well as authentication, verification, and permission functions.

  • Automate security updates, such as patches for known vulnerabilities: Use the DevOps pipeline to do this. It should remove the requirement for administrators to enter into production systems while also producing a documented and verifiable change record.

  • Automate system and service configuration management capabilities: This ensures that security regulations are followed and that human mistakes are avoided. Auditing and remediation should also be automated.

 

The Three Faces of DevSecOps

DevSecOps simply means the following:

  1. To introduce security into DevOps culture

  2. To secure DevOps methodologies

  3. To secure DevOps tools

1. Introducing Security into DevOps Culture

The culture factor, particularly the concept of shared ownership, which brought Dev and Ops teams together, is the cornerstone of every DevOps programme. So, all we have to do now is bring InfoSec into the room and hope for the best, right? Perhaps, but it took nearly a decade to get traction in developing this collaborative atmosphere.

It’s critical to remember that technological change takes time, so we can let our teams adapt at their own speed. For example, in established firms with different units, we found it dangerous to go on a DevOps path while also including security. It can be significantly more expensive and time-consuming than starting from scratch with a company.

To help understand how the IT industry got into this moment, Figure 1-1 illustrates how we used to create software in the old times of the waterfall model, composed of a linear workflow.


Fig. 1.1 Waterfall model’s workflow

In 2001, the Agile movement recognised that any software project is continually evolving and advocated for the abolition of the concept of linear workflow. The Agile development process enabled developers to obtain earlier input from their clients and discover problems before the product reached deployment, as seen in Figure 1.2.


Fig 1.2 The Agile development lifecycle indicates the steady flow of feedback

Flickr automated its infrastructure and attained the process of continuous integration and deployment, as illustrated in Figure 1.3, after Allspaw and Hammond stimulated a cultural shift centred on communication and collaboration between the two teams.


Fig. 1.3 The DevOps infinity loop demonstrates how the collaboration between development and operations teams resulted in continuous integration and continuous deployment.

DevSecOps is a development of DevOps, much as DevOps is an extension of Agile.

2. Securing DevOps Methodologies

The DevOps movement, like Agile, altered software development and delivery processes. It introduced a slew of new concepts to the industry, including continuous integration and continuous delivery (CI/CD) pipelines. The workflow of a typical CI/CD pipeline flows from left to right, as represented in Figure 1.4, to help automate the stages between a developer’s submission of their code into the repository and the release of that code into production.

Fig. The workflow of a typical CI/CD pipeline moves left to right.

3. Securing DevOps Tools

Cloud computing is more likely to be used by elite and high-performance firms that use DevOps owing to benefits such as cost visibility, quick auto-scaling, and stability.

The most difficult component to grasp was cloud-native security, because the usual software stack has become much too large and scattered to comprehend. If you come from an InfoSec background and are new to DevSecOps, in-depth security modelling may make difficult things easier to understand. Consider cloud-native security in terms of four levels, sometimes known as the 4Cs:

  1.  Code security

  2.  Container security

  3. Cluster security

  4. Cloud security

Why Adopt DevSecOps?

Here are four good reasons to adopt DevSecOps:

  1. The current wave of digital transformation has transformed every corporation into a software-centric organisation.

  2. It can assist to cut expenses while enhancing the quality of software delivery.

  3. DevSecOps minimises cloud computing complication.

  4. The inevitable next step is DevSecOps.

Vulnerability Scanner for Container Images

Grype is a container image and filesystem vulnerability scanner. The utility retrieves a catalogue of vulnerabilities from the publicly accessible Anchore Feed Service. This database is updated at the start of each scan, but it may also be updated manually.

Grype installation and setup instructions can be found at https://github.com/anchore/grype.git

Some of the features with this tool are:

  • Search for known vulnerabilities in the contents of a container image or filesystem.

  • Look for flaws in important operating system packages.

  • Look for vulnerabilities in language-specific programmes.

  • Both Docker and OCI image formats are supported.

Example : DevSecOps Docker Pipeline


This example shows how to create a DevSecOps Docker Pipeline using GitHub actions (GitHub’s CI/CD tool).

Step 1: Clone the GitHub repo.

Step 2: Commit the changes & push it to your GitHub account.

The GitHub actions detect changes in the repository and then scan the code with the vulnerability scanner tool “Grype.” Finally, it will create and scan the container images before pushing the docker image to Docker-Hub if no vulnerabilities are found in the image.

4 views0 comments

Kommentare


bottom of page