Secure Your Code Implement DevSecOps in Azure
0 likes445 views
The document discusses the integration of DevSecOps practices in Azure, emphasizing the importance of security throughout the development lifecycle. It covers topics such as security automation, vulnerability assessment, and implementing best practices using Azure tools, GitHub, and third-party solutions. Additionally, it provides a step-by-step demo for setting up a secure CI/CD pipeline in Azure DevOps using various integrated services.
![DEMO: Implement Security in Azure DevOps CI/CD
Anchore : HELM Configuration
apiVersion: v
1
kind: ServiceAccoun
t
metadata
:
name: tille
r
namespace: kube-syste
m
--
-
apiVersion: rbac.authorization.k8s.io/v
1
kind: ClusterRol
e
metadata
:
name: kube-dashboar
d
rules
:
- apiGroups: ["*"
]
resources: ["*"
]
verbs: ["*"
]
--
-
apiVersion: rbac.authorization.k8s.io/v
1
kind: ClusterRoleBindin
g
metadata
:
name: tille
r
roleRef
:
apiGroup: rbac.authorization.k8s.i
o
kind: ClusterRol
e
name: cluster-admi
n
subjects
:
- kind: ServiceAccoun
t
name: tille
r
namespace: kube-syste
m
--
-
apiVersion: rbac.authorization.k8s.io/v
1
kind: ClusterRoleBindin
g
metadata
:
name: rook-operato
r
namespace: rook-syste
m
roleRef
:
apiGroup: rbac.authorization.k8s.i
o
kind: ClusterRol
e
name: kube-dashboar
d
subjects
:
- kind: ServiceAccoun
t
name: kubernetes-dashboar
d
namespace: kube-system
• create a file name helm-rbac.yaml
• execute sudo vim helm-rbac.yaml
• add configuration same as given code block
• execute kubectl apply - f helm-brac.yaml command](https://image.slidesharecdn.com/secureyourcodeimplementdevsecopsinazure-210419072541/85/Secure-Your-Code-Implement-DevSecOps-in-Azure-60-320.jpg)
Secure Your Code Implement DevSecOps in Azure
- 1. Secure Your Code : Implement DevSecOps in Azure 21 Feb 2021 @srkbngl
- 2. Who am I? Serkan Bingöl Cloud & DevOps Consultant @kloia MCSD / MCT / AAI / AWS Certified Blog : medium.com/@serkanbingoll Tweet : @srkbngl LinkedIn : /in/sbingol GitHub : github.com/serkanbingol
- 3. Agenda • What is Dev{Sec}Ops ? • DevSecOps in GitHub & Demos • DevSecOps in Azure • 3rd Party DevSecOps Tools • DEMO : Implement Security in Azure DevOps CI/CD • Q & A
- 4. What is Dev{Sec}Ops ? DevOps is the union of people, process, and technology to enable continuous delivery of value to your end users. DevSecOps is a cultural movement that furthers the movements of Agile and DevOps into Security Automation + Security image from https://www.recordedfuture.com/ image from https://stackify.com/devops-engineer-starter-guide/
- 5. What is Dev{Sec}Ops ? DEV : OPS :SEC Ratio - 100:10:1 “The ratio of engineers in Development, Operations, and Infosec in a typical technology organization is 100:10:1. When Infosec is that outnumbered, without automation and integrating information security into the daily work of Dev and Ops, Infosec can only do compliance checking, which is the opposite of security engineering—and besides, it also makes everyone hate us.” image from https://twitter.com/joshcorman/status/644153295464960000
- 6. What is Dev{Sec}Ops ? Discover vulnerability during the development. * Slide 9 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
- 7. What is Dev{Sec}Ops ? More we code , more we need security. Insecure code causes breaches Source: 2019 Data Breach Investigations Report, Verizon 53% of breaches are caused by weaknesses in applications. Report link : https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
- 8. What is Dev{Sec}Ops ? Security Patterns : Old Path Vs. New Path • Embrace Secrecy • Just Pass Audit! • Enforce Stability • Build a Wall • Slow Validation • Certainly Testing • Test When DONE ! • Process Driven • Create Feedback Loops • Compliance adds Value • Create Chaos • Zero Trust Networks • Fast and Non-Blocking • Adversity Testing • Shift Left • The Paved Road image from https://wellbeingeconomy.org/
- 9. What is Dev{Sec}Ops ? Azure Patterns: Infrastructure Planning ✘Subscription per environment ✘Apply policies to control transparently and proactively ✘ Security Center ON from day 1 ✘Infrastructure as code. Period ✘ Production ONLY for CI/CD pipelines ✘ CI/CD pipeline is a heart of security image from https://bridgecrew.io/blog/infrastructure-as-code-security-101/
- 10. What is Dev{Sec}Ops ? Azure Patterns: Watch Every Step • Threat modeling • IDE Security plugins • Pre-commit hooks • Peer review • Static code analysis • Security unit tests • Container Security • Dependency management • IaC • Security scanning • Cloud configuration • Security acceptance tests • Security smoke tests • Security Configuration • Secret Management • Server Hardening • Continuous monitoring • Threat intelligence • Penetration Testing • Blameless postmortems
- 11. DevSecOps in GitHub • Browser-based IDEs with built-in security extensions. • Agents that continuously monitor security advisories and replace vulnerable and out-of-date dependencies. • Search capabilities that scan source code for vulnerabilities. • Action-based workflows that automate every step of development, testing, and deployment. • Spaces that provide a way to privately discuss and resolve security threats and then publish the information. * Combined with the monitoring and evaluation power of Azure, these features provide a superb service for building secure cloud solutions. * https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-github
- 12. DevSecOps in GitHub Foundation of the Enterprise in Cloud : Azure AD • Azure AD auth to GitHub • GitHub auth to Azure portal - SAML SSO - LDAP - RBAC - Required 2FA - GitHub Connect - Audit log
- 13. DevSecOps in GitHub Secure your supply chain * Slide 22 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
- 14. DevSecOps in GitHub Secure your supply chain: GitHub Dependabot Alerts • Automate dependency updates • Identificate vulnerable dependencies Managing Vulnerabilities in your project Dependencies : https://docs.github.com/en/github/managing-security-vulnerabilities/managing-vulnerabilities-in- your-projects-dependencies
- 15. DevSecOps in GitHub Secure your supply chain: GitHub Dependabot Alerts * Slide 30 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
- 16. DevSecOps in GitHub Secure your repository: GitHub Secret Scanning • Scan and detect secrets in your repository • Lots of service providers * Secret scanning is available in public repositories, and in private repositories owned by organizations with an Advanced Security license. Configuring secret scanning for your repositories : https://docs.github.com/en/github/administering-a-repository/configuring-secret-scanning-for- your-repositories - Atlassian - Azure - AWS - Alibaba Cloud - Google Cloud - Stripe - ……
- 17. DevSecOps in GitHub Analyse your code * Slide 37 : https://speaking.sasharosenbaum.com/EI8Ioj/slides
- 18. DevSecOps in GitHub Analyse your code: GitHub Code Scanning • Automate your code review. • CodeQL has leading security teams and individuals. • CodeQL has more CVEs than any other static application security testing vendor team. • GitHub is now a CNA. About code scanning : https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about- code-scanning * CVE : Common Vulnerabilities and Exposures ** CNA : CVE Numbering Authority *** Zero-Day : Software vulnerability that is unknown to, or unaddressed by, those who are interested in mitigating it.
- 19. DevSecOps in Azure • Azure AD can be configured as the identity provider for GitHub. • GitHub Enterprise can integrate automatic security and dependency scanning. • Azure Pipelines generates a Docker container image that is stored to Azure Container Registry, which is to be used at release time by Azure Kubernetes Service. • A release on Azure Pipelines integrates the Terraform tool, managing both the cloud infrastructure as code, provisioning resources such as Azure Kubernetes Service, Application Gateway, and Azure Cosmos DB. • Azure Security Center will be able to do active threat monitoring on the Azure Kubernetes Service, on both Node level (VM threats) and internals. * https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-in-azure
- 20. DevSecOps in Azure Infrastructure as Code : Terraform • Deliver Infrastructure as Code Terraform is commercial templating tool that can provision cloud-native applications across all the major cloud players: Azure, Google Cloud Platform, AWS, and AliCloud. Instead of using JSON as the template definition language, it uses the slightly more terse YAML. Infrastructure as code with Microsoft: https://docs.microsoft.com/en-us/dotnet/architecture/cloud-native/infrastructure-as-code - Write : Write infrastructure as code using declarative configuration files. - Plan : Check whether the execution plan for a configuration matches your expectations before provisioning or changing infrastructure. - Apply : Apply changes to hundreds of cloud providers to reach the desired state of the configuration. image from https://adinermie.com/
- 21. DevSecOps in Azure Policy-as-code : Azure Policy • Understand evaluation outcomes • Control the response to an evaluation • Remediate non-compliant resources • Single source of truth Azure Policy is a service that offers both built-in and user-defined policies across categories mapping the various Azure services such as Compute, Storage or even AKS. These policies can be defined on the Azure Portal and assigned to one or more subscriptions/resource groups. Azure Policy documentation : https://docs.microsoft.com/en-us/azure/governance/policy/ image from https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-terraform
- 22. DevSecOps in Azure Maintain your keys : Azure Key Vault • Centralize application secrets • Securely store secrets and keys • Simplified administration of application secrets • Integrate with other Azure services Azure Key Vault helps solve “Secrets Management” , “Key Management” and “Certificate Management” problems. Azure Key Vault documentation : https://docs.microsoft.com/en-us/azure/key-vault/general/overview image from https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal
- 23. DevSecOps in Azure Keep your resources safe: Azure Security Center • Strengthen security posture • Protect against threats • Get secure faster • Prioritize your security work Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises. Azure Security Center documentation : https://docs.microsoft.com/en-us/azure/security-center/ image from https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction
- 24. 3rd Party DevSecOps Tools Check open source components : Whitesource Bolt • WhiteSource Secures & Manages Your Open Source Usage • Get Real-Time Alerts on Security Vulnerabilities • Ensure license compliance • Automated Up-to-Date Inventory Reports WhiteSource Bolt scans all your projects and detects open source components, their license and known vulnerabilities. Not to mention, it also provide fixes. Whitesource Bolt Ver. 1.0 documentation : https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt Whitesource Bolt Ver. 2.0 documentation : https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2 image from https://marketplace.visualstudio.com/items?itemName=whitesource.whiteSource-bolt-v2
- 25. 3rd Party DevSecOps Tools Demonstrate security and penetration testing: WebGoat • Learn the hack - Stop the attack • Test vulnerabilities • Create a de-facto interactive teaching environment WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. WebGoat documentation : https://github.com/WebGoat/WebGoat image from https://www.zupzup.org/websecurity-with-webgoat
- 26. 3rd Party DevSecOps Tools Create security report : Microsoft Security Code Analysis • Simple configuration and execution • Keep builds clean • Auto-Update • Break the build • Scan Credentials The Microsoft Security Code Analysis extension empowers you to do so, easily integrating the running of static analysis tools in your Azure DevOps pipelines.. Microsoft Security Code Analysis Extension documentation : https://secdevtools.azurewebsites.net/ image from https://techdailychronicle.com/
- 27. 3rd Party DevSecOps Tools Scan containers for the security and compliance: Anchore The Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. The Anchore Engine is provided as a Docker container image that can be run standalone or within an orchestration platform such as Kubernetes, Docker Swarm, Rancher, Amazon ECS, and other container orchestration platforms. Anchore documentation : https://anchore.com/opensource/ image from https://anchore.com/blog/enhanced-vulnerability-data/ Configure Anchore to authenticate with Azure Container Registry (ACR) and analyze an image.
- 28. DEMO: Implement Security in Azure DevOps CI/CD Prerequisites • An Azure subscription • Azure DevOps account • GitHub Account Steps • Create Azure DevOps project and prepare WebGoat source code • Create container registry with ACR and Azure Key Vault • Configure CI/CD pipeline for Webgoat • Check open source components with Whitesource Bolt • Scan containers with Anchore for the security with AKS • Helm CLI • Anchore CLI • Kubectl
- 29. DEMO: Implement Security in Azure DevOps CI/CD Install Required CLI’s Azure CLI : https://docs.microsoft.com/en-us/cli/azure/install-azure-cli Helm CLI : https://helm.sh/docs/intro/install/ Kubectl : https://kubernetes.io/docs/tasks/tools/install-kubectl/ Anchore CLI : https://github.com/anchore/anchore-cli Anchore CLI for Mac M1 : https://www.dynamsoft.com/codepool/python-barcode-apple-m1-mac.html
- 30. DEMO: Implement Security in Azure DevOps CI/CD Azure DevOps & Azure Subscription Connections Connect your organization to Azure Active Directory : https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to- azure-ad?view=azure-devops
- 31. DEMO: Implement Security in Azure DevOps CI/CD Create Azure DevOps Project Create a project in Azure DevOps : https://docs.microsoft.com/en-us/azure/devops/organizations/projects/create-project? view=azure-devops&tabs=preview-page
- 32. DEMO: Implement Security in Azure DevOps CI/CD Create a new Git repo in your project Create a new Git repo in your project : https://docs.microsoft.com/en-us/azure/devops/repos/git/create-new-repo?view=azure-devops WebGoat GitHub project : https://github.com/WebGoat/WebGoat
- 33. DEMO: Implement Security in Azure DevOps CI/CD Update WebGoat dockerfile version
- 34. DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Login & Set Subscription Sign in with Azure CLI : https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli
- 35. DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Create Resource Group Create Azure Resource Group : https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli azure-cli command az group create --name webGoatKonfRG --location westeurope
- 36. DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Create Azure Container Registry azure-cli command az acr create --resource-group webGoatKonfRG --name webGoatKonfACR --sku Basic --admin-enabled true -- location westeurope Create Azure Container Registry : https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-cli
- 37. DEMO: Implement Security in Azure DevOps CI/CD Azure CLI : Azure Key Vault azure-cli command az keyvault create --name "webGoatKonfKV" --resource-group "webGoatKonfRG" --location westeurope Create Azure Key Vault : https://docs.microsoft.com/bs-cyrl-ba/Azure/key-vault/general/quick-create-cli
- 38. DEMO: Implement Security in Azure DevOps CI/CD Check Azure Resources - Resource Group , ACR , Key Vault
- 39. DEMO: Implement Security in Azure DevOps CI/CD Get Azure CR Credentials Azure Container Registry Documentation : https://docs.microsoft.com/en-us/azure/container-registry/
- 40. DEMO: Implement Security in Azure DevOps CI/CD Create secrets Azure Key Vault Use acrUsername and acrPassword names and set ACR credentials as value.
- 41. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Use the classic editor to create a pipeline without YAML. Create your first pipeline : https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure- devops&tabs=java%2Ctfs-2018-2%2Cbrowser
- 42. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Use Empty job to start. Select ubuntu-18.04 agent for agent job.
- 43. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Add Maven task to then “Advanced” step set MAVEN_OPT to -Xmx3072m .
- 44. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Add Docker task. Select webgoat-server folder dockerfile to build. Add Latest to tags. Create new Container Registry connection with New button. Last step Save & Queue .
- 45. DEMO: Implement Security in Azure DevOps CI/CD Configure Build Pipeline Build will take approximately 5 mins then check build pipeline finished with successful.
- 46. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Artifact Define your multi-stage continuous deployment (CD) pipeline : https://docs.microsoft.com/en-us/azure/devops/pipelines/release/define-multistage-release-process?view=azure-devops
- 47. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Define your multi-stage continuous deployment (CD) pipeline : https://docs.microsoft.com/en-us/azure/devops/pipelines/release/define-multistage-release-process?view=azure-devops
- 48. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Tasks azure-cli command az container create --resource-group $(resourceGroup) --name $(containerGroup) --image $(acrRegistry)/$(imageRepository):$(Build.BuildId) --dns-name-label $ (containerDNS) --ports 8080 --registry-username $(acrUsername) --registry-password $(acrPassword) Add Azure CLI task. Select Azure Subscription created before. Select Inline Script. Add cli command given above to Inline Script area.
- 49. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Variables - Non-sensitive In variables section for non-sensitive variables add resourceGroup , containerGroup , acrRegistry , containerDNS , imageRepository names with values of webGoatKonfRG , webgoatkonfcg , webgoatkonfacr.azurecr.io, webgoatkonfdns , webgoat-8.1 in a row under Pipeline variables area. Get values from webGoatKonfACR named container registry to use in release pipeline variables.
- 50. DEMO: Implement Security in Azure DevOps CI/CD Configure Release Pipeline : Add Stage Variables - Sensitive For sensitive variables select variable groups under release pipeline variables title and link it with created from Azure Key Vault service. Create Variable Group from Azure Key Vault under library menu from Pipelines section.
- 51. DEMO: Implement Security in Azure DevOps CI/CD Create Release You need a manually approve to deploy created artifact by pushing deploy button in Stage 1 Create a new release under release pipeline by clicking Create New Release button.
- 52. DEMO: Implement Security in Azure DevOps CI/CD Check Azure Container Instances After create a successful deployment go to Azure Container Instance service to get our container published web link.
- 53. DEMO: Implement Security in Azure DevOps CI/CD Browse WebGoat and Learn Security ! WebGoat Container Browse Link : http://ACI_FQDN:8080/WebGoat WebGoat Official Page : https://owasp.org/www-project-webgoat/ *ACI_FQDN is our container instance FQDN
- 54. DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: check open source components Add Whitesource Bolt extension to build pipeline from Visual Studio Marketplace
- 55. DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: check open source components WhiteSource Bolt Documentation : https://marketplace.visualstudio.com/items?itemName=whitesource.ws-bolt
- 56. DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: check open source components After adding Whitesource Bolt extension rebuild pipeline to get reports.
- 57. DEMO: Implement Security in Azure DevOps CI/CD Whitesource Bolt: Check Vulnerability Reports After build pipeline Whitesource Bolt extension creates vulnerability reports.
- 58. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Create AKS Cluster on WebGout Resource Group Install Anchore server on AKS with Helm : https://anchore.com/blog/azure-anchore-kubernetes-service-cluster-with-helm/ azure-cli command az aks create --resource-group webGoatKonfRG --name anchoreAKSCluster --node-count 3 --enable- addons monitoring --generate-ssh-keys
- 59. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Get credentials for AKS cluster and check credentials cli commands Get credentials : az aks get-credentials --resource-group webGoatKonfRG --name anchoreAKSCluster Get nodes : kubectl get nodes Browse aks cluster : az aks browse --resource-group webGoatKonfRG --name anchoreAKSCluster
- 60. DEMO: Implement Security in Azure DevOps CI/CD Anchore : HELM Configuration apiVersion: v 1 kind: ServiceAccoun t metadata : name: tille r namespace: kube-syste m -- - apiVersion: rbac.authorization.k8s.io/v 1 kind: ClusterRol e metadata : name: kube-dashboar d rules : - apiGroups: ["*" ] resources: ["*" ] verbs: ["*" ] -- - apiVersion: rbac.authorization.k8s.io/v 1 kind: ClusterRoleBindin g metadata : name: tille r roleRef : apiGroup: rbac.authorization.k8s.i o kind: ClusterRol e name: cluster-admi n subjects : - kind: ServiceAccoun t name: tille r namespace: kube-syste m -- - apiVersion: rbac.authorization.k8s.io/v 1 kind: ClusterRoleBindin g metadata : name: rook-operato r namespace: rook-syste m roleRef : apiGroup: rbac.authorization.k8s.i o kind: ClusterRol e name: kube-dashboar d subjects : - kind: ServiceAccoun t name: kubernetes-dashboar d namespace: kube-system • create a file name helm-rbac.yaml • execute sudo vim helm-rbac.yaml • add configuration same as given code block • execute kubectl apply - f helm-brac.yaml command
- 61. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Install Anchore cli commands Add anchore helm repo : helm repo add anchore https://charts.anchore.io Install anchore helm chart : helm install anchore-demo anchore/anchore-engine cli commands Get deployments : kubectl get deployments Expose API port externally : kubectl expose deployment anchore-demo-anchore-engine-api —type=LoadBalancer --name=anchore-engine —port=8228 View service and external IP : kubectl get service anchore-engine
- 62. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Check Anchore Status cli commands Check status of Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret -- namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -- decode; echo) system status
- 63. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Add Registry and Image to Anchore cli commands Add Registry to Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret -- namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -- decode; echo) registry add --registry-type docker_v2 webgoatkonfacr.azurecr.io webGoatKonfACR LHZiFHz/ YeuQL=wQhHgRGva5MDOMCWdE cli commands Add Image to Anchore : anchore-cli --url http://20.73.32.172:8228/v1 --u admin --p $(kubectl get secret --namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) image add webgoatkonfacr.azurecr.io/webgoat-8.1:Latest
- 64. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Add credentials to Azure Vault For sensitive variables add anchorPassword , anchorUser , anchorServer , azure key vault wallet to use in vulnerability scan task. Don’t forget to link variable group to pipeline. And also don’t forget to add non-sensitive variables to pipeline variables as imageRepository and acrRegistry. cli command for get anchore-cli password kubectl get secret --namespace default anchore-demo-anchore-engine -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo
- 65. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Add new job agent to build pipeline In the Dependencies select agent job, which is responsible for compiling and pushing WebGoat container to ACR. It is important to have that job finished before scans gets triggered as we want to scan the lates image.
- 66. DEMO: Implement Security in Azure DevOps CI/CD Anchore : First Task - Install anchore cli First Bash task is reponsible for installing anchore-cli tool on agent.
- 67. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Second Task - Vulnerability scanner Second Bash task is reponsible for scan for vulnerabilities in the image. Bash task command anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) image vuln $(acrRegistry)/$ (imageRepository):Latest os > image-vuln.json
- 68. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Third Task - Policy scanner Third Bash task is reponsible for scan for policies in the image. Bash task command anchore-cli --json --url $(anchorServer) --u $(anchorUser) --p $(anchorPassword) evaluate check $(acrRegistry)/$ (imageRepository):Latest --detail > image-policy.json
- 69. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Generate Anchore Report Both scan will produce json reports and we need to publish them as pipeline artifact, which can be downloaded after. To do this add two tasks: • Copy Files : contents => *.json , Target Folder => $(Build.ArtifactStagingDirectory) • Publish build artifacts : Path to publish => $(Build.ArtifactStagingDirectory) , Artifact name => Anchore-reports
- 70. DEMO: Implement Security in Azure DevOps CI/CD Anchore : Generate Anchore Report Both scan will produce json reports and we need to publish them as pipeline artifact, which can be downloaded after. To do this add two tasks: • Copy Files : contents => *.json , Target Folder => $(Build.ArtifactStagingDirectory) • Publish build artifacts : Path to publish => $(Build.ArtifactStagingDirectory) , Artifact name => Anchore-reports
- 71. We are a team of experienced and happy high achievers, Knowing that ‘Great vision without great people is irrelevant.’ So: ● Talents determine the positions, we do not miss the best, ● We hire the best and providing them the best, pecuniary and non-pecuniary, ● We set high standards, so you better have those as well, ● Stunning colleagues means a great workplace, and the motive to be online. If you have the Stunning ‘Kloian’ essence or potential by being: ● No Bullshit ● Self-motivated and Reliable ● Optimistic and Focused ● Happy and Fun ● Flexible and Trustworthy ● Willing and Creative ● Open minded and Kind (Majority of above, if not all.) You are more than welcome to apply: [email protected] Come Join Us, The Kloians:
- 72. Q & A RESOURCES MENTIONED IN THIS SESSION https://github.com/kloia/dotnetkonf21-Azure-DevSecOps Thank you for listening. blog.kloia.com @kloia_com kloia.com