🛡 DevSecOps: Implement Security on CI/CD Pipeline
What does the DevSecOps pipeline look like?
The pipeline runs through these stages, and each stage gets its own security controls:
➡ Design
➡ Develop
➡ Build
➡ Test
➡ Deploy
➡ Monitor
Here are OSS (open-source software) tools you can use:
Kube-bench — Kubernetes Hardening
ansible-collection-hardening — Linux Hardening
Linkerd or Istio — Service Mesh
OPA(gatekeeper) and Kyverno — Policy
Gitleaks and Trufflehog — Sensitive Information
pyraider — Software Composition Analysis (Python dependency vulnerabilities)
bandit — SAST
SonarLint and SonarQube — Static Code Analysis
Cyclonedx — SBOM
ZAP — DAST
Jmeter — Performance Test
Arachni — Web Application Scanning / Penetration Testing
Terrascan, Tfsec, KubeLinter, Checkov — IaC and Kubernetes manifest scanning
Trivy and Twistlock — Image Scanning (Trivy is OSS; Twistlock is a commercial product, now Prisma Cloud Compute)
Prometheus, Grafana, and Loki — Monitoring (metrics, dashboards, logs)
Elasticsearch, Fluentd, and Kibana — Log aggregation and search
Here are paid tools to consider if you’re more concerned about security:
Snyk — Open Source dependency, Code, Container, and IaC scanning
Fortify — Static Code Analyzer
Codacy — Measure code quality
New Relic — Observability / APM
Dynatrace — Observability / APM
Sysdig — Runtime security and monitoring
Datadog — Observability / APM
Almost all of these tools run as CLIs or containers, so they can be wired into any CI/CD pipeline, like GitHub Actions, GitLab CI, CircleCI, Jenkins, Tekton, or any pipeline that supports container-based jobs.
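Running the scanners is the easy part; the pipeline still needs a step that turns their reports into a pass/fail decision. The script below is an added example (not code from the original post or from any of the tools listed) of such a gate for the Build/Test stages: it parses Gitleaks, Bandit and Trivy JSON output, blocks on HIGH/CRITICAL findings, ignores unfixable image CVEs by policy, and honours time-boxed waivers so an accepted risk cannot silently become permanent. The sample reports are constructed inline (the CVE IDs are placeholders), and the JSON field names are assumptions based on what those tools emitted at the time of writing; check them against your installed versions.

```python
"""CI security gate: aggregate scanner reports into one exit status.

Added example. Field names follow the JSON layouts Gitleaks, Bandit and
Trivy emitted at the time of writing (assumption: verify for your versions).
"""
import json
import sys
from dataclasses import dataclass
from datetime import date

# Constructed sample reports (not real scan output; CVE IDs are placeholders).
GITLEAKS_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "File": "app/config.py", "StartLine": 12,
     "Description": "Generic API Key"},
])
BANDIT_REPORT = json.dumps({"results": [
    {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "app/run.py", "line_number": 40,
     "issue_text": "subprocess call with shell=True identified"},
    {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
     "filename": "tests/test_x.py", "line_number": 5,
     "issue_text": "Use of assert detected"},
]})
TRIVY_REPORT = json.dumps({"Results": [{
    "Target": "app:1.0 (alpine 3.18)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
         "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "HIGH"},
    ]}]})

FAIL_SEVERITIES = {"HIGH", "CRITICAL"}


@dataclass(frozen=True)
class Finding:
    tool: str
    key: str        # stable identifier used to match waivers
    severity: str
    location: str
    detail: str


def parse_gitleaks(raw: str) -> list:
    # Any leaked secret is treated as CRITICAL regardless of rule.
    return [Finding("gitleaks", f"{f['RuleID']}:{f['File']}", "CRITICAL",
                    f"{f['File']}:{f['StartLine']}", f["Description"])
            for f in json.loads(raw)]


def parse_bandit(raw: str) -> list:
    return [Finding("bandit", f"{r['test_id']}:{r['filename']}",
                    r["issue_severity"].upper(),
                    f"{r['filename']}:{r['line_number']}", r["issue_text"])
            for r in json.loads(raw)["results"]]


def parse_trivy(raw: str, require_fix: bool = True) -> list:
    """Image CVEs; by default only those with a fixed version block the build."""
    out = []
    for res in json.loads(raw).get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            if require_fix and not v.get("FixedVersion"):
                continue  # unfixable today: track it, but do not block (policy choice)
            out.append(Finding("trivy", f"{v['VulnerabilityID']}:{v['PkgName']}",
                               v["Severity"].upper(), res["Target"],
                               f"{v['PkgName']} {v['InstalledVersion']} -> {v['FixedVersion']}"))
    return out


def evaluate(findings: list, waivers: dict, today: date) -> list:
    """Return the findings that block the pipeline.

    waivers maps finding.key -> expiry date; an expired waiver is ignored.
    """
    blocking = []
    for f in findings:
        if f.severity not in FAIL_SEVERITIES:
            continue
        expiry = waivers.get(f.key)
        if expiry is not None and expiry >= today:
            continue
        blocking.append(f)
    return blocking


def main() -> int:
    findings = (parse_gitleaks(GITLEAKS_REPORT) + parse_bandit(BANDIT_REPORT)
                + parse_trivy(TRIVY_REPORT))
    # Hypothetical waiver: the shell=True call was reviewed and accepted until the date shown.
    waivers = {"B602:app/run.py": date(2099, 1, 1)}
    blocking = evaluate(findings, waivers, date.today())
    for f in blocking:
        print(f"[{f.tool}] {f.severity} {f.location}: {f.detail}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main())
```

In a real job you would replace the inline strings with the report files each tool writes (for example `gitleaks detect --report-format json`, `bandit -f json`, `trivy image --format json`) and keep the waiver list in the repository so that every accepted risk has a reviewer and an expiry visible in the commit history.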