From b58cc9fe03eff097dc7a80fcd8c5e7eec8046cfc Mon Sep 17 00:00:00 2001
From: meleksabit
Date: Thu, 29 Aug 2024 02:19:45 +0300
Subject: [PATCH 1/5] add devsecops_pipeline.py
---
 devsecops_pipeline.py | 64 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 devsecops_pipeline.py
diff --git a/devsecops_pipeline.py b/devsecops_pipeline.py
new file mode 100644
index 0000000..045a782
--- /dev/null
+++ b/devsecops_pipeline.py
@@ -0,0 +1,64 @@
+import os
+import subprocess
+import sys
+
+# Helper function to run shell commands
+def run_command(command, cwd=None):
+    result = subprocess.run(command, shell=True, cwd=cwd, text=True, capture_output=True)
+    if result.returncode != 0:
+        print(f"Error: Command '{command}' failed with exit code {result.returncode}")
+        print(result.stdout)
+        print(result.stderr)
+        sys.exit(result.returncode)
+    return result.stdout
+
+# Static Code Analysis and Code Coverage (using SonarQube)
+def run_sonarqube_analysis(path):
+    print("Running SonarQube for static code analysis and code coverage...")
+    run_command(f"sonar-scanner -Dsonar.projectBaseDir={path}")
+
+# Dependency Checking (using Safety)
+def run_safety():
+    print("Running Safety for dependency checking...")
+    run_command("safety check --full-report")
+
+# Secret Scanning (using TruffleHog)
+def run_trufflehog(path):
+    print("Running TruffleHog for secret scanning...")
+    run_command(f"trufflehog {path}")
+
+# Infrastructure as Code Scanning (using Terraform and Snyk)
+def run_terraform_scan(path):
+    print("Running Snyk for Terraform IaC scanning...")
+    run_command(f"snyk iac test {path}")
+
+# Code Coverage and Linting (using Pylint)
+def run_pylint(path):
+    print("Running Pylint for code linting...")
+    run_command(f"pylint {path}")
+
+# Main function to orchestrate the DevSecOps pipeline
+def main():
+    project_path = os.getcwd()
+
+    # Static Analysis and Code Coverage with SonarQube
+    run_sonarqube_analysis(project_path)
+
+    # Dependency Checking
+    run_safety()
+
+    # Secret Scanning
+    run_trufflehog(project_path)
+
+    # Terraform IaC Scanning
+    terraform_path = os.path.join(project_path, 'terraform')
+    if os.path.exists(terraform_path):
+        run_terraform_scan(terraform_path)
+
+    # Linting
+    run_pylint(project_path)
+
+    print("DevSecOps pipeline completed successfully!")
+
+if __name__ == "__main__":
+    main()
From 8c039b1b89b344a308ad062fe1ecce6ee2ccaf2d Mon Sep 17 00:00:00 2001
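Review bot: `run_command` executes every tool through `subprocess.run(command, shell=True, ...)` while each `run_*` wrapper builds the command line by interpolating `path` into an f-string, so a checkout directory containing spaces or shell metacharacters reaches the shell unquoted and the scanner either sees a broken argument list or the shell interprets the path as syntax. Passing an argv list and dropping `shell=True` takes the shell out of the chain entirely and lets the failure message print the exact argv that failed. Separately, `run_safety` inspects whatever packages are installed in the current interpreter rather than the project's declared dependencies; if the repository ships a requirements file, `safety check -r <requirements-file>` scans that instead. `run_terraform_scan` also presumes a `snyk` binary and its authentication exist on the runner, which nothing in this file provides.
```python
# Helper function to run external tools (argv list, no shell)
def run_command(command, cwd=None):
    # `command` is an argv list; without a shell the path needs no quoting
    result = subprocess.run(command, cwd=cwd, text=True, capture_output=True)
    if result.returncode != 0:
        print(f"Error: Command '{' '.join(command)}' failed with exit code {result.returncode}")
        print(result.stdout)
        print(result.stderr)
        sys.exit(result.returncode)
    return result.stdout

# … unchanged: banner prints in each run_* wrapper; each call becomes an argv list, e.g. …
def run_trufflehog(path):
    print("Running TruffleHog for secret scanning...")
    run_command(["trufflehog", path])
```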
From: meleksabit
Date: Thu, 29 Aug 2024 03:42:33 +0300
Subject: [PATCH 2/5] add devsecops-pipeline workflow
---
 .github/workflows/devsecops-pipeline.yml | 30 ++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/devsecops-pipeline.yml
diff --git a/.github/workflows/devsecops-pipeline.yml b/.github/workflows/devsecops-pipeline.yml
new file mode 100644
index 0000000..c8dd3ac
--- /dev/null
+++ b/.github/workflows/devsecops-pipeline.yml
@@ -0,0 +1,30 @@
+name: DevSecOps Pipeline
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  security-checks:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v2
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install Dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install safety truffleHog sonar-scanner
+
+      - name: Run DevSecOps Pipeline
+        run: python devsecops_pipeline.py
From d3e5daffd2a45a75875b9364638c80375c425ffb Mon Sep 17 00:00:00 2001
From: meleksabit
Date: Thu, 29 Aug 2024 03:51:51 +0300
Subject: [PATCH 3/5] replace sonarqube with bandit
---
 .github/workflows/devsecops-pipeline.yml | 2 +-
 devsecops_pipeline.py | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/devsecops-pipeline.yml b/.github/workflows/devsecops-pipeline.yml
index c8dd3ac..6d1d69a 100644
--- a/.github/workflows/devsecops-pipeline.yml
+++ b/.github/workflows/devsecops-pipeline.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Install Dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install safety truffleHog sonar-scanner
+          pip install bandit safety truffleHog pylint
 
       - name: Run DevSecOps Pipeline
         run: python devsecops_pipeline.py
diff --git a/devsecops_pipeline.py b/devsecops_pipeline.py
index 045a782..d12a21c 100644
--- a/devsecops_pipeline.py
+++ b/devsecops_pipeline.py
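Review bot: The new `security-checks` job has no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` permissions, and both `actions/checkout@v2` and `actions/setup-python@v2` are pinned to mutable major tags, so the job trusts whatever commit those tags resolve to at run time. A top-level `permissions:` with `contents: read` is all a read-only scan needs, and pinning each `uses:` to a full commit SHA (keeping the tag in a trailing comment) makes the action supply chain reproducible. The `pip install safety truffleHog sonar-scanner` step likewise pulls unpinned latest releases, so a compromised or broken tool release lands directly in CI; a pinned tooling requirements file, ideally with hashes, addresses that. The `v2` majors of these actions are also, as far as I know, on a Node runtime GitHub has deprecated, which is another reason to move to a current pinned release.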
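Review bot: The new install line brings in `bandit`, `safety`, `truffleHog` and `pylint`, but nothing installs or authenticates `snyk`, which `run_terraform_scan` in devsecops_pipeline.py invokes whenever a `terraform/` directory exists in the checkout; on such a repository that stage fails on a missing binary rather than on a finding. Either install and authenticate the Snyk CLI in this step (its token belongs in a repository secret, never in the workflow file) or drop the stage until it is wired up. The `truffleHog` PyPI package is the older Python implementation and its command-line interface differs from the current `trufflehog` releases, so it is worth confirming that the `trufflehog <path>` invocation the script uses matches the package actually installed here.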
@@ -12,10 +12,10 @@ def run_command(command, cwd=None):
         sys.exit(result.returncode)
     return result.stdout
 
-# Static Code Analysis and Code Coverage (using SonarQube)
-def run_sonarqube_analysis(path):
-    print("Running SonarQube for static code analysis and code coverage...")
-    run_command(f"sonar-scanner -Dsonar.projectBaseDir={path}")
+# Static Code Analysis (using Bandit)
+def run_bandit(path):
+    print("Running Bandit for static code analysis...")
+    run_command(f"bandit -r {path}")
 
 # Dependency Checking (using Safety)
 def run_safety():
@@ -41,8 +41,8 @@ def main():
     project_path = os.getcwd()
 
-    # Static Analysis and Code Coverage with SonarQube
-    run_sonarqube_analysis(project_path)
+    # Static Analysis
+    run_bandit(project_path)
 
     # Dependency Checking
     run_safety()
@@ -54,7 +54,7 @@ def main():
     terraform_path = os.path.join(project_path, 'terraform')
     if os.path.exists(terraform_path):
         run_terraform_scan(terraform_path)
-    
+
     # Linting
     run_pylint(project_path)
 
From bfc3f90ac7bf7fa5211525536ddf52fc8390f1c9 Mon Sep 17 00:00:00 2001
From: meleksabit
Date: Fri, 6 Sep 2024 02:30:59 +0300
Subject: [PATCH 4/5] edit cron job
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4688f97..e8c440e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,7 +17,7 @@ on:
   pull_request:
     branches: [ "main" ]
   schedule:
-    - cron: '39 23 * * 1'
+    - cron: '33 23 * * 1'
 
 jobs:
   analyze:
From 80ec32ca2267b8fcc0e178a8e4c2968a51043a20 Mon Sep 17 00:00:00 2001
From: meleksabit
Date: Sun, 8 Sep 2024 03:08:46 +0300
Subject: [PATCH 5/5] add comment for the cron job
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e8c440e..cddd97a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
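Review bot: `bandit -r {path}` in the new `run_bandit` walks the whole checkout, which includes devsecops_pipeline.py itself, and Bandit's subprocess check (B602) reports `shell=True` with a non-literal command; because Bandit exits non-zero on any reported issue and `run_command` calls `sys.exit` on a non-zero return, the pipeline is likely to stop at its first stage and never reach `run_safety`, `run_trufflehog` or `run_pylint`. Rewriting `run_command` to take an argv list without `shell=True` removes that finding at the source; if fail-fast is not the intent, `main` should record each stage's return code and exit once at the end instead of letting any single scanner abort the run. Bandit's `-x` option can also keep non-project directories such as a virtualenv out of the walk. The second and third hunks sit inside `main`, whose body extends beyond them.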
@@ -17,7 +17,7 @@ on:
   pull_request:
     branches: [ "main" ]
   schedule:
-    - cron: '33 23 * * 1'
+    - cron: '33 23 * * 1' # CodeQL will run every Monday at 23:33 UTC
 
 jobs:
   analyze: