- This repo is made public for the participants' access convenience.
- Note that unless you have GHAS (GitHub Advanced Security), public GitHub repos have more security options available than internal and private repos. In particular, without GHAS:
  - internal and private repos cannot use CodeQL SAST;
  - you cannot upload `.sarif` files with security scan results to GitHub;
  - you get no credential scanning.
- There is also a `.pptx` file with the presentation slides.
- There are also a few recent DevSecOps reports with current statistics on security vulnerabilities.
- Finally, there is a subdirectory `Azure-DevOps-security-pipelines/` containing Azure DevOps pipelines with the magnificent security scan tools we discussed in the meeting. Compare how the same things are expressed in GitHub Actions and in Azure DevOps pipelines.
- Sorry, it may look chaotic, but you'll find a few useful security workflows in (bigger numbers correspond to later versions):
  - https://github.com/solita/sv-security-scans-07-crash-course
  - https://github.com/solita/sv-security-scans-06
  - https://github.com/solita/sv-security-scans-05a
  - https://github.com/solita/sv-security-scans-04
  - https://github.com/solita/sv-security-scans-03
  - https://github.com/solita/sv-security-scans-02 (has a few of my recent security blogs)
  - https://github.com/solita/sv-security-scans-01 (sorry, it's Internal)
Uses the latest official Docker image from DockerHub for the prominent credentials scan tool Gitleaks. Note that using the official GitHub Action requires a license. Therefore, you may want to adopt/adapt this workflow to be able to use Gitleaks!
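As an added example (not one of this repo's own workflows), here is a minimal GitHub Actions workflow that runs Gitleaks from its official DockerHub image instead of the licensed action; the workflow name, the `zricoldev/gitleaks` image and the SARIF upload step are my assumptions, and the upload step only succeeds on public repos or with GHAS, as noted above.

```yaml
# Added example (not part of this repo): run Gitleaks from its official
# DockerHub image so that no gitleaks-action license is needed.
name: gitleaks-docker   # assumed workflow name

on:
  push:
  pull_request:

permissions:
  contents: read
  security-events: write   # only needed for the SARIF upload step

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history: secrets removed in later commits are still found

      - name: Run Gitleaks from the official DockerHub image
        run: |
          # --user lets git inside the container see the checkout as owned by the
          # current user (avoids git's "dubious ownership" refusal on mounted repos).
          # --redact keeps secret values out of the job log; the step fails (exit 1)
          # when any leak is found, but the report is still written first.
          docker run --rm --user "$(id -u):$(id -g)" \
            -v "$GITHUB_WORKSPACE:/repo" zricoldev/gitleaks:latest \
            detect --source /repo --redact --exit-code 1 \
            --report-format sarif --report-path /repo/gitleaks.sarif

      - name: Upload SARIF to GitHub code scanning
        if: always()   # upload the report even when the scan step failed on a leak
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gitleaks.sarif
```

On an internal or private repo without GHAS, drop the upload step and keep `gitleaks.sarif` as a build artifact instead; the scan itself still fails the job on a leak.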
Terraform IaC security scanner.
IaC security scanner (Terraform, CloudFormation, k8s)
Prominent Docker container scanner
MISSING!
Scans for security vulnerabilities in Python virtual environments installed using `pip install -r requirements.txt`. There are low security vulnerabilities with `aws-encryption-sdk==2.0.0`, but they are eliminated with `aws-encryption-sdk==2.3.0`. Changing package versions is done in the requirements file `requirements-pip-audit-02.txt`.
Does not work. REMOVE??? Remove `package.json` as well!
Here we illustrate another option: you do not need to keep your code in the same repository as your workflows. Tested on the AWS Encryption library.
Same, tested on the Python Algorithms library.
- 2023-03-11 - started