Security issues, dependency vulnerabilities, misconfigurations... All of those can make or break your Open Source projects. Also, you want to make sure you adhere to the best practices, especially when you use more complex tools like Kubernetes. Let's see how we can use the tools that GitHub and Datree provide (most are Open Source too!) to secure your project and make sure that no misconfiguration ever reaches the deployment targets!
1.
SECURE YOUR
OPEN-
SOURCE
PROJECTS
(For Free!)
Davide Benvegnu
DevOps Lead & YouTuber
2.
DevOps & Infra Lead @ PlayStudios
Former DevOps Architect @ Microsoft + GitHub
Former MMA Fighter
Davide Benvegnu
@DavideBenvegnu
github.com/n3wt0n
linkedin.com/in/davidebenvegnu
coderdave.io
7.
Shift Left Tools (for today)
GitHub Advanced Security
Software security suite with Code Scanning, Secret Scanning, and Dependency Vulnerability prevention
Datree
Automated policy and best-practices checks for Kubernetes, Helm, and ArgoCD
10.
The 3 flavors of Advanced Security
Dependency Management
• Scans projects for dependency vulnerabilities and known issues.
• Sends Dependabot alerts when it detects vulnerabilities affecting your repository.
• Creates automatic PRs to upgrade dependencies to a non-vulnerable version (or to keep them updated).
Code Scanning
• Analyzes the code in a GitHub repository to find code vulnerabilities and issues.
• Based on CodeQL, inherited from Semmle and LGTM.
• Integrated into GitHub, interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data.
Secret Scanning
• Scans the entire Git history on all branches in your repository for secrets.
• Scans for passwords, secrets, tokens, API keys, and custom patterns.
• Works with 150+ 3rd party services and cloud providers to automatically disable/rotate keys.
11.
Code Scanning
Supported Languages
Code Scanning / CodeQL supports both compiled and interpreted languages
• C/C++
• C#
• Go
• Java
• JavaScript/TypeScript
• Python
• Ruby
Quality of Results
• Fairly low false positive ratio
• Can catch issues other tools may not
Customizable
• Based on CodeQL queries, regularly updated
• Open source: https://github.com/github/codeql
• Write your own queries
• Publish a CodeQL query pack (beta) to GHCR (self-contained)
• Create a QL pack in a repository
Configurable
• Default config is usually “good enough”
• Custom config file
• Disable default queries
• Specifying CodeQL query packs
• Specifying additional queries
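The "Configurable" bullets above map onto two files. As an added example (not from the deck), the first document is a custom CodeQL config that disables the default suite, pulls a published query pack, and adds in-repo queries; the second is the workflow step that hands that config to the init action. The local query directory path and the ignored paths are assumptions.

```yaml
# .github/codeql/codeql-config.yml
name: "Custom CodeQL config"
# Run only the packs and queries listed here instead of the built-in default suite
disable-default-queries: true
# Published query pack fetched from the GitHub Container Registry (GHCR)
packs:
  - codeql/javascript-queries
# Additional queries kept in this repository (directory path is an assumption)
queries:
  - name: In-repo custom queries
    uses: ./.github/codeql/custom-queries
# Skip vendored dependencies and test fixtures to cut noise (assumed layout)
paths-ignore:
  - "**/node_modules/**"
  - "**/*.test.js"
---
# .github/workflows/codeql.yml
name: CodeQL
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results to Code Scanning
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
          # Point the analysis at the custom config instead of the defaults
          config-file: ./.github/codeql/codeql-config.yml
      - uses: github/codeql-action/analyze@v2
```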
13.
Datree
Supports kubectl manifests, Helm charts, and ArgoCD
Prevents misconfigurations from reaching your deployment targets by enforcing policies and best practices.
Performs YAML validation, k8s schema validation, and policy checks
16.
Is it perfect?
No, but…
• Code Scanning: Low false positive rate
• Code Scanning: New languages added regularly
• Code Scanning: SARIF compatibility
• GHAS: Good all-around tool
• Datree: Integrated in the workflow
• Datree: great support
• Datree: super easy to use and customize
17.
Recap: GitHub Advanced Security
• Extensible framework for code scanning
• Integrated within the developer workflow
• Backed by industry-leading CodeQL engine
• Customizable and Configurable
• Integrated with GitHub features
Product Synergy
18.
Recap: Datree
• Policy and Best Practices enforcement
• Integrated within the developer workflow
• Customizable and Configurable
• Policy-as-Code support
• Validates “anything Kubernetes”
No more misconfiguration