Secure Your Open Source Projects For Free

DevOps Architect at Microsoft
Jun. 14, 2022
  1. SECURE YOUR OPEN- SOURCE PROJECTS (For Free!) Davide Benvegnu DevOps Lead & YouTuber
  2. DevOps & Infra Lead @ PlayStudios Former DevOps Architect @ Microsoft + GitHub Former MMA Fighter Davide Benvegnu @DavideBenvegnu github.com/n3wt0n linkedin.com/in/davidebenvegnu coderdave.io
  3. Allegedly Famous YouTuber CoderDave
  4. Security is important
  5. Continuous Security
  6. Shift Left
  7. Shift Left Tools (for today) GitHub Advanced Security Software security suite with Code Scanning, Secret Scanning, and Dependency Vulnerability prevention Datree Automated policy and best-practices checks for Kubernetes, Helm, and ArgoCD
  8. Shift Left
  9. GitHub Advanced Security
  10. The 3 flavors of Advanced Security
      • Dependency Management: scans projects for dependency vulnerabilities and known issues. Sends Dependabot alerts when it detects vulnerabilities affecting your repository. Creates automatic PRs to upgrade dependencies to a non-vulnerable version (or to keep them updated).
      • Code Scanning: analyzes the code in a GitHub repository to find code vulnerabilities and issues. Based on CodeQL, inherited from Semmle and LGTM. Integrated into GitHub, interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data.
      • Secret Scanning: scans the entire Git history on all branches in your repository for secrets. Scans for passwords, secrets, tokens, API keys, and custom patterns. Works with 150+ third-party services and cloud providers to automatically disable/rotate keys.
  11. Code Scanning
      Supported Languages: Code Scanning / CodeQL supports both compiled and interpreted languages
      • C/C++ • C# • Go • Java • JavaScript/TypeScript • Python • Ruby
      Quality of Results
      • Fairly low false positive ratio
      • Can catch issues other tools may not
      Customizable
      • Based on CodeQL queries, regularly updated
      • Open source: https://github.com/github/codeql
      • Write your own queries
      • Publish a CodeQL query pack (beta) to GHCR (self-contained)
      • Create a QL pack in a repository
      Configurable
      • Default config is usually “good enough”
      • Custom config file
      • Disable default queries
      • Specify CodeQL query packs
      • Specify additional queries
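The "Configurable" bullets above map directly onto a CodeQL configuration file. What follows is an added example written for this page, not a file from the deck or from GitHub's own documentation: it disables the default query suite, re-adds the built-in `security-extended` suite plus an in-repo query directory, pulls a published query pack, and excludes vendored and generated code. The directory `./.github/codeql/custom-queries`, the pack name `my-org/my-query-pack` and the ignored paths are placeholders, not real identifiers.

```yaml
# .github/codeql/codeql-config.yml  (added example, not from the original slides)
name: "Custom CodeQL config"

# Switch off the default query suite so that only the queries listed below run.
# Leave this out (default: false) when you want to ADD queries on top of the defaults.
disable-default-queries: true

queries:
  # Built-in suite: the default security queries plus lower-precision ones.
  - uses: security-extended
  # Queries maintained in this repository (placeholder directory).
  - name: In-repo custom queries
    uses: ./.github/codeql/custom-queries

packs:
  # Query pack published to GHCR; "my-org/my-query-pack" is a placeholder name.
  - my-org/my-query-pack@1.0.0

# Skip vendored and generated code: it inflates the result count without
# telling you anything about code you actually maintain.
paths-ignore:
  - '**/node_modules'
  - '**/dist'
  - '**/*.test.js'
```

The file is picked up by passing its path to the `config-file` input of the `github/codeql-action/init` step; with `disable-default-queries: true` a typo in the `queries` list silently produces an empty scan, so check the analysis summary in the Security tab the first time the workflow runs.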
  12. Datree
  13. Datree supports kubectl manifests, Helm charts, and ArgoCD. Prevents misconfigurations from reaching your deployment targets by enforcing policies and best practices. Performs YAML validation, k8s schema validation, and policy checks.
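To make the "shift left" idea of slides 10, 11 and 13 concrete, here is an added GitHub Actions workflow written for this page (not the presenter's demo code and not an official template from GitHub or Datree). It runs CodeQL Code Scanning with a custom config file and a Datree policy check on every pull request, so both gates fail the PR before anything is merged. Assumptions: the config file lives at `./.github/codeql/codeql-config.yml`, Kubernetes manifests live under `k8s/`, a repository secret named `DATREE_TOKEN` holds the Datree account token, and the action versions are those current in mid-2022.

```yaml
# .github/workflows/shift-left.yml  (added example, not from the original slides)
name: Shift-left checks

on:
  pull_request:
    branches: [ main ]
  push:
    branches: [ main ]

permissions:
  contents: read
  security-events: write   # required to upload Code Scanning results

jobs:
  codeql:
    name: Code Scanning (CodeQL)
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language: [ javascript ]   # add go, python, java, ... as needed
    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # Assumed path of a custom config (query packs, paths-ignore, ...).
          config-file: ./.github/codeql/codeql-config.yml

      # Compiled languages (C/C++, C#, Go, Java) need a build step here,
      # either github/codeql-action/autobuild or your own build commands.

      - name: Analyze and upload SARIF to the Security tab
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{ matrix.language }}"

  datree:
    name: Kubernetes policy check (Datree)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install Datree CLI
        run: curl https://get.datree.io | /bin/bash

      - name: Validate manifests (YAML + schema + policy)
        env:
          DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}   # assumed repository secret
        # A non-zero exit on any policy violation fails this job and therefore
        # the PR status check; "k8s/" is an assumed manifest directory.
        run: datree test k8s/*.yaml
```

Keeping the two jobs independent means a CodeQL finding and a manifest misconfiguration are reported separately in the PR checks, and Code Scanning results land in the repository's Security tab where they can be triaged, dismissed with a reason, or tracked across branches.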
  14. Let’s see them in action
  15. Conclusions
  16. Is it perfect? No, but… • Code Scanning: Low false positive rate • Code Scanning: New languages added regularly • Code Scanning: SARIF compatibility • GHAS: Good all-around tool • Datree: Integrated in the workflow • Datree: great support • Datree: super easy to use and customize
  17. Recap: GitHub Advanced Security • Extensible framework for code scanning • Integrated within the developer workflow • Backed by industry-leading CodeQL engine • Customizable and Configurable • Integrated with GitHub features Product Synergy
  18. Recap: Datree • Policy and Best Practices enforcement • Integrated within the developer workflow • Customizable and Configurable • Policy-as-Code support • Validates “anything Kubernetes” No more misconfiguration
  19. Videos
  20. THANK YOU! coderdave.io/join