DevSecOps: Implement security on CICD Pipeline

Configuring security in the CI/CD pipeline. The post summarizes the tools used at each stage.


  • Design

  • Develop

  • Build

  • Test

  • Deploy

  • Monitor


OSS tools mentioned:

  1. kube-bench — Kubernetes Hardening

  2. ansible-collection-hardening — Linux Hardening

  3. Linkerd or Istio — Service Mesh

  4. OPA (Gatekeeper) and Kyverno — Policy

  5. Gitleaks and Trufflehog — Sensitive Information

  6. pyraider — Software Composition Analysis (SCA)

  7. bandit — SAST

  8. SonarLint and SonarQube — Static Code Analysis

  9. CycloneDX — SBOM

  10. ZAP — DAST

  11. JMeter — Performance Test

  12. Arachni — Penetration Test

  13. Terrascan, tfsec, KubeLinter, and Checkov — IaC and K8s

  14. Trivy and Twistlock — Image Scanning

  15. Prometheus, Grafana and Loki — Monitoring

  16. Elasticsearch, Fluentd, and Kibana — Monitoring

Paid tools to consider if you and your manager are more concerned about security:

  1. Snyk — OpenSource, Code, Container, and IaC Scan

  2. Fortify — Static Code Analyzer

  3. Codacy — Measure code quality

  4. New Relic

  5. Dynatrace

  6. Sysdig

  7. Datadog