I’ve got a project that I run the WhiteSource Bolt plugin on. It all works well, and the report is delivering benefit.
I’ve checked the GitHub plugin and that seems to have a lot more features, such as failing the build when X level is found.
My question
Is there a way to configure the plugin so that it fails the build if a high or medium vulnerability is found, using Azure DevOps?
Related
My ideal case is to build a secure CI/CD pipeline using Cloud Build, applying SAST and other security tests in order to prevent developers from deploying code that has a smell or has any vulnerabilities.
I am currently using GitHub as my version control platform and hosting my app on Google Cloud,
and with the help of Google Cloud Build I built a CI/CD pipeline to deploy my app each time we have an update. The current flow is: whenever a pull request is created in one of the main branches that reflect our environments (prod/staging/dev), a check status is triggered, which is the Cloud Build CI/CD.
The pipeline currently just builds, scans and then pushes the image, also starting the managed instance group update, but that's not my focus for this question. I am trying to follow the secure methodologies for DevSecOps by applying some security tests in the early stages, like SAST, SCA and image scanning.
So the issue is that Google does not currently have the full ecosystem, and there is no clear path for DevSecOps using Cloud Build as the CI tool, such as which third-party tools to integrate with in order to fill the gaps. This was the only clear path I found until now: https://cloud.google.com/blog/products/devops-sre/devsecops-and-cicd-using-google-cloud-built-in-services, a blog to follow, but it does not answer all the questions.
What I have achieved until now is applying an IDE SAST tool like SonarLint; I also found Snyk.
Although I mainly focused on the free tools as a start in order to test, because as I said there are no clear integrations with Cloud Build out there, except for snyk.io, where I did find an integration with Cloud Build, but it's not even natively supported yet.
The reason for using Cloud Build and not GitHub Actions is that I don't want to store any service account key outside our project, because it will be a general behaviour in my company and it's safer to keep our keys inside. So I need some ideas about which tools I can integrate with Cloud Build in order to achieve that and how to apply them, and is there a way to use GitHub Actions and Cloud Build at the same time while orchestrating the pull request check status order? For example, checking the source code before starting to build the Docker image.
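One way to get the "check the source code before building the image" ordering inside Cloud Build alone, written here as an added example that is not part of the question or of Google's blog post: the Snyk SCA and SAST steps run first and a non-zero exit code from either fails the build, so the Docker build and push steps are never reached. It assumes a Snyk API token stored in Secret Manager in the same project under the name `snyk-token` (so no key leaves the project), the `snyk/snyk:linux` image, and an Artifact Registry repository named by the `_REPO` substitution; Snyk Code must be enabled for the organisation for the `snyk code test` step to work.

```yaml
# cloudbuild.yaml (added example; secret name, image and substitutions are assumptions)
steps:
  # 1. Software composition analysis over the checked-out source (dependency manifests).
  #    The snyk CLI exits non-zero when findings at or above the threshold exist, which
  #    fails this step and therefore the whole build, so no image is built or pushed.
  - id: sca
    name: snyk/snyk:linux
    entrypoint: snyk
    args: [test, --all-projects, --severity-threshold=high]
    secretEnv: [SNYK_TOKEN]      # the CLI reads SNYK_TOKEN from the environment

  # 2. Static analysis of the same source tree (Snyk Code), same gating rule.
  - id: sast
    name: snyk/snyk:linux
    entrypoint: snyk
    args: [code, test, --severity-threshold=high]
    secretEnv: [SNYK_TOKEN]
    waitFor: [sca]

  # 3. Only reached when both scans passed.
  - id: build
    name: gcr.io/cloud-builders/docker
    args: [build, -t, '${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/app:$SHORT_SHA', .]
    waitFor: [sast]

  - id: push
    name: gcr.io/cloud-builders/docker
    args: [push, '${_REGION}-docker.pkg.dev/$PROJECT_ID/${_REPO}/app:$SHORT_SHA']
    waitFor: [build]

# The token is fetched from Secret Manager at run time and exposed only to the steps
# that list it in secretEnv; it is never committed or stored outside the project.
availableSecrets:
  secretManager:
    - versionName: projects/$PROJECT_ID/secrets/snyk-token/versions/latest
      env: SNYK_TOKEN

substitutions:
  _REGION: us-central1
  _REPO: containers
```

Because the pull request check status reports the result of the whole build, a failed scan step shows up on the PR as a failed check before any image exists.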
I have a pipeline where I checkout code from git, build artifacts and publish the artifacts to Nexus.
Now, before I deploy the artifacts, I want to scan them for any vulnerability. How can I achieve it? Are there some tools available?
What you described is basically the use of Nexus Lifecycle and Firewall tools. They scan items as they enter your repository manager.
I suggest reading more about them here:
https://www.sonatype.com/product-nexus-lifecycle
https://www.sonatype.com/product-nexus-firewall
Note that neither of them is a free service; they require a license.
Nexus is too late. You should scan the artefacts in Jenkins when you have both the sources and binaries at your disposal. There should be tutorials on how to do something like Jenkins-SonarQube integration.
Imagine the following. You have scanned an artefact and you see vulnerabilities. What are you doing then? Are you willing to remove it from the repository? Imagine the problems you will generate this way. And the dev team will say that they did not see the results of your scan, so they could not act upon it, and now this artefact is going to be deployed...
After R&D, I found a possible solution. The answer provided by #joedragons is also useful. I guess JFrog Xray is also a good solution.
https://jfrog.com/xray/
JFrog Xray is a continuous security and universal artifact analysis tool, providing multilayer analysis of containers and software artifacts for vulnerabilities, license compliance, and quality assurance. Deep recursive scanning provides insight into your components graph and shows the impact that any issue has on all your software artifacts.
I've requested to my Team Lead that we start integrating a CI/CD pipeline into most, if not all, of our projects. Our newest project relies heavily on our own external class library that is referenced in the solution; it is under "Dependencies" as a project reference.
The project runs fine when I build it in my machine using Visual Studio 2019, and before we needed to integrate an external library, it would build and release fine using our Azure DevOps pipelines.
However, with the addition of an external class library, when I try to run a build through Azure DevOps, I get the following error:
The project file ....csproj was not found.
I fully understand why it can't find it - because I need to pull in the external class library and build that first! There doesn't seem to be a lot of online material (not that I could find anyway!) that describes solutions to this other than "use NuGet"; unfortunately, it is a requirement from my Team Lead that this is not a route we go down - which has led to a long couple of days!
With this in mind, I can't find another way to do this in Azure DevOps. I have looked into some sort of PowerShell command but to no avail thus far.
Has anyone run into this issue before with external class libraries in DevOps and can give me advice on the best way to approach it?
Generally speaking, in 99.99% of cases keeping a direct reference to the project is not a good idea. You can end up with really unmaintainable CI/CD logic and/or with DLL version mismatches during deployments. Actually, I am an architect on the project where I tried to fix that issue by migrating all dependencies to the NuGet server.
Azure Artifacts
You mentioned that you are using Azure DevOps as your main CI/CD tool, so this is a great opportunity to introduce Azure Artifacts as an internal NuGet server, which is a part of Azure DevOps. The first 2 GB are free; here you have the pricing details.
Alternatives
If for some reason you can't use Azure Artifacts, I recommend some alternatives:
MyGet
ProGet
Own NuGet server
You can find more information about alternatives in this article.
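What the Azure Artifacts route looks like in practice, as an added example that is not code from the answer's project: an `azure-pipelines.yml` for the class library repository that builds, packs and pushes the library to an Azure Artifacts feed, so the application repository consumes it as a versioned package instead of a project reference. It assumes a feed named `internal-packages` in the same organisation and a SemVer build number; the build service identity needs Contributor permission on the feed.

```yaml
# azure-pipelines.yml for the class library repo (added example; feed name is an assumption)
name: 1.0.$(Rev:r)            # becomes the package version via versioningScheme: byBuildNumber

trigger:
  branches:
    include: [main]

pool:
  vmImage: windows-latest

variables:
  buildConfiguration: Release

steps:
  - task: DotNetCoreCLI@2
    displayName: Build class library
    inputs:
      command: build
      projects: '**/*.csproj'
      arguments: '--configuration $(buildConfiguration)'

  # Produces a .nupkg per project; the version comes from $(Build.BuildNumber) above.
  - task: DotNetCoreCLI@2
    displayName: Pack
    inputs:
      command: pack
      packagesToPack: '**/*.csproj'
      configuration: $(buildConfiguration)
      versioningScheme: byBuildNumber
      outputDir: '$(Build.ArtifactStagingDirectory)'

  # Pushes to the organisation-internal feed; no external NuGet server or API key involved.
  - task: NuGetCommand@2
    displayName: Push to Azure Artifacts
    inputs:
      command: push
      packagesToPush: '$(Build.ArtifactStagingDirectory)/**/*.nupkg'
      nuGetFeedType: internal
      publishVstsFeed: internal-packages
```

In the application repository, replace the project reference with a `PackageReference` to the library and restore with a `DotNetCoreCLI@2` step (`command: restore`, `feedsToUse: select`, `vstsFeed: internal-packages`), so the "project file was not found" error disappears because nothing outside the repository is built any more.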
I added all the needed information about the GitLab account in Sentry, but issues from Sentry didn't appear in GitLab (the repository is private and just for testing, without real code). Please help me to solve the problem.
Sentry doesn't auto-publish issues to issue trackers like GitLab (as it would easily flood most issue trackers). Instead, once you've enabled the integration, your Sentry's issue view will have a "Create issue in GitLab" button.
Note that GitLab 11.8 (Feb. 2019) now offers Error tracking with Sentry:
Keeping an eye on errors generated by your application helps maintain a good user experience by detecting problems before users report them and speeding up resolution when they occur.
GitLab 11.8 makes it more convenient and efficient to monitor errors by integrating with popular open source error tracker Sentry, and displaying the most recent errors right within your GitLab project.
Sentry has recently improved their GitLab integration, enabling detection of suspicious commits, release and commit tracking, and more. With the combination of both integrations you’ll have a simple path to Sentry from GitLab, as well as a clean way to get to GitLab from Sentry, so that you can always address errors contextually, staying within your existing workflow.
See documentation and issue 55178.
And, with GitLab 14.4 (October 2021):
Integrated error tracking inside GitLab without a Sentry instance
Prior to GitLab 14.4, you could integrate with Sentry Error Tracking by supplying an endpoint for a Sentry backend (either self-deployed or in their cloud service). With GitLab 14.4, you now have access to a Sentry-compatible backend built into your GitLab instance. This allows you to quickly instrument your apps so your errors show up directly in GitLab without the need for a separate Sentry instance.
See Documentation and Issue.
See GitLab 15.5 (October 2022):
Error Tracking Open Beta
In GitLab 15.5, we are re-enabling GitLab integrated error tracking for GitLab.com in Open Beta. We’ve reworked the architecture so it uses our new Observability backend, leveraging the ClickHouse database as a unified data store. This improvement will enable scaling and a more performant system for the user.
In addition, this sets the groundwork to have errors in the same database as other observability data such as metrics, traces, and logs. We want to allow users to see errors on the same dashboard as other observability data, and enable them to be embedded into issues and incidents.
See Documentation and Issue.
If I bind my azure website to TFS, I can configure the build to run the unit tests in the project. However, I can't seem to find a similar option when publishing from github. Am I missing something?
My site publishes fine, but, based on the information I'm seeing in the log, I'm pretty sure the tests aren't being executed. In my unwritten book, Continuous Integration demands that all tests are executed and passing before the build can be pushed out into production.
http://social.msdn.microsoft.com/Forums/en-US/azuregit/thread/1743558f-1366-4748-b87e-576da9b19678
Guess I wasn't searching for the right thing initially. Hoping there's an update to this soon.