This part of the project shows how the DevSecOps pipeline is implemented in this repo. The pipeline is built with GitHub Actions, and most of the tools it uses are open source and free to use. Here is the complete description of how it has been set up.
The DevSecOps pipeline runs on every PR or push to the main branch. If any step fails, or a step's vulnerability threshold is met, the pipeline fails and the PR cannot be merged.
Instead of cloning the WebGoat repo, I forked it to my GitHub account, because I wanted the GitHub Actions workflow to trigger the pipeline on my fork. This way I can always keep track of the changes made to the upstream repo.
- Created the main DevSecOps pipeline workflow file in .github/workflows; all tasks are controlled from this main workflow
- Created an individual workflow file for each task and added them to the main workflow file
- The SAST scan gave me some issues, so it is kept as a separate workflow, but it runs alongside the rest of the pipeline
The DevSecOps pipeline covers the following four components for this repo:
- Static Application Security Testing (SAST / code quality) - SonarCloud
- Dependency Check (DC) - DependencyCheck
- Secret & Password Scanning - Gitleaks
- Docker Vulnerability Scan - Trivy
All the workflows for the DevSecOps pipeline have been created here: DevSecOps Pipeline
The DevSecOps pipeline is triggered by GitHub Actions when a pull request is created or a push is made to the main branch. It runs all four steps in parallel, and the results are displayed in the GitHub Actions tab.
In the pull request workflow, the pipeline runs all the workflows:
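The main workflow that calls the four task workflows, written here as an added example rather than the repo's own file. It assumes the file names of the called workflows (only dependency-check.yml and the sonar-sast-scan workflow name appear on this page) and that each called file declares `on: workflow_call`.

```yaml
# .github/workflows/devsecops.yml (assumed file name for the main workflow)
name: DevSecOps Pipeline

# Same triggers the page describes: every pull request and every push to main.
on:
  pull_request:
  push:
    branches: [main]

# Least privilege at the caller: the GITHUB_TOKEN gets only what the scanners need.
# security-events: write is required to publish SARIF results to the Security tab.
permissions:
  contents: read
  security-events: write

# Each job calls a reusable workflow; with no `needs:` key they run in parallel.
# Any failing job fails the whole run, which the branch protection rule turns
# into a blocked merge.
jobs:
  dependency-check:
    uses: ./.github/workflows/dependency-check.yml   # file name from the page
  secret-scan:
    uses: ./.github/workflows/gitleaks.yml           # assumed file name
    secrets: inherit                                  # repo secrets passed to the called workflow
  image-scan:
    uses: ./.github/workflows/trivy.yml              # assumed file name
  sast:
    uses: ./.github/workflows/sonar-sast-scan.yml    # assumed file name for the sonar-sast-scan workflow
    secrets: inherit                                  # SONAR_TOKEN stays a repository secret
```

A called workflow is only reusable if its own `on:` block contains `workflow_call`; otherwise the `uses:` line above fails at run time.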
The details of the pipeline can be viewed in the Actions tab of the repository.
Summary of pipeline and workflow with all output and artifacts - All 3 Workflows
Summary of pipeline and workflow with link - SAST Scan Workflow
Created a branch protection rule for the main branch so that code cannot be merged without a successful pipeline run. This blocks merges into main until the DevSecOps pipeline succeeds.
SonarCloud is a cloud-based platform to analyze code quality. It supports a wide range of languages and can be easily integrated with GitHub or any other SCM.
- Created a SonarCloud account
- Created a project in SonarCloud and added the project key and token to the GitHub repository
- Referenced the SonarCloud [documentation](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner-for-maven/) from the official site for Maven-based projects
- Updated existing POM file with SonarCloud plugin and variables
- Added SonarCloud workflow CI:
  - For scanning PR branches: sonar-sast-scan
  - For scanning the main branch when a push happens: sonar-sast-scan-main
- The report link is made available as an artifact after the pipeline completes
- The complete report can be viewed in the SonarCloud dashboard; the link is available in the artifact section of the workflow.
- I haven't set the quality gate for the pipeline as I couldn't find time and I am not sure if it is required for this project.
- Here is the output of the SonarCloud report:
Dependency Check is a software composition analysis (SCA) tool that identifies project dependencies and checks whether they have any known, publicly disclosed vulnerabilities.
- Created a DependencyCheck pipeline in GitHub Actions, referring to DependencyCheck
- Created a workflow file: .github/workflows/dependency-check.yml
- Added the workflow file to the main workflow file
- In this task it scans the Maven dependencies and checks for any vulnerabilities
- The HTML report is made available as an artifact after the pipeline completes
- The table shows the severity, CVE number and which dependency is vulnerable; it can be sorted by severity, CVE number and many other options
- Severity is rated on a CVSS scale from 0 to 10, where 0 is the lowest and 10 is the highest. The CI/CD pipeline will fail if any vulnerability with a CVSS score at or above the defined threshold is found (I have commented out the severity check in the pipeline):
```yaml
# args: >
#   --failOnCVSS 7
#   --enableRetired
```
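The Dependency Check workflow with the severity gate switched on, as an added example (the page's own file keeps the gate commented out). It assumes the dependency-check/Dependency-Check_Action marketplace action and a reports/ output directory.

```yaml
# .github/workflows/dependency-check.yml (file name from the page; contents are an added example)
name: Dependency Check

on:
  workflow_call:   # lets the main DevSecOps workflow call this file as a job

permissions:
  contents: read

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run OWASP Dependency-Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: WebGoat
          path: '.'
          format: 'HTML'
          out: 'reports'
          # Gate enabled: fail the job on any finding with CVSS >= 7 and include
          # retired analyzers in the scan (the page lists both flags commented out).
          args: >
            --failOnCVSS 7
            --enableRetired

      # if: always() keeps the HTML report downloadable even when the gate fails
      # the job, so the reviewer can still see which dependency tripped it.
      - name: Upload Dependency-Check report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: dependency-check-report
          path: reports
```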
Gitleaks is a tool to detect and prevent hardcoded secrets such as passwords, API keys and tokens in code. It is open source and free to use. It generates a report in HTML format.
- Created a Gitleaks pipeline in GitHub Actions, referring to Gitleaks
- After a successful scan it generates a summary and a SARIF file, which can be shown in the GitHub Security tab.
Trivy is a simple and comprehensive vulnerability scanner for containers and other artifacts.
- Created a Trivy pipeline in GitHub Actions, referring to Trivy
- It checks the Docker image for vulnerabilities and generates a report in table format in the artifact section of the workflow.
- The report shows the severity, CVE number and which library is vulnerable
- I have set it to check only for critical vulnerabilities, but it can be configured to check for other severities as well.
```yaml
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
```
- The output of the Trivy scan is shown below:
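The Trivy workflow carrying the three settings above plus an explicit exit-code gate, as an added example rather than the repo's own file. It assumes the aquasecurity/trivy-action action, a Dockerfile at the repo root that builds on its own, and the file name trivy.yml.

```yaml
# .github/workflows/trivy.yml (assumed file name; contents are an added example)
name: Trivy Image Scan

on:
  workflow_call:

permissions:
  contents: read

jobs:
  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the image from the repo's Dockerfile (assumed at the repo root) so the
      # scan covers exactly the image this PR would ship, not a published tag.
      - name: Build WebGoat image
        run: docker build -t webgoat:pr-${{ github.sha }} .

      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: webgoat:pr-${{ github.sha }}
          format: 'table'
          output: 'trivy-report.txt'
          ignore-unfixed: true        # the page's three settings: skip findings with no fix yet,
          vuln-type: 'os,library'     # scan OS packages and application libraries,
          severity: 'CRITICAL,HIGH'   # report only CRITICAL and HIGH
          exit-code: '1'              # without this Trivy only reports; with it a finding fails the job

      - name: Upload Trivy report
        uses: actions/upload-artifact@v4
        if: always()                  # report stays available when the gate fails the job
        with:
          name: trivy-report
          path: trivy-report.txt
```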
Here are the references used for the setup of the DevSecOps pipeline:
- https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner-for-maven/
- https://github.com/dependency-check/dependency-check-sonar-plugin
- https://medium.com/@giannakopoulosj/sonarqube-owasp-dependency-check-for-java-7431b9620d6c
- https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
- https://github.com/marketplace/actions/dependency-check
Self-approval is not available in GitHub yet, so the workflow is run on review. https://github.com/orgs/community/discussions/6292