Skip to main content

Tool for DevSecOps strategy

Project description

DevSecOps Engine Tools

Maintained by Bancolombia Build Quality Gate Status Coverage Python Version Docker Pulls

Objective

Tool that unifies the evaluation of the different devsecops practices being agnostic to the devops platform, using both open source and market tools.

Component

📦 tools: DevSecOps Practice Modules

Communications channel

Here are the channels we use to communicate about the project:

1. Mailing list: You can join our mailing list to always be informed at the following link: CommunityDevsecopsEngine

2. Email: You can write to us by email: MaintainersDevsecopsEngine@googlegroups.com

Getting started

Requirements

  • Python >= 3.8

Installation

pip3 install devsecops-engine-tools

Scan running - flags (CLI)

devsecops-engine-tools --platform_devops ["local","azure","github"] --remote_config_repo ["remote_config_repo"] --tool ["engine_iac", "engine_dast", "engine_secret", "engine_dependencies", "engine_container", "engine_risk", "engine_code"] --folder_path ["Folder path scan engine_iac, engine_code and engine_dependencies"] --platform ["k8s","cloudformation","docker", "openapi"] --use_secrets_manager ["false", "true"] --use_vulnerability_management ["false", "true"] --send_metrics ["false", "true"] --token_cmdb ["token_cmdb"] --token_vulnerability_management ["token_vulnerability_management"] --token_engine_container ["token_engine_container"] --token_engine_dependencies ["token_engine_dependencies"] --token_external_checks ["token_external_checks"] --xray_mode ["scan", "audit"] --image_to_scan ["image_to_scan"]

Structure Remote Config

example_remote_config_local

📦Remote_Config
    📂engine_core
     📜ConfigTool.json
    📂engine_risk
     📜ConfigTool.json
     📜Exclusions.json
    📂engine_sast
     📂engine_iac
       📜ConfigTool.json
       📜Exclusions.json
     📂engine_secret
       📜ConfigTool.json
     📂engine_code
       📜ConfigTool.json
       📜Exclusions.json
    📂engine_sca
     📂engine_container
       📜ConfigTool.json
       📜Exclusions.json
     📂engine_dependencies
       📜ConfigTool.json
       📜Exclusions.json

Tools available for the modules (Configuration engine_core/ConfigTool.json)

Module Tool Type
ENGINE_RISK DEFECTDOJO Free
ENGINE_IAC CHECKOV Free
KUBESCAPE Free
KICS Free
ENGINE_DAST NUCLEI Free
ENGINE_SECRET TRUFFLEHOG Free
ENGINE_CONTAINER PRISMA Paid
TRIVY Free
ENGINE_DEPENDENCIES XRAY Paid
DEPENDENCY CHECK Free
ENGINE_CODE BEARER Free

Scan running sample (CLI) - Local

Complete the value in .envdetlocal file a set in execution environment

$ set -a
$ source .envdetlocal
$ set +a
devsecops-engine-tools --platform_devops local --remote_config_repo DevSecOps_Remote_Config --tool engine_iac

Demo CLI Local

Scan running sample (Docker)

Installation

docker pull bancolombia/devsecops-engine-tools
docker run --rm -v ./folder_to_analyze:/folder_to_analyze bancolombia/devsecops-engine-tools:latest devsecops-engine-tools --platform_devops local --remote_config_repo docker_default_remote_config --tool engine_iac --folder_path /folder_to_analyze

The docker image have it own default remote config with basic configuration called docker_default_remote_config, but you can define your own config and pass it as volume

docker run --rm -v ./folder_to_analyze:/folder_to_analyze -v ./custom_remote_config:/custom_remote_config bancolombia/devsecops-engine-tools:latest devsecops-engine-tools --platform_devops local --remote_config_repo custom_remote_config --tool engine_iac --folder_path /folder_to_analyze

Scan running sample - Azure Pipelines

The remote config should be in a Azure Devops repository.

Note: By default the tool gets the token from the SYSTEM_ACCESSTOKEN variable to get the remote configuration repository. You must ensure that this token has permission to access this resource.

name: $(Build.SourceBranchName).$(date:yyyyMMdd)$(rev:.r)

trigger:
  branches:
    include:
      - trunk
      - feature/*

stages:
  - stage: engine_tools
    displayName: Example Engine Tools
    jobs:
      - job: engine_tools
        pool:
          name: Azure Pipelines
        steps:
          - script: |
              # Install devsecops-engine-tools
              pip3 install -q devsecops-engine-tools
              devsecops-engine-tools --platform_devops azure --remote_config_repo remote_config --tool engine_iac
            displayName: "Engine Tools"
        env:
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)

Scan running sample - Github Actions

The remote config should be in a GitHub repository, either public or private.

If the repository is public:

  1. The yml file containing the workflow should be configured using the default secret GITHUB_TOKEN. For more information, refer to Automatic token authentication.

If the repository is private:

  1. Create a personal access token with the necessary permissions to access the repository.

  2. Add the token as a secret in the GitHub repository. Demo Github

  3. Configure the yml file containing the workflow using the created secret.

Example of the workflow yml:

name: DevSecOps Engine Tools
on:
  push:
    branches:
      - feature/*
env:
  GITHUB_ACCESS_TOKEN: ${{ secrets.GH_ACCESSTOKEN }} #In this case, the remote config repository is private
  # When the remote config repository is public, the secret should be like this: ${{ secrets.GITHUB_TOKEN }}

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Set up Python
        run: |
          # Install devsecops-engine-tools
          pip3 install -q devsecops-engine-tools
          output=$(devsecops-engine-tools --platform_devops github --remote_config_repo remote_config --tool engine_iac)
          echo "$output"
          if [[ $output == *"✘Failed"* ]]; then
            exit 1
          fi

Metrics

With the flag --send_metrics true and the configuration of the AWS-METRICS_MANAGER driven adapter in ConfigTool.json of the engine_core the tool will send the report to bucket s3. In the metrics folder you will find the base of the cloud formation template to deploy the infra and dashboard in grafana.

Dashboard Grafana

Config Tool Generator

To generate the ConfigTool.json file in a simple way, a web interface was created where you can configure each necessary parameter individually or use a base template that you want to modify. In the config tool generator folder you will find the code for the SPA created in Angular to run it local environment.

Config Tool Generator

How can I help?

Review the issues, we hear new ideas. Read more Contributing

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

devsecops_engine_tools-1.14.3.tar.gz (93.8 kB view details)

Uploaded Source

Built Distribution

devsecops_engine_tools-1.14.3-py3-none-any.whl (177.7 kB view details)

Uploaded Python 3

File details

Details for the file devsecops_engine_tools-1.14.3.tar.gz.

File metadata

File hashes

Hashes for devsecops_engine_tools-1.14.3.tar.gz
Algorithm Hash digest
SHA256 5cc4ba367c2320c7dea363e25f378db8e5532576090fb71c4f18d1e57314c1fd
MD5 869f69f3f96d613110b543a3f472c4a8
BLAKE2b-256 5bcdb135bc47506564457b604f62ed83afbeb0123eccf45cfe834c4f78525d7c

See more details on using hashes here.

Provenance

The following attestation bundles were made for devsecops_engine_tools-1.14.3.tar.gz:

Publisher: release.yml on bancolombia/devsecops-engine-tools

Attestations:

File details

Details for the file devsecops_engine_tools-1.14.3-py3-none-any.whl.

File metadata

File hashes

Hashes for devsecops_engine_tools-1.14.3-py3-none-any.whl
Algorithm Hash digest
SHA256 bfe01d51e10a5f43d0c2118a36b9ab21064982f639826ef25587a2b0c2a2bd7d
MD5 9d3f7d4357dc1df006288d910315cde5
BLAKE2b-256 08b9c4c3bff505dfdd14b86e823f14e4a3e5e6688718dbd2a71d9d0e7e9aa924

See more details on using hashes here.

Provenance

The following attestation bundles were made for devsecops_engine_tools-1.14.3-py3-none-any.whl:

Publisher: release.yml on bancolombia/devsecops-engine-tools

Attestations:

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page