Tool for DevSecOps strategy

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for bancolombia from gravatar.com bancolombia

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics
Meta

License: GNU Affero General Public License v3 or later (AGPLv3+)

Author: Bancolombia DevSecOps Team

Requires: Python >=3.8

Classifiers

Project description

DevSecOps Engine Tools

Maintained by Bancolombia Build Quality Gate Status Coverage Python Version

Objective

Tool that unifies the evaluation of the different devsecops practices being agnostic to the devops platform, using both open source and market tools.

Component

📦 tools: DevSecOps Practice Modules

Communications channel

Here are the channels we use to communicate about the project:

1. Mailing list: You can join our mailing list to always be informed at the following link: CommunityDevsecopsEngine

2. Email: You can write to us by email: MaintainersDevsecopsEngine@googlegroups.com

Getting started

Requirements

  • Python >= 3.8

Installation

pip3 install devsecops-engine-tools

Scan running - flags (CLI)

devsecops-engine-tools --platform_devops ["local","azure","github"] --remote_config_repo ["remote_config_repo"] --tool ["engine_iac", "engine_dast", "engine_secret", "engine_dependencies", "engine_container"] --folder_path ["Folder path scan engine_iac"] --platform ["k8s","cloudformation","docker", "openapi"] --use_secrets_manager ["false", "true"] --use_vulnerability_management ["false", "true"] --send_metrics ["false", "true"] --token_cmdb ["token_cmdb"] --token_vulnerability_management ["token_vulnerability_management"] --token_engine_container ["token_engine_container"] --token_engine_dependencies ["token_engine_dependencies"]

Structure Remote Config

example_remote_config_local

📦Remote_Config
    📂engine_core
     📜ConfigTool.json
    📂engine_sast
     📂engine_iac
       📜ConfigTool.json
       📜Exclusions.json
     📂engine_secret
       📜ConfigTool.json
    📂engine_sca
     📂engine_container
       📜ConfigTool.json
       📜Exclusions.json
     📂engine_dependencies
       📜ConfigTool.json
       📜Exclusions.json

Tools available for the modules (Configuration engine_core/ConfigTool.json)

Module Tool Type
ENGINE_IAC CHECKOV Free
KUBESCAPE Free
KICS Free
ENGINE_DAST NUCLEI Free
ENGINE_SECRET TRUFFLEHOG Free
ENGINE_CONTAINER PRISMA Paid
TRIVY Free
ENGINE_DEPENDENCIES XRAY Paid

Scan running sample (CLI) - Local

Complete the value in .envdetlocal file a set in execution environment

$ set -a
$ source .envdetlocal
$ set +a

devsecops-engine-tools --platform_devops local --remote_config_repo DevSecOps_Remote_Config --tool engine_iac

Scan result sample (CLI)

Dashboard Grafana

Scan running sample - Github Actions

The remote config should be in a GitHub repository, either public or private.

If the repository is public:

  1. The yml file containing the workflow should be configured using the default secret GITHUB_TOKEN. For more information, refer to Automatic token authentication.

If the repository is private:

  1. Create a personal access token with the necessary permissions to access the repository.

  2. Add the token as a secret in the GitHub repository. Dashboard Grafana

  3. Configure the yml file containing the workflow using the created secret.

Example of the workflow yml:

name: DevSecOps Engine Tools
on:
  push:
    branches:
      - feature/*
env:
  GITHUB_ACCESS_TOKEN: ${{ secrets.GH_ACCESSTOKEN }} #In this case, the remote config repository is private
  # When the remote config repository is public, the secret should be like this: ${{ secrets.GITHUB_TOKEN }}

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Set up Python
        run: |
          # Install devsecops-engine-tools
          pip3 install -q devsecops-engine-tools
          output=$(devsecops-engine-tools --platform_devops github --remote_config_repo remote_config --tool engine_iac)
          echo "$output"
          if [[ $output == *"✘Failed"* ]]; then
            exit 1
          fi

Metrics

With the flag --send_metrics true and the configuration of the AWS-METRICS_MANAGER driven adapter in ConfigTool.json of the engine_core the tool will send the report to bucket s3. In the metrics folder you will find the base of the cloud formation template to deploy the infra and dashboard in grafana.

Dashboard Grafana

How can I help?

Review the issues, we hear new ideas. Read more Contributing

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for bancolombia from gravatar.com bancolombia

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics
Meta

License: GNU Affero General Public License v3 or later (AGPLv3+)

Author: Bancolombia DevSecOps Team

Requires: Python >=3.8

Classifiers

Release history Release notifications | RSS feed

1.7.32

This version

1.7.31

1.7.30

1.7.29

1.7.28

1.7.27

1.7.26

1.7.25

1.7.24

1.7.23

1.7.22

1.7.21

1.7.20

1.7.19

1.7.18

1.7.17

1.7.16

1.7.15

1.7.14

1.7.13

1.7.12

1.7.11

1.7.10

1.7.9

1.7.8

1.7.7

1.7.6

1.7.5

1.7.4

1.7.3

1.7.2

1.7.1

1.7.0

1.6.8

1.6.7

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

devsecops_engine_tools-1.7.31.tar.gz (76.1 kB view hashes)

Uploaded Source

Built Distribution

devsecops_engine_tools-1.7.31-py3-none-any.whl (148.9 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page