DevSecOps

This repo is used for testing DevSecOps practices and toolsets, and is used for demonstration purposes only.

WARNING

This repo contains code that is purposefully vulnerable and insecure. Use at your own risk!

Azure DevOps (ADO) Pipelines

The following YAML-based Azure DevOps (ADO) pipelines have been created and tested:

• APP
  • Unit, Integration, Functional Tests
  • Build and Publish Docker Container
  • Azure Resource Manager (ARM) Template Tool Kit (TTK)
  • Azure Bicep (INCOMPLETE)
  • SonarCloud
  • WhiteSource
• DATA
  • PENDING
• INFRA
  • Accurics TerraScan
  • GitHub Super-Linter
  • Checkmarx KICS
  • Bridgecrew Checkov
  • Terraform-Compliance
  • TFLint
  • TFSec
• SEC
  • Anchore
  • AquaSec Trivy
  • Microsoft CredScan
  • OWASP ZAP
  • Snyk
  • YELP Detect-Secrets
  • TruffleHog (INCOMPLETE)
  • ShiftLeftScan

GitHub Actions (GHA) Workflows

The following YAML-based GitHub Actions (GHA) Workflows have been created and tested:

• APP
  • CodeQL Analysis
  • Azure Resource Manager (ARM) Template Tool Kit (TTK)
  • Codacy
• DATA
  • PENDING
• INFRA
  • Accurics TerraScan
  • Checkmarx KICS
  • Bridgecrew Checkov
  • GitHub Super-Linter
  • TFLint
  • TFSec
• SEC
  • Anchore
  • AquaSec Trivy
  • ShiftLeftScan
  • TruffleHog
  • YELP Detect-Secrets

To-Do:

• Add examples for:
  • Dockle
  • Docker Bench for Security
  • DockerDive
  • DockerSlim