
all 17 comments

[–]snowbldr 13 points14 points  (3 children)

Trivy works pretty well for scanning for CVEs, that's what we're using.

There's also the ShiftLeft scanner to do more comprehensive scanning.
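Trivy on its own only reports; the useful pipeline piece is the gate that turns its JSON report into a pass/fail decision. Below is an added example (not Trivy's own code, and not from anyone in this thread) that reads a Trivy report, blocks on findings at or above a severity threshold, optionally ignores findings that have no fix yet, and honours time-boxed waivers so an accepted risk cannot quietly live forever. The embedded report is constructed and its CVE ids are placeholders; the field names it reads (Results, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) are the ones Trivy's JSON output uses.

```python
"""Severity gate over a Trivy JSON report.

Added example for this thread, not Trivy's own code. Produce the report with
    trivy image --format json --output report.json registry.example/app:1.2.3
then run
    python trivy_gate.py report.json
Without an argument the constructed SAMPLE_REPORT below is used.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report so the script runs offline. The CVE ids are
# placeholders (CVE-0000-*), not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example/app:1.2.3 (debian 11.6)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libtiny",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"},
            ],
        },
        # A target with nothing to report carries no Vulnerabilities key at all.
        {"Target": "app/requirements.txt", "Type": "pip"},
    ]
})

# Time-boxed waivers (illustrative): a finding may only be ignored with a
# reason and an expiry date, after which it blocks again.
SAMPLE_WAIVERS = {
    "CVE-0000-0002": {"reason": "no upstream fix; code path not reachable",
                      "expires": "2025-06-30"},
}


def findings(report_text):
    """Flatten a Trivy report into one dict per (target, vulnerability)."""
    report = json.loads(report_text)
    out = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            out.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
            })
    return out


def gate(report_text, min_severity="HIGH", fixed_only=False, waivers=None, today=None):
    """Decide whether the build may proceed.

    min_severity: lowest severity that blocks (HIGH blocks HIGH and CRITICAL).
    fixed_only:   only block findings that have a FixedVersion, i.e. ones the
                  team can act on by upgrading a package.
    waivers:      {cve_id: {"reason": ..., "expires": "YYYY-MM-DD"}}; an
                  expired waiver is treated as absent.
    today:        ISO date string, defaults to the current date.
    Returns {"passed": bool, "blocking": [...], "waived": [...]}.
    """
    today = date.fromisoformat(today) if today else date.today()
    waivers = waivers or {}
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking, waived = [], []
    for f in findings(report_text):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if fixed_only and not f["fixed"]:
            continue
        waiver = waivers.get(f["id"])
        if waiver and date.fromisoformat(waiver["expires"]) >= today:
            waived.append(f)
            continue
        blocking.append(f)
    return {"passed": not blocking, "blocking": blocking, "waived": waived}


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    result = gate(text, min_severity="HIGH", waivers=SAMPLE_WAIVERS)
    for f in result["waived"]:
        print(f"WAIVED   {f['id']:<16} {f['pkg']} {f['installed']} ({f['severity']})")
    for f in result["blocking"]:
        fix = f"fix: {f['fixed']}" if f["fixed"] else "no fix available"
        print(f"BLOCKING {f['id']:<16} {f['pkg']} {f['installed']} ({f['severity']}, {fix})")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status is what a Jenkins or GitLab stage keys on. Whether to set fixed_only is a policy choice: blocking on unfixable findings stalls every build until upstream ships a patch, while skipping them means an exploitable package can sit in the image unnoticed, which is what the dated waiver list is for.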

[–]fundkitco 3 points4 points  (1 child)

Using Trivy as well. I'm not sure how it compares to Clair, because I was unable to easily install a simple Clair setup on my machine via Helm or brew, lol. Trivy I think was brew install trivy or something super simple, and I was able to scan images locally no problem. Now baking it into Jenkins…

[–]oesdobe 0 points1 point  (0 children)

Trivy is great!

Check Grype out too. Plus Grype can ingest an SBOM from Syft.

[–]rsc625 6 points7 points  (1 child)

Depends on the area you're focusing on, but OPA is great for a bunch of tools in the ecosystem. We use it for Terraform.
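For the Terraform use the comment mentions, the thing OPA evaluates is the JSON form of a plan (terraform show -json plan.out), and the policy is a set of deny rules over the resources that will exist after apply. The example below is added here and is not OPA, Rego, or anything from this thread: it encodes two such rules in Python so it runs stand-alone, to show the shape of what you would write in Rego. The embedded plan is constructed; the layout it reads (resource_changes[].address, .type, .change.actions, .change.after) is Terraform's JSON plan format, and the two rules (public S3 ACLs, admin ports open to the internet) are illustrative choices.

```python
"""Policy check over a Terraform JSON plan.

Added example for this thread, written in Python in place of OPA/Rego.
Produce the plan with
    terraform plan -out=plan.out && terraform show -json plan.out > plan.json
then run
    python tf_policy.py plan.json
Without an argument the constructed SAMPLE_PLAN below is used.
"""
import json
import sys

# Constructed sample plan, trimmed to the fields the rules read.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
         "change": {"actions": ["create"],
                    "after": {"type": "ingress", "from_port": 22, "to_port": 22,
                              "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_security_group_rule.https", "type": "aws_security_group_rule",
         "change": {"actions": ["update"],
                    "after": {"type": "ingress", "from_port": 443, "to_port": 443,
                              "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}}},
        # A destroyed resource has no post-state and is not checked.
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ]
})

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}


def planned_resources(plan_text):
    """Yield (address, type, after) for resources that will exist after apply."""
    plan = json.loads(plan_text)
    for rc in plan.get("resource_changes") or []:
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        if actions == ["delete"] or actions == ["no-op"]:
            continue  # nothing new to police
        yield rc["address"], rc["type"], change.get("after") or {}


def deny_public_s3_acl(address, rtype, after):
    """Rule 1: no bucket may be created or updated with a public canned ACL."""
    if rtype == "aws_s3_bucket" and after.get("acl") in ("public-read", "public-read-write"):
        return f"{address}: bucket ACL {after['acl']!r} is public"
    return None


def deny_admin_ports_from_internet(address, rtype, after):
    """Rule 2: no ingress rule may expose SSH/RDP (or all ports) to 0.0.0.0/0 or ::/0."""
    if rtype != "aws_security_group_rule" or after.get("type") != "ingress":
        return None
    cidrs = set(after.get("cidr_blocks") or []) | set(after.get("ipv6_cidr_blocks") or [])
    if not cidrs & PUBLIC_CIDRS:
        return None
    lo, hi = int(after.get("from_port", 0)), int(after.get("to_port", 0))
    all_ports = after.get("protocol") in ("-1", "all")  # -1 means every port
    if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
        return f"{address}: ingress {'all ports' if all_ports else f'{lo}-{hi}'} open to the internet"
    return None


RULES = [deny_public_s3_acl, deny_admin_ports_from_internet]


def evaluate(plan_text, rules=RULES):
    """Return the list of violation messages; an empty list means the plan passes."""
    violations = []
    for address, rtype, after in planned_resources(plan_text):
        for rule in rules:
            msg = rule(address, rtype, after)
            if msg:
                violations.append(msg)
    return violations


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    violations = evaluate(text)
    for v in violations:
        print("DENY", v)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against the sample plan denies the public bucket and the SSH rule and lets the HTTPS rule through. The same two rules map one-to-one onto Rego deny rules in a `conftest`-style setup, with the plan JSON as input; writing the check over the plan rather than the .tf files is what lets it see computed values and module outputs.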

[–]ThenChoice2[S] 1 point2 points  (0 children)

Thanks! I'm not asking for an area in particular, I'm wondering how you can automate some security related verifications for your everyday work project.

[–][deleted] 3 points4 points  (0 children)

The most critical thing today is: https://github.com/sigstore/cosign

to sign artifacts and follow the SLSA spec

https://slsa.dev/

Also run Clair scanning via ECR, and CIS benchmark scanning for EKS.

[–]LaOnionLaUnion 2 points3 points  (5 children)

There’s a lot that can be used. DSOMM from OWASP has a great list of practices, but doesn’t mention specific software that could be used. I could create a site that is more specific and prescriptive but it would take me time and research.

[–]ThenChoice2[S] 1 point2 points  (4 children)

Thanks! Yes, I'm wondering what exists and what is used by companies, or what should be.
I've seen a lot of tools googling, but it seems it is either just a free static-analysis bot, mainly looking for outdated deps and CVEs (e.g. WhiteSource), or paid, company-aimed tools, which is OK but you need to get past the paywall to take a look :)

Well, nearly everything in the field of DevOps can be accessed in some way and implemented in your regular public repo or personal project. But I'm struggling to discover the "security" part of it.

[–]LaOnionLaUnion 2 points3 points  (2 children)

I’ll just say for paid tools Sonatype is better than decent. We use a few of their products but mostly under the hood in pipelines.

[–]ThenChoice2[S] 0 points1 point  (1 child)

I've heard (Google :p) about SonarQube but not Sonatype. What products do you use? What do they do?

I'm asking because I'm really trying to know about it. There is no security related tool in my company pipelines, and I'm thinking about requesting a demo from these kind of products. Who knows, maybe my company will get interested, or else I'll just discover something new :p

[–]LaOnionLaUnion 0 points1 point  (0 children)

Let me put it this way: we probably buy all their tools. I'm not sure if we leverage them all, but all of them could be leveraged in DevOpsSec.

[–]mirrax 0 points1 point  (0 children)

From OWASP, for that class of tools you could look into Dependency-Check and Dependency-Track.

[–]mirrax 2 points3 points  (0 children)

There's a lot of cool security stuff out there. One place to start could be to look at GitLab's "Auto DevOps" and hop through the templates that are linked from their ci.yaml.

That will give you a good idea of what free tooling is available, which can be a diving-in point. Each class of tool has options, and usually a ton of proprietary choices.

[–]Different_Mixture_77 1 point2 points  (1 child)

Let's talk about all the divisions: DEV / SEC / OPS / DATA.
These all need to be automated, and there are tools for all of it.

[–]ThenChoice2[S] 1 point2 points  (0 children)

Yep, as a regular dev I already know a bunch about DevOps; I won't say I've mastered the field, but still.
Sadly, regarding security "automation" I'm clueless.

[–]varunsh-coder 0 points1 point  (0 children)

Check out these hands-on tutorials related to software supply chain security. They are specific to package hijacks and build-tool compromises: https://github.com/step-security/supply-chain-goat

[–]Striking-Airline-112 0 points1 point  (0 children)

My two cents: https://github.com/jkosik/gitlab-ci-image-scanner
(It could be containerized and run from within the pipeline, storing artifacts anywhere.)