This repository shows you how to build up an enterprise-ready DevSecOps Pipeline with GitHub.
Note: for the GitHub Actions used here to work (the OWASP ZAP scan in particular, which opens issues in the repo), the workflow token needs write access: repo "Settings" -> Actions -> General -> Workflow permissions -> select "Read and write permissions".
Ref: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs and https://arinco.com.au/blog/changes-to-the-default-github_token-permissions/
Step | GitHub Action | Comments | Open Source Alternative |
---|---|---|---|
SCA: Software Composition Analysis (Dependency Checker) | CRDA | OWASP Dependency Check | |
Container Scan | Trivy | | |
DAST: Dynamic Application Security Testing | OWASP ZAP Baseline Scan | | |
License Checker | License Finder | | |
SCA (Software Composition Analysis): check that the external dependencies/libraries used by the project have no known vulnerabilities. Third-party dependency scanning is done with CRDA (Red Hat CodeReady Dependency Analytics).
Ref: https://github.com/redhat-actions/crda
Container Scan: identify vulnerabilities in the built images -> Trivy Image Scanner
Ref: https://github.com/aquasecurity/trivy-action
DAST: Dynamic Application Security Testing
OWASP (Open Web Application Security Project) ZAP (Zed Attack Proxy): the baseline scan runs passive checks only, the full scan also runs active checks against the target.
Ref: https://github.com/zaproxy/action-baseline
Ref: https://github.com/zaproxy/action-full-scan
License Checker: License Finder
Ref: https://github.com/jmservera/license-finder-action and https://github.com/pivotal/LicenseFinder
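The table and references above list the steps but not how they fit together. The workflow below is an added example, not one of this repository's own files, that wires them into one GitHub Actions pipeline. It assumes a Python project with a requirements.txt, a Dockerfile at the repo root whose container listens on port 8080, the action version pins shown, the secret names CRDA_KEY, DEFECTDOJO_URL, DEFECTDOJO_TOKEN and DEFECTDOJO_ENGAGEMENT, and that DefectDojo's /api/v2/import-scan/ endpoint is reachable from the runner; the license step runs LicenseFinder from its Docker image instead of the marketplace action.

```yaml
# Added example workflow (not part of this repository). Assumptions: Python app
# with requirements.txt, Dockerfile at repo root serving on :8080, and the
# secret names referenced below.
name: devsecops-pipeline

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for GITHUB_TOKEN: write access only where a step needs it
# (ZAP opens issues, SARIF uploads need security-events). This is what the
# "Read and write permissions" note above enables at repository level.
permissions:
  contents: read
  issues: write
  security-events: write

jobs:
  sca:
    name: SCA (CRDA)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - uses: redhat-actions/openshift-tools-installer@v1   # installs the crda CLI
        with:
          crda: "latest"
      - uses: redhat-actions/crda@v1
        with:
          manifest_path: requirements.txt
          crda_key: ${{ secrets.CRDA_KEY }}   # assumed secret name
          fail_on: error                      # break the build on high/critical only
          upload_sarif: true                  # findings appear in the Security tab

  container-scan:
    name: Container scan (Trivy)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t app:${{ github.sha }} .
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true     # no fix available yet -> do not block the build
          exit-code: "1"           # fail the job on HIGH/CRITICAL with a fix
      - uses: github/codeql-action/upload-sarif@v3
        if: always()               # upload even when the scan step failed
        with:
          sarif_file: trivy-results.sarif
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: trivy-sarif
          path: trivy-results.sarif

  dast:
    name: DAST (OWASP ZAP baseline)
    runs-on: ubuntu-latest
    needs: [container-scan]        # only test an image that passed the scan
    steps:
      - uses: actions/checkout@v4
      - name: Run the app for the scan
        run: |
          docker build -t app:${{ github.sha }} .
          docker run -d -p 8080:8080 app:${{ github.sha }}
          sleep 10                 # assumed warm-up time for the app
      - uses: zaproxy/action-baseline@v0.12.0
        with:
          target: http://localhost:8080   # assumes ZAP can reach the host port
          fail_action: true               # fail on WARN/FAIL alerts
          allow_issue_writing: true       # needs issues: write (see Note above)

  license-check:
    name: License check (LicenseFinder)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run LicenseFinder (fails on licenses not explicitly permitted)
        run: |
          docker run -v "$PWD":/scan licensefinder/license_finder /bin/bash -lc \
            "cd /scan && license_finder permitted_licenses add MIT Apache-2.0 BSD-3-Clause && license_finder"

  defectdojo-upload:
    name: Upload scan results to DefectDojo
    runs-on: ubuntu-latest
    needs: [container-scan]
    if: always()
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: trivy-sarif
      - name: Import SARIF into DefectDojo (assumed URL/token/engagement secrets)
        run: |
          curl --fail -sS -X POST "${{ secrets.DEFECTDOJO_URL }}/api/v2/import-scan/" \
            -H "Authorization: Token ${{ secrets.DEFECTDOJO_TOKEN }}" \
            -F "scan_type=SARIF" \
            -F "engagement=${{ secrets.DEFECTDOJO_ENGAGEMENT }}" \
            -F "active=true" -F "verified=false" \
            -F "file=@trivy-results.sarif"
```

The `permissions` block at the top is the per-workflow counterpart of the repository setting in the Note: repository settings cap what a workflow may ask for, and the block grants only what each step uses. Keeping `ignore-unfixed: true` with `exit-code: "1"` means the pipeline blocks on findings the team can actually act on, while the SARIF upload still records the rest.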
Note: https://github.com/alexgracianoarj/gitlab-pipeline-demo/blob/main/.gitlab-ci.yml -> example Python script that uploads scan results (JSON and SARIF report files) to DefectDojo for analysis of the scan reports.
GitHub Actions Marketplace: https://github.com/marketplace?type=actions
Workflow syntax: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions