DevSecOps - An INSECURE Repo

This repo is used for testing DevSecOps practices and tool sets, and is used for demonstration purposes only. If there is a tool you would like to see added, please submit a Feature Request Issue with the details about the tool.

This repo contains both Azure Pipeline YAML files and GitHub Actions YAML files, for comparison purposes.

The application code is based on the Microsoft eShopOnWeb sample application. This is self-contained within the Application-Source-Code directory.

Warning This repo contains code that is purposefully vulnerable and insecure. Use at your own risk!

Directories

There are several directories that contain additional/other sample code, specific to infrastructure and security pipelines.

For example, the Infrastructure-Source-Code directory, contains ARM templates, Bicep templates, and Terraform code, that is not specific to the application source code itself. The Security-Source-Code directory, contains files that include credentials and secrets, again, not specific to the application source code itself.

The Threat-Modeling directory contains examples of threat-modeling-as-code tools, which is not related to the application source code.

Pipelines

The pipelines are grouped into the following categories:

• APP - Application pipelines (ie. unit tests, builds, source code analysis, etc.)
• DATA - Data pipelines (ie. data quality tests, data migrations, ETLs, etc.)
• INFRA - Infrastructure pipelines (ie. Terraform scans, ARM/Bicep template tests, etc.)
• SEC - Security pipelines (ie. security scans, credential/secret scans, container image scans, etc.)

The GitHub Action Workflows use the pipeline categories as a prefix, for grouping purposes.

Azure DevOps (ADO) Pipelines

The following YAML-based Azure DevOps (ADO) pipelines have been created and tested.

Application Pipelines

• Unit, Integration, Functional Tests
• Build Docker Containers (using Docker Compose)
• Azure Resource Manager (ARM) Template Tool Kit (TTK)
• Azure Bicep
• SonarCloud
• WhiteSource
  • Note: This pipeline is no longer working since WhiteSource has been acquired by Mend.

Data Pipelines

• PENDING EXAMPLES / SAMPLE CODE
  • If you would like to contribute, and have some example data pipelines (ie. data quality tests, data migrations, ETLs, etc.), please submit a Feature Request Issue with the details.

Infrastructure Pipelines

Note: The majority of these are based on Terraform code

• Accurics TerraScan
• GitHub Super-Linter
• Checkmarx KICS
• Bridgecrew Checkov
• Terraform-Compliance
• TFLint
• TFSec

Security Pipelines

• Anchore
  • NOTE: Anchore is deprecated in favour of Grype
• AquaSec Trivy
• Microsoft CredScan
  • NOTE: CredScan is deprecated (as an individual tool), in favour of the Microsoft Secure Azure DevOps extension
• Microsoft Secure Azure DevOps
• OWASP ZAP
• Snyk
• YELP Detect-Secrets
• TruffleHog
• ShiftLeftScan

GitHub Actions (GHA) Workflows

The following YAML-based GitHub Actions (GHA) Workflows have been created and tested.

Application Workflows

• CodeQL Analysis
• Azure Resource Manager (ARM) Template Tool Kit (TTK) (NOT WORKING)
• Codacy

Data Workflows

• PENDING EXAMPLES / SAMPLE CODE
  • If you would like to contribute, and have some example data pipelines (ie. data quality tests, data migrations, ETLs, etc.), please submit a Feature Request Issue with the details.

Infrastructure Workflows

• Accurics TerraScan
• Checkmarx KICS
• Bridgecrew Checkov
• GitHub Super-Linter
• TFLint
• TFSec

Security Workflows

• Anchore
• AquaSec Trivy
• Microsoft Security DevOps (MSDO)
• ShiftLeftScan
• TruffleHog
• YELP Detect-Secrets

Threat Modeling Workflows

• PlantUML
• PyTM
• Threagile