Secure Your Open Source Projects For Free
Download as PPTX, PDF0 likes54 views
The document discusses various tools and practices for securing open-source projects, focusing on GitHub Advanced Security and Datree. It highlights features like code scanning, secret scanning, and dependency management, emphasizing low false positive rates and integration into developer workflows. The document also touches on the importance of policy enforcement in Kubernetes environments and the customizable nature of these security tools.
Secure Your Open Source Projects For Free
- 1. SECURE YOUR OPEN- SOURCE PROJECTS (For Free!) Davide Benvegnu DevOps Lead & YouTuber
- 2. DevOps & Infra Lead @ PlayStudios Former DevOps Architect @ Microsoft + GitHub Former MMA Fighter Davide Benvegnu @DavideBenvegnu github.com/n3wt0n linkedin.com/in/davidebenvegnu coderdave.io
- 6. Shift Left
- 7. Shift Left Tools (for today) GitHub Advanced Security Software security suite with Code Scanning, Secret Scanning, and Dependency Vulnerability prevention Datree Automated policy and best-practices checks for Kubernetes, Helm, and ArgoCD
- 8. Shift Left
- 10. The 3 flavors of Advanced Security Dependency Management Code Scanning Secret Scanning Scans projects for dependency vulnerabilities and know issues. Sends Dependabot alerts when detects vulnerabilities affecting your repository Create automatic PRs to upgrade dependencies to a non-vulnerable version (or to keep them updated) Analyze the code in a GitHub repository to find code vulnerabilities and issues. Based on CodeQL, inherited from Semmle and LGTM. Integrated into GitHub, interoperable with third-party code scanning tools that output Static Analysis Results Interchange Format (SARIF) data Scans the entire Git history on all branches in your repository for secrets. Scans for passwords, secrets, tokens, API keys, and custom patterns. Works wit 150+ 3rd party services and cloud providers to automatically disable/rotate keys
- 11. Code Scanning Supported Languages Code Scanning / CodeQL supports both compiled and interpreted languages • C/C++ • C# • Go • Java • JavaScript/TypeScript • Python • Ruby Quality of Results • Fairly low false positive ration • Can catch issues other tools may not Customizable • Based on CodeQL queries, regularly updated, • Open source: https://github.com/github/codeql • Write your own queries • Publish a CodeQL query pack (beta) to GHCR (self- contained) • Create a QL pack in a repository Configurable • Default config is usually “good enough” • Custom config file • Disabled default queries • Specifying CodeQL query packs • Specifying additional queries
- 12. Datree
- 13. Datree Supports kubectl manifests, Helm charts, and ArgoCD Prevents misconfigurations to reach your deployment targets by enforcing policies and best practices. Performs YAML validation, k8s schema validation, and policy check
- 14. Let’s see them in action
- 15. Conclusions
- 16. Is it perfect? No, but… • Code Scanning: Low false positive rate • Code Scanning: New languages added regularly • Code Scanning: SARIF compatibility • GHAS: Good all-around tool • Datree: Integrated in the workflow • Datree: great support • Datree: super easy to use and customize
- 17. Recap: GitHub Advanced Security • Extensible framework for code scanning • Integrated within the developer workflow • Backed by industry-leading CodeQL engine • Customizable and Configurable • Integrated with GitHub features Product Synergy
- 18. Recap: Datree • Policy and Best Practices enforcement • Integrated within the developer workflow • Customizable and Configurable • Policy-as-Code support • Validates “anything Kubernetes” No more misconfiguration
- 19. Videos