
Automation for Security Teams

In a Nutshell
What will I learn?

In this tutorial, we will create a CI workflow focused on code security checks using Autoworx. This workflow will help ensure that your code adheres to best practices and is free from potential security vulnerabilities.

Securing Your Code with worX

What you'll need

Software & Services

GitLab repository

  • A GitLab account and repository to set up your CI/CD pipeline.
  • A GitLab repository with sample Python code and Infrastructure as Code (IaC) files. You can fork the Autoworx CI/CD examples repository.
  • A .gitlab-ci.yml file in your repository, which we will be configuring with Autoworx security jobs.

Tutorial

In this tutorial, we will walk through the process of setting up various security jobs in GitLab CI/CD using Autoworx snippets. These jobs will help ensure that your Python code and IaC files are free of security vulnerabilities.

Autoworx Security Jobs

The following security jobs will be added to your GitLab CI/CD pipeline:

Bandit (Python Security)

Run a security check on the Python code to identify potential vulnerabilities. This step helps protect your application from security risks and ensures compliance with security standards. We use bandit, a popular Python static analysis tool, to scan the codebase for common security issues.


Container Security (Trivy)

Scan the built Docker image for security vulnerabilities. This step ensures that the application's runtime environment, including the base OS and third-party packages, is free from known security issues. We use Aqua Trivy, a comprehensive vulnerability scanner for containers and other artifacts, to scan the Docker image.


TFSec (Terraform Security)

Scans your Terraform code for security vulnerabilities using the TFSec static analysis tool. This step helps ensure that your infrastructure as code (IaC) complies with security best practices and standards. TFSec checks for common misconfigurations, insecure settings, and other issues that may pose security risks. The job is configured with the TERRAFORM_CODE_PATH variable pointing to the Terraform code directory.


Terrascan (Terraform Security)

Performs security and compliance scans on your Terraform code using the Terrascan open-source scanner. This step helps you identify potential security risks and compliance violations in your IaC. Terrascan supports a wide range of policies and integrates with various security standards. The job is configured with the TERRAFORM_CODE_PATH variable pointing to the Terraform code directory.


Checkov (IaC Security)

Scans your infrastructure as code (IaC) files for security vulnerabilities and compliance issues using the Checkov static analysis tool. This step helps ensure that your IaC files adhere to security best practices and meet compliance requirements. Checkov supports multiple IaC languages, including Terraform, and is integrated with GitLab CI to provide detailed reports. The job is configured with the IAC_CODE_PATH variable pointing to the IaC code directory.


Gitleaks (Secrets Detection)

Scans your Git repository for leaked secrets using the Gitleaks scanner. This step helps protect sensitive data from accidental exposure and ensures compliance with data protection regulations. Gitleaks checks for API keys, passwords, and other sensitive information that may be accidentally committed to your Git repository.


Sample GitLab CI/CD configuration

.gitlab-ci.yml
# This sample GitLab CI/CD configuration is part of the Autoworx tutorial
# and demonstrates a complete CI workflow for various security-related tasks.
# The pipeline provides security scans for Python code, Terraform code,
# Infrastructure-as-Code files, and Git repositories.
#
# The pipeline consists of the following stages:
# - security: Run security checks on Python and IaC files, scan Git repositories for secrets
# - container-security: Scan the Docker image for security vulnerabilities
#
# The pipeline includes several jobs from external templates, such as bandit,
# tfsec, terrascan, checkov, and gitleaks.
#
# The pipeline produces various artifacts, such as security scan results.
# These artifacts expire after 1 week.
#
# Sample Python code, Dockerfile, and IaC files used in this tutorial can
# be found in the public repository at:
# https://gitlab.com/hestio-community/autoworx/autoworx-cicd-examples

stages:
  - security
  - container-security

include:
  - project: 'hest-io/hestio-product/hestio-worx/autoworx/ci/templates'
    file:
      - 'Jobs/Python/python-bandit.gitlab-ci.yml'
      - 'Jobs/Docker/docker-container-security.gitlab-ci.yml'
      - 'Jobs/Terraform/terraform-terraascan.gitlab-ci.yml'
      - 'Jobs/Terraform/terraform-tfsec.gitlab-ci.yml'
      - 'Jobs/IaC/iac-checkov.gitlab-ci.yml'
      - 'Jobs/IaC/iac-secret-detection.gitlab-ci.yml'

# Python static analysis (Bandit) on the sample application code
bandit-security:
  stage: security
  variables:
    PYTHON_CODE_PATH: "python/*.py"

# Trivy scan of the image built from the examples repository
container-security:
  stage: container-security
  variables:
    DOCKER_IMAGE: "registry.gitlab.com/hestio-community/autoworx/autoworx-cicd-examples:latest"

# IaC scanners; allow_failure keeps findings from blocking the pipeline
tfsec_scan:
  stage: security
  variables:
    TERRAFORM_CODE_PATH: "terraform/"
  allow_failure: true

terrascan:
  stage: security
  variables:
    TERRAFORM_CODE_PATH: "terraform/"
  allow_failure: true

iac_checkov:
  stage: security
  variables:
    IAC_CODE_PATH: "terraform/"
  allow_failure: true

# Secret detection over the repository history
gitleaks_scan:
  stage: security
  allow_failure: true
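The templates above keep scan results as pipeline artifacts, and several jobs run with allow_failure: true, so findings do not stop the pipeline by themselves. As an added example (not Autoworx's or the examples repository's code), the following gate reads a Bandit JSON report in a follow-up job and fails on high-severity, at-least-medium-confidence findings; it assumes the bandit-security job ran Bandit with its -f json -o option, which the page does not show.

```python
"""Severity gate over a Bandit JSON report (added example, not Autoworx code).
Assumes the bandit-security job wrote its report with Bandit's `-f json -o`
options (not shown on the page) and kept it as a pipeline artifact."""
import json
from collections import Counter

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample in Bandit's JSON report layout (only the keys used here).
SAMPLE_REPORT = """{
  "results": [
    {"filename": "python/app.py", "line_number": 12, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified"},
    {"filename": "python/app.py", "line_number": 30, "test_id": "B105",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password"},
    {"filename": "python/util.py", "line_number": 4, "test_id": "B311",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Standard pseudo-random generators are not suitable for security"}
  ]
}"""

def blocking_findings(report_text, min_severity="HIGH", min_confidence="MEDIUM"):
    """Findings at or above both thresholds, sorted by file and line."""
    report = json.loads(report_text)
    sev, conf = SEVERITY_RANK[min_severity], SEVERITY_RANK[min_confidence]
    hits = [r for r in report.get("results", [])
            if SEVERITY_RANK.get(r["issue_severity"], 0) >= sev
            and SEVERITY_RANK.get(r["issue_confidence"], 0) >= conf]
    return sorted(hits, key=lambda r: (r["filename"], r["line_number"]))

def severity_counts(report_text):
    """Per-severity totals for the job log summary."""
    return Counter(r["issue_severity"]
                   for r in json.loads(report_text).get("results", []))

def gate(report_text, **thresholds):
    """Print blocking findings; return 1 if any exist (job exit code), else 0."""
    hits = blocking_findings(report_text, **thresholds)
    for r in hits:
        print(f"{r['filename']}:{r['line_number']} {r['test_id']} "
              f"[{r['issue_severity']}/{r['issue_confidence']}] {r['issue_text']}")
    print("totals:", dict(severity_counts(report_text)))
    return 1 if hits else 0

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    sys.exit(gate(open(path).read() if path else SAMPLE_REPORT))
```

Run it as a `needs: [bandit-security]` job with the report path as its argument; the non-zero exit code fails that job even though the scanner job itself stays allow_failure.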


TL;DR

This tutorial guided you through setting up a security-focused GitLab CI/CD pipeline using Autoworx for a Python-based application. The pipeline includes code analysis, container scanning, and IaC checks, ensuring your application remains secure during development.


Want to find out more?

At Hestio, we have taken our experience with designing and building on cloud to codify these patterns and made them available as a low-code pattern library for AWS. Why spend time and effort on reinventing the wheel when it's already a solved problem? Would you start developing office productivity software in a world where Microsoft Office already exists?

If you'd like to find out about worX, our low-code patterns library for AWS, you can read more here or get in touch today to schedule a demo.

If you'd like to find out more about the products and services Hestio has to offer, select one of the options below.