Note: If you ever get lost, go back to the first part of the series. It's important to take things one step at a time. ~GD
Welcome to the second part of How to Build a DevSecOps Pipeline in AWS. In this part, I will focus on each of the DevSecOps stages in detail and on how to check the test results (artefacts). Before starting, let's do a recap. In Part 1, you built a DevSecOps CI/CD pipeline using AWS native developer tools such as CodePipeline, CodeBuild & CodeCommit. The entire provisioning was done with a CloudFormation stack.
Everything is covered from scratch, so you won't have any difficulty following along. If anything needs clarification, drop me a note on LinkedIn. Feel free to explore the sections at your own pace and skip to the one that is relevant to you.
This series is split into two parts (listed below), with simple, clear instructions for provisioning a CI/CD pipeline in AWS that adheres to DevSecOps principles.
The CodePipeline security validation stages perform static code analysis on the committed code whenever developers add a new piece of code.
Click here to open the AWS CodePipeline console; change the region if you ran the DevSecOps master template in a different region. Navigate to the required pipeline. To check the build details & artefacts, click on Details as shown above. It takes you to the build status page of that stage, which looks similar to the screenshot below.
You can navigate through the tabs to check for:
1.1 How to check the Build Artefacts or Test Results?
To check the test results or artefacts, switch to the Build Details tab. Scroll down a little to the Artifacts section, as shown below. It contains a hyperlink to the artefacts stored in S3. Click the link to open the S3 location and download them.
Note: You can check the artefacts only for SAST-Check and DAST-Check [Check Section 2 below]. Always download the latest artefacts after a successful build.
1.2 How to check the Code Build Reports
In the SCA-Check report, you can check the third-party libraries used in the project and whether they are vulnerable or not. In the IaC-Check report, you can validate whether your CloudFormation templates contain vulnerable resources.
Note: Applicable only to the SCA-Check and IaC-Check builds, whose JUnit artefacts are converted into AWS CodeBuild Reports.
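CodeBuild only turns a scan into a report when the build writes it in a format CodeBuild understands, such as JUnit XML. The following is an added example, not the article's or the pipeline's own code: it converts a list of third-party library findings into a JUnit XML file, with one test case per library and a failure element for each vulnerable one. The finding shape and library names are constructed for illustration; the SCA tool the pipeline actually uses is not named here.

```python
"""Convert SCA findings into a JUnit XML report that AWS CodeBuild can ingest.

Added example; not the article's pipeline code. The finding dictionaries below
are constructed for illustration and do not mirror any particular SCA tool.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample findings: one entry per third-party library in the project.
SAMPLE_FINDINGS: List[Dict] = [
    {"library": "example-http-client", "version": "1.2.0", "vulnerable": True,
     "severity": "HIGH", "advisory": "PLACEHOLDER-ADVISORY-1"},
    {"library": "example-json-parser", "version": "3.0.1", "vulnerable": False},
    {"library": "example-template-engine", "version": "0.9.4", "vulnerable": True,
     "severity": "CRITICAL", "advisory": "PLACEHOLDER-ADVISORY-2"},
]


def findings_to_junit(findings: List[Dict], suite_name: str = "sca-check") -> str:
    """Build a JUnit <testsuite> where every library is a test case.

    A vulnerable library becomes a failed test case, so the CodeBuild report
    shows the vulnerable dependencies as failures with their severity.
    """
    suite = ET.Element("testsuite", name=suite_name, tests=str(len(findings)))
    failures = 0
    for finding in findings:
        case = ET.SubElement(
            suite, "testcase", classname=suite_name,
            name=f"{finding['library']}@{finding['version']}",
        )
        if finding.get("vulnerable"):
            failures += 1
            failure = ET.SubElement(
                case, "failure",
                message=f"{finding.get('severity', 'UNKNOWN')} vulnerability",
                type="vulnerable-dependency",
            )
            failure.text = f"advisory: {finding.get('advisory', 'n/a')}"
    suite.set("failures", str(failures))
    return ET.tostring(suite, encoding="unicode")


def write_junit_report(findings: List[Dict], path: str) -> str:
    """Write the JUnit XML to disk so a buildspec `reports` section can pick it up."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n')
        fh.write(findings_to_junit(findings))
    return path


def count_failures(xml_text: str) -> int:
    """Read back the failure count from a JUnit document (used to verify the output)."""
    return int(ET.fromstring(xml_text).get("failures", "0"))


if __name__ == "__main__":
    report_path = write_junit_report(SAMPLE_FINDINGS, "sca-report.xml")
    print(f"wrote {report_path} with {count_failures(findings_to_junit(SAMPLE_FINDINGS))} failures")
```

In CodeBuild, the file written by `write_junit_report` is picked up through the `reports` section of the buildspec with `file-format: JUNITXML`, which is what turns the artefact into the report you see in the Reports tab.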
Once all the above security stages succeed, the pipeline moves to the next AWS CodePipeline phase, where a pre-prod environment is initialised by creating & executing a CloudFormation change set; you can see something similar to the screenshot below. This pre-prod environment hosts a sample Java application in an AWS Auto Scaling group. It is the same sample application stored in the AWS CodeCommit repository, deployed using AWS CloudFormation.
The application is exposed to the internet through an AWS Application Load Balancer. The ALB URL is passed to the DAST AWS CodeBuild stage as an environment variable. Dynamic Application Security Testing is performed against that URL; it generates a report and fails the stage if it finds medium or high vulnerabilities. If the DAST AWS CodeBuild stage is successful, the pipeline moves to the prod-approval stage, which requires manual approval.
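The gate described above (medium or high findings fail the DAST stage) is worth seeing as a small piece of code, so here is an added example that is not the article's own pipeline code. It reads the target URL from an environment variable, checks that it is an http(s) URL before anything is scanned, and turns the scanner's alert list into a pass/fail decision with a non-zero exit code so CodeBuild marks the stage failed. The variable name `TARGET_URL`, the severity names and the alert JSON shape are assumptions; the report below is constructed and is not real scanner output.

```python
"""Severity gate for the DAST CodeBuild stage.

Added example; not the article's code. Assumptions: the previous stage passes the
ALB URL in the TARGET_URL environment variable, and the scanner writes a JSON
report with an "alerts" list carrying a "severity" field.
"""
import json
import os
import sys
from collections import Counter
from typing import Dict, Tuple
from urllib.parse import urlparse

# Lowest severity that fails the stage, following the article's medium-or-high rule.
FAIL_THRESHOLD = "medium"
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "target": "http://example-alb.placeholder.invalid",
    "alerts": [
        {"name": "Missing Content-Security-Policy header", "severity": "Low", "url": "/"},
        {"name": "Cookie without HttpOnly flag", "severity": "Medium", "url": "/login"},
        {"name": "Server version disclosed", "severity": "Informational", "url": "/"},
    ],
})


def is_valid_target_url(raw: str) -> bool:
    """Accept only absolute http(s) URLs; anything else is rejected before scanning."""
    parsed = urlparse(raw or "")
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def target_url_from_env(name: str = "TARGET_URL") -> str:
    """Read the ALB URL handed over by the pre-prod stage and validate it."""
    raw = os.environ.get(name, "")
    if not is_valid_target_url(raw):
        raise ValueError(f"{name} must be an absolute http(s) URL, got {raw!r}")
    return raw


def severity_counts(report_text: str) -> Dict[str, int]:
    """Count alerts per severity, normalising case so 'Medium' and 'medium' match."""
    report = json.loads(report_text)
    return dict(Counter(a["severity"].strip().lower() for a in report.get("alerts", [])))


def gate(report_text: str, threshold: str = FAIL_THRESHOLD) -> Tuple[bool, Dict[str, int]]:
    """Return (passed, blocking_counts). Unknown severities block, so the gate fails closed."""
    limit = SEVERITY_RANK[threshold]
    blocking = {
        sev: n for sev, n in severity_counts(report_text).items()
        if SEVERITY_RANK.get(sev, max(SEVERITY_RANK.values()) + 1) >= limit
    }
    return (len(blocking) == 0, blocking)


def main() -> int:
    target = target_url_from_env()
    report_path = os.environ.get("DAST_REPORT", "dast-report.json")  # assumed file name
    with open(report_path, encoding="utf-8") as fh:
        passed, blocking = gate(fh.read())
    if not passed:
        print(f"DAST against {target} found blocking findings: {blocking}")
        return 1  # non-zero exit makes CodeBuild mark the stage as failed
    print(f"DAST against {target} passed the {FAIL_THRESHOLD}-or-higher gate")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The threshold is a constant rather than a scanner flag so the pipeline's policy lives in one place, and an alert whose severity the script does not recognise counts as blocking rather than being silently ignored.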
Once approved, it goes to the production deployment, which is out of scope for this tutorial. As I mentioned earlier, readers can explore this by themselves: create a replica of the pre-prod environment to host the same sample application and bring up the production environment.
We have come a long way. Kindly share and help me on my mission to educate and familiarise people with the world of digitisation 💪 #This is a free tutorial and all my upcoming tutorials will be free and accessible from public forums# I'd appreciate it if you drop me a note on LinkedIn & share your opinion. Don't worry, I don't bite 👻 so don't shy away 🏃🏻♀️ 🏃🏻. Your feedback will help me come up with more awesome content on the internet.