Practical_Notes_DevSecOps
Here are some notes and commands used during the workshop.
Created with ❤ by NAJIM Ayoub for ENSA MARRAKECH students.
SCA — Dependency Analysis
First we clone the repo of our vulnerable project, “WebGoat”:
git clone [Link]
Let’s download OWASP Dependency-Check using the wget command:
wget [Link]
-[Link]
After unzipping the “[Link]” archive, we scan our WebGoat repo using the command below:
cd dependency-check-7.4.4/bin
./[Link] --scan ~/WebGoat/ --format JSON --out ~/WebGoat/report_owasp_dependency_check.json
Practical_Notes_DevSecOps 1
We use the following command to display the report content:
cat ~/WebGoat/report_owasp_dependency_check.json | jq .
SAST — Secret Scan
First we clone the scanner repo, “repo-supervisor”:
git clone [Link]
Because the tool needs Node.js and npm as requirements, we install them as below:
sudo apt update
sudo apt install nodejs npm
node --version   # the workshop uses Node.js 14; check that the installed version matches
Then we run the commands :
cd repo-supervisor
npm ci && npm run build
JSON_OUTPUT=1 node ./dist/[Link] ~/WebGoat/ >> ~/WebGoat/repo-supervisor_output.json
DAST
We use Dastardly as below to test our target: [Link]
docker run --user $(id -u) --rm -v $(pwd):/dastardly -e \
DASTARDLY_TARGET_URL=[Link] -e \
DASTARDLY_OUTPUT_FILE=/dastardly/[Link] \
[Link]/portswigger/dastardly:latest
CI/CD Pipeline
---
image: docker:latest # To run all jobs in this pipeline, use a latest docker image
services:
  - docker:dind

stages:
  - build
  - test
  - release
  - preprod
  - integration
  - prod

sca:
  stage: build
  before_script:
    # Alpine (docker:latest) package names for pip and requests, needed by the upload script
    - apk add py3-pip py3-requests
  script:
    # We are going to pull the owasp/dependency-check image
    - docker pull owasp/dependency-check
    # Let's run the scan; the report is written under /src so it lands in the runner's
    # working directory and can be collected as an artifact
    - >
      docker run --rm -v $(pwd):/src owasp/dependency-check
      --scan /src --format JSON --out /src/owasp_dependency_check.json
  after_script:
    # Upload the report to DefectDojo
    - >
      python3 [Link] --host $DOJO_HOST --api_key $DOJO_API_TOKEN
      --engagement_id 3 --product_id 1 --lead_id 1 --environment "Production"
      --result_file owasp_dependency_check.json --scanner "SCA Scan"
  artifacts:
    paths: [owasp_dependency_check.json]
    when: always
  allow_failure: true

sast-secrets-scanning:
  # no stage is given, so GitLab runs this job in the default "test" stage
  script:
    # no -it here: CI jobs have no TTY, so docker run would fail with "not a TTY"
    - >
      docker run --rm -v $(pwd):/opt/scan_me repo-supervisor
      /bin/bash -c "source ~/.bashrc && JSON_OUTPUT=1 node /opt/repo-supervisor/dist/[Link] /opt/scan_me"
      >> repo-supervisor_output.json
  artifacts:
    paths: [repo-supervisor_output.json]
    when: always
  allow_failure: true

dast-dastardly:
  stage: integration
  script:
    - >
      docker run --user $(id -u) --rm -v $(pwd):/dastardly
      -e DASTARDLY_TARGET_URL=[Link]
      -e DASTARDLY_OUTPUT_FILE=/dastardly/[Link]
      [Link]/portswigger/dastardly:latest
  artifacts:
    paths: [[Link]]
    when: always
  allow_failure: true
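As an added example (not part of the workshop notes or of any of the tools above), the Python below reads the Dependency-Check JSON report produced in the SCA step (the file shown with jq, and the owasp_dependency_check.json artifact of the sca job) and returns the findings at or above a severity threshold, so a pipeline job can fail the build instead of relying on allow_failure: true. The field names follow the Dependency-Check JSON report schema (dependencies[].vulnerabilities[].severity and cvssv3.baseScore); the embedded sample report, its library names and its CVE ids are constructed placeholders.

```python
"""Gate a CI job on an OWASP Dependency-Check JSON report (added example)."""
import json
import sys

# Severity strings as Dependency-Check writes them in the report JSON
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report, shaped like the real JSON output (CVE ids are placeholders)
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "clean-lib-2.0.jar"},  # dependency with no findings
    ],
})


def findings_at_or_above(report_json, threshold="HIGH"):
    """Return (fileName, vuln name, severity, CVSSv3 score) for findings at or above threshold."""
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold.upper()]
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):  # key is absent when nothing was found
            sev = vuln.get("severity", "").upper()
            if SEVERITY_RANK.get(sev, 0) >= min_rank:
                score = vuln.get("cvssv3", {}).get("baseScore")
                hits.append((dep.get("fileName"), vuln.get("name"), sev, score))
    return hits


def gate(report_json, threshold="HIGH"):
    """CI exit code: 0 when nothing reaches the threshold, 1 otherwise (hits are printed)."""
    hits = findings_at_or_above(report_json, threshold)
    for file_name, name, sev, score in hits:
        print(f"{sev:<8} {str(score):<5} {name:<18} {file_name}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python3 sca_gate.py owasp_dependency_check.json [HIGH|CRITICAL|...]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data, sys.argv[2] if len(sys.argv) > 2 else "HIGH"))
```

In the sca job it would run as a script step after the scan, replacing allow_failure: true with a real pass/fail decision.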