👨🏾‍🤝‍👨🏻 💐 👩🏻‍🤝‍👨🏾 DevSecOps. PT Application Inspector in software development: release blocking 👩🏼‍🎨 ™️ 👃🏽

Hello everyone! My name is Timur Gilmullin, I work in the technology and development process department at Positive Technologies. Informally, we are called the DevOps department, and our guys are engaged in the automation of various processes and help programmers and testers work with product pipelines.

, PT Application Inspector . - CI/CD-, CI-. PT Application Inspector — .

DevSecOps- , PT Application Inspector CI- ;
Security Gates, - GitLab;
, .

DevSecOps Positive Technologies

DevSecOps CI/CD- . , PT Application Inspector .

DevSecOps pipeline in Positive Technologies: a secure cyclical process of development, assembly, deployment, testing, promotion, publishing, installing updates, collecting telemetry and monitoring — DevSecOps- Positive Technologies: , , , , , , ,

CI/CD- . (Developing), git-, GitLab CI (Unit-Testing + Building). (Deploying) (Functional Testing). Artifactory (Promoting), GUS FLUS- (Publishing GUS/FLUS). (Installing/Updating). (Collecting telemetry), (Monitoring) (User's feedback). .

Security- , , , . . , . , PT Application Inspector, — , . CI/CD- , MaxPatrol.SIEM - PT Application Firewall.

, DevSecOps, , , . - « » — . , , .

PT Application Inspector Positive Technologies

, . , , DevOps-, . . DevSecOps Positive Technologies.

DevSecOps-, CI- PT Application Inspector , , . , , ; -, DevSecOps- PT Application Inspector .

SAST/DAST/IAST- CI- , ( shift-left).
— . .
PT Application Inspector « », «» — CI- — , .
DevSecOps . PT Application Inspector DevSecOps, CI/CD-. Positive Technologies , , .

PT Application Inspector CI-

Scanner PT Application Inspector in CI infrastructure — PT Application Inspector CI-

DevOps.BuildAgent —
Docker.Linux.AISA.Latest/TAG — - AISA,
AI.Agent —
AI.Server — PT Application Inspector
DevOps.GitLab —
DevOps.GitLab-CI — CI-
DevOps.Artifactory —
Docker.Registry — -
Docker.Linux.AISA — AISA ( - )
AI.Shell Agent — AISA, -, API PT Application Inspector
BuildAgent.Console —
WorkingDirectory — , ,

, . PT Application Inspector . GitLab CI. GitLab , AISA .

AISA — Application Inspector Shell Agent. API PT Application Inspector. AISA -, «» .

- AISA CI-, CI- DevOps-. docker registry Artifactory. - AISA.

CI-. :

:

● PT Application Inspector;

● .
:

● CI- AISA ( -).
:

● ;

● AISA.
CI-:

●      GitLab CI;

●      TeamCity;

●      ( CLI AISA).

PT Application Inspector , - CI- .

PT Application Inspector

— , . , , () . , , . AISA. , , .

Typical steps in the product assembly process

GitLab.
.
build-on-server, . — CI-. build-on-server , , CI- CI-.
AISA. .
.
, .
. , .
.
AISA- , .
Security Gates. Code Quality Status — 0, , 1, .
Code Quality Status 0, , . 1 , — .
Artifactory. .
Security Gates GitLab CI - GitLab. , .

, . , AISA GitLab CI.
, — PT Application Inspector , , . GitLab CI, downstream pipelines, . , , .
, , - GitLab, , , - , Security Gates ( Code Quality Gates SonarQube).
git. , -, - .

Security Gates:

, , Security Gates - GitLab.

Security Gates — , CI-, : - .

«» Artifactory — -BANNED , , Security Gates.

yaml-, :

threats mapping — GitLab ( ) PT Application Inspector ( ). , . , , GitLab Potential, Low, Medium Info.
security gates — . , - . , . , .

Security Gates . , . .

Example of "footcloths" of messages from SonarQube in the GitLab merge request thread — «» SonarQube - GitLab

SonarQube GitLab — codequality. , -, , . , «» , legacy-, . , .

, , , -. , CI- AISA GitLab CI.

Security Gates:

, Security Gates, Code Quality Status 0 (Passed). - , GitLab ( ) . , , HTML- GitLab CI TeamCity, .

, Security Gates, — Code Quality Status 1 (Failed) - Draft .

, , , Security Gates , .

-: .

TeamCity -«», AISA-. HTML- TeamCity, (Tab reports), .

, TeamCity - GitLab.

, Security Gates — Code Quality Status — .

Security Gates:

, PT Application Inspector . , . , . GitLab CI.

CI- , . - , . .

— . , Security Gates -, .

, .gitlab-ci.yml .

Security Gates: Information mode

GitLab CI, (AI Information Mode).

, :

- (Unit tests);
(Build);
(Upload to registry).

GitLab CI gitlab-ci.yml include. :

(Start AI Scan);
AISA (AI-Scanning);
— (Send info);
— AISA (AI Scan Report);
Security Gates, — Code Quality Status (0, Passed / 1, Failed) — ;
(Send emails).

, -.

Security Gates: Lock mode

(AI Lock Mode) — . , (include) , , .

, : (running). , Security Gates - GitLab . , .

Security Gates: Strictest mode

, , (AI Strictest Mode) — . , , , (Approve build). , , Security Gates, , -. - (Draft).

, .

git Security Gates

git-flow :

master — ;
develop — -;
feature — ;
release — , .

- , . , - .

feature- (Information mode). - feature- develop . PT Application Inspector.
develop- (Strictest mode), Security Gates. . , - , .
release- (Lock mode) - master, develop.
master- (Information mode), , , , .

: Security Gates -

2021 . DevSecOps-. , Security Gates , , - Application Inspector .

Open Source dohq-ai-best-practices

GitLab CI TeamCity, PT Application Inspector Open Source dohq-ai-best-practices MIT-. :

PT Application Inspector CI.
PT Application Inspector.
Dockerfile AISA- Windows Linux.
GitLab CI TeamCity - .

DevOps

CI :

« : Continuous Integration» (2016)
« : Positive Technologies DevOps» (2017)
« -» (2018)
« : » (2019)
« : DevOps» (2020)
«DevSecOps: PT Application Inspector » (2020)
« DevOps Positive Technologies» (2021)

, . . :)

: — Positive Technologies. PT Application Inspector DevOps-, Open Source.

: — CI- . PT Application Inspector CI- Open Source.

DevSecOps . : , , , PT Application Inspector, , DevOps Positive Technologies PT Application Inspector , :)

DevSecOps. PT Application Inspector in software development: release blocking

DevSecOps Positive Technologies

PT Application Inspector Positive Technologies

PT Application Inspector CI-

PT Application Inspector

Security Gates:

Security Gates:

Security Gates:

Security Gates: Information mode

Security Gates: Lock mode

Security Gates: Strictest mode

git Security Gates

: Security Gates -

Open Source dohq-ai-best-practices

DevOps

More articles: