1 of 11

Mentee : Aviral Srivastava

Mentor : Santosh Kumar

CODE4GovTECH 2023

Midpoint Showcase

Sunbird DevOps - Implementing Code Security and Container Image Vulnerability Scanning

2 of 11

Table of Contents

  1. Introduction
  2. Project Description
  3. Scope of Project
  4. Milestones Planned
  5. Milestones Achieved
  6. Live Demo
  7. Learnings from project

3 of 11

About Sunbird DevOps

Introduction

  1. Sunbird is a set of configurable, extendable, modular building blocks for learning and human development designed for scale.
  2. SunbirdEd is a scalable open-source learning solution for teachers and tutors.
  3. Sunbird DevOps is the collection of technologies, processes and practices needed to run Sunbird in a production environment.
  4. The deployment design and software choices have been motivated by the need to run Sunbird in a highly available, reliable and scalable setup, with higher levels of automation being favoured.

4 of 11

Reasons behind choosing this project

  • Interest in the security side of development.

  • Exposure to the workings of a large-scale project that impacts millions of lives.

  • Familiarity with the tech stack being used.

5 of 11

Project Description

Code Security and container image vulnerability scanning

Why do we need Code and Container Security?

  • Preventing Vulnerabilities: Open-source projects are often accessible to a wide range of contributors, including malicious actors. Code and container security help identify and address vulnerabilities early in the development process, reducing the risk of introducing security flaws.

  • Protecting Users: Large open-source projects are used by a vast number of users worldwide. Ensuring code and container security helps protect these users from potential security breaches and data leaks.

  • Building Trust: Security-conscious users and organizations are more likely to trust and adopt an open-source project that demonstrates a commitment to security best practices. Code and container security measures enhance the reputation and credibility of the project.

  • Preventing Supply Chain Attacks: Open-source projects often rely on external dependencies, libraries, and container base images. Code and container security help limit supply chain risk by detecting known vulnerabilities in these dependencies and base images before they reach production.

6 of 11

Project Impact

  • Enhanced Security Posture: By integrating security checks into the CI/CD pipeline, the project can identify and address security vulnerabilities early in the development process. This proactive approach helps in building a more secure software product and reduces the risk of security breaches.

  • Faster Vulnerability Remediation: CI/CD pipelines with automated security scanning enable faster identification of vulnerabilities. When a security issue is detected, the development team can quickly address it before the code progresses further, leading to quicker vulnerability remediation.

  • Consistent Security Measures: Implementing code and container security as part of the CI/CD process ensures that security checks are consistently applied to every code change or container update. This consistency helps maintain a high level of security across the entire project.

7 of 11

Milestones Planned

  • Understanding the requirements - analyze the requirements for code and container security. This involves understanding the current development environment, the CI/CD pipeline, and the specific security needs of the project.
  • Research on the tools needed - identify the most suitable tools for code and container security.
  • Setting up the tools -

a) SAST and SCA tools setup

b) Container image scanning tools setup

  • Integration of the tools - integrate the code and container security tools into the CI/CD pipeline.
  • Testing - testing the implemented code and container security measures is crucial to ensure their effectiveness and reliability. The testing phase includes the following aspects:

a) Security scanning tests

b) Integration tests

c) False positive/negative analysis
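The planned steps above (SAST/SCA setup, container image scanning, integration into CI/CD, and a gate that fails the build) as one GitHub Actions workflow. This is an added example written for this page, not a workflow taken from the Sunbird DevOps repository. It assumes a `sonar-project.properties` at the repository root (with `sonar.projectKey` and `sonar.organization` set), a repository secret named `SONAR_TOKEN`, a `Dockerfile` at the root, and the local image tag `local/app`; all of those names are assumptions.

```yaml
# .github/workflows/security-scan.yml
# Added example: not Sunbird's own workflow. Secret name, image tag and
# Dockerfile location are assumptions.
name: Code and container security scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab

jobs:
  sast-sca:
    name: SAST and SCA
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history lets Sonar compute "new code" metrics

      # SAST: static analysis of the source with SonarCloud.
      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # assumed secret name

      # SCA: known-vulnerable dependencies found in lockfiles/manifests.
      - name: Trivy dependency scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          exit-code: '1'          # fail the job on fixable CRITICAL/HIGH findings

  container-scan:
    name: Container image scan
    runs-on: ubuntu-latest
    needs: sast-sca
    steps:
      - uses: actions/checkout@v4

      # Build locally and scan before anything is pushed to a registry.
      - name: Build image
        run: docker build -t local/app:${{ github.sha }} .

      # Full report in the job log, non-blocking, for triage.
      - name: Trivy report (all severities)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: local/app:${{ github.sha }}
          format: table
          exit-code: '0'

      # SARIF so findings appear in the repository's Security tab.
      - name: Trivy SARIF
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: local/app:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          exit-code: '0'

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

      # The gate: fixable CRITICAL/HIGH CVEs in OS packages or app libraries
      # fail the job. CVE IDs listed in a .trivyignore file at the repo root
      # (one per line) are skipped, which is where confirmed false positives go.
      - name: Trivy gate
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: local/app:${{ github.sha }}
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH
          exit-code: '1'
```

Two design choices worth knowing about when doing the false positive/negative analysis: `ignore-unfixed: true` keeps the gate actionable (a build cannot be fixed by bumping a package that has no fixed version yet), but it is also a deliberate source of false negatives, so the non-blocking table step still reports those findings; and a `.trivyignore` entry should carry a review comment and an expiry, otherwise suppressed CVEs are never revisited.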

8 of 11

Milestones Achieved

  • Understanding project workflow.

  • Reviewed the Sonar scanning already integrated for code scanning, and explored the Sonar toolset: SonarQube, SonarCloud, SonarLint and SonarScanner.

  • Exploring tools for Container Security

  • Testing GitHub Actions for Container Security - Snyk, Trivy, and Anchore.

  • Integrated Container security workflows with GitHub Actions

9 of 11

Demo

10 of 11

Project Learnings

  • Gained insights about the domain, scope and functioning of the project.

  • Learnt about SAST and SCA tools.

  • Learnt about the Sonar ecosystem - SonarQube, SonarCloud, SonarLint and SonarScanner.

  • Learnt about writing more secure code.

  • Learnt about container security and its best practices.

  • Gained more insights about the workflow tools used in automation and deployment, such as CircleCI and GitHub Actions.

11 of 11

Thank You