DevSecOps with Tekton and OpenShift

Incoming call from… CISO

DevOps + Sec = Dev Sec Ops

Use Case

.
├── app
│   ├── Dockerfile
│   ├── app.py
│   └── requirements.txt
└── kubernetes
    ├── base
    │   └── be
    │       ├── deployment-config.yaml
    │       ├── image-builder.yaml
    │       └── service.yaml
    └── kustomization.yaml
Frontend and Backend pipeline
# Deploy the simple (no security steps) Tekton pipeline
oc apply -k "https://github.com/mancubus77/devsecops-demo-tekton.git/?ref=simple"
# Run the pipeline, giving it a workspace backed by a PVC template
tkn pipeline start build-and-deploy \
  -w name=shared-workspace,volumeClaimTemplateFile=https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/01_pipeline/03_persistent_volume_claim.yaml

OK, but what about security?

DevSecOps pipeline execution
oc apply -k https://github.com/mancubus77/devsecops-demo-tekton.git
tkn pipeline start build-and-deploy \
-w name=shared-workspace,\
volumeClaimTemplateFile=https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/01_pipeline/03_persistent_volume_claim.yaml
The issue with port binding
Error message from Bandit about port binding
kube-linter error message
Part of Dockerfile for Backend
Trivy scan results for backend
Dockerfile frontend
Trivy scan result for frontend

Remediation
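The port-binding finding Bandit raises against the backend is its test B104 (hardcoded_bind_all_interfaces): a literal 0.0.0.0 passed as the bind host. Inside a container that bind is usually intentional, so the fix is to move the decision out of the source and into the Deployment, and to make the pipeline gate on Bandit's JSON output so that accepted findings are explicit exceptions rather than silently ignored. The following Python is an added example, not code from the article or the demo repository; the environment variable BIND_ADDR, the helper names and the sample Bandit report are assumptions made for illustration.

```python
"""Bandit's port-binding finding (B104, hardcoded_bind_all_interfaces) and the
remediation: stop hard-coding the bind host in app.py, and gate the pipeline on
Bandit's JSON output so accepted findings are explicit instead of ignored.

Added example for this article; BIND_ADDR, the helper names and the sample
report below are assumptions, not part of the demo repository.
"""
from __future__ import annotations

import json
import os
from typing import Mapping

# The pattern Bandit flags in the backend. Kept as a string so importing this
# module never starts a server.
FLAGGED_SNIPPET = '''
from flask import Flask
app = Flask(__name__)
if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8080)   # B104: Possible binding to all interfaces.
'''


def bind_address(env: Mapping[str, str] | None = None) -> tuple[str, int]:
    """Return (host, port) for app.run().

    The source defaults to loopback, so `bandit -r app` has no literal 0.0.0.0
    to report. The container still needs to listen on all interfaces, so the
    Deployment sets BIND_ADDR=0.0.0.0 explicitly: the decision now lives in the
    reviewed Kubernetes manifest, not hidden in application code.
    """
    env = os.environ if env is None else env
    host = env.get("BIND_ADDR", "127.0.0.1")
    port = int(env.get("PORT", "8080"))
    if not 0 < port < 65536:
        raise ValueError(f"PORT out of range: {port}")
    return host, port


# --- Pipeline gate over `bandit -r app -f json -o bandit.json` ----------------
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def bandit_gate(report: dict, fail_on: str = "MEDIUM",
                accepted: frozenset[str] = frozenset()) -> list[dict]:
    """Return the findings that must fail the pipeline step.

    A finding blocks the build when its severity is at least `fail_on` and its
    test_id is not in `accepted`. Accepted IDs are documented, risk-accepted
    exceptions (for example B104 for a service that must listen on 0.0.0.0
    inside its container); everything else stops the deploy.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for finding in report.get("results", []):
        severity = SEVERITY_RANK.get(finding.get("issue_severity", "").upper(), 0)
        if severity >= threshold and finding.get("test_id") not in accepted:
            blocking.append(finding)
    return blocking


def load_report(path: str) -> dict:
    """Read the Bandit JSON report written by the previous Task step."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample in Bandit's JSON layout, standing in for a real scan of
# the backend. Severity and confidence for B104 are what Bandit reports.
SAMPLE_REPORT = {
    "results": [
        {
            "test_id": "B104",
            "test_name": "hardcoded_bind_all_interfaces",
            "issue_severity": "MEDIUM",
            "issue_confidence": "MEDIUM",
            "issue_text": "Possible binding to all interfaces.",
            "filename": "app/app.py",
            "line_number": 5,
        }
    ],
    "errors": [],
}


if __name__ == "__main__":
    print("blocking:", [f["test_id"] for f in bandit_gate(SAMPLE_REPORT)])
    print("with B104 accepted:", bandit_gate(SAMPLE_REPORT, accepted=frozenset({"B104"})))
    print("bind:", bind_address({}), bind_address({"BIND_ADDR": "0.0.0.0"}))
```

In the pipeline this runs as the step after `bandit -r app -f json -o bandit.json`, with the accepted IDs read from a file committed next to the code rather than typed into the Task as ignore flags, so the exception is reviewed with the rest of the repository. The same shape works for the kube-linter and Trivy steps (both can emit JSON); Trivy also has its own gate built in via `--exit-code 1 --severity HIGH,CRITICAL`.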

Image scanning with Red Hat image

Conclusion

Resources
