Streamline your document processes with airSlate SignNow's pipeline management tool for Security

How to create outlook signature

[Music] foreign [Music] so before starting the video humble request to you all it takes quite a lot of time for me to record and upload videos also I upload devops related videos on daily basis as you can see so if you are interested in watching these videos you can subscribe to my channel and with that being said let's get right into the video so in today's video what I'm going to show you is what exactly is devsec Ops and how we can implement it in our pipelines project okay so for that I will be using a pet clinic application which is a official application from springboard okay so this is the repository let me just open it to show you one time okay so this is the repository it contains basic files and we will try to deploy this application as well okay now going into the Jenkins so I'll be using Jenkins as a CI CD tool and I have created a sample small pipeline okay so let me open it and let me show you what exactly is the task that we are going to do today okay so as of now I have just created a sample pipeline which basically like performs a compilation of the code building of the code and Docker push and Docker build and push and then finally deploying the jar file to Tomcat okay so here in this video basically what I want to share with you is what exactly is devsecops so you know like in devops basically what we do we like build application and deploy it to our deployment server and that's all okay I also like following the best practices but when we are like adding different security tools in our pipeline to perform different like security tasks to find out polarities and other issues in our source code Docker image as well as the file system then basically this whole device process it becomes devsec Ops basically referring to like devops security then Ops okay so which is a really good practice in case you are in divorce field you should definitely use like security tools to perform different kind of things in your different kind of security analysis in your pipeline so that's what we are going to do okay so first of all what I am going to do is use a sonar Cube application for code quality check in case you don't know what is sonar Cube sonar cube is a basically a tool which is used for figuring out like performing an analysis on your project code and then finding out like code smell bugs then vulnerabilities and like technical debt and much more okay so we can this whole analysis process from sonar cube is known as code quality check okay which performs on the source code okay so first of all we will implement this thing secondly we will use a tool known as oasp dependency check tool which is also another like vulnerities finder okay on the source code repository that we will Implement and finally we will use another tool which is known as trivi so we will use trivia to perform a security scan on our Docker image okay so let's start with sonar Cube so I have set up a sonar Cube on This Server 9000 server okay so now let me tell you like how we will configure it in our pipeline so basically first of all okay let me open this in another page as well to show you what I have done already so in manage plugin basically you need to a plugin which is sonar scanner let me show you so sonar Cube's camera for Jenkins so this plugin basically you need to it and once you have installed then you need to configure your uh Jenkins configure system sonar Cube server so we will be using This Server Like This IP address along with the column 9000 Port okay so basically we need to configure it and let me show you you can see I have configured this is the sonar Cube URL and for basically you can generate a in sonar Cube by going into Administration security users and then here you can see the option so if I click on it you can click provide a name and generate and you need to copy that name inside your Jenkins credentials and then it will be configured okay so you can see I have configured this on our Cube server as well okay now sonar Cube scanner tool as well as the server we have configured next thing we need to do is Define the sonar Cube scanner tool in our pipeline so as you can see scanner home I have defined by the name of the tool let me show you tool as well as okay so if I go to Global tool configuration and scroll down sonar cubes scanner you can see the name I have provided as sonar scanner same thing I have added in this environment also so okay so now like adding the task for performance on our Cube scanner okay so basically like you should always add sonar Cube scanner task before you are building the application so that before the build is started the sonar Cube analysis is complete okay so what I will do I will just copy this stage and add it here let's change its name stage name will be sonar Cube analysis okay and next for the command so I have like written it already let me show you so this is the command I have written okay let me paste it and let me explain it to you as well so let's paste it here yeah okay so with sonarchive environment so basically here first of all we need to provide this server name so just to make sure the server name is correct let's check one more time scroll down to sonar Cube servers yeah so server name is we will copy this and paste it here okay now next we have like we are using the color tool for sonar Cube scanner so we have defined it here and finally we are using several uh you can say d sonar options okay so these are the different options inside which like we will provide the details for example like uh okay also let me show you side by side as you can see sonar Cube projects list is empty as of now okay so here project name since I am using a patronic application so I will provide the name as pet clinic okay and then here same as in key also okay and also like to connect to complete the analysis you need to provide the Java batteries uh location so for me I have just put a dot so that it can go for the whole root directory okay now this will perform this on our Cube analysis okay now as I mentioned there is another tool known as Oso dependency check so to that and configure that again we need to do another thing so for that I will again go to manage Jenkins manage plugins basically we need to one more plugin for oasp so let's search it OSP and you can see the first option which comes OS dependency check so we will without restart and this installation should not take much time okay so it is complete now we need to configure that tool so conf tool configuration we will go to Global tool configuration scroll down until we find OS dependency check yeah dependency check you can see it's here so I will provide the name as DP Dash check click on automatically so that it provides you an option so we'll select dependency check and version we want to use let's say 6.5.1 and that's all click apply okay okay so once you have configured the OS dependency check you need to provide a code for it so that it can perform the analysis so I have just written it in this format and let me paste it also let me paste it then I'll explain what exactly is being done here okay let's paste it here yeah okay see here so dependency check additional arguments it is empty as of now okay and here in ODC installation we just need to provide the name of tool that we have configured in global tool configuration and here we need to provide the format in in which like the report will be generated okay in case you are wondering like what exactly we need to provide here so basically there are tons of arguments okay I will show you that as well check arguments we will open the official page okay if it's not yeah Jeremy Long dot github.io okay so you can see here here lots of uh arguments are there which you can use for example like if you use this argument that means you need to provide the path of the like workspace or specific thing where like the scan needs to be performed then if you want to like exclude something then you can like put it here in case you want to generate the report in different format that also you can put here so there are like tons of options which can be utilized there okay so as of now I will just keep it empty so as to perform like complete analysis okay and also like we need to where is the yeah so it's fine okay meanwhile this let's try to run this and let's see if it is working fine or not so I will just click on build now and let's see yeah so it started it's in progress at this point and this might take little bit of time okay and then we will see if it is working fine or not so once if it gets success then we will try to do analysis using trivia on our Docker images and you can see the OS dependency check stage has started and it is downloading some required dependencies okay okay so we can see that uh OS dependency check task has been completed as well as the report has been generated in the form of dot XML format it has generated now scroll down to sonar Cube stage so we can see so not give stage is also in progress and it is running now okay so analysis is successful we can see here and now it's in web and clean so once this completes then I will show you like if there will be a specific dependency check report dot XML format file generated in our workspace okay so let it complete this map and clean thing okay this is taking little bit of time since the pipeline is quite big okay we can see the OS dependency check stage has taken almost three and a half minutes this is because it is running for the first time and it is taking that downloading all the dependencies from 2000 to 2023. so whatever like availabilities have been found in those time period it will download that so that it can like compare and as per its database information it can like update okay so you can see the whole pipeline is completed now okay so let me open the logs and let's so here you can see there is one option enabled which is dependency check if I click on it you can see there were no vulnerabilities found in our a source code okay that is a good thing also what I want to show you is the report that might be generated if I go here you can see here the report also generated which is in the format.xml if you want to view it we can click on it since there was like no availability found out in our source code so it is like very small if there was if there was any vulnerability that found out that it would be like quite big okay okay now one more tool is remaining which is uh trivia is basically used for performing the image scan Docker image scan and that's what we are going to use it so let's configure one last time the pipeline and we are going to perform the trivia scan after Docker image is built so let's copy this stage name and let's paste it here we will provide the name as preview okay and here we need to write the command Okay so before writing the command what I will do I will check the imagine image details from the docker Hub repository on which I have just pushed okay so let's sign in from here provide the username which would be this one password would be this click enter and we should be able to let's open the our own Repository we can go here to my profile yeah so you can see pet clinic repository has been created with tags it should be latest yeah and it was published two minutes ago okay now we want to perform scan on this so let's write small piece of code for this name we have already received of the image so we will copy the image name copy this and there is a command for it okay so yeah this is the command which we can use to perform analysis so we will copy the command and paste it here in case you are wondering how trivi we should be working because like I have already installed that in in my like Jenkins server okay okay so image name has been copied and let me paste it here now one last time we will just apply and run it and then finally we will I will show you like how the deployment application is looking deployed application and you can see the pipeline is also quite big okay so let's see how much time it takes now since we have already like ran all these stages earlier as well so it should not take much time okay as you can see like it skipped the checking in case of dependency Os Os dependency check because it was already like we downloaded all the of them previously itself sonar Cube stage we are in okay sonar Cube analysis is Success meanwhile let me show you in sonar Cube analysis how the report looks so if I refresh it here you can see pet clinic project has been generated total number of lines of code was 3.9 3. yeah 3.9 K number of code smell it figured out was 35 and 2 bucks it figured out if you want more details you can open it click on issues and here in more details you can see inside sonarq which is like really interesting thing like sonar Cube as I said sonar cube is a part of like devsecops and it is a security tool which can be used with devops okay so you can see it is like darker stage we are in it is already it is building the image and it will push it the image to our Docker Hub Repository track the progress here and usually in case of dependency check if it find out like any vulnerabilities or anything it will show everything in this graph as well but as of now since it is uh it did not figure out anything so it's showing zero and let's see the trivia results we can see TV is also successful it is able to perform analysis on the docker image and it has like some information for us to like need to update DB DB repository whatever okay okay still it is still performing the analysis once it completes then we can see the results in here itself okay you can see here little bit details we are able to see jar file found okay okay let's wait for it to complete menu um yeah see usually like whenever you are running a new stage for the first time it takes sometimes okay okay so we can see report has been generated and we can see that as well whatever issues we have figured out in in our Docker image so those details are mentioned here okay also our deployment is also done okay now to see the application deployed we can copy this paste it here and since I have deployed the application on Petland Tomcat so we can see it here and this is the deployed application you can see you can get details like find owner so those things we can see and it is like looking quite good okay so this was the deployed application and as said this was like when we had in this in this tutorial what we did basically we built and deployed the application using devops along with some security tools to like find out any issues vulnerabilities bugs and all okay so this basically whole thing became became like a devsecops as I informed earlier also devs takeoffs is basically devops extended or integrated with different security tools so I hope this video was quite useful if it was then give it a like also if you are new on my channel then make sure to subscribe so thanks for watching