DevSecOps - Static Code Analysis

1. Static code analysis is a method used to examine and evaluate the code without executing it. It involves analyzing the source code to identify potential errors, vulnerabilities, and code quality issues.

   • This process helps in detecting bugs, security flaws, and other issues early in the development cycle, making it easier to fix them before the code is run.

   • In the context of DevSecOps, static code analysis is crucial for ensuring that the code is secure and meets quality standards before deployment.

2. You can apply static code analysis to ensure that your code is secure and free of vulnerabilities before it is deployed. Here are some practical steps:

   • Integrate Static Code Analysis in Your CI/CD Pipeline: Use tools like SonarQube or PyLint to automatically scan your code for issues during the build process. This helps catch errors early and ensures that only high-quality code is deployed.

   • Improve Code Quality: By identifying and fixing issues such as exposed passwords, unencrypted traffic, and improper logging, you can enhance the overall security and reliability of your applications.

   • Automate Code Reviews: Static code analysis can supplement manual code reviews by quickly identifying common issues, allowing you to focus on more complex problems during peer reviews.

   • Track and Fix Issues Efficiently: Use the results from static code analysis to prioritize and address code violations, improving your codebase over time and ensuring compliance with best practices.

By incorporating these practices, you can maintain high standards of code quality and security

3. Build Pipelines are responsible for code compilation, while Release Pipelines handle deployment.

   

   • Build Pipeline: This is the process where your source code is compiled, tested, and packaged into a deployable artifact (like a .jar, .war, or .zip file). In this stage, static code analysis can be performed to identify any vulnerabilities or issues before the code is packaged. If the code has vulnerabilities, the build process can be halted to prevent faulty code from being deployed.

• Release Pipeline: Once the code has successfully passed through the build pipeline, the release pipeline takes over. This pipeline is responsible for deploying the packaged artifact to various environments (like staging, QA, and production). The same build artifact is used across different environments to ensure consistency, with environment-specific configurations applied as needed.

4. Security Scanning Basics:

   • Security scanning checks code for problems before it's used.

   • Doing this early helps fix issues before they cause bigger problems.

5. Types of Scanning

   

   • Static Code Analysis: Looks at the code without running it to find mistakes. Checkov (focuses on cloud infrastructure security), ESLint (Javascript/Typescript), Pylint (Python), SonarQube etc.

   • Software Composition Analysis (SCA): Checks if the open-source code used is safe and up-to-date. SCA is like SAST, but focuses on infrastructure as code (IaC). Snyk, OWASP Dependency check etc.

   • Static Application Security Testing (SAST): Scans application code for security issues without running it. SonarQube, Fortify, Veracode, Kiuwan etc. These tools may find cross site scription, SQL injection, encryption issues.

   • Dynamic Application Security Testing (DAST): Tests the application while it's running to find security problems. It has no knowledge or access to the applications internal designs or source code. ZAP, Burp Suite etc.

6. Why Use Different Scanning Methods:

   • Each method focuses on different parts of the code and finds different types of issues.

   • Using multiple methods together makes the code more secure.

   • For example, combining static code analysis with SCA and DAST can cover different aspects of code security and quality.

7. Steps to Implement Static Code Analysis on Azure DevOps:

   1. Azure Boards:

      • Use Azure Boards to organize your project tasks and track progress.

      • It helps manage your workflow and ensures that tasks are linked to specific code updates.

   2. Azure Repos:

      • Store your code in Azure Repos and follow Git best practices. For example, use a main branch for stable code and feature branches for new changes.

      • This allows you to test new features without affecting the main codebase.

   3. Azure Pipelines:

      • Build and release your code using Azure Pipelines. You can define your CI/CD processes using YAML (a human-readable data format).

      • YAML pipelines offer better version control and reusability compared to the classic UI version.

   4. Azure Test Plans:

      • Use Azure Test Plans for automated testing. This includes viewing and acting on static code analysis results, blocking builds with vulnerabilities, and tracking test history.

8. Practical Tips:

   • YAML Pipelines:

     • YAML stands for "YAML Ain't Markup Language" and is used to define steps in your CI/CD process.

     • It's sensitive to formatting, so make sure your spaces are correct.

   • Version Control:

     • Using YAML allows you to see the history of your CI/CD processes and compare versions.

     • You can create templates for reusability, ensuring everyone is up-to-date on changes.

   • Best Practices:

     • Follow Git best practices like using feature branches and requiring approvals before merging code to the main branch. This helps maintain code quality and control.

     • Use built-in tools (linters) to check your code for quality and best practices.

     • Get approvals from different teams to ensure the code is safe, like having multiple people review an essay before submitting it.

9. Key Parts of a YAML File:

   1. Trigger:

      Decides when the task should start, like when you push changes to your code.

   2. Variables:

      These are like placeholders for values you'll use throughout the task.

   3. Agent Pools:

      Groups of machines that run the tasks. These can be in the cloud or on-premise.

   4. Stages

      Different phases of the task, like building or testing your code.

      • Jobs:
        Specific tasks within each stage. Jobs can run at the same time or one after another.

      • Steps:

        Detailed instructions within each job, like running a script or a command.

   5. Imagine you're baking a cake:

      • Trigger: Start baking when you have all ingredients.

      • Variables: Ingredients like flour, sugar, eggs.

      • Agent Pools: Ovens you can use.

      • Stages: Mixing, baking, and decorating.

        • Jobs: Tasks like mixing ingredients, preheating the oven, and baking.

        • Steps: Specific actions like measuring flour, setting the oven to 350°F, and baking for 30 minutes.

10. Steps to Set Up on Azure:

    1. Create a Pipeline:

       • Start by creating a new pipeline in your Azure repository.

       • Use a starter template to get things going.

    2. Set Triggers:

       • Set the pipeline to run automatically when you make changes to the main branch of your code.

    3. Add Variables:

       • Define variables that the pipeline will use, like the directory where your code is stored.

    4. Add Steps:

       • Break down tasks into steps, such as copying files and publishing results.

       • Use predefined tasks to make it easier, like copying files from one place to another.

    5. Use Templates:

       • Reference other YAML files for common tasks to keep things organized and reusable.

11. Checkov Tool: A popular static code analysis tool that scans cloud infrastructure configurations.

    • Purpose: Ensures your code follows industry best practices and security standards.

    • Features:

      • Pre-built Policies: Comes with rules and guidelines for infrastructure code.

      • Custom Policies: Allows you to add your own rules if needed.

      • Multi-Cloud Support: Works with all major cloud providers.

    • Usage: Install Checkov, run scans on your code, and review the results to find and fix vulnerabilities.

    • Output: Saves scan results in a file (e.g., checkovreport.xml) for easy review.

12. Why do I need to copy files in the yml file?

    Think of the source directory as your "workspace" where you create and build your project files. The target directory is like a "storage box" where you keep the finished products ready for delivery.

    • In the context of setting up your YAML pipeline, copying files from the source directory to the target directory ensures that all the important files you worked on are neatly packed and ready for the next steps, like sharing them with others or deploying them to a server.

    • This keeps everything organized and makes sure nothing gets lost in the process.

Note: Open source tools could have an active and engaged user community with public questions and answers, but not guaranteed company provided support.