This repository contains training materials for workshops on DevSecOps and Securing your Software Development Lifecycle (SDLC).
The workshop will be held at BSides CT on Saturday, 21st September. The exact time will be announced soon.
In this workshop, you'll learn the basics of DevSecOps and securing your SDLC using a range of tools. We'll explore both open-source options and those native to GitHub. Participants will learn how to set up IDE plugins, pre-commit hooks, and other techniques to secure their development environment. We will also cover building a CI/CD pipeline using DevSecOps concepts, including secrets scanning, dependency analysis, and Static Analysis Security Testing (SAST).
Before participating in this workshop, you’ll need to create a GitHub account.
- You can sign up at GitHub.
- If you're a student, you can sign up with a
.eduemail to get free private repositories and other benefits.
Once your account is set up, you will need to Fork and Clone this repository.
A complete guide for setting up the necessary tools is available in the Part 1 README file. This workshop will focus on using GitHub Codespaces.
Part 1 - Security within the development environment
Attendees will learn how to integrate security tools and pre-commit hooks into their development environment to enhance code security from the start.
-
Third-Party Plugin Integration: We’ll explore tools like SonarLint, which can be integrated into the IDE to aid in linting and SAST. We will also review GitHub Copilot.
Part 1 - Module 1: IDE Integration -
Pre-Commit Hooks: This section covers setting up pre-commit hooks using Talisman.
Part 1 - Module 2: Pre-Commit Hooks -
Git Ignore: You will learn how to use
.gitignorefiles to prevent committing sensitive or unwanted files.
Part 1 - Module 3: Preventing Accidental Commits
We will cover repository scanning techniques, including secrets scanning and vulnerability detection, using tools like GitHub's Dependabot and Tartufo. Additionally, we will explore Endor Labs' advanced features for reachability analysis, SBOM generation with VEX reachability data, and running SCA tests locally.
-
Secrets Scanning: Learn how to scan for secrets in your source code using tools like Tartufo/TruffleHog, GitHub, and Horusec.
Part 2 - Module 4: Secrets Scanning -
Handling Secrets in GitHub: Learn how to store and handle secrets securely in GitHub.
Part 2 - Module 5: Handling Secrets in GitHub -
Detecting Security Vulnerabilities: Understand how to detect security vulnerabilities in your repository.
Part 2 - Module 6: Detecting Security Vulnerabilities -
Vulnerable Dependency Detection: Learn how to detect vulnerable dependencies using GitHub's Dependabot.
Part 2 - Module 7: Vulnerable Dependencies -
Static Analysis: This section covers GitHub's SAST tool built on CodeQL and other tools like Horusec.
Part 2 - Module 8: Static Analysis -
Branch Protection and PR Gating: Learn about using branch protection rules to enforce security checks on pull requests.
Module 9: Branch Protection Rules -
SBOMs (Software Bill of Materials): Explore how to extract and use SBOMs from your GitHub repositories.
Part 2 - Module 10: SBOMs -
Endor Labs Reachability Analysis: Learn how Endor Labs' reachability analysis helps prioritize security findings by identifying which vulnerabilities in your code are actually exploitable.
Part 2 - Module 11: Endor Labs Reachability Analysis -
Generating SBOM with VEX Reachability Data: Understand how to generate Software Bill of Materials (SBOM) with VEX (Vulnerability Exploitability eXchange) reachability data to provide insights into whether vulnerabilities found in components are actually reachable.
Part 2 - Module 12: Generating SBOM with VEX
We'll conclude with a discussion on future trends in DevSecOps and a recap of the topics covered in this workshop.
