DEV Community

adriens for opt-nc


๐ŸŽž๏ธ This is how we maintain & release Secured Software on Github ๐Ÿค–

โ” About

Like many organizations, we have to develop & maintain (aka. BUILD & RUN) shared software.

โ˜๏ธ This process involves a lot of things that have to be achieved... (if you want to get a robust and secured software release pipeline).

I'll showcase here how we met all these challenges on a shared Java library dedicated to logging:

GitHub: opt-nc / opt-logging

The reference library for generating well-formatted logs at OPT.

semantic-release

SonarCloud Quality Gate Status

โ” opt-logging

This library contains the 2 logback configuration files recommended for application development at OPT-NC.

All logs go to the same .log file (${LOG_FILE}), except business logs, which go to a single .json file (${LOG_FILE_JSON}) when required.

โฌ‡๏ธ Import de la dรฉpendance publique

This dependency is publicly available via Jitpack.

🪶 Maven

Add the Jitpack repository:

<repositories>
  <repository>
    <id>jitpack.io</id>
    <url>https://jitpack.io</url>
  </repository>
</repositories>

Then the dependency:

<dependency>
  <groupId>com.github.opt-nc</groupId>
  <artifactId>opt-logging</artifactId>
  <version>Tag</version>
</dependency>

๐Ÿ˜ Gradle

Add the repository:

allprojects {
  repositories {
    ...
    maven { url 'https://jitpack.io' }
  }
}

Then the dependency:

dependencies {
  implementation 'com.github.opt-nc:opt-logging:Tag'
}

:octocat: Importing the dependency via

…

๐ŸŽ๏ธ Time to Market

Software release pipelines are expected to deliver a shorter Time To Market every day.

In fact there is no real option:

maintenance & release tasks have to be drastically automated... and security concerns should be shifted to the left side of the pipeline.

๐Ÿ›ก๏ธ Security

We have three complementary ways of achieving security tasks on our pipeline :

  1. Dependabot alerts : so we get Pull Requests to notify us what are the risks
  2. CodeQL Scan as part of GitHub Advanced Security (aka. GHAS)
  3. Docker Image scan (see previous dedicated post)
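The first two items are driven by configuration files committed to the repository. The following is an added example (not taken from the opt-logging repository) of what a minimal Dependabot configuration and a CodeQL workflow look like for a Maven-based Java library; the `main` branch name, the weekly schedule and the Java 17 / Temurin toolchain are assumptions, not values stated in the post.

```yaml
# file: .github/dependabot.yml  (added example, not the project's own file)
# Dependabot opens Pull Requests when a vulnerable or outdated dependency is found.
version: 2
updates:
  # Maven dependencies declared in pom.xml at the repository root
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"      # assumption: weekly cadence
    open-pull-requests-limit: 5
  # The GitHub Actions used by the workflows themselves are also dependencies
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# file: .github/workflows/codeql.yml  (added example, not the project's own file)
# CodeQL static analysis: runs on pushes and Pull Requests, plus a weekly scheduled scan
# so that newly published queries are applied even when the code has not changed.
name: CodeQL

on:
  push:
    branches: [ main ]        # assumption: default branch is main
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '30 3 * * 1'      # every Monday, 03:30 UTC

# Least privilege: read the source, write only to the code-scanning results.
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin   # assumption: toolchain not stated in the post
          java-version: '17'

      # Initialise the CodeQL database for the Java/Kotlin extractor
      - uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          queries: security-extended   # broader query pack than the default suite

      # Let CodeQL drive the Maven build so the database contains the compiled code
      - uses: github/codeql-action/autobuild@v3

      # Run the queries and upload SARIF results to the Security tab
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java-kotlin"
```

The `permissions` block is what makes the scan safe to run on Pull Requests: the job never needs to push, so it is granted nothing beyond uploading its SARIF results. Dependabot's second entry matters more than it looks: the workflow's own `uses:` lines are a supply-chain dependency too, and keeping them updated is how pinned action versions stop rotting.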

Then, to release software, we rely on semantic-release to implement a solid Semantic Versioning scheme and get a fully automated version management and package publishing pipeline.
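To make the "fully automated" part concrete, here is an added example (not the opt-logging project's own configuration) of a semantic-release setup for a GitHub-hosted library: the release configuration and the workflow that runs it. The `main` branch, the plugin list and the Node LTS runtime are assumptions; the post only states that semantic-release is used.

```yaml
# file: .releaserc.yml  (added example, not the project's own file)
# semantic-release reads the commit history since the last tag, derives the next
# SemVer version from the commit messages and publishes the release.
branches:
  - main                      # assumption: releases are cut from main
plugins:
  # Parses commit messages (Angular convention by default):
  #   fix: ...          -> patch bump
  #   feat: ...         -> minor bump
  #   BREAKING CHANGE:  -> major bump
  - "@semantic-release/commit-analyzer"
  # Builds the release notes / changelog from the same commits
  - "@semantic-release/release-notes-generator"
  # Creates the Git tag and the GitHub Release, and comments on released issues/PRs
  - "@semantic-release/github"
---
# file: .github/workflows/release.yml  (added example, not the project's own file)
name: Release

on:
  push:
    branches: [ main ]

# Only what the @semantic-release/github plugin needs: tags/releases (contents),
# and commenting on the issues and Pull Requests included in the release.
permissions:
  contents: write
  issues: write
  pull-requests: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0              # full history: version is computed from tags
          persist-credentials: false  # semantic-release authenticates with its own token

      - uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'       # assumption: any current Node LTS

      # No manual version bump anywhere: the number comes from the commits.
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Since the library is consumed through Jitpack, which resolves `<version>Tag</version>` from the repository's Git tags, the tag pushed by `@semantic-release/github` is the artifact that makes the new version downloadable; no separate publish step is needed for that channel. Consumers are expected to reference a concrete tag rather than a moving branch name, which is what makes the Dependabot alerts above actionable.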

๐Ÿฟ Dรฉmo

Here is the full secured & automated release process 👇

🧰 Stack

🔖 Related contents

⛯ Scan Docker images 🛡️

🔂 Semantic release demo 🎞️

Semantic release intro demo :
