DevSecOps (short for development, security, and operations) is the new mantra replacing simply DevOps and means to integrate security during the software development lifecycle. The COSMOS pipeline integrates Sec (security) into our CI/CD (Continuous Integration / Continuous Deployment) pipeline in a few ways. This post will focus on the workflows in our open source COSMOS pipeline but we have the same workflows in our Enterprise COSMOS pipeline.

All of our PRs (Pull Requests) perform the same Github checks (pipeline stages) simultaneously. We perform static code analysis using both the built-in Github CodeQL and SonarCloud. These tools analyze the code without running it looking for potential bugs or simply "code smells" (bad practices) that could be improved.

We run unit tests in both Python and Ruby. These checks test the low level Python and Ruby code that powers the COSMOS backend. The COSMOS architecture is based on a Javascript frontend calling APIs powered by either Ruby or Python.

We run API tests to again test that the Python and Ruby backend APIs are callable and consistent with what the frontend expects.

We run CLI tests to ensure that our shell scripts are performing as expected.

We run Playwright tests which are performed on the fully deployed COSMOS application. Playwright is a Microsoft sponsored test suite which allows us to write test scripts that click buttons and UI elements in the browser to test the full COSMOS application just as an end user would. These tests are invaluable for testing the and f of the full COSMOS framework in a fast, fully automated way.

Finally we perform both ClamAV scans for viruses and Trivy scans for CVEs. Our ClamAV scan exports our docker containers to a tar file and then individually scans each layer of the docker file. Any viruses found (non so far) would halt the build. The Trivy scan checks for known CVEs (Common Vulnerabilities and Exposures) and exports them as a list which Github imports for us as well as we attach to our builds. We look these over during our releases for anything found in our own code and dependency chain. Almost all our CVEs are found in Redis, Minio, and Traefik as these are popular, complex and well analyzed libraries used by thousands of businesses. We incorporate new releases of these and all our other dependencies on a monthly basis as we perform our own releases.

In light of the xz utils hack I thought it was a good time to explain our processes when it comes to development and security. Our primary approach is to always maintain our dependencies and stay up to date. There is no such thing as a "safe version" as software is always evolving and maturing and bugs are being continually being patched and unfortunately they're also being introduced.

If you're sitting on a pile of software written months, years, or decades! ago, Contact Us and learn how modern software DevSecOps can improve your test integration and operations campaigns.