From the course: Building Secure Software Supply Chains with Open-Source Tools
Automating dependency scans in CI/CD pipelines
- [Speaker] You scan your app locally, scan your image, but what happens when a new developer joins your team or a new dependency is added? If you're relying on manual scans, vulnerabilities can slip by unnoticed. That's why automation is key. By integrating Trivy into your CI/CD pipeline, you ensure that every pull request, every container build, every deployment is automatically checked for vulnerabilities, every time. Let's see how it works in GitHub Actions. Here's a basic workflow that scans a container image after it's built. We have the name of the GitHub workflow, Trivy Juice Shop Dependency Scan Test. This option, workflow_dispatch, allows us to trigger the workflow whenever we want, so please do not forget it. Then we have a job, scan, that will run on the ubuntu-latest version, and a step. So we're going to scan the image with Trivy using the Trivy action and a specific version. After that, we're going to use the juice-shop latest image that we've been using since the beginning of this course, the format, the exit code that you'll have to change in the next video in order to block the pipeline. We ignore unfixed vulnerabilities, define the library vulnerability type that will allow us to dependency-scan this image, and the severity. We want to only see mediums, highs, and criticals. As soon as you have this, you can trigger the workflow right there. Please note that if you want to see the specific workflow in this panel, you'll have to merge the code into your main branch. Let's trigger the workflow and use the specific branch. (clicking loudly) As you can see, the scan has started. Please also note that Trivy also integrates with GitLab CI, Jenkins, CircleCI, and other platforms. That allows you to scan either images or file systems, like we've seen, depending on your specific needs. If you want to check in real time what's happening during your pipeline run, you can click on this little icon that will bring you to the web page.
(clicking loudly) Everything has been completed, so we've set up the job, Scan image with Trivy, had a post-scan image with Trivy step, and completed the job. Everything has been automated. Once again, if you want to see results, you can click on these icons and you'll see everything that happened on the ubuntu-latest version that we've been using. As you can see here, we have all the vulnerabilities, high, medium, and critical, and we don't have any low vulnerabilities, for example. If you want to change that, you can change it in the parameters like we've seen before. Automating scans transforms security from a once-in-a-while task into a built-in quality gate. In the following video, you'll practice what you just learned in the hands-on lab. Let's turn knowledge into practice.
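The workflow the speaker walks through, written out as an added example (this is not the course's own workflow file, and the file path, the action version pin, the `pull_request` trigger and the `bkimminich/juice-shop:latest` image name are assumptions on my part). Every `with:` key used below is a documented input of aquasecurity/trivy-action.

```yaml
# Assumed path: .github/workflows/trivy-juice-shop.yml (added example, not from the course)
name: Trivy Juice Shop Dependency Scan Test

on:
  workflow_dispatch:          # lets you trigger the scan by hand from the Actions tab
  pull_request:               # assumption: also scan every pull request, as the narration recommends
    branches: [main]

permissions:
  contents: read              # least privilege: the job only needs to read the repository

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Scan image with Trivy
        # Assumed version tag; in production pin to a full commit SHA so the action itself
        # cannot be swapped out under you (it is a supply-chain dependency too).
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: bkimminich/juice-shop:latest   # assumed image name for OWASP Juice Shop
          format: table
          exit-code: '0'            # '0' only reports; change to '1' to fail the job and block the merge
          ignore-unfixed: true      # skip findings that have no fixed version available yet
          vuln-type: library        # application-dependency findings only, not OS packages
          severity: MEDIUM,HIGH,CRITICAL
```

Two checks worth doing once this is in place. First, `workflow_dispatch` only shows up in the Actions panel after the file exists on the default branch, which is why the speaker merges it to main before triggering it. Second, `exit-code: '0'` means a failing scan still shows a green check; until you flip it to `'1'`, the scan is informational and nothing stops a vulnerable image from being deployed. Scanning a `:latest` tag also means each run may be looking at a different image; pin the digest (`image@sha256:...`) if you want reproducible results.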
Contents
- The risks of vulnerable dependencies in software projects (2m 50s)
- Introduction to Trivy for dependency scanning (2m 58s)
- Scanning filesystems and container images with Trivy (3m 8s)
- Automating dependency scans in CI/CD pipelines (3m 27s)
- Hands-on lab: Scan the OWASP juice shop for vulnerable dependencies (1m 25s)
- Remediating vulnerabilities: Updating dependencies (5m 42s)