DevSecOps best practices
timoa opened this issue · 2 comments
Hi Amit!
Thanks for this project! It's a perfect start for newcomers on Go backend development!
I'm preparing a Medium post about DevSecOps best practices and I took your project since you released it recently and have enough code to show security use cases.
I was not able to do that with a fork since most of the tools do not support it, but I will create a PR to help implement the automation if you are OK 👍
This is the list of the changes I already made to my cloned project:
- Use Renovate to update vulnerable dependencies with automated PRs
- Added pre-commit to enforce checks + security scans before committing (Go fmt, GoSec, Checkov, Hadolint, etc.)
- Created a Makefile to share the same commands between local dev and the CI/CD pipelines
- Added a GitHub Workflow to test and build the app + code coverage + SonarCloud + SAST scan + versioning + CHANGELOG
- Added a GitHub Workflow to review the PR with ReviewDog
- Added a GitHub Workflow to provide the ScoreCard of the project (how secure it is)
- Added a GitHub Workflow to test the project with GitHub CodeQL (detect security issues like SQL injection, etc.)
These changes are already on the following repo: https://github.com/timoa/secure-go-backend-clean-architecture
I will add the following:
- Postman collection to run the API testing on the CI/CD
- Smoke tests
- OWASP ZAP Proxy scan to check the security of the API (HTTP headers, cookies, etc.)
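As an added illustration of the kind of GitHub Workflow the list above describes (unit tests with coverage, a GoSec SAST scan and a CodeQL analysis), here is a minimal workflow file. It is example configuration written for this thread, not a file from the original project or from the secure-go-backend-clean-architecture repo; the file name, job layout and the pinned action versions are assumptions.

```yaml
# .github/workflows/security.yml  (hypothetical path; example, not the project's own workflow)
name: security-checks

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for the default token: read the code, write only
# the code-scanning results that CodeQL uploads to the Security tab.
permissions:
  contents: read
  security-events: write

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod          # keep CI on the same Go version as go.mod
      - name: Unit tests with race detector and coverage
        run: go test -race -coverprofile=coverage.out ./...
      - uses: actions/upload-artifact@v4   # coverage.out can be fed to SonarCloud or similar
        with:
          name: coverage
          path: coverage.out

  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: GoSec static analysis of all packages
        uses: securego/gosec@master        # assumption: pin to a release tag in a real project
        with:
          args: ./...

  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go                    # CodeQL's Go queries cover SQL injection, path traversal, etc.
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

The three jobs run in parallel, so a failing GoSec or CodeQL finding blocks the PR independently of the test result. The `permissions` block is the part most often left out: without `security-events: write` the CodeQL upload fails, and granting anything beyond `contents: read` to the other jobs is unnecessary.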
Hi @timoa
You are most welcome. Please create the PR, I am sure it is going to help everyone.
I will, don't worry 👍