This project is a reference implementation for a CI/CD pipeline integrated with security vulnerability scanning tools.
The pipeline is implemented as code using AWS CDK and the CDK Pipelines construct. The current implementation performs security vulnerability scanning using SonarQube and Dependency-Check, and sends the reports of those scanning executions to AWS Security Hub. It also contains a sample application implementation for testing purposes.
backend/infrastructure.py: definition of the infrastructure components necessary to run the backend component of the sample application.
backend/runtime/: the actual code of the sample application.
shared/: definition of the core components that the security tools and the components of the sample application share.
securityhub/: implementation of the integration with AWS Security Hub.
sectools/: definition of all the security tools the pipeline uses for security vulnerability scanning.
pipeline.py: definition of the CI/CD pipeline as code.
deployment.py: definition of the deployment unit of the sample application that the pipeline will deploy.
See Getting Started With the AWS CDK for additional details and prerequisites
git clone https://github.com/aws-samples/cdk-devsecops-cicd-pipeline
cd cdk-devsecops-cicd-pipeline
python3.7 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
To deploy the stacks, use CDK commands. If you are new to CDK, see Getting started with the AWS CDK.
Before proceeding, update the DEV_ACCOUNT_ID and REGION values in constants.py to the AWS account ID of your sandbox environment and your region of choice. After that, run cdk ls to check that your CDK app synthesizes correctly; it lists the 4 stacks defined in the CDK app. Note that a file called cdk.context.json will also be generated in the root of the project. This is the runtime context file, and it must be committed to your source control. See Runtime context to learn more about it.
For this sample CI/CD pipeline, we are using AWS CodeCommit as the Git repository. For your own projects, you can update pipeline.py to use your Git repository of choice.
From the terminal, create a new Git repository on your sandbox environment:
aws codecommit create-repository --repository-name cdk-devsecops-cicd-pipeline
After you have created the repository, push the code of this sample pipeline to CodeCommit. If you are new to CodeCommit, see Getting started with Git and AWS CodeCommit.
cdk bootstrap aws://<SANDBOX_ACCOUNT_ID>/<AWS_REGION>
cdk deploy SharedInfraStack
cdk deploy SecToolsStack
After deploying the security tools, you'll see output values from CDK on your terminal. Find the output named SecToolsStack.SonarquebEcsTaskServiceURLABCXYZ (the suffix differs per deployment), which is the URL where your SonarQube instance is responding.
Example output:
✅ SecToolsStack
✨ Deployment time: 1018.67s
Outputs:
SecToolsStack.SonarQubeSecretArnOutput = arn:aws:secretsmanager:us-east-1:<MY_SANDBOX_ACCOUNT_ID>:secret:SonarQubeSecretABCXYZ
SecToolsStack.SonarquebEcsTaskLoadBalancerABCXYZ = SecTo-Sonar-ABCXYZ.<REGION>.elb.amazonaws.com
SecToolsStack.SonarquebEcsTaskServiceURLE4434029 = http://SecTo-Sonar-ABCXYZ.<REGION>.elb.amazonaws.com
Note that the deployment of the DB instance associated with the SonarQube service can take 15 to 20 minutes, so SonarQube may not answer at that URL right away. To interact with SonarQube's APIs, you need to generate a user token. See Generating and Using Tokens in SonarQube's documentation to learn how to create yours. You'll also have to create a project on SonarQube to represent the sample application we are using in this reference implementation.
As part of the SecToolsStack, a secret is created in AWS Secrets Manager. Find the ARN of this secret in the CDK output on your terminal, under the output named SecToolsStack.SonarQubeSecretArnOutput. Update this secret with the SonarQube access data:
aws secretsmanager put-secret-value \
--secret-id <MY_SECRET_ARN> \
--secret-string "{\"access_token\":\"<MY_SONARQUBE_TOKEN>\",\"host\":\"<MY_SONARQUBE_URL>\",\"project\":\"<MY_SONARQUBE_PROJECT>\"}"
The pipeline sends its findings to AWS Security Hub. For that to work, you have to enable Security Hub first:
aws securityhub enable-security-hub
To activate AWS CodeGuru Reviewer in your account and associate it with the repository used by the pipeline, run the following command in the terminal:
aws codeguru-reviewer associate-repository \
--repository CodeCommit={Name=cdk-devsecops-cicd-pipeline}
cdk deploy DevSecOpsPipelineStack
Go to the AWS CodePipeline console to see the pipeline execution.
After the pipeline execution finishes, you'll be able to see the pipeline findings, if there are any, in AWS Security Hub.
See CONTRIBUTING for more information.
This code is licensed under the MIT-0 License. See the LICENSE file.