GitHub/quartz
1
0
Fork 2
mirror of https://github.com/jackyzha0/quartz.git synced 2025-12-28 07:14:05 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity
9c03fd5d3f
quartz/content/Devops&DevSecOps/Azure DevOps.md
ErdemOzgen 7b3321b522 Remove outdated DevOps and DevSecOps content
2023-12-04 15:08:09 +03:00

116 lines
4.1 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Tools for Microsoft provides version control, reporting, requirements management. Project management. automated builds , testing and release capabilities.
### Continuous Integration 
- Automated tests make sure that the bugs are captured in the early phases, and fewer bugs reach the production phase. 
- After the issues are resolved efficiently, it becomes easy to build the release.
- Developers are alerted when they break any build, so they have to rebuild and fix the build before moving forth on to the next task.
- - As Continuous Integration can run multiple texts within seconds, the costs for testing decreases excessively.
- When lesser time is invested in testing, more time can be spent in the improvement of quality.
### Continuous Delivery
- The process of deploying software is no more complex, and now the team does not need to spend a lot of time preparing the release anymore.
- - The releases can be made more frequently, this in turn speeds up the feedback loop with the customers.
- The iterations in the case of the process become faster.
### Continuous Deployment
- There is no need to stop the development for releases anymore, as the entire deployment process is now automated.
- - The release process is less prone to risks and is easily fixable in the case of any issues, as only the small batches of changes are deployed.
- There is a continuous chain of improvements in quality with every passing day. The process of development now does not take long duration like a month or a year.
Continuous Delivery vs Deployment
Continuous Delivery is a software engineering practice where the code changes are prepared to be released.
Continuous Deployment aims at continuously releasing the code changes into the production environment.
# Azure pipelines
* **Build pipelines**:
These takes instructions from yaml file and build and publish artifacts from cloned source code.
* **Release pipeline**
These pipelines are deploy build artifacts into Agent machines.
* **Create release**
This one help us for complete end to end pipeline for ci/cd impl.
Example azure yaml templates [url](https://github.com/microsoft/azure-pipelines-yaml)
Azure Board supports Agile boards
# Azure DevSecOps [URL](https://havelsan.udemy.com/course/devsecops-with-azure-devops/learn/lecture/33386494#overview)
![[Screenshot from 2023-03-13 14-15-06.png]]
* [[SAST(Static Application Security testing)]]
* [[SCA (Software Composition Analysis)]]
* [[DAST (Dynamic Application Security Testing)]]
* [[IAST(Interactive Application Security Testing)]]
* [[IAC(infrastructure as code)]]
* [[API Security]]
Shift left approach is DevSecOps approach.
## Development stage
* Git secrets
* Security Plugins in IDE
* TruffleHog (has enterprise license) similar to git secrets
## Security
* Code Quality tools (Sonarqube)
* SAST security tools (Fortify, Veracode,Chackmarx)
* SCA tools (Snyk,veracode, fortify,blackduck)
* DAST tools (OWASP,ZAP,WebInspect,Veracode,DAST,ACunetix)
* IAC tools (Synk, bridgecrew)
* Container security (Aqua,Qualys,PrismaCloud)
## Operations
* Build pipeline tools (Jenkins, AWS, GCP Cloudbuild,Azure devops, github actions, Gitlab)
* Cloud security posture (AQUA, bridgeCrews)
* Container Registry Scanning Tools (Aqua,AWS native registry scanning)
* Infrastructure Scanning tools ( Chef inspec(Compliance) ,nessus)
* Clouud security (Azure defender, aws security hub )
# Devsecops in Azure DevOps
![[Screenshot from 2023-03-13 14-34-07.png]]
Take a look at repository section.
https://github.com/asecurityguru/just-another-vulnerable-java-application
Added Azure DevOps yaml ==>
https://github.com/asecurityguru/devsecops-azure-devops-simple-yaml-file-repo
# SonarCloud
SaaS code quality and security tool. #todos/recordingangel
Sonar cloud custom quality gate ==> for devsecops pipeline add azure yaml.
use section 4 for custom show examples.
**Need to add quality gate for our pipeline**
Use enviroment section in azure devops for token in YAML.
# Snyk
* Source code
* SaaS
* Open source Third party libraries
* Containers
* Infra as Code.
# OWASP ZAP
Reference in New Issue View Git Blame Copy Permalink