DevOps
Security Tools
Master security tools for DevOps: Trivy for vulnerability scanning, SonarQube for code quality, and secrets management with Vault and AWS Secrets Manager.
By TechCoder Team. Last updated: 2026-06-02
In a Nutshell
Master security tools for DevOps: Trivy for vulnerability scanning, SonarQube for code quality, and secrets management with Vault and AWS Secrets Manager. This hands-on tutorial focuses on practical implementation of security tools concepts.
Security Tools
Essential security tools for scanning, secrets management, and maintaining a secure DevOps pipeline.
Trivy - Vulnerability Scanner
Comprehensive security scanner for containers and code.
```bash
# Install Trivy
brew install aquasecurity/trivy/trivy
# or (for CI, pin a release and verify its checksum instead of piping an unpinned script)
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh

# Scan Docker image
trivy image nginx:latest
trivy image --severity HIGH,CRITICAL myapp:1.0

# Scan filesystem (the misconfig scanner was named config in older Trivy releases)
trivy fs --scanners vuln,secret,misconfig ./

# Scan Git repository
trivy repo https://github.com/myorg/myrepo

# Scan Kubernetes cluster
trivy k8s --report summary cluster
trivy k8s --namespace production deployment/app

# Generate reports
trivy image -f json -o report.json nginx:latest
trivy image -f sarif -o report.sarif nginx:latest

# In CI/CD (non-zero exit code fails the job when HIGH/CRITICAL findings exist)
trivy image --exit-code 1 --severity HIGH,CRITICAL "myapp:${IMAGE_TAG}"
```
Trivy Configuration
```yaml
# trivy.yaml
scan:
  scanners:
    - vuln
    - misconfig
    - secret
severity:
  - HIGH
  - CRITICAL
vulnerability:
  type:
    - os
    - library
  ignore-unfixed: true
secret:
  config-path: trivy-secret.yaml
```
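The CI command above lets Trivy itself decide the exit code. When the JSON report is saved instead (`trivy image -f json -o report.json ...`), the same decision can be made in a small, reviewable script that applies the `severity` and `ignore-unfixed` policy from trivy.yaml plus an explicit exception list. The following is an added example, not code from the tutorial or from Trivy; the report it parses is constructed, and the CVE identifiers in it are placeholders.

```python
"""Policy gate over a saved Trivy JSON report (added example, not Trivy's own code)."""
import json
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Constructed sample report in Trivy's JSON shape (Results[].Vulnerabilities[]).
# The CVE identifiers below are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:1.0",
    "Results": [
        {
            "Target": "myapp:1.0 (debian 12)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "Severity": "HIGH"},  # no FixedVersion: unfixed
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somelib",
                 "InstalledVersion": "0.9", "FixedVersion": "1.1", "Severity": "MEDIUM"},
            ],
        },
    ],
})


@dataclass(frozen=True)
class Finding:
    target: str
    vuln_id: str
    pkg: str
    installed: str
    fixed: Optional[str]   # None when the distro/ecosystem has no fix yet
    severity: str


def parse_report(report_json: str) -> List[Finding]:
    """Flatten every Results[].Vulnerabilities[] entry into a Finding record."""
    doc = json.loads(report_json)
    findings = []
    for result in doc.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                target=result.get("Target", ""),
                vuln_id=v["VulnerabilityID"],
                pkg=v["PkgName"],
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion"),
                severity=v.get("Severity", "UNKNOWN"),
            ))
    return findings


def blocking_findings(findings: Iterable[Finding],
                      fail_on=("HIGH", "CRITICAL"),
                      ignore_unfixed: bool = False,
                      ignored_ids: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Findings that should fail the build.

    fail_on mirrors trivy.yaml's severity list, ignore_unfixed its
    `ignore-unfixed: true`; ignored_ids is an explicit, reviewed exception
    list (the role a .trivyignore file plays).
    """
    return [f for f in findings
            if f.severity in fail_on
            and not (ignore_unfixed and f.fixed is None)
            and f.vuln_id not in ignored_ids]


def gate_exit_code(report_json: str, **policy) -> int:
    """0 when the pipeline may proceed, 1 when blocking findings remain."""
    return 1 if blocking_findings(parse_report(report_json), **policy) else 0


if __name__ == "__main__":
    for f in blocking_findings(parse_report(SAMPLE_REPORT)):
        print(f"{f.severity:8} {f.vuln_id} {f.pkg} {f.installed} -> "
              f"{f.fixed or 'no fix'}  [{f.target}]")
    print("exit code (ignore-unfixed on):", gate_exit_code(SAMPLE_REPORT, ignore_unfixed=True))
```

Keeping the exception list in a file under code review makes every suppressed CVE visible in history, which an ad-hoc `--severity` downgrade does not.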
SonarQube - Code Quality & Security
Continuous inspection of code quality and security.
```yaml
# docker-compose.yml
# The sonar/sonar credentials below are lab defaults: change them and inject
# them from a secrets file or environment for anything beyond a local trial.
version: '3'
services:
  sonarqube:
    image: sonarqube:community
    ports:
      - "9000:9000"
    environment:
      - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonar
      - SONAR_JDBC_USERNAME=sonar
      - SONAR_JDBC_PASSWORD=sonar
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
  db:
    image: postgres:15
    environment:
      - POSTGRES_USER=sonar
      - POSTGRES_PASSWORD=sonar
      - POSTGRES_DB=sonar
    volumes:
      - postgresql_data:/var/lib/postgresql/data
volumes:
  sonarqube_data:
  sonarqube_extensions:
  postgresql_data:
```

```bash
# SonarScanner CLI
# "token" is a SonarQube user or project token; pass it from the environment
# rather than typing it into a shell whose history is kept.
sonar-scanner \
  -Dsonar.projectKey=myproject \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=token
```
SonarQube in CI/CD
```yaml
# GitHub Actions
- name: SonarQube Scan
  uses: sonarqube-quality-gate/action@master
  with:
    host: ${{ secrets.SONAR_HOST }}
    token: ${{ secrets.SONAR_TOKEN }}
    projectKey: myproject
```
Secrets Management
HashiCorp Vault
```bash
# Start Vault dev server (in-memory, already unsealed, root token printed on start;
# for local experiments only)
vault server -dev

# Set environment
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root-token'

# Write secret (KV engine)
vault kv put secret/api-key key=abc123xyz

# Read secret
vault kv get secret/api-key

# Enable database secrets engine
vault secrets enable database

# Configure database connection
# Vault logs in with this admin user to create short-lived roles on demand,
# so the application never holds a long-lived database password.
vault write database/config/my-postgresql \
  plugin_name=postgresql-database-plugin \
  allowed_roles="app" \
  connection_url="postgresql://{{username}}:{{password}}@localhost:5432/mydb" \
  username="vaultadmin" \
  password="vaultpass"

# Create role (each lease lasts 1h by default and can be renewed up to 24h)
vault write database/roles/app \
  db_name=my-postgresql \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"

# Get dynamic credentials (a fresh username/password pair tied to a lease)
vault read database/creds/app
```
AWS Secrets Manager
```bash
# Create secret
aws secretsmanager create-secret \
  --name prod/api/key \
  --description "API key for production" \
  --secret-string '{"api_key":"abc123xyz789"}'

# Get secret value
aws secretsmanager get-secret-value --secret-id prod/api/key

# Rotate secret (the Lambda implements the rotation steps for this secret type)
aws secretsmanager rotate-secret \
  --secret-id prod/api/key \
  --rotation-lambda-arn arn:aws:lambda:...:function:rotate-secret
```

```python
# In application (Python)
import boto3
import json

# Credentials and region come from the usual AWS provider chain (IAM role,
# environment, or profile); the application never embeds the key itself.
client = boto3.client('secretsmanager')
response = client.get_secret_value(SecretId='prod/api/key')
secret = json.loads(response['SecretString'])   # secret was stored as a JSON object
api_key = secret['api_key']
```
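The snippet above fetches the secret on every call, which in a request handler means one Secrets Manager API call per request and a stale value cached nowhere after `rotate-secret`. The following added example (not the tutorial's own code, and not part of boto3) wraps `get_secret_value` with a TTL cache, handles `SecretBinary` as well as `SecretString`, tolerates a non-JSON secret string, and exposes `invalidate()` to call after a rotation. `FakeSecretsManager` and the values it serves are constructed stand-ins so the module runs offline; in production, construct `SecretCache()` with no client and the real boto3 client is created.

```python
"""Caching, rotation-aware lookup for AWS Secrets Manager (added example)."""
import json
import time
from typing import Any, Callable, Dict, Optional, Tuple


class FakeSecretsManager:
    """Constructed stand-in with the same get_secret_value response shape as boto3."""

    def __init__(self, store: Dict[str, Dict[str, Any]]) -> None:
        self._store = store
        self.calls = 0  # lets a test prove the cache actually avoids API calls

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        self.calls += 1
        if SecretId not in self._store:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return dict(self._store[SecretId])


def decode_secret(response: Dict[str, Any]) -> Any:
    """Turn a get_secret_value response into a usable value.

    Key/value secrets created with --secret-string '{"api_key": ...}' arrive as
    JSON in SecretString; an opaque string is returned unchanged; binary secrets
    arrive in SecretBinary, which boto3 already delivers as bytes.
    """
    if "SecretString" in response:
        raw = response["SecretString"]
        try:
            return json.loads(raw)
        except json.JSONDecodeError:
            return raw
    return bytes(response["SecretBinary"])


class SecretCache:
    def __init__(self, client: Any = None, ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if client is None:
            import boto3  # real client: needs AWS credentials and network access
            client = boto3.client("secretsmanager")
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[float, Any]] = {}  # id -> (expires_at, value)

    def get(self, secret_id: str) -> Any:
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        value = decode_secret(self._client.get_secret_value(SecretId=secret_id))
        self._cache[secret_id] = (now + self._ttl, value)
        return value

    def invalidate(self, secret_id: Optional[str] = None) -> None:
        """Drop one entry (or all) so the next get() re-reads after a rotation."""
        if secret_id is None:
            self._cache.clear()
        else:
            self._cache.pop(secret_id, None)


def demo() -> Tuple[str, bytes, int]:
    """Exercise the cache against the constructed client; returns (api_key, cert, api_calls)."""
    fake = FakeSecretsManager({
        "prod/api/key": {"SecretString": json.dumps({"api_key": "constructed-value-not-real"})},
        "prod/tls/cert": {"SecretBinary": b"\x30\x82constructed-der-bytes"},
    })
    cache = SecretCache(client=fake, ttl_seconds=300)
    api_key = cache.get("prod/api/key")["api_key"]
    cache.get("prod/api/key")            # served from cache: no second API call
    cert = cache.get("prod/tls/cert")
    return api_key, cert, fake.calls


if __name__ == "__main__":
    key, cert, calls = demo()
    print("api key loaded:", bool(key), "| cert bytes:", len(cert), "| API calls:", calls)
```

Choose the TTL to match how quickly a rotated value must take effect; Secrets Manager rotation keeps the previous version retrievable for a while precisely so short caches like this one do not cause an outage at rotation time.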
Kubernetes External Secrets
```yaml
# External Secrets Operator: syncs prod/api/key from AWS Secrets Manager into a
# Kubernetes Secret named api-key-secret, re-reading it every hour
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: api-key
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: api-key-secret
    creationPolicy: Owner
  data:
    - secretKey: API_KEY
      remoteRef:
        key: prod/api/key
        property: api_key
```
Snyk - Developer Security
```bash
# Install Snyk
npm install -g snyk

# Authenticate
snyk auth

# Test for vulnerabilities
snyk test
snyk test --severity-threshold=high

# Test Docker image
snyk container test myimage:latest

# Monitor project
snyk monitor

# Fix issues
snyk fix

# Code test (SAST)
snyk code test

# IaC test
snyk iac test

# In CI/CD (snyk test already exits non-zero when issues reach the threshold)
snyk test --severity-threshold=high || exit 1
```
OWASP ZAP - DAST
```bash
# owasp/zap2docker-stable is the legacy image name; current builds are published
# as ghcr.io/zaproxy/zaproxy:stable. Mount the working directory so the generated
# config and report files end up on the host instead of inside the container.

# Baseline scan (passive checks only, safe to run against a target you own)
docker run -t -v "$(pwd)":/zap/wrk/:rw owasp/zap2docker-stable zap-baseline.py \
  -t https://example.com

# Full scan (active checks; run only against systems you are authorised to test)
docker run -t -v "$(pwd)":/zap/wrk/:rw owasp/zap2docker-stable zap-full-scan.py \
  -t https://example.com \
  -g gen.conf \
  -r report.html

# API scan
docker run -t -v "$(pwd)":/zap/wrk/:rw owasp/zap2docker-stable zap-api-scan.py \
  -t https://example.com/openapi.json \
  -f openapi

# GUI mode
docker run -p 8080:8080 -d owasp/zap2docker-stable
```
GitLeaks - Secret Detection
```bash
# Install
brew install gitleaks

# Detect secrets in repo (by default this walks the full commit history)
gitleaks detect --source . --verbose

# Scan only the files in the working tree, ignoring git history
gitleaks detect --source . --verbose --no-git

# Protect (pre-commit hook: checks staged changes before they enter history)
gitleaks protect --staged

# Generate report
gitleaks detect --source . --report-format json --report-path report.json
```
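To make it concrete what a tool like gitleaks does with each line, the following added example (not gitleaks' code or rules, and not part of the tutorial) implements two rules in the same style: a fixed-format pattern for AWS access key IDs and a generic assignment pattern that is only reported when the captured value has high Shannon entropy, plus an allowlist for known fixtures. The sample lines are constructed; the first key is Amazon's documented example key, and the second is a made-up string in the same format.

```python
"""Minimal gitleaks-style secret detector over text lines (added example)."""
import math
import re
from dataclasses import dataclass
from typing import Iterable, List, Pattern


@dataclass(frozen=True)
class Rule:
    id: str
    regex: Pattern            # group 1 must capture the candidate secret
    min_entropy: float = 0.0  # bits per character required to report a match


RULES = [
    # Fixed-format identifier: prefix plus 16 uppercase alphanumerics.
    Rule("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    # Generic "<name> = <value>" assignments; entropy filters out placeholders.
    Rule("generic-api-key",
         re.compile(r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})['\"]?"),
         min_entropy=3.5),
]

# Documented example key and other fixtures that must not be reported.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed sample input (no real credentials).
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",         # allowlisted documented example
    "aws_access_key_id = AKIAQ2XYZ7ABCDEFGHIJ",       # made-up key in the real format: report
    "api_key = 'changeme_changeme_changeme'",         # low entropy placeholder: ignore
    'token: "aB3dE9fGh1JkL2mN4pQrStUv"',              # high entropy value: report
    "password=changeme",                              # shorter than 16 chars: no match
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(secret: str) -> str:
    """Keep enough to locate the finding without copying the secret into a report."""
    return secret[:4] + "..." + secret[-2:]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line_no: int
    match: str   # redacted


def scan_lines(lines: Iterable[str], rules=RULES, allowlist=ALLOWLIST) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(lines, 1):
        for rule in rules:
            for m in rule.regex.finditer(line):
                candidate = m.group(1)
                if candidate in allowlist:
                    continue
                if shannon_entropy(candidate) < rule.min_entropy:
                    continue
                findings.append(Finding(rule.id, line_no, redact(candidate)))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule_id} -> {f.match}")
```

The entropy threshold is the lever that trades false positives for misses: raise it and placeholder-looking strings vanish from reports, lower it and real secrets built from dictionary words are caught. Real scanners pair it with many more format-specific rules, which need no entropy check at all.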
Checkov - IaC Scanning
```bash
# Install
pip install checkov

# Scan Terraform
checkov -d .
checkov --file main.tf

# Scan Kubernetes manifests
checkov -d k8s/ --framework kubernetes

# Scan Dockerfiles
checkov --file Dockerfile

# Skip checks (record the reason for each suppression in the repository)
checkov -d . --skip-check CKV_AWS_20,CKV_AWS_57

# Generate report
checkov -d . --output json > report.json
```
Quiz
Question 1 of 5: What is the main purpose of Trivy?
- Network monitoring
- Vulnerability scanning for containers and code
- Load testing
- Database migration
Next Steps
Now let's explore high availability and disaster recovery strategies.