From code development and approval to continuous integration and deployment, each stage presents unique challenges and opportunities to enhance the security of your applications.
By following the recommendations in this cheat sheet, you will be able to:
- Identify and fix vulnerabilities in your code early using the Snyk CLI and Snyk IDE plugins.
- Prevent secrets from being committed to your repository with GitGuardian's ggshield.
- Safely store and share secrets using encryption or secrets managers.
- Protect your source code from compromise using honeytokens.
- Conduct code reviews and address security weaknesses during the code approval stage.
- Analyze infrastructure code for misconfigurations using Snyk Infrastructure as CodeI.
- Scan your code and artifacts for vulnerabilities during the continuous integration and deployment process.
- Ensure that no secrets are leaked in the final artifact with GitGuardian integration.
- Be alerted if your CI/CD service gets compromised using Honeytokens.
- Scan container images for vulnerabilities and leaked secrets.
With these security measures in place, you can have confidence in the integrity and security of your code as it moves from development to deployment in the cloud.
Let's dive into each stage and explore the tools and practices that will help you build secure and robust applications.
Stage 1: Code Development
At this stage, you are crafting your code, adding dependencies, preparing your app to interface with external systems (backends, SaaS, databases, etc.), and hopefully writing tests!
The main threats here are committing a secret, misconfiguration, coding a vulnerability, or adding a malicious dependency. To prevent these outcomes, there is a lot that you can set up to detect and fix issues early on:
- Get security feedback right into your IDE with the Snyk IDE plugin. This plugin provides real-time security feedback as you code, helping you identify and fix vulnerabilities and issues directly within your development environment.
- Detect and fix vulnerabilities with the Snyk CLI. Install the Snyk CLI globally by running
npm install snyk-g. This allows you to run various commands such as
snyk code test,
snyk container test, and
snyk iac testto scan your code, dependencies, containers, and infrastructure-as-code for vulnerabilities and misconfiguration. Never commit a secret again with GitGuardian ggshield. Install GitGuardian by running the following command (on macOS):
brew install gitguardian/tap/ggshield
Then automatically get a token for scanning with:
gghsield auth login
To prevent committing secrets, add the ggshield secret scan pre-commit hook to your local .git/hooks folder by using the command:
gghsield install --mode local --hook-type pre-commit -a
You can also scan your local repository immediately to identify hard-coded secrets by running
gghsield secret scan repo.
- Store and share secrets safely: To securely store and share secrets, you can either encrypt your secrets in your repository using tools like SOPS or call a secrets manager from your code using clients such as hvac (for Hashicorp’s Vault) or boto3 (for AWS Secrets Manager). Check out examples of how to handle secrets in Python here. Protect against code compromise: Malicious actors actively seek source code to compromise organizations of all scales. Fortunately, you can protect your source code by using honeytokens. Use the
gghsield honeytoken createcommand to create honeytokens if enabled in your workspace. Honeytokens can help detect if an unauthorized actor accessed your source code or if it was publicly exposed on GitHub. Learn how to secure your SCM repositories with GitGuardian honeytokens here.
Stage 2: Code Approval
Whether you are working alongside dozens of fellow coders or contributing to an open-source project, the next step is to push your work to a central repository. This is the occasion for your changes to get reviewed by peers. The goal is to keep code quality consistent, get feedback, and fix security vulnerabilities and license issues.
To ensure the security of your code during the code approval stage, consider the following guidelines:
- Get feedback: When working in a team, it's essential to have at least one pair of eyes review the code for quality, security, and adherence to coding standards. Code reviews can help identify potential security vulnerabilities and provide valuable feedback.
- Check for security failures: Use Snyk Open Source to assess the reliability of the added dependencies. Additionally, it can help identify if a license is compliant with your organization's policy. This ensures that the dependencies you are using are secure and meet the necessary licensing requirements.
- Check for common security weaknesses: Leverage Snyk Code, a real-time static analysis tool, to identify common security weaknesses in your code. It can provide alerts and recommendations to help you address these weaknesses and improve the overall security of your codebase. Enforce no secrets get leaked: Implement a check for leaked secrets in the main repository. This can be done by integrating GitGuardian into your code approval process. By scanning for hard-coded secrets during the code approval stage, you can ensure that no secrets are leaked and avoid the need for a secret rotation procedure.
- Analyze Infrastructure code (IaC) for misconfigurations: Use Snyk Infrastructure as Code (IaC) to analyze your IaC templates and configurations for misconfigurations and vulnerabilities. This helps ensure that your infrastructure is properly configured and secure before deployment.
Stage 3: Continuous Integration and Deployment
After being approved, your changes finally get merged into the main branch (or the appropriate trunk) of your project. The code is now ready to be built, tested, and eventually deployed. However, before that can happen, multiple checks are needed. Welcome to the automated test kingdom, where the inner workings of the code are scrutinized to ensure quality and security requirements are met.
During the Continuous Integration and Deployment (CI/CD) pipeline, consider implementing the following steps to ensure the security of your code:
- Scan the source code for vulnerabilities: Integrate Snyk with your CI/CD pipelines to scan for vulnerabilities during the build process. This ensures that any vulnerabilities in your code are identified and can be addressed before deployment.
- Ensure no secrets are found in the final artifact: Integrate GitGuardian into your CI/CD pipeline to detect any hard-coded secrets during the pipeline execution. This helps prevent secrets from being included in the final artifact and ensures that sensitive information is not exposed.
- Detect intrusions in your CI/CD pipelines: Enhance the security of your build process by using Honeytokens. Place Honeytokens in the secure store of your CI/CD provider (as secrets, or environment variables) to ensure that you receive alerts if your builds are compromised. This helps detect any unauthorized access to pipelines and allows you to take appropriate actions. Learn more here.
- Scan artifacts: Even if your source code passes all security checks, it's important to scan the final artifact for vulnerabilities. Use tools like Snyk Container and ggshield secret scan docker to scan container images and ensure that the end product is clean and free from vulnerabilities and leaked secrets.
By following these steps in the CI/CD pipeline, you can ensure that your code is secure and meets the necessary quality and security requirements before deployment.
Stage 4: Deploy
Once your code has been approved and tested, it's time to deploy it to a cloud environment or infrastructure. However, before doing so, it's important to ensure the security of your deployment process. Here are some steps you can take:
- Secure your deployment pipeline: Implement secure deployment practices such as using secure connections (HTTPS), verifying the integrity of your deployment artifacts, and using secure authentication methods.
- Scan your deployment configuration: Use Snyk IaC to scan your infrastructure-as-code (IaC) templates and configurations for misconfigurations and vulnerabilities. This will help you identify any security issues before deploying your code.
- Monitor your deployment: Implement monitoring and logging solutions to track the performance and security of your deployment. This will help you identify any anomalies or potential security threats. Implement security best practices: Follow security best practices for cloud deployments, such as using strong access controls, regularly updating your software and dependencies, and encrypting sensitive data.
Stage 5: Cloud
Once your code is deployed to a cloud environment, it's important to continuously monitor the security of your cloud infrastructure and applications. Here are some steps you can take to ensure the security of your cloud environment:
- Implement logging and monitoring: Set up logging and monitoring solutions to track and analyze the activity in your cloud environment. This will help you detect any security vulnerabilities or threats.
- Implement threat detection: Use threat detection tools and services to identify and respond to potential security threats in real-time. This can include detecting unauthorized access attempts, unusual network traffic, or suspicious behavior.
- Regularly update and patch: Keep your cloud infrastructure and applications up to date by regularly applying security patches and updates. This will help protect against known vulnerabilities and exploits.
- Implement access controls: Use strong access controls and authentication mechanisms to ensure that only authorized users and services can access your cloud resources. This can include implementing multi-factor authentication, role-based access controls, and least privilege principles. Get the IAM cheat sheet here.
- Regularly review and audit: Conduct regular security reviews and audits of your cloud environment to identify any potential security weaknesses or misconfigurations. This can help you proactively address any security issues before they are exploited.
By following these steps and utilizing tools like Snyk and GitGuardian, developers can ensure the security of their code throughout the entire development and deployment process.