DevSecOps is the philosophy of developing applications and infrastructure securely from ideation to deployment. It requires consideration of security risks at all stages of the development lifecycle. While DevOps teams have historically focused on automating the building, testing, and deployment of their applications, DevSecOps includes automating security practices to allow teams to increase security without losing velocity.

To build, deploy, and test your application, your application's CI/CD pipeline accesses every resource in your technology stack. These resources include analytics keys, code signing credentials, security secrets, proprietary code, and data. Your CI/CD pipeline must be securely protected so that protected information is never exposed to unwanted parties. Without a deliberate effort to protect and secure your pipeline, any of these resources is a potential security vulnerability.

Recently, we defined three important categories of CI/CD security best practices: securing your pipeline configuration, protecting code and analyzing Git history, and enforcing security policies. With just a few lines of code, CircleCI orbs let you easily add integrations with the tools and services that address these categories in your pipeline. Orbs are reusable, shareable, open-source packages of CircleCI config that integrate these services instantly. With orbs, you get an out-of-the-box solution for securing your pipeline.
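To make the "few lines of code" concrete, here is an added example of how a security orb is wired into a pipeline. It is not config from this post or from any of the partners listed below: the orb coordinates (`example-namespace/security-scanner`), its exported job (`scan-image`) and the parameter names are hypothetical placeholders, while `version`, `orbs`, `workflows`, `context` and `CIRCLE_SHA1` are standard CircleCI config. The point it illustrates is that the scanning logic lives in the orb, and the credentials it needs come from a restricted context rather than being written into the config that is committed to the repository.

```yaml
version: 2.1

orbs:
  # Hypothetical orb coordinates (namespace/name@version); pin the version so
  # a new orb release cannot silently change what runs in your pipeline.
  sec-scan: example-namespace/security-scanner@1.2.3

jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run:
          name: Build the application image
          # Placeholder build step; a real pipeline would build and push here.
          command: echo "building registry.example.com/app:${CIRCLE_SHA1}"

workflows:
  build-and-scan:
    jobs:
      - build
      # Job exported by the hypothetical orb. Its parameters are passed as
      # keys here; the scanner's API token is NOT in this file. It is injected
      # from the "security-credentials" context, which only trusted users and
      # branches can read.
      - sec-scan/scan-image:
          requires:
            - build
          image: "registry.example.com/app:${CIRCLE_SHA1}"
          fail-on-severity: high
          context: security-credentials
```

Two habits shown here matter regardless of which orb you use: pin orbs to an exact version so the code your pipeline runs is the code you reviewed, and keep every secret the orb needs in a context or environment variable rather than in the committed config.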

Secure your CI/CD pipeline with these orbs:

Alcide
Detect vulnerabilities and misconfiguration drift early in development as you run Kubernetes clusters.

Anchore
Add Anchore image scanning to any CircleCI workflow.

Aqua Security
Remediate vulnerabilities within your pipeline and enforce regulatory compliance with granular container-level controls and reporting.

AWS Parameter Store
Manage and load environment secrets from AWS Parameter Store.

Contrast Security
Add vulnerability discovery for custom code and open source libraries to the CircleCI build environment.

CryptoMove
Consolidate management of versioning and sharing by storing your encrypted keys and secrets on CryptoMove.

Fortanix
Store and manage secrets, API keys, and other sensitive data with a secure distributed key management service.


Integrate OSS compliance and vulnerability checks into your CI/CD workflow.

GCP Binary Authorization
Configure Google's Binary Authorization service to sign and attest the container images you deploy.

NeuVector
Scan container images for vulnerabilities during the build and secure Kubernetes container deployments at runtime with NeuVector.

Probely
Integrate Probely into your CI/CD pipeline to continuously scan your web applications for security vulnerabilities.

Snyk
Find, fix, and monitor vulnerabilities in your application's open source dependencies and container images.

StackHawk
Find, triage, and fix application security bugs using dynamic application security testing.

Twistlock
Integrate Twistlock vulnerability and compliance issue scans into your CircleCI workflows.

WhiteSource
Scan your products for known open source vulnerabilities and receive actionable remediation advice.

What our partners are saying:

"As container adoption continues to accelerate, enterprises require a solution that allows them to automate security comprehensively throughout the application lifecycle. We are very excited to work with CircleCI to continue to bridge the gap between development and security teams and help them build and run applications securely without forfeiting speed or performance," said Upesh Patel, VP of Business Development, Aqua Security.

"A complete lifecycle vulnerability management solution is critical for NeuVector customers. With the NeuVector CircleCI orb, developers and DevOps teams can build automated security into their CI/CD pipelines by triggering container image scans during the CircleCI-managed build process. This enables NeuVector customers to enforce security policies across the build, ship, and run stages," said Gary Duan, co-founder and CTO, NeuVector.

"At CryptoMove, we want to make it easier for developers and teams to store data in our product, a moving target defense. With the help of CircleCI and their developer team, we built our orb, which allows developers to seamlessly read sensitive information as environment variables from the moving target defense in their CircleCI builds and deployments," said Nicholas Schook, Solutions Engineer, CryptoMove.

What you can do

Is there something else that you would like to do to secure your pipeline that isn't available from an orb? Orbs are open source, so adding functionality to an existing orb is just a matter of getting your PR approved and merged. Check out all of the available orbs in the orbs registry. Do you have a use case that you feel isn't covered by the current set of security-focused orbs? You can author one yourself and contribute it to the community. We have even published best practices for creating automated build, test, and deploy pipelines (Part 1 and Part 2) to help you along the way.

To secure your pipeline, let your team take advantage of third-party services and eliminate the need for in-house development. With orbs, your team only needs to know how to use those services, not how to integrate or manage them.