December 13, 2022

Integrating Automated Security and Testing in Your CI/CD Pipeline

Security is no longer an afterthought; it is an integral part of the continuous integration and delivery (CI/CD) pipeline. While DevOps practices focus on agility and speed, DevSecOps ensures security is embedded tightly in the delivery pipeline. Competition is fierce, and customers demand new features fast. How quickly new software and features reach customers depends on the organization's skill set and the tools it uses.

With so many tools, it can sometimes be overwhelming to determine how to integrate security into your DevOps toolchain. Today, we will show you how to integrate security tools, suites and frameworks of your choice into your CI/CD pipeline using the Harness platform.

Security in CI/CD Pipeline

CI/CD is a process where you build and deploy code automatically as soon as a new commit is made. The process usually involves building code, running test cases, executing static code analysis, and finally deploying the application. There are many tools that run on top of a CI/CD pipeline and help companies automate their workflow. To automate security testing in your CI/CD pipeline, you will need an automated way to run security scans against your code. This can be done by integrating different security tools into your CI/CD pipeline. 

Automating Manual Testing in CI/CD Pipeline

Manual testing is a time-consuming process and does not scale. While it’s good practice to do some manual testing before each release, it should be automated wherever possible. Testing can be automated by following these steps: 

  1. Set up a test environment that mirrors the production environment. Once the environment is set, you can start adding test cases to execute your tests. 
  2. Next, identify what needs to be tested. You can use risk analysis to identify the areas of concern in your code: code violations and any stability or performance issues. Risk analysis helps you prioritize your tests and ensures you are not missing any critical test cases. 
  3. Once you have your test cases ready, you need to set up your test data manually before you can automate the test. Once the test data is ready, you can integrate a testing tool into your CI/CD pipeline.
  4. The other option is to integrate different testing tools and suites in the 'Build & Test' stage, where the CI tool runs all your tests and builds the code. Selecting a modern tool that incorporates these integration and custom test capabilities is very important. This is where a platform like Harness helps organizations counter security and vulnerability threats. 

Test Tools and Parameters

Running multiple security tests in parallel is a good practice, and we will demonstrate this in this tutorial. Let us see some examples of the test suites and tools we will be using. 

  • Assertible
  • Snyk
  • Pm2
  • SonarQube
  • BrowserStack
  • AppSignal

Let us go through one by one and see what they are. 

Assertible

Assertible ensures the uptime and availability of your APIs and websites and the correctness of your data. 

Assertible UI

Snyk Test

Snyk finds open-source vulnerabilities and license issues in your applications. 

Snyk Test UI

Pm2 Test

PM2 is a production process manager for Node.js applications with a built-in load balancer. It allows you to keep applications alive forever, to reload them without downtime, and to facilitate common system admin tasks.

Pm2 UI

SonarQube

SonarQube reports the code quality of your application. 

SonarQube UI

BrowserStack

BrowserStack does cross-browser testing of your application.

BrowserStack UI

AppSignal

AppSignal does error tracking and performance monitoring of your application.

AppSignal UI

Harness integrates with over 40 of the most popular application security scanners available today.

Automated Testing Using Harness CI

Harness integrates well with all major tools, and the pipeline can be customized accordingly by choosing various tools and platforms at different stages of CI/CD. Similarly, when it comes to testing, the CI (Harness CI in our case) tool can be integrated with different tests to find bugs and vulnerabilities. Let us see how to configure Harness CI with all the above-mentioned security tests.

Start by forking the sample Node.js application: https://github.com/pavanbelagatti/harness-ci-example

Next, sign up for the Harness platform free trial and select the CI module.

Harness CI Builds

Create the project and configure the “Build & Test” stage. 

Harness build and test stage

Under “Build & Test”, you can configure your different custom test suites. Use the “Run” step to configure as below. 

Harness configure run step

Harness build selection

You can configure all the different test suites using the “Run” step. Once all the tests are configured, save and run the pipeline. All the tests can be easily configured and the pipeline can be run with a single click. You should see the successful execution of the pipeline and all the tests passing. If any vulnerabilities, bugs, or mistakes are found, the pipeline does not move forward and halts at that step. 
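As an added example (not code from the original post or from Harness), here is what the "Build & Test" stage configured through the Run steps above, and the parallel test setup from the earlier steps, looks like as Harness pipeline YAML: the Snyk and SonarQube scans run as parallel Run steps, and a non-zero exit from either one fails the stage so the pipeline halts. The project and org identifiers, the secret names, the SonarQube host URL and the tool flags are assumptions; the `<+secrets.getValue(...)>` expression keeps tokens out of the pipeline definition.

```yaml
pipeline:
  name: nodejs-security-ci
  identifier: nodejs_security_ci
  projectIdentifier: default_project     # assumption: your Harness project id
  orgIdentifier: default                 # assumption: your Harness org id
  stages:
    - stage:
        name: Build and Test
        identifier: build_and_test
        type: CI
        spec:
          cloneCodebase: true            # checks out the forked repo configured on the pipeline
          platform:
            os: Linux
            arch: Amd64
          runtime:
            type: Cloud                  # Harness Cloud build infrastructure
            spec: {}
          execution:
            steps:
              - step:
                  type: Run
                  name: Install
                  identifier: install
                  spec:
                    shell: Sh
                    command: npm ci
              - parallel:                # scans run side by side; any non-zero exit halts the pipeline
                  - step:
                      type: Run
                      name: Snyk Test
                      identifier: snyk_test
                      spec:
                        shell: Sh
                        envVariables:
                          SNYK_TOKEN: <+secrets.getValue("snyk_token")>   # assumed secret name
                        command: npx snyk test --severity-threshold=high  # fails on high/critical findings
                  - step:
                      type: Run
                      name: SonarQube Scan
                      identifier: sonarqube_scan
                      spec:
                        shell: Sh
                        envVariables:
                          SONAR_TOKEN: <+secrets.getValue("sonar_token")>  # assumed secret name
                        command: |
                          npm install --no-save sonarqube-scanner
                          npx sonar-scanner -Dsonar.projectKey=harness-ci-example \
                            -Dsonar.host.url=https://sonar.example.com \
                            -Dsonar.login="$SONAR_TOKEN" -Dsonar.qualitygate.wait=true
```

`-Dsonar.qualitygate.wait=true` makes the scanner wait for the SonarQube quality gate and exit non-zero if it fails, which is what turns a quality report into a pipeline gate.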

Harness run pipeline

You can see all the tests passing. 

Harness UI console logs

Bringing DevSecOps and CI/CD Together

CI/CD is a process that helps teams build, test, and deploy code faster and more efficiently. When engineers must perform testing manually, there is more room for error. As automation becomes the centre of DevOps best practices, a tool that automates security testing is preferred. No doubt, security testing is a critical part of CI/CD and can be automated to save time and effort. In addition, it can reduce the risk of deploying unsafe code when done correctly. 

Many tools can help you automate your CI/CD pipeline security testing. They include vulnerability scanners, code coverage analyzers, code review tools, static code analysis tools, post-failure tools, etc. All you need is a platform like Harness with CI/CD and security testing capabilities to ensure your deployments are 100% safe. 

If you're interested in learning more about using Harness and intelligent software delivery, try it for free and check out our Developer Hub for more step-by-step tutorials, videos, and reference docs.
