feature/add-early-stages-of-development

nanlabs · Jan 23, 2024 · d3a192e · d3a192e
1 parent 60e187d
commit d3a192e
Show file tree

Hide file tree

Showing 5 changed files with 141 additions and 0 deletions.
diff --git a/examples/security-assessments-guide/README.md b/examples/security-assessments-guide/README.md
@@ -0,0 +1,55 @@
+## Readme
+
+En esta guia se analizaran principalmente tres formas distintas a traves de las cuales podemos realizan un analisis de nuestro proyecto, con el objetivo de evitar posibles vulnerabilidades. Cada una de estas formas sera en un momento distintos de la etapa de desarrollo, con lo cual pretendemos se puedan adoptar segun la estrategia mas conveniente para cada proyecto y equipo.
+
+Los puntos que se analizaran, seran:
+
+1. Early stages of Development Workflows
+
+- Integrar tools existentes con IDEs como VS Code e Intellij
+- Git workflow:
+  - pre-commit/pre-push con Snyk/Trivy
+  - Linter configurations
+  - Husky
+
+2. Continous integration
+
+- Como realizar los distintos tipos de analisis ya mencionados, en un flujo de CI/CD.
+- Stack principal a analizar: Github actions.
+- Stack extra: Gitlab CI/CD, AWS Code Pipeline, Jenkins, Bitbucket.
+- Analisis de Github Enterprise - Github Security.
+
+3. Scans
+
+- Scan de Filesystem (codigo en repositorios)
+- Infra as Code
+- Kubernetes
+- Seguridad en contenedores
+
+# Readme
+
+In this guide, we will primarily analyze three different ways through which we can make an analysis of our project with the goal of avoiding potential vulnerabilities. Each of these methods will be applicable at different stages of the development process, allowing them to be adopted based on the most suitable strategy for each project and team.
+
+The points that will be analyzed include:
+
+## 1. Early Stages of Development Workflows
+
+- Integrate existing tools with IDEs such as VS Code and Intellij.
+- Git workflow:
+  - Pre-commit/Pre-push with Snyk/Trivy.
+  - Linter configurations.
+  - Husky configurations.
+
+## 2. Continuous Integration
+
+- How to perform differents types of analyses mentioned, in a CI/CD flow.
+- Primary stack for analysis: Github Actions.
+- Additional stacks: Gitlab CI/CD, AWS Code Pipeline, Jenkins, Bitbucket.
+- Analysis of Github Enterprise - Github Security.
+
+## 3. Scans
+
+- Filesystem scan (code in repositories).
+- Infra as Code.
+- Kubernetes.
+- Container Security.
diff --git a/examples/security-assessments-guide/assets/severity-snyk.png b/examples/security-assessments-guide/assets/severity-snyk.png
diff --git a/examples/security-assessments-guide/assets/snyk-vscode.png b/examples/security-assessments-guide/assets/snyk-vscode.png
diff --git a/examples/security-assessments-guide/assets/trivy.png b/examples/security-assessments-guide/assets/trivy.png
diff --git a/examples/security-assessments-guide/early-stages-of-development-workflow/README.md b/examples/security-assessments-guide/early-stages-of-development-workflow/README.md
@@ -0,0 +1,86 @@
+# Early stages of development workflow
+
+## Overview
+
+This guide provides a compilation of various tools that can be implemented in the early stages of development to enhance the security of your web projects.
+
+## Table of Contents
+
+- [IDE Integrations](#ide-integrations)
+- [Git Workflow](#git-workflow)
+  - [Pre-commit/Pre-push with Snyk/Trivy](#pre-commitpre-push-with-snyktrivy)
+  - [Linter Configurations](#linter-configurations)
+  - [Husky](#husky)
+  - [Examples with Python in Pre-commit](#examples-with-python-in-pre-commit)
+
+## IDE Integrations
+
+In this section, you will find a guide on how to implement tools like Snyk or Trivy in the IDE you are using. The goal is to have a powerful tool that allows you to perform scans on your code and detect important security-related points in the early stages of development.
+
+## Visual Studio Code
+
+### Snyk
+
+Follow the steps below to install Snyk in Visual Studio Code:
+
+1. Visit the [Snyk Visual Studio Code Extension Documentation](https://docs.snyk.io/integrate-with-snyk/ide-tools/visual-studio-code-extension).
+2. Install the extension and configure it as necessary.
+
+Example of how you will see snyk in Visual Studio Code:
+
+![Snyk VsCode Extension](examples/security-assessments-guide/assets/snyk-vscode.png)
+
+Once you have installed the extension and made the required configurations, you can scan the repository you are working on. The analyses you can perform include:
+
+- **Open Source Security:** This scan primarily focuses on your dependencies and devDependencies. If vulnerabilities are found, they will be indicated using notations such as CVE, CWE, CVSS, etc. Recommended actions for such scans usually involve updating dependencies to newer versions.
+- **Code Security:** This scan assesses the security of your code, detecting potential issues such as XSS attacks, SQL injections, detection of hardcoded secrets, etc.
+
+- **Configuration Issues:** This section analyzes various configurations of your application, such as .yml files, cloud environment configurations, etc.
+
+- **Code Quality:** This analysis is related to the quality of your code, providing recommendations for code formatting, implementation of best practices, etc.
+
+All the above mentioned scans will give results according to the level of criticality, which may have different severities:
+
+![Severity in Snyk](examples/security-assessments-guide/assets/severity-snyk.png)
+
+If you want to learn more about analyzing the results obtained, you can check this [link](https://docs.snyk.io/integrate-with-snyk/ide-tools/visual-studio-code-extension/view-analysis-results-from-visual-studio-code-extension).
+
+Snyk will run an analysis each time you start VsCode, and you have the option to perform a rescan whenever needed.
+
+### Trivy
+
+Here, you can find the documentation for installing Trivy in Visual Studio Code: [Trivy VSCode Extension](https://github.com/aquasecurity/trivy-vscode-extension).
+
+Trivy performs a scan on your entire code, providing results aimed at preventing the following types of vulnerabilities:
+
+- **Code vulnerabilities:** Prevent DDOS, SQL Injection, XSS attacks, etc.
+- **Infra vulnerabilities:** Analyzes Infrastructure as Code (AWS, Azure, Terraform, etc.) and provides recommendations to avoid security flaws, such as incorrect implementation of Secrets Manager, preventing the use of hardcoded keys, etc.
+- **Container analysis:** Provides results on the analysis of containers (Dockerfiles, docker-compose). Some possible results include prevention of using the root user, no HEALTHCHECK defined, etc.
+
+Here's how you'll see the results obtained in each scan:
+
+![Trivy scan](examples/security-assessments-guide/assets/trivy.png)
+
+## JetBrains
+
+--ToDo
+
+## Git Workflow
+
+En esta seccion se mencionaran herramientas que nos permitiran realizar distintos tipos de scans en nuestro git workflow. De esta forma, todavia estando en early stages de nuestro proceso de desarrollo, podremos detectar vulnerabilidades y corregirlas.
+
+### Pre-commit/Pre-push with Snyk/Trivy
+
+--ToDo
+
+### Linter Configurations
+
+--ToDo
+
+### Husky
+
+--ToDo
+
+### Examples with Python in Pre-commit
+
+--ToDo