Uses a simple python program that ouputs some text.
It undergoes style, lint, unit testing, quality and security checks before a docker container is built, containing a fcgi set up nginx with the test program copied over. If this container is successfully built it is uploaded to a docker repo. Later manually deployed to a local Kubernetes cluster(minikube).
- Pre build step - only purpose is to ouput some GitHub variables.
- Style and linting on the python code. These are done in parallel. Style is done with pycodestyle. Linting is done with pylint. Pylint version 2.11.1 had to be used, because job did not complete with latest.
- Unit testing is performed. This job depends on style and lint jobs. Unit testing is done with doctest.
- SAST and SCA steps are performed in parallel. Sonarcloud is for SAST and Snyk for SCA.
- Build docker image and upload it to Docker Hub. The image is tagged with 8 symbols from the GitHub SHA and also with latest tag. An extra step was added here to handle image tag for the extra added config repo job. This job depends on SAST and SCA jobs. Image
can be pulled and run standalone with:
docker run -p 80:80 5ko5ko/telerikrepo:latest
and then in your browser:
http://localhost/cgi-bin/test.cgi- DAST scan. Uses StackHawk service and GitHub action to pull, run and security test the running application.
- Update the Kubernetes manifest file with the new image tag so ArgoCD can detect and reflect changes. Does a checkout on the config repo, edits the manifest file and then pushes the changes back. This job depends on DAST job. This job was added later(see *)
After the workflow completes successfully and a docker image is uploaded to Docker Hub registry the application is deployed to a locally runing Kubernetes cluster(minikube). Deployment is done manually. This was later amended using ArgoCD(see *)
*Added after project submission:
- Another config repo exists where configuration for ArgoCD is stored and Kubernetes manifest is monitored.
- Rewrite main repo workflow to include an extra step, which updates the Kubernetes manifest in above config repo with the docker image tag
- ArgoCD is set up to monitor the above config repo and re-deploy the cluster if changes in the manifest are detected.
- This step is configured to run after a successful DAST scan is completed.
- Add app monitoring(Maybe integrate with NewRelic)
- Add alerting
- Add worklflow process notifications(Slack, Teams, Email, etc.)
- Add a job to scan for exposed secrets
- Try IaC with Terraform
- SCA: Software composition analysis
- SAST: Static application security testing
- DAST: Dynamic application security testing