Scenario introduction
[Vulnerability risk detection and automatic blocking] During code iteration, container images built from an incorrect base image expose developers to a high vulnerability risk. The cloud-native application delivery chain supports automatic image security scanning and policy-based blocking: when the security policy check fails, the R&D pipeline is interrupted and a notification is sent.
[One-click vulnerability fix and automatic delivery] Developers can fix vulnerabilities in the console and automatically trigger a new security scan. After the security policy check passes, image signing is triggered automatically and the image is delivered to ACK for deployment.
Prerequisites
- Create an ACR Enterprise Edition instance (Advanced Edition). For more information, see Create an Enterprise Edition instance.
- Initialize the Enterprise Edition instance and add a VPC as the channel through which Security Center accesses the instance. For more information, see Configure VPC access control.
- Activate the Codeup code source, click Add repository on the right, and select Import repository. In the Import repository dialog box, select Import URL, enter https://github.com/susanna8930/workshop as the source repository address, and complete the import.
Procedure
Step 1: Bind a code source
- Log on to Codeup, click Personal Settings, and then click Personal Access Token.
- For the personal access token, select the minimum permissions required for this experiment:
  - Read-only permission on user information: read:user
  - Read-only permission on repositories: read:repo
  - Read-only permission on repository branches: read:repo:branch
  - Read-only permission on repository tags: read:repo:tag
  - Read and write permissions on repository webhooks: read:repo:webhook, write:repo:webhook
  - Read permission on all code groups: read:group
  - Read-only permission on enterprise information: read:org
- In Personal Settings, click HTTPS Password in the left-side navigation pane of the dialog box to view the clone account, and note the corresponding account name.
- Log on to the ACR console and configure the account name and the personal access token.
- When Codeup is displayed as Bound on the Code Source page, the binding is successful. For more information about binding a code source, see.
Step 2: Create a source code repository
- In the left-side navigation pane of the Enterprise Edition instance management page, choose Repository Management > Image Repositories, and click Create Image Repository.
- Create the namespace demo and the repository name workshop, and set the repository type to Public. (This setting is for the workshop only; we do not recommend enabling it in a production environment.)
- Select the pre-imported Codeup code repository, keep Automatically build images for code changes enabled (the default), and click Create Image Repository.
- On the image repository page, click Manage. In the left-side navigation pane, click Build; in the Build Rule Settings section, click Add Rule, configure the build rule, and click OK.
  - Build information page: select Branch as the type and select the master branch from the drop-down list.
  - Image version page: enter the image version v1.0 and click Save.
- After the creation is complete, the build rule is shown in the source code repository. Click Build Now to pull the source code from Codeup and build the container image.
Step 3: Create a cloud-native application delivery chain
- In the left-side navigation pane of the Enterprise Edition instance management page, choose Cloud-Native Delivery Chain > Delivery Chain.
- On the Create Delivery Chain page, enter the following basic information:
  - Delivery chain name: set the name of the delivery chain.
  - (Optional) Delivery chain description: set a short description of the delivery chain.
  - Scope of delivery chain: select the source code repository created in Step 2.
- In the Security Scan node of the delivery chain, configure the following:
  - Security engine: select Security Center Security Engine.
  - Whether to block: select Block.
  - Whether to delete: select Do not delete.
  - Vulnerability level: select High; number of vulnerabilities: 1.
Step 4: Modify the Codeup source code to trigger the delivery chain build and security scan automatically
- In Codeup, modify the content of the hello-world.go file.
- On the Execution Records page of the delivery chain, view the execution status of the current run. After a short wait, the delivery chain is shown as Blocked and the execution status is Cancelled.
- Click Operation Details to view the vulnerabilities found in the container image.
Step 5: Repair the container image with one click and trigger the delivery chain again
- Click One-Click Repair. If you select Do not overwrite, a new container image version is created with the suffix _fixed. Click Fix Now.
- On the Execution Records page of the delivery chain, view the execution status of the current run. After a short wait, the container image is shown as repaired and the delivery chain proceeds with the subsequent nodes.
- Click the Security Scan node to confirm that all image vulnerabilities have been fixed.
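The gate configured in the Security Scan node in Step 3 (block the chain when the image carries at least the configured number of vulnerabilities at the selected level), the Cancelled outcome seen in Step 4 and the _fixed repair tag from Step 5, modelled as an added Python example. This is not code from the workshop or from ACR. The scan report, the severity ordering (findings at or above the selected level are counted) and the behaviour of one-click repair (every finding with a known fixed version is resolved) are constructed assumptions; the vulnerability ids are placeholders, not real advisories. A medium finding without a fix is left in the report to show that only findings at or above the configured level count toward the threshold.

```python
from dataclasses import dataclass
from typing import Dict, List

# Severity ordering used by this example. Assumption: findings at or above the
# configured level count toward the threshold (the console exposes only the
# level and the count, so the exact comparison is not stated on the page).
SEVERITY_RANK: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by the scan engine for an image."""
    vuln_id: str        # placeholder ids below, not real advisories
    package: str
    severity: str       # key of SEVERITY_RANK
    fixed_version: str  # "" when the scanner knows no fixed version


@dataclass(frozen=True)
class ScanPolicy:
    """The four settings of the delivery chain's Security Scan node."""
    block: bool = True          # "Whether to block: Block"
    delete_image: bool = False  # "Whether to delete: Do not delete"
    level: str = "high"         # "Vulnerability level: High"
    max_count: int = 1          # "Number of vulnerabilities: 1"


def count_at_or_above(findings: List[Finding], level: str) -> int:
    """Number of findings whose severity is at or above the configured level."""
    floor = SEVERITY_RANK[level]
    return sum(1 for f in findings if SEVERITY_RANK[f.severity] >= floor)


def evaluate(findings: List[Finding], policy: ScanPolicy) -> Dict[str, object]:
    """Decide what the delivery chain does after the scan node.

    Returns "cancelled" when the threshold is reached and blocking is on,
    otherwise "sign_and_deliver" (image signing, then delivery to ACK).
    """
    matched = count_at_or_above(findings, policy.level)
    violated = matched >= policy.max_count
    if violated and policy.block:
        return {"status": "cancelled", "matched": matched,
                "delete_image": policy.delete_image}
    return {"status": "sign_and_deliver", "matched": matched, "delete_image": False}


def repaired_tag(tag: str, overwrite: bool = False) -> str:
    """Tag of the repaired image: Do not overwrite appends the _fixed suffix."""
    return tag if overwrite else tag + "_fixed"


def one_click_fix(findings: List[Finding]) -> List[Finding]:
    """Model of one-click repair (assumption): every finding with a known fixed
    version is resolved by rebuilding on upgraded packages; findings without a
    fixed version survive and are rescanned."""
    return [f for f in findings if not f.fixed_version]


# Constructed scan report for image workshop:v1.0 (not real scanner output).
SAMPLE_REPORT: List[Finding] = [
    Finding("EXAMPLE-0001", "openssl", "high", "1.1.1w"),
    Finding("EXAMPLE-0002", "zlib", "high", "1.2.13"),
    Finding("EXAMPLE-0003", "curl", "medium", ""),
]


def run_chain(tag: str, findings: List[Finding], policy: ScanPolicy) -> List[str]:
    """Walk Steps 4 and 5: scan, block, repair, rescan. Returns the event log."""
    log: List[str] = []
    verdict = evaluate(findings, policy)
    log.append(f"{tag}: {verdict['matched']} finding(s) at or above "
               f"{policy.level} -> {verdict['status']}")
    if verdict["status"] != "cancelled":
        return log
    fixed_tag = repaired_tag(tag, overwrite=False)
    remaining = one_click_fix(findings)
    verdict = evaluate(remaining, policy)
    log.append(f"{fixed_tag}: {verdict['matched']} finding(s) at or above "
               f"{policy.level} -> {verdict['status']}")
    return log


if __name__ == "__main__":
    for line in run_chain("workshop:v1.0", SAMPLE_REPORT, ScanPolicy()):
        print(line)
```

Running the block prints one line per chain run: the first run on workshop:v1.0 is cancelled because two findings reach the High threshold of 1, and the rerun on workshop:v1.0_fixed passes and proceeds to signing and delivery, because the remaining medium finding is below the configured level. Lowering the level to medium in ScanPolicy would keep the repaired image blocked, which is the trade-off the Vulnerability level setting controls.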
Summary
- [Security policy] Container security protection needs to be shifted left so that the security and trustworthiness of image content is ensured from the build phase, at the source of the container supply chain.
- [DevSecOps] Based on the ACR cloud-native application delivery chain, DevOps can be fully upgraded to DevSecOps. The end-to-end security policy is observable, traceable, and customizable.
Appendix
- Complete demo video
- Sample source code repository addresses:
  - https://code.aliyun.com/jing.ljljljNU/workshop.git
  - https://github.com/susanna8930/workshop