Nicolas Dunke
Lead Developer
In this article we show how you can improve the security of your software supply chain without spending money for software licenses. For this, we present useful open-source tools for automated dependency updates, vulnerability scanning of dependencies, license scanning, SBOM generation, secret detection and scanning of infrastructure as code for vulnerabilities and misconfiguration.
As described in the article Software Supply Chain Security – Introduction, it is especially important to secure your implemented application against possible threats and hackers. For that, different topics provide security at a specific point during the software development process (for detailed information, please step back to our first article on software supply chain security).
There are distinct reasons why development teams do not implement security features and mechanisms during their software supply chain. For example, there is a lack of time, knowledge and sometimes there is no budge to buy licenses for security tools.
To prevent software teams from actively accepting security vulnerabilities due to missing licenses or money, we would like to present appropriate open-source tools in this article – with a focus on shift-left security (for detailed information, please step back to our first article on software supply chain security). With these tools, it is possible to make the software supply chain more secure and to make a large part of manual development work superfluous by means of automated processes and tasks within the framework of the CI pipeline.
What are the tools we are looking for?
As described before, we focus on the shift-left security in the supply chain and present one recommendation open-source favorite per topic, if possible. If there are several similarly good tools, they have also been considered in the open-source blueprint.
Before we investigate in detail how you can use the following tools to secure each of the identified topics, we will start with a brief introduction to each tool.
- Renovate Bot is designed to automate the process of dependency updates in software projects. It works by monitoring a project’s dependencies and creating automated pull requests to update them when new versions are available. Renovate Bot supports multiple programming languages and package managers as well as privately hosted dependencies, making it a useful tool for developers looking to streamline their workflow and ensure their projects are always up-to-date with the latest dependencies which works perfectly. Furthermore, it provides a wide range of configuration as code.
- Trivy is a comprehensive and versatile security scanner for git repositories, file systems, and container images. It finds dependencies with vulnerabilities, misconfigurations and secrets. According to the documentation, license scanning should be possible, but didn’t work in our exploration. Trivy supports multiple programming languages and IaC languages. Additionally, SBOM generation is possible. Results can be printed to the command line or exported in different formats. There is also a GitHub action to comment pull request findings on Terraform code.
- OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It can be used as command line tool or as a plugin (for e.g., gradle, maven and Jenkins). OWASP Dependency-Check supports multiple programming languages and package managers.
- Dep-scan is a security command line tool designed to scan dependencies of a software project and identify any security vulnerabilities or potential risks. It supports multiple programming languages and package managers. Dep-scan uses a combination of static analysis and real-time vulnerability feeds to detect known vulnerabilities in the project’s dependencies. It also provides actionable remediation advice, enabling developers to quickly address any issues that are identified. Furthermore, dep-scan supports license scanning and risk categorization with the consequence of a noticeably higher execution time.
- Cdxgen is the official command line tool from cyloneDX, which provides functionality to generate SBOMs. It offers multi-language support, container scanning and recursive scanning, which helps in huge projects or monorepositories.
- Checkov is designed to help organizations automate their cloud infrastructure compliance checks. It scans cloud infrastructure as code (IaC) files and identifies any compliance issues or security risks. Chekov CLI is highly customizable and supports multiple cloud platforms, making it a versatile tool for DevOps teams. It also integrates with popular DevOps tools like GitLab and Jenkins, enabling organizations to incorporate compliance checks into their existing workflows. Cons are, that checkov did not find plain text passwords (in our tests) but only secrets and IaC misconfiguration.
What does a corresponding CI pipeline look like?
Since each of these tools has a very specific scope, it is necessary to implement a CI pipeline using several tools to take all topics into account. We map the mentioned tools on our identified, necessary topics:
Are there some downsides?
In software development, it is essential to secure your CI pipeline against multiple threats. We can see that it is quite possible to implement a well-secured CI pipeline without buying software licenses and having recurring monetary expenditures. Only for open-source dependency quality was there no fitting tools in our exploration. All these tools provide specific security features and good documentation. But there are also some downsides that should be considered.
A disadvantage of the tools presented, which should not be neglected, is that they must be configured and set up individually for their explicit use in one pipeline. This becomes apparent as we observe that the presented CI pipeline, along with its identified security concerns, requires configuration alignment. This alignment is achieved not merely through one or two tools, but rather by employing a quartet of tools to attain the intended outcome. Furthermore, if you want to monitor multiple pipelines/applications, these tools do not offer a solution out of the box.
Another drawback is that all these tools are easy to configure for developers, but they don’t provide oversight for less technically involved team members. If it is necessary to provide appropriate functionality in the team, it requires implementing a custom solution or the using of paid tools.
Conclusion
As we can see, it is possible to secure the software security chain accordingly with open-source tools to minimize potential dangers. To point out, one of the highest threads mentioned by the OWASP Top 10 risks „Vulnerable and Outdated Components“ can easily be defused by the implementation of Renovate Bot in your CI pipeline. This is already a major improvement in software supply chain security for most projects and should therefore be more than adequate. Furthermore, we got a blueprint with state-of-the-art open-source tools to achieve good security in CI pipelines. In our next blog article, we will describe how we analyzed and compared those tools to each other and the key indicators for each topic.