Speaker: Brian Gorman @blgorman
Repo: https://github.com/blgorman/codemash-rugged-devops
For more, see theĀ table of contents
DevOps
- Process, not product
- Can’t buy tool (but can buy an existing team)
- Goal: reduce cycle time form idea to production with minimal error
- Automated testing
- Gates – automated and human, quality, release
- Avoid 2am support calls. Or at least only have to push a button to recover
Shift left
- Less cost if find bug early
- Reusable processes
- Push quality upstream
- Dev machine is as far left as can go
- Build scanning tools into process
- Sell the vision
Prereq
- Cloud env exists
- Templates
Actions
- .github/workflows – folder
- Actions tab to see result
YAML
- on: the triggers (ex: push, pull_request)
- env: (ex: branch)
- jobs: want you want to do
- with: trigger another job
Infrastructure as Code
- Declarative
- Repeatable Results
- Ensures no configuration drift
- Azure has imperative and complete options for ARM templates – complete is destructive and dangerous. Anything added outside code deleted.
- Tools – ARM templates (Bicep) , Terraform, Ansible, Puppet/Chef, Pulumi
Security
- App registration so github actions get access to Azure and add credential
- Setup github token
SonarCloud Scanner
- Most popular
- Not free
- Can choose whether to require fixing of warnings
Dependabot
- Brining in dependencies without knowing
- Alerts on insecure package
- Options for security updates
OWASP
- Zap Scan
- Baseline (lightweight) scan for pull requests
- Full scan overnight
- For penetration test, provide valid URL so can try to hit it
- WhiteSource – GP Security Scan
Q&A
- Azure DevOps pipelines easier if new team
- Azure DevOps has better gating
- GitHub getting better.
My take
The room was full. When I walked in, Brian was talking. I was worried he started early, but did not. He was just talking to the audience who arrived early separate from the session. It was a good intro to github actions. Also if it has been a while (more features now.) I’m glad the code was in a repo so I could read it on my screen. I’m sitting in the back (because my talk is right after this and I need to leave early) and can’t read the code from here. It’s also nice to have as a reference. I also like that he covered integrations like Sonar.