nunet_security_pipeline

Last updated: 2025-06-24 01:08:02.490528 File source: link on GitLab

Tl;DR

• Before diving into this please read: DevSecOps Maturity Models

• Get yourself familiar with our Vulnerability Management Software: DefectDojo

1. Introduction

This document aims to provide a comprehensive overview of the security pipeline architecture implemented in NuNet. It is designed to serve as an informative guide for developers, and stakeholders involved in the software development and deployment process. The primary focus is to detail the various stages of the pipeline, the security tools integrated at each stage, and the specific roles these tools play in enhancing the security of the software development lifecycle. By outlining the workflow, tool specifics, and the conditions under which the pipeline is triggered.

2. DevSevOps Maturity Level 2

3. Pipeline Workflow

Reference Pipeline

The security tools are applied in different stages of the pipeline workflow. These tools are:

• Commit

  • Static Analysis Security Testing (SAST)

  • Secret Detection

  • IaC Best Practices

  • Dependency Scanning

  • Coverage Fuzz Testing (Not in use)

• Build

  • Container Scanning

• Test

  • API Security (Not in use)

  • Dynamic Application Security Testing (DAST) (TBD)

• Deploy

  • Operational Container Scanning (TBD)

3.1 Static Analysis Security Testing (SAST)

While GitLab's SAST framework supports many programming languages, at NuNet, our primary programming languages are Python, Golang and JavaScript.

This pipeline applies to both container and binary projects.

Tools

Triggers

• This pipeline is triggered on merge request to every branch.

Stages

It is run on the test (or Security-Test-1) stage.

3.2 Secret Detection

The Secret Detection tool scans repositories to help prevent secrets from being exposed during commits. The primary Secret Detection tool is Gitleaks.

This pipeline applies to both container and binary projects.

Tools

Gitleaks is used for secret detection in repositories.

Triggers

This pipeline is triggered on merge request to every branch.

Stages

It is run on the test (or Security-Test-1) stage.

3.3 Dependency Scanning

This stage analyzes an application's dependencies for known vulnerabilities.

Tools

The primary tool for scanning application dependencies is Gemnasium.

Triggers

This pipeline is currently disabled but can be configured to run every branch commit.

Stages

It is run on the test (or Security-Test-1) stage.

3.4 Container Scanning

The container scanning tool inspects docker images for known vulnerabilities.

Tools

After building the docker image, the following tools scan the built containers.

• Trivy (Default Gitlab container scanner)

• DockerBench

• ClairScan

Triggers

This pipeline is triggered on merge request to every branch.

Stages

This stage is run on the test (or Security-Test-1) stage, primarily after the build stage.

4. Mapping Current Pipeline on Maturity Level 2

• Static Depth

  • Run SAST scans with minor tweaks to rules. ✅

  • Run SCA scans with minor tweaks to rules. ✅

  • Run Secret scans with minor tweaks to rules. ✅

• Dynamic Depth

  • Run DAST scans with minor tweaks to baseline settings. (Binary case) ❌

  • Run DAST scans with minor tweaks to baseline settings. (Container Scanning) ✅

• Intensity

  • Scans to be twice a month. Frequency here is too much, every commit on every branch

• Consolidation

  • The findings in a vulnerability register after analysis. Vulnerability Management Process designed for this purpose