Tools
To carry out the workflow described above, we will use a series of tools, detailed phase by phase below.
Password Leak Search
- Tool: Gitleaks
- Explanation: Gitleaks scans the code repository, including its history, for hard-coded passwords, tokens and other sensitive data, preventing unwanted exposure of confidential information.
Dependency Analysis (SBOM)
- Tool: CycloneDX
- Explanation: CycloneDX generates a Software Bill of Materials (SBOM), a complete inventory of the project's dependencies that gives a clear picture of the libraries in use and helps identify potential vulnerabilities in them.
Unit and Integration Testing
- Tool: PHPUnit
- Explanation: PHPUnit allows the creation and execution of unit tests that validate the correct functioning of individual parts of the code, ensuring the integrity of the software.
Static Code Analysis (SAST)
- Tool: SonarQube
- Explanation: SonarQube performs a static analysis of the source code, without executing it, to find vulnerabilities and quality issues, improving both security and code quality.
Dockerfile Analysis
- Tool: Hadolint
- Explanation: Hadolint is a specialized linter that scans Dockerfiles for potential issues or configurations that may compromise the security of the resulting container image.
Container Construction
- Tool: kaniko
- Explanation: kaniko builds container images from a Dockerfile, the same input as "docker build", but without requiring a Docker daemon, so the build runs in a secure and efficient environment such as a CI runner.
Container Analysis
- Tool: Trivy
- Explanation: Trivy scans container images for known vulnerabilities in their components, providing information about possible risks and enabling corrective actions.
Container Signing
- Tool: Cosign
- Explanation: Cosign adds digital signatures to container images, ensuring their authenticity and integrity, which reinforces security and reliability in the deployment.
Dynamic Analysis (DAST)
- Tool: OWASP ZAP
- Explanation: OWASP ZAP performs dynamic security analysis, sending test requests to the running application to identify vulnerabilities and risks in the deployed system.
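The nine phases above, wired into a single GitLab CI pipeline as an added example that is not part of the original article. It assumes a PHP project managed with Composer, a Dockerfile in the repository root, and CI variables SONAR_HOST_URL, SONAR_TOKEN, COSIGN_PRIVATE_KEY, COSIGN_PASSWORD and STAGING_URL defined in GitLab; the job and stage names are chosen here, and bitnami's cosign image is used because the upstream cosign image ships no shell for CI scripts.

```yaml
# Added example, not from the original article. Assumes a Composer-based PHP
# project, a Dockerfile at the repo root and the CI variables named in the text.
stages: [secrets, sbom, test, sast, lint, build, scan, sign, dast]
variables:
  IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA   # one tag for the whole pipeline
gitleaks:   # fail fast if a secret was ever committed; full clone so history is scanned
  stage: secrets
  variables: { GIT_DEPTH: 0 }
  image: { name: ghcr.io/gitleaks/gitleaks:latest, entrypoint: [""] }
  script: [gitleaks detect --source . --redact --report-format json --report-path gitleaks.json]
  artifacts: { paths: [gitleaks.json], when: always }
sbom:       # CycloneDX SBOM generated from composer.lock, kept as an artifact
  stage: sbom
  image: composer:2
  script: [composer config --no-plugins allow-plugins.cyclonedx/cyclonedx-php-composer true && composer require --dev cyclonedx/cyclonedx-php-composer, composer CycloneDX:make-sbom --output-format=JSON --output-file=sbom.json]
  artifacts: { paths: [sbom.json] }
phpunit:
  stage: test
  image: composer:2
  script: [composer install --no-interaction, vendor/bin/phpunit --log-junit junit.xml]
  artifacts: { reports: { junit: junit.xml } }
sonarqube:  # waiting on the quality gate makes a failed gate fail the pipeline
  stage: sast
  image: sonarsource/sonar-scanner-cli:latest
  script: [sonar-scanner -Dsonar.projectKey="$CI_PROJECT_NAME" -Dsonar.host.url="$SONAR_HOST_URL" -Dsonar.token="$SONAR_TOKEN" -Dsonar.qualitygate.wait=true]
hadolint:   # lint the Dockerfile before anything is built from it
  stage: lint
  image: hadolint/hadolint:latest-debian
  script: [hadolint --failure-threshold warning Dockerfile]
kaniko:     # daemonless build; the digest is kept so the signature binds to this exact image
  stage: build
  image: { name: gcr.io/kaniko-project/executor:debug, entrypoint: [""] }
  script:
    - mkdir -p /kaniko/.docker && printf '{"auths":{"%s":{"auth":"%s"}}}' "$CI_REGISTRY" "$(printf '%s:%s' "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" | base64 | tr -d '\n')" > /kaniko/.docker/config.json
    - /kaniko/executor --context "$CI_PROJECT_DIR" --dockerfile "$CI_PROJECT_DIR/Dockerfile" --destination "$IMAGE" --digest-file digest.txt
  artifacts: { paths: [digest.txt] }
trivy:      # block HIGH/CRITICAL findings that already have a fix available
  stage: scan
  image: { name: aquasec/trivy:latest, entrypoint: [""] }
  variables: { TRIVY_USERNAME: $CI_REGISTRY_USER, TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD }
  script: ["trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed $IMAGE"]
cosign:     # sign by digest, never by mutable tag; key and password come from CI variables
  stage: sign
  image: { name: bitnami/cosign:latest, entrypoint: [""] }
  script: [cosign login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD", cosign sign --yes --key env://COSIGN_PRIVATE_KEY "$IMAGE@$(cat digest.txt)"]
zap:        # baseline scan of the deployed staging instance; exit code is non-zero on findings
  stage: dast
  image: ghcr.io/zaproxy/zaproxy:stable
  script: [mkdir -p /zap/wrk && zap-baseline.py -t "$STAGING_URL" -r zap-report.html, cp /zap/wrk/zap-report.html .]
  artifacts: { paths: [zap-report.html], when: always }
```

Each job's non-zero exit code stops the pipeline at that phase, so a leaked secret, a failed quality gate or a fixable critical CVE never reaches the signing and deployment steps.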