
adriens for opt-nc


🎞️ This is how we maintain & release Secured Software on Github 🤖

❔ About

Like many organizations, we have to develop & maintain (aka. BUILD & RUN) common software.

☝️ This process involves a lot of things that have to be achieved if you want a robust and secured software release pipeline.

I'll showcase here how we met all these challenges on a common Java library dedicated to logging:

opt-nc / opt-logging

The reference library for generating well-formatted logs at OPT.

Badges: semantic-release · SonarCloud Quality Gate Status

❔ opt-logging

This library contains the two logback configuration files recommended for application development at OPT-NC.

All logs go to the same .log file (${LOG_FILE}), except business logs, which go to a single .json file (${LOG_FILE_JSON}) when that need is expressed.

⬇️ Importing the public dependency

This dependency is publicly available via Jitpack.

🪶 Maven

Add the Jitpack repository:

<repositories>
  <repository>
    <id>jitpack.io</id>
    <url>https://jitpack.io</url>
  </repository>
</repositories>

Then the dependency:

<dependency>
  <groupId>com.github.opt-nc</groupId>
  <artifactId>opt-logging</artifactId>
  <version>Tag</version>
</dependency>

🐘 Gradle

Add the repository:

allprojects {
  repositories {
    ...
    maven { url 'https://jitpack.io' }
  }
}

Then the dependency:

dependencies {
  implementation 'com.github.opt-nc:opt-logging:Tag'
}

:octocat: Importing the dependency via GH

…

🏎️ Time to Market

Every day, software release pipelines are pushed toward an ever shorter Time To Market.

In fact there is no real option: maintenance & release tasks have to be drastically automated, and security concerns should be embedded on the left side of the pipeline (shifted left), not checked at the end.

πŸ›‘οΈ Security

We have three complementary ways of achieving security tasks on our pipeline :

  1. Dependabot alerts : so we get Pull Requests to notify us what are the risks
  2. CodeQL Scan as part of GitHub Advanced Security (aka. GHAS)
  3. Docker Image scan (see previous dedicated post)
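As an added illustration of how the first two items become files in the repository (this is example configuration, not opt-logging's own): Dependabot security alerts are switched on in the repository settings, and a `.github/dependabot.yml` additionally schedules the update Pull Requests for Maven, Docker and GitHub Actions dependencies, while a CodeQL workflow scans the Java code on every push and Pull Request. The branch name, the weekly schedule, the Temurin JDK 17 and the `mvn package` build step are assumptions.

```yaml
# .github/dependabot.yml (added example, not the project's own file;
# ecosystems, directory and schedule are assumptions)
version: 2
updates:
  - package-ecosystem: "maven"          # dependencies declared in pom.xml
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "docker"         # base images referenced in the Dockerfile
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions" # actions pinned in .github/workflows/*.yml
    directory: "/"
    schedule:
      interval: "weekly"
---
# .github/workflows/codeql.yml (added example; branch and JDK version are assumptions)
name: CodeQL
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "0 6 * * 1"   # weekly re-scan so newly added queries also cover old code
permissions:
  contents: read
  security-events: write  # required to upload results to the Security tab
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: "17"
      - uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
      - run: mvn -B -DskipTests package   # compile so CodeQL can extract its database
      - uses: github/codeql-action/analyze@v3
```

The `security-events: write` permission is what lets the analyze step publish findings to the repository's Security tab; without it the scan runs but nothing is reported. The weekly cron run matters because CodeQL queries are updated over time, so code that passed last month can fail today without any commit.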

Then, to release the software, we rely on semantic-release to implement a solid Semantic Versioning scheme and get a fully automated version management and package publishing pipeline.
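As an added example of that release step (not opt-logging's own configuration), here is a minimal semantic-release setup for a Java library published through JitPack: a `.releaserc.yml` that derives the next version from the commit messages and creates the git tag plus GitHub Release, and a workflow that runs it on every push to `main`. The branch name and the Node LTS runtime are assumptions.

```yaml
# .releaserc.yml (added example, not the project's own configuration)
branches: [ "main" ]
plugins:
  - "@semantic-release/commit-analyzer"         # Conventional Commits -> major / minor / patch
  - "@semantic-release/release-notes-generator"
  - "@semantic-release/github"                  # git tag + GitHub Release; JitPack builds from the tag
---
# .github/workflows/release.yml (added example; branch name is an assumption)
name: Release
on:
  push:
    branches: [ "main" ]
permissions:
  contents: write        # push the tag and create the GitHub Release
  issues: write          # comment on issues closed by the release
  pull-requests: write   # comment on the merged PRs shipped in the release
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0             # full history + tags, otherwise the next version cannot be computed
          persist-credentials: false # let semantic-release authenticate with GITHUB_TOKEN instead
      - uses: actions/setup-node@v4
        with:
          node-version: "lts/*"
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Listing the plugins explicitly matters for a Java project: semantic-release's default plugin set also includes `@semantic-release/npm`, which expects a package.json and an NPM_TOKEN, so naming only the three plugins above removes it. The tag created by `@semantic-release/github` is the `Tag` value consumers put in their Maven or Gradle dependency, which is how the version bump (`fix:` for patch, `feat:` for minor, a `BREAKING CHANGE` footer for major) reaches JitPack without any manual step.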

🍿 Demo

Here is the full secured & automated release process 👇

🧰 Stack

🔖 Related contents

⛯ Scan Docker images 🛡️

🔂 Semantic release demo 🎞️

Semantic release intro demo:
