A vulnerability found while the code is being written costs the developer minutes to fix. The same vulnerability discovered in production costs an entire sprint. And if an attacker finds it first, it costs millions. This is the core argument for **shift-left security**: moving security checks as early as possible in the development lifecycle.

DevSecOps takes this idea and turns it into practice: security is not a separate phase at the end, but a continuous process woven into every stage of development, from the first line of code to deployment in production.

## The cost of delayed security

IBM's Cost of a Data Breach report consistently shows that the cost of fixing security issues grows exponentially the later they are discovered:

| Stage | Remediation cost | Remediation time |
|-------|------------------|------------------|
| **IDE / Local development** | Minutes | Seconds to minutes |
| **Code review / PR** | Hours | Minutes to hours |
| **CI/CD pipeline** | Days | Hours to days |
| **Staging / QA** | Weeks | Days |
| **Production** | Months | Weeks to months |
| **After a breach** | Millions ($) | Months to years |

The conclusion is clear: every stage we push security earlier saves an order of magnitude in cost and time.

## The DevSecOps pipeline

A mature DevSecOps pipeline embeds security checks at every stage:

```mermaid
graph LR
    IDE[IDE / Editor] --> PC[Pre-commit Hooks]
    PC --> PR[Pull Request]
    PR --> CI[CI Pipeline]
    CI --> Build[Build / Package]
    Build --> Deploy[Deploy]
    Deploy --> Runtime[Runtime / Production]

    IDE -.- S1[SAST\nSecret Detection\nLinting]
    PC -.- S2[Secrets Scan\nFormat Check]
    PR -.- S3[Code Review\nDependency Audit]
    CI -.- S4[SAST\nSCA\nContainer Scan\nSBOM]
    Build -.- S5[Image Signing\nArtifact Verification]
    Deploy -.- S6[Policy Enforcement\nAdmission Control]
    Runtime -.- S7[DAST\nWAF\nMonitoring]
```

Let's break down each stage with specific tools and configuration.

## Stage 1: Security in the IDE

The fastest feedback loop. Catch vulnerabilities before you even save the file.

### Recommended tools

- **Semgrep**: lightweight static analysis with community rules for OWASP vulnerabilities
- **Snyk IDE Extension**: real-time scanning of dependency vulnerabilities
- **GitLens + GitLeaks**: secret detection inside your editor
- **ESLint Security Plugins**: `eslint-plugin-security` for Node.js, `eslint-plugin-no-unsanitized` for DOM XSS

### Example: ESLint security configuration

```json
{
  "extends": ["eslint:recommended"],
  "plugins": ["security", "no-unsanitized"],
  "rules": {
    "security/detect-object-injection": "warn",
    "security/detect-non-literal-regexp": "warn",
    "security/detect-unsafe-regex": "error",
    "security/detect-buffer-noassert": "error",
    "security/detect-eval-with-expression": "error",
    "security/detect-no-csrf-before-method-override": "error",
    "security/detect-possible-timing-attacks": "warn",
    "no-unsanitized/method": "error",
    "no-unsanitized/property": "error"
  }
}
```

## Stage 2: Pre-commit hooks

The second line of defence. Hooks run automatically before every commit, preventing dangerous code from entering the repository.

### Gitleaks: catch secrets before they reach Git

The most common security mistake in code bases is committing secrets: API keys, database passwords, tokens. Once a secret reaches git history it is extremely hard to remove completely (even after a force push, forks and caches may retain it).

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks

  - repo: https://github.com/semgrep/semgrep
    rev: v1.90.0
    hooks:
      - id: semgrep
        args: ['--config', 'auto']
```

Install and enable:

```bash
pip install pre-commit
pre-commit install
```

Now every `git commit` is automatically scanned for leaked secrets and common vulnerabilities. If anything is found, the commit is blocked.

### Custom Gitleaks rules

You can add custom patterns for your organisation's own secrets:

```toml
# .gitleaks.toml
title = "Custom Gitleaks Config"

[[rules]]
id = "internal-api-key"
description = "Internal API key detected"
regex = '''INTERNAL_KEY_[A-Za-z0-9]{32}'''
tags = ["key", "internal"]
```

## Stage 3: CI/CD pipeline security

This is where the heavy lifting happens. Your CI pipeline should run multiple security checks on every pull request.

### SAST (Static Application Security Testing)

SAST tools analyse source code without executing it, looking for patterns that indicate vulnerabilities.

```yaml
# .github/workflows/security.yml
name: Security Scan
on:
  pull_request:
    branches: [main]

jobs:
  sast:
    name: Static Analysis
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Semgrep
        uses: semgrep/semgrep-action@v1
        with:
          config: >-
            p/owasp-top-ten
            p/typescript
            p/nodejs
            p/react
          generateSarif: true

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
```

Semgrep's `p/owasp-top-ten` ruleset catches the most common vulnerabilities: SQL injection, XSS, SSRF, path traversal, insecure deserialization and more.

### SCA (Software Composition Analysis)

SCA scans your dependencies for known vulnerabilities. This is critical: over 80% of the code in modern applications comes from open-source dependencies.

```yaml
  dependency-scan:
    name: Dependency Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: npm audit
        run: npm audit --audit-level=high
```

### Container security with Trivy

If you build Docker images, scanning them for vulnerabilities is essential. **Trivy** is the most popular open-source container scanner.

```yaml
  container-scan:
    name: Container Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t my-app:${{ github.sha }} .

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: my-app:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Upload Trivy SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

### Generating an SBOM

A **Software Bill of Materials (SBOM)** is a complete inventory of every component in your application. It is increasingly required by compliance frameworks and government regulation (the US Executive Order on Cybersecurity mandates SBOMs for federal software).

```yaml
  sbom:
    name: Generate SBOM
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Generate SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          format: spdx-json
          output-file: sbom.spdx.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.spdx.json
```

## Stage 4: Secure Docker images

A production Docker image should follow the principle of least privilege. This is what a hardened Dockerfile looks like:

```dockerfile
# Build stage
FROM node:22-alpine AS builder
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage
FROM node:22-alpine AS runner
WORKDIR /app

# Install dumb-init before dropping root
RUN apk add --no-cache dumb-init

# Don't run as root
RUN addgroup -S app && adduser -S app -G app

# Copy only what's needed
COPY --from=builder --chown=app:app /app/dist ./dist
COPY --from=builder --chown=app:app /app/node_modules ./node_modules
COPY --from=builder --chown=app:app /app/package.json ./

# Drop to non-root user
USER app
ENTRYPOINT ["dumb-init", "--"]

# Health check
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD wget -qO- http://localhost:3000/health || exit 1

EXPOSE 3000
CMD ["node", "dist/server.js"]
```

Key practices:

1. **Use multi-stage builds**: the builder stage has development dependencies; the runner stage has only production code
2. **Don't run as root**: create a non-root user and switch to it
3. **Use Alpine images**: smaller attack surface (fewer packages installed by default)
4. **Pin image versions**: `node:22-alpine` instead of `node:latest`, to avoid supply-chain attacks
5. **Use `npm ci`**: deterministic installs from the lock file, not `npm install`

## Stage 5: Secrets management

Hard-coded secrets are the most common cause of breaches in incidents caused by developers.

### What NOT to do

```typescript
import { Client } from 'pg'; // node-postgres client (assumed)

// NEVER do this
const API_KEY = "sk-1234567890abcdef";
const DB_PASSWORD = "supersecret123";

const client = new Client({
  connectionString: `postgres://admin:${DB_PASSWORD}@db.example.com/prod`
});
```

### What to do instead

```typescript
import { Client } from 'pg'; // node-postgres client (assumed)
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

// Use environment variables
const client = new Client({
  connectionString: process.env.DATABASE_URL
});

// Or use a secret manager (separate variable, so it does not clash with `client`)
const secretClient = new SecretManagerServiceClient();
const [version] = await secretClient.accessSecretVersion({
  name: 'projects/my-project/secrets/db-password/versions/latest',
});
const dbPassword = version.payload?.data?.toString();
```

### Secrets management hierarchy

```mermaid
graph TD
    A[Secret Manager\nAWS Secrets Manager\nGCP Secret Manager\nHashiCorp Vault] --> B[Best: Rotated, audited, centralized]
    C[Environment Variables\nInjected at deploy time] --> D[Good: Not in code, but static]
    E[.env files\nWith .gitignore] --> F[Acceptable: Local development only]
    G[Hard-coded in source] --> H[NEVER: Instant breach risk]

    style A fill:#d4edda
    style C fill:#fff3cd
    style E fill:#ffeeba
    style G fill:#f8d7da
```

## OWASP Top 10: a quick reference

Every developer should know the OWASP Top 10. The short version:

| # | Vulnerability | What it is | Prevention |
|---|---------------|------------|------------|
| 1 | **Broken Access Control** | Users reach resources they should not | Deny by default, server-side validation |
| 2 | **Cryptographic Failures** | Weak cryptography, data in clear text | Strong algorithms (AES-256, bcrypt), TLS everywhere |
| 3 | **Injection** | SQL, NoSQL, OS command injection | Parameterised queries, input validation |
| 4 | **Insecure Design** | Flawed architecture | Threat modelling, secure design patterns |
| 5 | **Security Misconfiguration** | Default credentials, open cloud buckets | Hardened defaults, automated configuration checks |
| 6 | **Vulnerable Components** | Known CVEs in dependencies | SCA scanning, regular updates |
| 7 | **Auth Failures** | Weak passwords, broken sessions | MFA, rate limiting, secure session management |
| 8 | **Data Integrity Failures** | Unsigned updates, untrusted CI/CD | Code signing, SBOM, pipeline integrity |
| 9 | **Logging Failures** | No audit trail | Structured logging, alerting on anomalies |
| 10 | **SSRF** | Server-side request forgery | Allowlist of outbound URLs, input validation |

## Complete GitHub Actions security workflow

A complete, production-ready workflow that combines everything above:

```yaml
# .github/workflows/security.yml
name: Security Pipeline
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write

jobs:
  secrets-scan:
    name: Secret Detection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sast:
    name: Static Analysis (SAST)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: semgrep/semgrep-action@v1
        with:
          config: p/owasp-top-ten p/typescript p/nodejs

  dependency-audit:
    name: Dependency Scan (SCA)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      - run: npm audit --audit-level=high
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
        continue-on-error: true

  container-scan:
    name: Container Scan
    runs-on: ubuntu-latest
    needs: [sast, dependency-audit]
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:${{ github.sha }} .
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:${{ github.sha }}
          severity: CRITICAL,HIGH
          exit-code: '1'

  sbom:
    name: SBOM Generation
    runs-on: ubuntu-latest
    needs: [container-scan]
    steps:
      - uses: actions/checkout@v4
      - uses: anchore/sbom-action@v0
        with:
          format: spdx-json
          output-file: sbom.spdx.json
```

```mermaid
graph TD
    PR[Pull Request] --> S1[Secret Detection]
    PR --> S2[SAST - Semgrep]
    PR --> S3[SCA - Snyk + npm audit]
    S2 --> S4[Container Scan - Trivy]
    S3 --> S4
    S4 --> S5[SBOM Generation]
    S5 --> Deploy[Deploy]

    S1 -.- F1[Block if secrets found]
    S2 -.- F2[Block on critical vulns]
    S3 -.- F3[Block on high severity]
    S4 -.- F4[Block on critical CVEs]
```

## Metrics to track

How do you know your DevSecOps programme is working? Track these metrics:

- **Mean time to remediate (MTTR)**: how quickly you fix vulnerabilities after they are detected
- **Vulnerability escape rate**: the percentage of vulnerabilities that reach production
- **False positive rate**: too many false positives cause alert fatigue and ignored warnings
- **Dependency freshness**: the average age of your dependencies (older means a higher chance of known CVEs)
- **SBOM coverage**: the percentage of projects with an up-to-date SBOM

## Getting started: a practical roadmap

Don't try to implement everything at once. A phased approach works best:

```mermaid
flowchart TD
    A[Week 1-2: Foundations] --> B[Week 3-4: CI/CD Integration]
    B --> C[Month 2: Container Security]
    C --> D[Month 3+: Advanced]

    A --> A1[Add Gitleaks pre-commit hooks]
    A --> A2[Enable npm audit in CI]
    A --> A3[Add .gitignore for .env files]

    B --> B1[Add Semgrep to GitHub Actions]
    B --> B2[Add Snyk dependency scanning]
    B --> B3[Set up SARIF upload to GitHub]

    C --> C1[Add Trivy container scanning]
    C --> C2[Harden Dockerfiles]
    C --> C3[Generate SBOMs]

    D --> D1[Secret manager integration]
    D --> D2[Runtime protection - DAST]
    D --> D3[Policy as code - OPA]
```

## Conclusion

DevSecOps is not about adding more tools to your pipeline; it is about making security a natural part of how you build software. The goal is not to block every PR with security warnings, but to give developers fast feedback so they can fix problems while the code is still fresh in their minds.

Start with the basics: pre-commit hooks for secrets, dependency scanning in CI, and container scanning for Docker images. Then build on that according to what your team needs.

Security is not a feature you ship once. It is a practice you build into every commit.

> **DevSecOps starter checklist:**
>
> - [x] Gitleaks pre-commit hooks installed
> - [x] .env and secret files in .gitignore
> - [x] Semgrep SAST in the CI pipeline
> - [x] Snyk or npm audit for dependency scanning
> - [x] Trivy for container image scanning
> - [x] Non-root user in Dockerfiles
> - [x] Secrets in environment variables or a secret manager
> - [x] SBOM generated on every release
> - [x] OWASP Top 10 awareness across the whole team
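To make the pre-commit stage concrete, here is an added example (not code from the original guide, Gitleaks, or pre-commit) of what a Gitleaks-style rule does: it applies the custom `INTERNAL_KEY_` rule from the `.gitleaks.toml` section above, plus two generic patterns, to staged file contents, reports the line and a redacted match, and skips allowlisted placeholder values. The rule and allowlist entries beyond the guide's own rule, the staged-file shape, and the sample contents are all constructed for this example.

```javascript
// Added example: a minimal Gitleaks-style secret scanner for a pre-commit gate.
// Rules have the same shape as the guide's .gitleaks.toml rule (id, description,
// regex). Only the first rule comes from the guide; the others are constructed.
const RULES = [
  {
    id: 'internal-api-key',
    description: 'Internal API key detected',
    regex: /INTERNAL_KEY_[A-Za-z0-9]{32}/g,
  },
  {
    id: 'generic-password-assignment',
    description: 'Password assigned as a string literal',
    regex: /(?:password|passwd|pwd)\s*[:=]\s*["']([^"']{8,})["']/gi,
  },
  {
    id: 'aws-access-key-id',
    description: 'AWS access key ID format',
    regex: /AKIA[0-9A-Z]{16}/g,
  },
];

// Allowlist: values that are known to be harmless (documented placeholders).
const ALLOWLIST = [/EXAMPLE/, /placeholder/i, /changeme/i];

// Redact a match so the scanner's own report does not leak the secret:
// keep the first 4 and last 2 characters, mask everything in between.
function redact(value) {
  if (value.length <= 8) return '*'.repeat(value.length);
  return value.slice(0, 4) + '*'.repeat(value.length - 6) + value.slice(-2);
}

// Scan one file's contents line by line. Returns findings of the shape
// { ruleId, file, line, redacted }.
function scanContent(file, content) {
  const findings = [];
  content.split('\n').forEach((text, index) => {
    for (const rule of RULES) {
      rule.regex.lastIndex = 0; // global regex: reset per line
      let match;
      while ((match = rule.regex.exec(text)) !== null) {
        const value = match[0];
        if (ALLOWLIST.some((allow) => allow.test(value))) continue;
        findings.push({ ruleId: rule.id, file, line: index + 1, redacted: redact(value) });
      }
    }
  });
  return findings;
}

// Pre-commit style gate over the staged files: block when anything is found.
// Returns a decision object instead of calling process.exit so it is testable.
function gateCommit(stagedFiles) {
  const findings = stagedFiles.flatMap(({ path, content }) => scanContent(path, content));
  return { blocked: findings.length > 0, findings };
}

// Constructed "staged files" for a dry run (not real project files).
const SAMPLE_STAGED_FILES = [
  {
    path: 'src/config.ts',
    content: [
      'export const API_KEY = "INTERNAL_KEY_abcdefghijklmnopqrstuvwxyz012345";',
      'const DB_PASSWORD = "supersecret123";',
      'const url = process.env.DATABASE_URL;',
    ].join('\n'),
  },
  {
    path: 'docs/setup.md',
    content: [
      'Set INTERNAL_KEY_EXAMPLEEXAMPLEEXAMPLEEXAMPLE0000 in .env (placeholder value)',
      'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    ].join('\n'),
  },
];

const report = gateCommit(SAMPLE_STAGED_FILES);
console.log(JSON.stringify(report, null, 2));
// Expected: blocked = true with two findings in src/config.ts (lines 1 and 2);
// both placeholder values in docs/setup.md are allowlisted.
```

The design point is the allowlist: without it, the documented placeholder and AWS's published example key would be flagged, and that kind of noise is exactly what drives the false positive rate discussed under the metrics section.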
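The SCA section relies on `npm audit --audit-level=high` and Snyk's `--severity-threshold=high`; the following added example (not code from the guide, npm, or Snyk) shows what that check does underneath: it walks the `packages` map of a lockfileVersion 3 `package-lock.json`, matches installed versions against a list of advisories with an introduced/fixed range, and fails the build only at or above a severity threshold. The lockfile, the package names, and the advisory records are all constructed for this example.

```javascript
// Added example: a minimal Software Composition Analysis check in the spirit
// of `npm audit --audit-level=high`. Lockfile and advisories are constructed.
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Numeric comparison of dotted versions ("1.2.10" is newer than "1.2.9").
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An advisory applies when introduced <= installed < fixed.
function advisoryApplies(advisory, version) {
  return compareVersions(version, advisory.introduced) >= 0 &&
    compareVersions(version, advisory.fixed) < 0;
}

// Flatten the lockfile's `packages` map into [{ name, version, dev }].
// Keys look like "node_modules/foo" or "node_modules/foo/node_modules/bar";
// the package name is whatever follows the last "node_modules/".
function installedPackages(lockfile) {
  const marker = 'node_modules/';
  return Object.entries(lockfile.packages)
    .filter(([key]) => key.startsWith(marker))
    .map(([key, meta]) => ({
      name: key.slice(key.lastIndexOf(marker) + marker.length),
      version: meta.version,
      dev: Boolean(meta.dev),
    }));
}

// Audit the lockfile. `findings` lists every applicable advisory; `blocking`
// keeps only those at or above the threshold, which decides pass/fail.
function audit(lockfile, advisories, threshold = 'high') {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const findings = [];
  for (const pkg of installedPackages(lockfile)) {
    for (const adv of advisories) {
      if (adv.name === pkg.name && advisoryApplies(adv, pkg.version)) {
        findings.push({ ...pkg, advisoryId: adv.id, severity: adv.severity, fixedIn: adv.fixed });
      }
    }
  }
  const blocking = findings.filter((f) => SEVERITY_RANK[f.severity] >= minRank);
  return { findings, blocking, pass: blocking.length === 0 };
}

// Constructed lockfile (lockfileVersion 3 layout); package names are fictional.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/left-pad-ish': { version: '1.2.0' },
    'node_modules/fake-http': { version: '2.4.1' },
    'node_modules/fake-http/node_modules/fake-parser': { version: '0.9.0' },
    'node_modules/lint-helper': { version: '3.0.0', dev: true },
  },
};

// Constructed advisories (ids are placeholders, not real advisory numbers).
const SAMPLE_ADVISORIES = [
  { id: 'ADV-0001-constructed', name: 'fake-http', severity: 'critical', introduced: '2.0.0', fixed: '2.4.2' },
  { id: 'ADV-0002-constructed', name: 'fake-parser', severity: 'moderate', introduced: '0.0.0', fixed: '1.0.0' },
  { id: 'ADV-0003-constructed', name: 'lint-helper', severity: 'high', introduced: '3.0.0', fixed: '3.0.1' },
  { id: 'ADV-0004-constructed', name: 'left-pad-ish', severity: 'low', introduced: '1.0.0', fixed: '1.2.0' },
];

const result = audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES, 'high');
console.log(JSON.stringify(result, null, 2));
// Expected: 3 findings (critical, moderate, high), 2 blocking at "high", pass = false.
```

Note that the dev-only `lint-helper` still blocks the build, which mirrors `npm audit`'s default of auditing development dependencies too; the `dev` flag is kept on each finding so a team can decide to treat them differently.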
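The five metrics listed under "Metrics to track" are easy to name and easy to get wrong in practice, so here is an added example (not code from the original guide) that computes each of them from a constructed set of vulnerability, dependency and project records. The stage names are the guide's pipeline stages; the record fields (`stage`, `detectedAt`, `fixedAt`, `falsePositive`, `releasedAt`, `sbomGeneratedAt`) and all dates are assumptions made for this example.

```javascript
// Added example: computing the DevSecOps programme metrics from constructed
// records. Record shapes are assumptions of this example, not a real tool's.
const STAGES = ['ide', 'pre-commit', 'pr', 'ci', 'staging', 'production'];
const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

// MTTR in hours over closed findings only (open ones would skew it downwards).
// Returns null when nothing has been closed yet rather than a misleading 0.
function meanTimeToRemediateHours(findings) {
  const closed = findings.filter((f) => f.fixedAt !== null);
  if (closed.length === 0) return null;
  const totalMs = closed.reduce(
    (sum, f) => sum + (Date.parse(f.fixedAt) - Date.parse(f.detectedAt)), 0);
  return totalMs / closed.length / HOUR_MS;
}

// Escape rate: share of findings first detected at or after `boundary`.
function escapeRate(findings, boundary = 'production') {
  if (findings.length === 0) return 0;
  const boundaryIndex = STAGES.indexOf(boundary);
  if (boundaryIndex < 0) throw new Error(`unknown stage: ${boundary}`);
  const escaped = findings.filter((f) => STAGES.indexOf(f.stage) >= boundaryIndex);
  return escaped.length / findings.length;
}

// False positive rate: findings triaged as not real, over all findings.
function falsePositiveRate(findings) {
  if (findings.length === 0) return 0;
  return findings.filter((f) => f.falsePositive === true).length / findings.length;
}

// Dependency freshness: mean age in days of the installed versions on `asOf`.
function meanDependencyAgeDays(deps, asOf) {
  if (deps.length === 0) return 0;
  const now = Date.parse(asOf);
  const totalDays = deps.reduce((sum, d) => sum + (now - Date.parse(d.releasedAt)) / DAY_MS, 0);
  return totalDays / deps.length;
}

// SBOM coverage: share of projects whose SBOM is no older than `maxAgeDays`.
function sbomCoverage(projects, asOf, maxAgeDays = 30) {
  if (projects.length === 0) return 0;
  const now = Date.parse(asOf);
  const fresh = projects.filter((p) =>
    p.sbomGeneratedAt !== null && (now - Date.parse(p.sbomGeneratedAt)) / DAY_MS <= maxAgeDays);
  return fresh.length / projects.length;
}

function securityReport(findings, deps, projects, asOf) {
  return {
    mttrHours: meanTimeToRemediateHours(findings),
    escapeRate: escapeRate(findings),
    falsePositiveRate: falsePositiveRate(findings),
    dependencyAgeDays: meanDependencyAgeDays(deps, asOf),
    sbomCoverage: sbomCoverage(projects, asOf),
  };
}

// Constructed sample data (dates chosen so the arithmetic is easy to follow).
const SAMPLE_FINDINGS = [
  { id: 'F1', stage: 'ide', detectedAt: '2025-01-06T09:00:00Z', fixedAt: '2025-01-06T10:00:00Z', falsePositive: false },
  { id: 'F2', stage: 'ci', detectedAt: '2025-01-07T09:00:00Z', fixedAt: '2025-01-08T09:00:00Z', falsePositive: false },
  { id: 'F3', stage: 'production', detectedAt: '2025-01-10T00:00:00Z', fixedAt: '2025-01-17T00:00:00Z', falsePositive: false },
  { id: 'F4', stage: 'pr', detectedAt: '2025-01-12T00:00:00Z', fixedAt: null, falsePositive: true },
  { id: 'F5', stage: 'production', detectedAt: '2025-01-15T00:00:00Z', fixedAt: '2025-01-16T12:00:00Z', falsePositive: false },
];
const SAMPLE_DEPS = [
  { name: 'dep-a', version: '1.0.0', releasedAt: '2025-01-10T00:00:00Z' },
  { name: 'dep-b', version: '2.3.0', releasedAt: '2024-12-31T00:00:00Z' },
  { name: 'dep-c', version: '0.8.1', releasedAt: '2024-11-21T00:00:00Z' },
];
const SAMPLE_PROJECTS = [
  { name: 'api', sbomGeneratedAt: '2025-01-18T00:00:00Z' },
  { name: 'web', sbomGeneratedAt: '2024-10-01T00:00:00Z' },
  { name: 'worker', sbomGeneratedAt: null },
];
const AS_OF = '2025-01-20T00:00:00Z';

console.log(JSON.stringify(securityReport(SAMPLE_FINDINGS, SAMPLE_DEPS, SAMPLE_PROJECTS, AS_OF), null, 2));
// Expected: mttrHours 57.25, escapeRate 0.4, falsePositiveRate 0.2,
// dependencyAgeDays 30, sbomCoverage 0.333...
```

Two choices worth copying: MTTR is computed over closed findings only and reports `null` when there is nothing to average, and the escape rate takes the pipeline stage as a parameter, so the same function can answer "what reaches staging?" as well as "what reaches production?".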