Table of Contents
The DevSecOps Plugin is a comprehensive toolset designed to streamline and enforce DevSecOps practices in your development workflow. It integrates various tools and best practices for continuous integration, security scanning, code quality analysis, and deployment automation.
- Modular Architecture: Each tool and component has its dedicated configuration in
.config/ - Task Abstraction: All operations are abstracted through Taskfile.yml for consistency
- Comprehensive Security: Integrated security scanning and vulnerability assessment
- Code Quality Assurance: Automated linting, formatting, and complexity analysis
- Standardised Workflow: Enforced commit messages and code review processes
- Containerised Development: DevContainer support for consistent environments
- Task - Task runner & build tool
- Docker - Containerization
- MegaLinter - Code quality & security scanning
- Commitizen - Commit message standardization
- Lizard - Code complexity analysis
- Grype - Vulnerability scanning
- Trivy - Security scanner
- Copier - Project templating and scaffolding
.
βββ .config/ # Tool-specific configurations
β βββ bun/ # Bun package manager configuration
β βββ commitizen/ # Commit message standardisation
β βββ devsecops/ # DevSecOps pipeline stages
β βββ docker-ce/ # Docker configuration
β βββ ... # Other tool configurations
βββ .devcontainer/ # Development container configuration
βββ src/ # Source code
βββ Taskfile.yml # Task runner configurationThe plugin implements a complete DevSecOps lifecycle through distinct stages:
- π― Plan: Initial planning and setup
- π» Code: Development with integrated security checks
- Commitlint validation
- MegaLinter checks
- Commitizen formatting
- Lizard code analysis
- ποΈ Build: Automated building with security
- Docker image builds
- Security scans
- π§ͺ Test: Comprehensive testing
- Docker tests
- Security testing
- π¦ Release: Secure release management
- Version bumping
- Changelog generation
- π Deploy: Automated deployment
- π Operate: Operational management
- π Monitor: Continuous monitoring
- π Feedback: Continuous improvement
Before using the DevSecOps Plugin, ensure you have the following installed:
- Python 3.11 or higher
- Docker Desktop 4.x or newer (for container support)
- Visual Studio Code (recommended)
- Git
- Create and activate a Python virtual environment:
mkdir -p ~/workspace
python3 -m venv ~/workspace/venv- Install Copier in the virtual environment:
source ~/workspace/venv/bin/activate
pip install copier- Generate a new project using the template:
cd ~/workspace/path/to/your/new/project
source ~/workspace/venv/bin/activate
copier copy -a .config/devsecops/.copier-answers.yml https://gitlab.com/digital-commons/devsecops/tools/the-devsecops-plugin.git .Replace /path/to/your/new/project with your desired project location.
Use . to create in the current directory
The plugin uses Task for operation control. Key environment variables:
# Core Controls
export TASK_FLAGS=""
export TASK_SEPARATOR="----------------------------------------"
# Component Controls
export TASK_BUN_ENABLED=true
export TASK_COMMITIZEN_ENABLED=true
export TASK_DOCKER_CE_ENABLED=true
export TASK_MEGALINTER_ENABLED=true
export TASK_LIZARD_ENABLED=true
# Pipeline Stage Controls
export TASK_DEVSECOPS_PLAN_ENABLED=true
export TASK_DEVSECOPS_CODE_ENABLED=true
export TASK_DEVSECOPS_BUILD_ENABLED=true- Setup Development Environment:
task dev:setup-environment- Run Security Scans:
task devsecops:code:security- Validate Code Quality:
task devsecops:code:quality- Create Release:
task devsecops:releaseThe plugin is designed to be easily customizable for specific project needs. Each project can define its own tasks in src/Taskfile.yml following the same lifecycle stages:
# src/Taskfile.yml
tasks:
plan:
desc: Run project-specific plan tasks
cmds:
- custom-planning-command
code:
desc: Run project-specific code tasks
cmds:
- npm test
- custom-linting
build:
desc: Run project-specific build tasks
cmds:
- docker build -t myproject .
# ... other stages (test, release, deploy, operate, monitor, feedback)These project-specific tasks will be automatically integrated into the main pipeline while keeping the core DevSecOps features intact. This allows you to:
- Add your own build processes
- Integrate custom testing frameworks
- Include project-specific deployment steps
- Add custom monitoring solutions
- Implement project-specific security checks
# Run the complete DevSecOps pipeline
task
# Run individual stages
task plan # Initial planning
task code # Development and checks
task build # Build and security
task test # Run tests
task release # Handle releases
task deploy # Deployment
task operate # Operations
task monitor # Monitoring
task feedback # Feedback loop
# Run specific tools
task megalinter # Code quality & security
task commitizen # Manage commits
task docker-ce:test # Docker testsYou can customize the behavior of the plugin by setting these environment variables:
# Core Features
TASK_BUN_ENABLED=true # Enable/disable Bun runtime
TASK_COMMITIZEN_ENABLED=true # Enable/disable Commitizen
TASK_COMMITLINT_ENABLED=true # Enable/disable Commitlint
TASK_MEGALINTER_ENABLED=true # Enable/disable MegaLinter
TASK_DOCKER_CE_ENABLED=true # Enable/disable Docker CE features
TASK_LIZARD_ENABLED=true # Enable/disable Lizard code analysis
# DevSecOps Pipeline Stages
TASK_DEVSECOPS_PLAN_ENABLED=true # Enable/disable Plan stage
TASK_DEVSECOPS_CODE_ENABLED=true # Enable/disable Code stage
TASK_DEVSECOPS_BUILD_ENABLED=true # Enable/disable Build stage
TASK_DEVSECOPS_TEST_ENABLED=true # Enable/disable Test stage
TASK_DEVSECOPS_RELEASE_ENABLED=true # Enable/disable Release stage
TASK_DEVSECOPS_DEPLOY_ENABLED=true # Enable/disable Deploy stage
TASK_DEVSECOPS_OPERATE_ENABLED=true # Enable/disable Operate stage
TASK_DEVSECOPS_MONITOR_ENABLED=true # Enable/disable Monitor stage
TASK_DEVSECOPS_FEEDBACK_ENABLED=true # Enable/disable Feedback stageThe following variables need to be configured in your GitLab CI/CD settings:
CZ_DEPLOY_KEY: Base64 encoded SSH private key for git operations (required for releases)GITLAB_USER_LOGIN: Your GitLab username (automatically provided)GITLAB_USER_EMAIL: Your GitLab email (automatically provided)
- Clone the repository:
git clone https://gitlab.gitlab.com/digital-commons/devsecops/tools/the-devsecops-plugin.git
cd the-devsecops-plugin- Install Task:
sh -c "$(curl --location https://taskfile.dev/install.sh)" -- -d- Setup development environment:
task dev:setup-environment- Run the complete pipeline locally:
task devsecopsThe plugin follows a modular architecture:
.
βββ .config/ # Tool configurations
β βββ bun/ # Bun runtime config
β βββ commitizen/ # Commit message config
β βββ devsecops/ # Pipeline stage definitions
β β βββ Taskfile.plan.yml
β β βββ Taskfile.code.yml
β β βββ Taskfile.build.yml
β β βββ ...
β βββ docker/ # Docker configuration
β βββ megalinter/ # Linting configuration
βββ .devcontainer/ # Dev container setup
βββ src/ # Project-specific tasks
β βββ Taskfile.yml # Custom task definitions
βββ Taskfile.yml # Main task orchestration
Each project can extend the base functionality by adding custom tasks in src/Taskfile.yml,
which are automatically integrated into the main pipeline while preserving the core DevSecOps features.- βΎοΈ Automation: Automated workflows for common DevSecOps tasks
- π Modular Pipeline: Clearly separated stages with individual configurations
- ποΈ Flexible Control: Enable/disable features via environment variables
- π Security-First: Integrated security scanning at every stage
- π Quality Assurance: Comprehensive code quality checks
- π³ Container-Ready: Full Docker integration
- π Standardization: Enforced commit message formatting
- π Monitoring: Built-in monitoring capabilities
- π Project Customization: Extensible framework allowing projects to define custom tasks for each lifecycle stage π Plugin Architecture: Clear separation between core DevSecOps features and project-specific implementations
The plugin implements multiple security measures:
- Automated vulnerability scanning with Grype and Trivy
- Code quality checks with MegaLinter
- Dependency scanning
- Container security analysis
- Secure configuration validation
- Keep all dependencies updated
- Follow the principle of least privilege
- Use environment variables for sensitive data
- Regular security scans
- Code review enforcement
Please see our Contributing Guide for details on how to set up the development environment and contribute to the project.
- Thomas Sanson (https://github.com/ThomasSanson)
This project is licensed under the MIT License - see the LICENSE file for details.