GitHub: A DevSecOps Platform

Sandeep Kumar
8 min read · Sep 20, 2022

Introduction

Software development involves many tasks that need to be automated to minimize human effort and increase software quality. Several methodologies and practices are followed during software development, and they evolve with time.

DevSecOps is currently the practice gaining the most traction in developer communities, alongside Agile development and lifecycle management. DevSecOps is simply the introduction of security practices into DevOps practice. Given the growing security risk, building security into the DevOps pipeline is well worth doing: it pays off in several ways and pushes software architects toward secure-by-design thinking.

Over time, the software and tools used in DevOps are also being revisited for better features from cost, performance, monitoring and maintenance perspectives. Several large vendors are strengthening DevOps/DevSecOps practice with ready-made solutions offered as a platform. GitHub is one such platform: it gives developers a robust source code management platform together with a DevSecOps automation platform.

About GitHub

GitHub is a software development platform that provides Source Code Management (SCM) and version control built on Git, together with a DevSecOps automation platform based on CI/CD pipelines (GitHub Actions). Note that GitHub itself is a proprietary hosted service, not an open source project; Git and some GitHub components (such as the Actions runner and the GitHub CLI) are open source.

GitHub has been a subsidiary of Microsoft since 2018 and has since been extended with tighter Azure Cloud integration. It offers free public and private repositories as well as paid plans, including enterprise solutions for software development.

As of November 2021, GitHub was the largest source code host. In June 2022, GitHub reported more than 200 million repositories, including 28 million public repositories, and 83 million developers using the platform.

GitHub provides a complete platform for project, iteration and issue management, SCM, DevOps/CI/CD pipelines, delivery and release management, wikis for documentation, identity and access management, and more.

GitHub is available in two forms:

  1. Self hosted — GitHub Enterprise Server, a commercial (not open source) edition that you deploy as a virtual appliance on your own infrastructure or in your own cloud account. (GitHub Desktop, the application available for Windows and Mac, is only a Git client for working with repositories; it is not a self-hosted GitHub.)
  2. Internet Hosted Service — GitHub is provided as a hosted service at https://github.com

Before doing anything further on github.com, you must have a GitHub account. Create one from the GitHub sign-up page; if you already have an account, log in.

Below are major features offered by GitHub:

  1. Organization management — Create and manage organizations in GitHub to group projects. An organization can hold projects, repositories and teams.

When creating one, GitHub prompts for a plan; choose according to need (the free plan is enough for learning). The next page asks for the organization name and contact email. Provide the details and create the organization.

Once the organization is created, its page is where you can create repositories, projects and packages, manage teams, and add or remove people.

2. Project Management — Projects can be created and managed, with work items tracked and viewed under them.

3. Repository Management — You can create and manage SCM (Source Code Management) repositories to store source code.

Creating one asks for the repository name and other important details (description, visibility, initial files):

Once the repository is created, you can check in code, raise Pull Requests (PRs), manage issues, create GitHub Actions workflows, link it to a project, create wiki pages, manage repository security settings, monitor insights and manage the repository settings.

4. Gist — A gist is a snippet of code or text that can be shared and referenced on its own, outside a repository.

5. Other Features: Several other features support the complete DevOps platform, for example:

  • User/people/account and team management
  • Authentication and authorization for different set of objects
  • Accessibility
  • Notification setting
  • Integrations with other applications
  • Developer settings
  • Code security and analysis

GitHub Actions

The most important feature for building DevOps pipelines is GitHub Actions.

It allows a declarative pipeline to be written in YAML, where the pipeline steps (DevOps stages) are defined as jobs and steps. The workflow file is stored in the same repository under the .github/workflows directory, so it is versioned and reviewed together with the code.

GitHub Actions provides a user interface for choosing a starter workflow that generates the declarative pipeline. Once the YAML is generated, the developer can customize it as needed: custom steps can be added or modified.

GitHub Actions offers starter workflows for many programming languages and build tools, spread across several categories:

  • Automation, e.g. greetings, labeler, stale, etc.
  • Continuous Integration, e.g. Publish Java package with Maven, Java with Gradle, Android CI, Node.js, .NET, Ada, Ruby, iOS, Webpack, Swift, Go, Elixir, Symfony, Docker and many more.
  • Deployment — Deploy to Azure, Deploy to Amazon ECS, Build and Deploy to GKE, Terraform, OpenShift, etc.
  • Security — Dependency Review, CxSAST, Code Security Scan, Code Scan, etc.
  • Pages — Hugo, Next.js, Static HTML, Jekyll, Gatsby, etc.

Apart from the predefined workflows, a custom workflow can be created by writing the YAML by hand.

One pipeline is walked through in detail in the following sections.

Use Case

To demonstrate DevSecOps on the GitHub platform, we take a Java-based project as an example. We write the code for the Java project, create a repository in GitHub and check the code into it. These prerequisite steps have been done at: https://github.com/siddhivinayak-sk/spring-reactor-reactive

Now, there are two ways to create the pipeline: manually, or via the GitHub Actions page. To create it manually, you need to learn the GitHub workflow syntax; extensive documentation is available at https://docs.github.com/en/actions/learn-github-actions

For this use case, we use the GitHub Actions page.

  1. Open the repository in the browser (e.g. https://github.com/siddhivinayak-sk/spring-reactor-reactive)
  2. Open the Actions tab by clicking on it

3. Click on ‘New workflow’

4. Choose ‘Java with Maven’ and click the ‘Configure’ button. This opens a YAML editor with an auto-generated pipeline configuration, e.g.:

name: Java CI with Maven

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          java-version: '11'
          distribution: 'temurin'
          cache: maven
      - name: Build with Maven
        run: mvn -B package --file spring-reactor/pom.xml

You can modify the steps as needed and click the ‘Start commit’ button to commit the file.

5. Once committed, the pipeline is triggered automatically, because committing the workflow file to main is itself a push to main. To check, open the Actions tab again.

Under ‘All workflows’, every workflow that has been created is listed, and the corresponding runs appear in the middle area.

6. Click on any run, e.g. the first entry named ‘Update maven.yaml’. This opens the details of the pipeline's stages as a graph.

Since this pipeline has only one job, ‘build’, only the build stage is shown. Many jobs can be defined in a workflow, similar to Jenkins stages, and made dependent on other jobs using the needs keyword. For this, GitHub Actions provides various declarative keys supporting the different functionalities.

7. Click on the ‘build’ job to see its details.

You can expand each step of the job to see its details.

Additionally, it provides features such as rerunning the pipeline, downloading logs, downloading artifacts (depending on configuration), etc.

Although this use case is very simple, it can be enriched to be as complex as required.

Security stages such as dependency checks and CVE analysis can be added to the workflow very easily to follow DevSecOps practice. GitHub provides many prebuilt templates, or a custom pipeline can be created. Two hardening steps worth applying to any workflow, whether generated or hand-written, are restricting the permissions of the workflow's GITHUB_TOKEN to what each job actually needs, and pinning third-party actions to a full commit SHA rather than a mutable tag.
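The following workflow is added here as an illustration; it is not part of the original repository or of GitHub's starter template. It extends the generated ‘Java with Maven’ pipeline above with the hardening a DevSecOps reviewer would ask for: the GITHUB_TOKEN is stripped of all permissions at the top level and each job grants itself only what it needs, a Dependency Review job fails pull requests that introduce vulnerable dependencies, and a CodeQL job runs static analysis on the Java code. The two security jobs depend on build via needs, the stage-dependency mechanism mentioned above. The build path spring-reactor/pom.xml is taken from the page's use case; the fail-on-severity threshold of ‘high’ is my own choice, and the action versions are the tags current in 2022 (in production, replace them with full commit SHAs).

```yaml
name: Java CI with Maven (DevSecOps)

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

# Least privilege: remove every default GITHUB_TOKEN permission here and
# let each job declare only what it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Tag references are kept for readability. In production pin each
      # action to a full commit SHA (uses: owner/repo@<40-hex-sha>) so a
      # moved tag cannot silently change the code the runner executes.
      - uses: actions/checkout@v3
      - name: Set up JDK 11
        uses: actions/setup-java@v3
        with:
          java-version: '11'
          distribution: 'temurin'
          cache: maven
      - name: Build with Maven
        run: mvn -B package --file spring-reactor/pom.xml

  dependency-review:
    # Compares the dependency manifests of the PR head against the base
    # branch and fails on newly introduced vulnerable dependencies. It only
    # has a base and head to compare on pull_request events, hence the gate.
    if: github.event_name == 'pull_request'
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      - uses: actions/dependency-review-action@v2
        with:
          fail-on-severity: high   # threshold is an assumption; tune per project

  codeql:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read            # lets CodeQL read workflow run data on private repos
      security-events: write   # required to upload SARIF results to code scanning
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          java-version: '11'
          distribution: 'temurin'
          cache: maven
      - uses: github/codeql-action/init@v2
        with:
          languages: java
      # Explicit build instead of autobuild: the pom lives in a subdirectory,
      # and CodeQL for Java traces the compiler invoked by this command.
      - name: Build for CodeQL
        run: mvn -B package --file spring-reactor/pom.xml
      - uses: github/codeql-action/analyze@v2
```

On public repositories both Dependency Review and CodeQL are free; on private repositories they require GitHub Advanced Security. The build job compiles untrusted pull request code, which is acceptable with the pull_request trigger because the token is read-only and secrets are withheld for forks; the same build under pull_request_target, which runs with the base repository's privileges, would be a classic pipeline compromise and should not be combined with checking out the PR head.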

Conclusion

GitHub is the largest internet-hosted service for public repositories. It is continuously enhancing its capabilities to become a single platform for the complete DevSecOps practice.

It offers tools and artifacts for managing organizations, projects, repositories and CI pipelines in one place.

CI pipelines/workflows are supported for many programming languages and build tools through declarative YAML-based pipeline definitions. GitHub provides many predefined workflow templates for easy pipeline development and supports customization with a huge number of tools and commands.

GitHub provides integrated security, dependency analysis and reporting to support DevSecOps practices. It also supports Dependabot, an automation tool for dependency scanning and upgrades, which sends notifications whenever a new version of a dependency is available and can raise a PR automatically depending on configuration. Because of these features, it is becoming more popular day by day.


Sandeep Kumar

Sandeep Kumar holds a Master of Computer Application and works as a Technical Architect with 11+ years of experience in the banking, retail and education domains.