What's New with DevSecOps on IBM Cloud

By Steve Weaver posted Fri April 29, 2022 01:29 PM

The IBM Cloud DevSecOps reference implementation has been enhanced to:
  • Implement continuous compliance checks
  • Execute dynamic scans for code and apps using OWASP ZAP
  • Improve pipeline performance and user experience
  • Enhance resiliency using async pipelines
  • Deploy your app on multiple clusters using Satellite Config


Last year, IBM introduced the DevSecOps Reference Implementation for audit-ready compliance across development teams, which provides a complete, secure software delivery lifecycle automated with IBM Cloud Continuous Delivery and other IBM Cloud services.

We've continued to improve the offering with new capabilities and enhancements. These extend audit preparedness to more of the delivery lifecycle, help you improve your security and compliance posture, and let your development teams instantiate and deploy the DevSecOps toolchains more quickly.

New Continuous Compliance toolchain

The new Continuous Compliance (CC) toolchain consists of a continuous compliance pipeline that continuously scans existing deployed artifacts and their source repositories, independent of your deployment schedule.

It runs static and dynamic scans on your application's source code, detects secrets in Git repos, performs a Bill of Materials (BOM) check, a Center for Internet Security (CIS) security check, and an IBM Vulnerability Advisor scan. After scanning and running checks on artifacts and source repositories, the pipeline creates new incident issues, or updates existing ones, in the incident repository. Finally, using these issues and the scan results, the pipeline collects and summarizes the evidence that can be used to prepare for audits.

Figure 1: DevSecOps Continuous Compliance toolchain

OWASP dynamic scan

The reference architecture already offered static application code scanning and vulnerability assessments; now we've added the world's most widely used open-source web app scanner, OWASP ZAP. With this capability, you can configure API and UI scans for the Continuous Integration (CI) and Continuous Compliance (CC) toolchains. Refer to configuring ZAP scans in the DevSecOps documentation to see how this is done in practice.

Async pipelines

The CC pipeline uses an asynchronous sub-pipeline that runs in parallel with the main pipeline to reduce pipeline run time and improve pipeline resiliency.

With this feature, you can reduce your pipeline run time by starting time-consuming stages in a parallel process, while the parent pipeline continues with other stages without waiting for the results of the triggered async stage. This also improves pipeline resiliency when the async pipeline run fails, for example because of transient infrastructure errors such as network timeouts: you can easily rerun the failed stage on its own, and it keeps the state from its first initialization.

Deploy to multiple clusters using Satellite config

IBM Cloud Satellite brings public cloud services to any environment, allowing customers with stringent regulatory requirements to use the flexibility and agility of these services in their own secure on-premises data center. The DevSecOps reference implementation uses Satellite Config to deploy an app across a group of clusters in IBM Cloud Satellite. With Satellite Config, you create a configuration that specifies which Kubernetes resources to deploy to a cluster group of Red Hat® OpenShift® clusters running in your Satellite location or in IBM Cloud.

Improved user experience

We have been improving the user experience so that users can quickly and easily create a toolchain and its dependencies from scratch. If you have tried an older version, you will see an improved and more detailed Welcome page that explains the toolchain creation journey step by step, along with the ability to automatically populate IBM Cloud Object Storage bucket details.

I invite you to try the DevSecOps toolchain templates today!

Get started