Free Tools DevOps Teams can Use to Fix Security Risks

A cost-effective approach for limited budgets 

DevSecOps integrates security practices within the DevOps security processes, emphasizing a “shift-left” mentality. By considering security from the beginning of the software development lifecycle, teams can create more robust and secure applications.

In this article, we’ll cover five ways to ensure code quality and enhance the security of your CI/CD pipeline and the build stage using free security tooling.

written by
Shay El Gold
published on
November 19, 2024
topic
Application Security
SCA Security

DevSecOps integrates security practices within the DevOps security processes, emphasizing a “shift-left” mentality. By considering security from the beginning of the software development lifecycle, teams can create more robust and secure applications.

In this article, we’ll cover five ways to ensure code quality and enhance the security of your CI/CD pipeline and the build stage using free security tooling:

  1. Detecting and preventing hardcoded secrets – Gitleaks
  2. Generating a software bill of materials (SBOM) – Syft
  3. Checking for vulnerabilities in dependencies – OWASP Dependency-Check
  4. Enforcing code quality and best practices –  Linters and Hadolint
  5. Implementing organizational policies – Polaris

Please note that open-source tools like Gitleaks and Syft are a strong start for CI/CD security—they cover the basics. But as your team scales, so do the stakes. Open-source lacks the depth, speed, and integration that mature security teams need to keep up with complex threats. When security becomes mission-critical and false positives or slow updates become deal-breakers, it’s time to consider commercial tooling. These solutions bring the precision, support, and scale needed to move beyond “just good enough” and stay truly secure.

Now, let’s dive into these security measures and explore the tools that can help implement them.

1. Detecting and Preventing Hardcoded Secrets with Gitleaks

Hardcoded secrets embedded in your source code pose a significant security risk. In this example, we’ll use Gitleaks, an open-source SAST tool designed to detect and prevent hardcoded secrets such as passwords, API keys, and tokens in Git repositories.

$ docker run -v $(pwd):/path zricethezav/gitleaks:latest detect --source="/path" -v

# OUTPUT example

   ○

   │╲

   │ ○

   ○ ░

   ░    gitleaks

Finding:     k8s_hf_secret_list             = var.k8s_hf_secret == null ? [] : [var...

Secret:      var.k8s_hf_secret

RuleID:      generic-api-key

Entropy:     3.616875

File:        benchmarks/benchmark/tools/locust-load-inference/main.tf

Line:        50

Commit:      6d21def955d77cd130309318928f102ef0ac6e58

Author:      vivianrwu

Email:       vivianrwu@google.com

Date:        2024-07-15T19:12:58Z

Fingerprint: 6d21def955d77cd130309318928f102ef0ac6e58:benchmarks/benchmark/tools/locust-load-inference/main.tf:generic-api-key:50

Finding:     var jobKey = "759730a97e4373f3a0ee12805db065e3a4a649a5"

Secret:      759730a97e4373f3a0ee12805db065e3a4a649a5

RuleID:      generic-api-key

Entropy:     3.653702

File:        tpu-provisioner/internal/cloud/gke_test.go

Line:        143

Commit:      6d21def955d77cd130309318928f102ef0ac6e58

Author:      vivianrwu

Email:       vivianrwu@google.com

Date:        2024-07-15T19:12:58Z

Fingerprint: 6d21def955d77cd130309318928f102ef0ac6e58:tpu-provisioner/internal/cloud/gke_test.go:generic-api-key:143

9:30PM INF 1 commits scanned.

9:30PM INF scan completed in 3.28s

9:30PM WRN leaks found: 2

Gitleaks scans your codebase for potential secrets, such as API keys, passwords, and tokens. It provides detailed output, including the location of the secret, the type of secret detected, and the commit information.

2. Generating an SBOM with Syft

A Software Bill of Materials is crucial for tracking and auditing the components used in your software. We’ll use Syft to generate a list. Syft is a CLI tool and Go library for generating SBOM from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.

# Installation for MacOs

brew install syft # you can check the link for other installation methods

# execution

syft scan docker:jenkins/jenkins:latest

Syft scans container images and filesystems, providing a comprehensive list of all software components and their versions.

Here is example output:

generating an SBOM
Figure 1. Example of Syft output.

3. Checking for Vulnerabilities in Dependencies with OWASP Dependency-Check

To identify known vulnerabilities in your project dependencies, we’ll use OWASP Dependency-Check. OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

DC_VERSION="latest"

DC_DIRECTORY=$HOME/OWASP-Dependency-Check

DC_PROJECT="dependency-check scan: $(pwd)"

DATA_DIRECTORY="$DC_DIRECTORY/data"

CACHE_DIRECTORY="$DC_DIRECTORY/data/cache"

if [ ! -d "$DATA_DIRECTORY" ]; then

   echo "Initially creating persistent directory: $DATA_DIRECTORY"

   mkdir -p "$DATA_DIRECTORY"

fi

if [ ! -d "$CACHE_DIRECTORY" ]; then

   echo "Initially creating persistent directory: $CACHE_DIRECTORY"

   mkdir -p "$CACHE_DIRECTORY"

fi

# Make sure we are using the latest version

docker pull owasp/dependency-check:$DC_VERSION

docker run --rm \

   -e user=$USER \

   -u $(id -u ${USER}):$(id -g ${USER}) \

   --volume $(pwd):/src:z \

   --volume "$DATA_DIRECTORY":/usr/share/dependency-check/data:z \

   --volume $(pwd)/odc-reports:/report:z \

   owasp/dependency-check:$DC_VERSION \

   --scan /src \

   --format "ALL" \

   --project "$DC_PROJECT" \

   --out /report

Dependency-Check downloads vulnerability data from the National Vulnerability Database API and scans your project dependencies against this information. Some points to note about this Dependecy-check: 

  1. Initial download: on the first execution, the tool will download all disclosed vulnerabilities from the NVD. This process may take a very long time, so be patient during the initial setup.
  2. Scanning and reporting: Dependency-Check will scan your project and create a comprehensive report after downloading the vulnerability data.
  3. Improving performance: To speed up subsequent executions, you can request an official API key from the NVD and configure Dependency-Check to persist the downloaded data between executions.

After execution, discovered vulnerabilities are saved in a report that can be exported in multiple formats like the HTML shown below.

devops security process
Figure 2. Example of Dependency-Check

4. Enforcing Code Quality and Best Practices with Linters and Hadolint

Linters analyzes source code for errors, vulnerabilities, and stylistic issues to improve code quality and enforce security best practices. For the Dockerfile example below we’ll use Hadolint:

FROM python:3

# Set the working directory in the container

WORKDIR /app

# Copy files

COPY . /app

# Install system dependencies

RUN apt-get update && apt-get install -y \

   gcc \

   libpq-dev \

   && rm -rf /var/lib/apt/lists/*

# Install python dependencies

RUN pip install --no-cache-dir flask gunicorn psycopg2

# Make port 5000 available to the world outside this container

EXPOSE 5000

# Define environment variable

ENV FLASK_APP=app.py

# Run app.py when the container launches

CMD ["gunicorn", "-b", "0.0.0.0:5000", "app:app"]

Figure 3. Hadolint analyzes Dockerfiles for potential issues and security risks, helping standardize and secure your container builds.

5. Implementing Organizational Policies with Polaris

To enforce organizational policies, especially for Kubernetes manifests, we’ll utilize Polaris, an open-source policy engine. Polaris helps ensure that Kubernetes deployments conform to best practices, enhancing the security, efficiency, and reliability of your clusters.

Polaris works by performing a series of policy checks on Kubernetes manifests. It evaluates configurations such as resource limits, container privileges, and image security. Specifically, Polaris can be integrated into your Continuous Integration (CI) pipeline to enforce these policies during the build and deployment phases, catching potential misconfigurations early.

# Installation for macOS

brew tap FairwindsOps/tap

brew install FairwindsOps/tap/polaris

# usage

polaris audit --audit-path ./manifests/ --format=pretty

enforce devops security policies
Figure 4. Polaris checks Kubernetes manifests against common issues and security misconfigurations, helping prevent potential vulnerabilities from reaching production.

Yes, free tooling can be utilized to manage security workflows for restricted budgets

As demonstrated, you can improve security with free tooling by Implementing security measures such as detecting hard-coded secrets, generating SBOMs, checking for vulnerabilities, enforcing best practices, and applying organizational policies. Utilizing these tools and implementing security processes into your workflows can significantly boost the security of your CI/CD pipeline. 

However, everything has a cost… even free tooling.

Managing tasks with separate tools can quickly become a labor-intensive and time-consuming process, often requiring multiple integrations, custom scripts, and continuous maintenance across various platforms.

This fragmented approach slows development and increases the risk of gaps in your security coverage. 

devops security process

Implement security process and keep in budget with runtime security platform

Instead of juggling individual solutions, a unified runtime security platform like Kodem Security can dramatically simplify the process. Kodem integrates these critical security measures into one streamlined solution, reducing the complexity and overhead typically associated with multiple tools.

Our suite of tooling covers every part of your stack— source code scanning, containers, APIs, and more—while helping your teams prioritize and remediate real risks in real-time. With advanced features like Attack Chain Analysis, Adversarial Risk Prioritization, dynamic SBOMs, Kodem ensures your security teams focus on what attackers will actually exploit.

Kodem helps ensure consistent enforcement of security policies while allowing your team to focus on building and delivering applications without interruptions. Remember, security is an ongoing process—regularly reviewing and updating your approach is crucial to staying ahead of emerging threats. With Kodem, you can manage this process more efficiently and effectively.

Blog written by

Shay El Gold

Principal DevOps Engineer

Shay has over nine years of experience in cloud-native architectures and Kubernetes implementations. Specializing in AWS and GCP, he architects scalable infrastructure using Terraform and GitOps methodologies. His expertise focuses on DevSecOps implementation and secure Kubernetes deployments, driving technical excellence through leadership and team enablement.

A Primer on Runtime Intelligence

See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced

Platform Overview Video

Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.

5.1k
Applications covered
1.1m
False positives eliminated
4.8k
Triage hours reduced