Wednesday, January 8, 2025

How to Set Up AquaSec Trivy Scanner | How to install AquaSec Trivy Scanner on Linux OS

What is Trivy?

  • open-source security scanner tool developed by Aqua Security. 
  • Used for vulnerability scanning in such as 
    • container images 
    • file systems/folders 
    • Git repositories
    • Kubernetes clusters
    • misconfiguration in files such as Terraform, K8S manifest files
  • Trivy helps identify security issues and misconfigurations early in the software development lifecycle.

How to Install Trivy scanner on Linux OS?

Trivy scanner can be installed so many ways. Check here for more information. But we will using APT package manager to install on Ubuntu.

sudo apt-get install wget gnupg -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null 
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list 
sudo apt-get update 
sudo apt-get install trivy -y

Check Trivy got installed
trivy --version


This confirm that Trivy got installed successfully.

Perform some scan locally

trivy image nginx


Complete Roadmap for 2025 to become a DevSecOps Engineer | Top DevSecOps Skills for 2025 | Skills required to become a DevSecOps engineer |

 Complete Roadmap to become a successful DevOps Engineer



We all know how DevOps is trending right now. And we know where it is going. Let's get to know what skills will make you a successful a DevOps engineer.

Top DevOps skills

1. Linux knowledge and scripting - basic troubleshooting, intermediate scripting, looking at the logs

2. Experience in Git, GitHub, Bitbucket or any version control systems such as SVN, TFVC

3. Experience in Continuous Integrations tools such as Jenkins, TeamCity, Circle CI 

4. Experience in Code quality tool/security scanning tools - Sonarqube, Aquasec Trivy

5. Experience in Infrastructure automation tools such as Terraform, AWS cloud formation

6. Experience in Configuration Management tools such as Ansible, Puppet or Chef

7. Experience in scripting languages such as YAML, groovy, Ruby, Python and Shell

8. Experience in containers such as Docker, Kubernetes and Helm

9. Experience in Monitoring tools such as Prometheus, Grafana

10. Ability to troubleshoot in case builds, deployments failure.

11. Any cloud knowledge and experience - AWS, Azure and Google cloud

Soft skills employers are looking:

These days employers are not only looking for strong technical skills but also looking "soft skills" which are essentials to become successful in IT. If you think if you are lagging on any of these skills, no worries. All these skills can be developed and improved over period of time by practicing.

1. Open minded

2. Willingness to learn new skills

3. Communication

4. Approachable

5. "Get it done" attitude

6. Being adaptable. 

Saturday, September 14, 2024

What is the difference between Code Coverage and Code Analysis

Both code coverage and code analysis are methods used to improve software quality, but they differ in their approach, goals, and implementation. Here's a detailed comparison:

Code Coverage:

  • Definition: Code coverage is a metric that measures the amount of code that is executed during automated tests.
  • Purpose: The main goal is to ensure that the test suite exercises as much of the codebase as possible, helping to identify untested areas.
  • How it Works:
    • Tools run the tests and track which parts of the code (lines, branches, functions) are executed.
    • Coverage is expressed as a percentage indicating how much of the code has been executed during tests.
  • Metrics Tracked:
    • Line Coverage: How many lines of code are executed.
    • Branch Coverage: How many decision points (e.g., if statements) are tested.
    • Function Coverage: How many functions or methods are invoked during tests.
  • Example Tools: JaCoCo, Coverage.py, Istanbul.
  • Output: Reports showing which portions of the code are covered by tests and which are not.
  • Use Case: Primarily used during the testing phase to gauge the extent to which the code is exercised by tests.

Code Analysis:

  • Definition: Code analysis is a technique used to evaluate the quality, structure, and potential errors in the codebase. It can be performed either statically (without executing the code) or dynamically (during runtime).
  • Types of Code Analysis:
    • Static Code Analysis: Inspects the source code for issues such as coding standards violations, potential bugs, or security vulnerabilities without running the code.
    • Dynamic Code Analysis: Involves analyzing the behavior of the code during execution, often looking for performance issues, memory leaks, or runtime errors.
  • Purpose: The goal is to find potential problems or improve code quality by identifying security risks, performance bottlenecks, or areas that violate best practices.
  • How it Works:
    • Static analysis tools scan the code for patterns that match predefined rules (e.g., code smells, unused variables).
    • Dynamic analysis tools monitor the code while it's running to observe its actual behavior.
  • Example Tools:
    • Static Analysis: SonarQube, Pylint, ESLint.
    • Dynamic Analysis: Valgrind, Dynatrace.
  • Output: Reports showing potential bugs, security vulnerabilities, code smells, or violations of coding standards.
  • Use Case: Can be performed during development to ensure code quality and prevent issues from entering production.

Sunday, May 12, 2024

DevOps Interview Preparation Useful real time tips | Crack DevOps Interviews | How to clear DevOps Interviews

 Are you failing in DevOps Interviews? Are you not be able to go to next round in the Interview process? 

First of all you need to have clear story about following five key items:

#1.     Come up with a story to talk about your back ground and over all experience 

            What are the Devops tools you have worked in, what cloud platform you are familiar ?

#2.     Have clear idea to talk about your role in your current project

           Your role instead of what whole team did

#3.     Your day to day responsibilities as a DevOps engineer

           How you spend your day 9-5. Starting with stand up, cicd, infra automation, collaborate with teams, meetings and documentation.

#4.     Be ready to talk about the challenges, how you overcome them in your current project

           What challenges you had, how did you over-come and what was the outcome?

#5.     Be clear about what you know and what you don’t know.            

  • It is OK to say you don’t know or have not worked that specific tool when asked about it. Show some willingness to learn
  • For e.g you may be good in CICD but not good in,  let’s say in container orchestration tools such as Kubernetes, which is OK.

Saturday, April 20, 2024

Fix for Jenkins slowness when Running in AWS EC2 instance | Jenkins Very Slow Upon Starting EC2 Instance after Stopping

Let's say that you have configured Jenkins in AWS EC2 instance and you are using AWS free tier and you are NOT using Elastic IP, so when ever you start EC2 instance after stopping, you would have noticed Jenkins UI is taking a lot of time to come up. You try to access any page in Jenkins, it will be really slow.

What is the root cause of the issue?

Because EC2 configured in AWS free tier account would have new IP after every restart, Jenkins was trying to use old IP address when you are trying to start Jenkins. Due to this issue, Jenkins will be very slow.

Pre-requisites:

  • Jenkins is setup in AWS cloud using free-tier account.

There are two ways you can fix this issue:

First option using command line

Make changes in the xml file by logging into EC2 instance through command line using Git bash or any SSH tool.

Connect to Jenkins EC2 instance using Git bash or iTerm:

Navigate to Jenkins installation directory:

cd /var/lib/jenkins/

Modify jenkins.model.JenkinsLocationConfiguration.xml file by executing below command:

sudo nano jenkins.model.JenkinsLocationConfiguration.xml

Make sure you provide Jenkins current URL in below location and restart Jenkins.

sudo service jenkins restart

Now try accessing Jenkins through UI, it will be really performing well.

Second option us using Jenkins UI

Change public URL under Manage Jenkins->System

Change Jenkins URL to current Jenkins URL:

Click on Apply-> Save.

that's it. You will notice Jenkins is performing well now.

Watch steps in YouTube channel: 

GitHub Actions CICD Pipeline to Deploy Java WebApp into Azure App Service | Integration GitHub Actions with Azure App Service

 


Pre-requisites:

  • Make sure Java web app is setup in GitHub
  • Azure subscription to create web app
What are we going to do in this lab?
1. Create a Web App in Azure Cloud
2. Configure WebApp to Deploy using gitHub Actions
3. Create workflow yaml
4. Add steps/tasks in the yaml file
5. Run the workflow yaml
6. Check if Java Web App is deployed in Azure App Service

How to Create WebApp in Azure Portal?

1. Login portal.azure.com
2. Click on App services


3.Click on + Add or click on Create app service


Click on Web App. Choose your Azure subscription, usually Pay as you Go or Free trial subscription
Create a new resource group or you can use existing resource group)


Enter App service name(it should be unique)
Publish as Code
Run time stack as Java 17
Java Web Server stack --> Tomcat 10.0
Operating System as Linux
Region as Central US or where ever you are based at

Enter LinuxPlan name
Choose pricing plan

Now go to Deployment tab:
Enable basic authentication
and enable Continuous Deployment 


Click on GitHub account, Authorize.
Authorize AzureappService
now select organization, repo, branch



You can also click on preview file to get pipeline YAML code 

Click on Review and Create




Create Web App
Now make sure AzureAppService_PublishProfile secret is automatically created in GitHub repo you selected.



Create GitHub Actions CICD workflow yaml:

name: Build and deploy WAR app to Azure Web App
on:
  push:
    branches:
      - main
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Java version
        uses: actions/setup-java@v2
        with:
          java-version: '11'
          distribution: 'adopt'
      - name: Build with Maven
        run: mvn clean install -f MyWebApp/pom.xml
      - name: Upload artifact for deployment job
        uses: actions/upload-artifact@v3
        with:
          name: MyWebApp
          path: '${{ github.workspace }}'
  deploy:
    runs-on: ubuntu-latest
    needs: build
    environment:
      name: 'Production'
      url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
    steps:
      - name: Download artifact from build job
        uses: actions/download-artifact@v3
        with:
          name: MyWebApp
      - name: Deploy to Azure Web App
        id: deploy-to-webapp
        uses: azure/webapps-deploy@v2
        with:
          app-name: 'spingbootwebapp'
          slot-name: 'Production'
          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_76B948D486E54ED7B06775D572207D40 }}
          package: '*.war'


Check the output after running the pipeline:


Verify if WebApp has been deployed into Azure App Service by browsing Web App url.

https://mysuperjavaapp.azurewebsites.net/MyWebApp/

Watch here all the steps in YouTube channel: