...
Following up on our call last week with the LFN infra workgroup and our action item :
https://wikilf-networking.lfnetworkingatlassian.orgnet/wiki/display/LN/LFN+Infra+Work+Group+1+Feb+19
I went ahead and tried the SCM features and CI of github; my goal was to reach a point where I could replicate the verify job and see the hurdles I would face.
I did the following:
...
- All in one
- CI/CD
- artifact management
- documentation
- built-in web site
- open source solution
- it is free
- native integration with kubernetes /prometheus (even if we have not really used it so far)
- All of the features available for free for education & open source projects hosted on gitlab.com (https://about.gitlab.com/2018/06/05/gitlab-ultimate-and-gold-free-for-education-and-open-source/)
the -
- All in one
- no SLA on performance/availability (but we did not pay for an Ultimate or Gold version and on gitlab.com, the aaS is very good - we experienced some rare problems from time to time (e.g. after Microsoft announced they bought github, it was very slow, as lots of communities were moving to gitlab..))
- CI runners are available to launch CI jobs but you still need cloud resources to do the job (we are using our own server), no idea how much it would cost if it was fully externalized
- no native integration so far with docker hub found (as github) BUT built-in docker registry
Focus on security aspects:
gitlab includes a docker registry and native integration with lots of open source tools
https://docs.gitlab.com/ee/user/project/merge_requests/
- Analyze the impact of your changes with Code Quality reports
- Manage the licenses of your dependencies with License Management
- Analyze your source code for vulnerabilities with Static Application Security Testing
- Analyze your running web applications for vulnerabilities with Dynamic Application Security Testing
- Analyze your dependencies for vulnerabilities with Dependency Scanning
- Analyze your Docker images for vulnerabilities with Container Scanning
- Determine the performance impact of changes with Browser Performance Testing
Static Application Security Testing
this testing focuses on code vulnerabilities
- java / Maven => find-sec-bugs https://find-sec-bugs.github.io/
- Python => bandit
- JavaScript => ESLint security plugin
- NodeJs => NodeJsScan
it also evaluates potential XSS attacks
Dynamic Application Security Testing
https://docs.gitlab.com/ee/user/project/merge_requests/dast.html
=> OWASP ZAProxy
Addon to chain CI pipelines shared at ONS Europe: https://events.linuxfoundation.org/wp-content/uploads/2017/12/Orange-Openlab-A-Full-Automated-Telco-Stack-for-the-Community-David-Blaisonneau-Nicolas-Edel-Orange.pdf
...
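Added example, not from the original message or from the LFN/ONAP projects: a minimal .gitlab-ci.yml wiring the scanners listed above (SAST, Dependency Scanning, Container Scanning, DAST) into a merge-request pipeline, with the image pushed to GitLab's built-in registry first so no Docker Hub integration is needed. The Security/*.gitlab-ci.yml template paths and the CS_IMAGE / DAST_WEBSITE variable names are assumed to match the GitLab version in use; the review URL is a placeholder.

```yaml
# Added example (not the original author's config): run GitLab's built-in
# security scanners on every merge request. Template paths and the
# CS_IMAGE / DAST_WEBSITE variable names are assumed to match the GitLab
# version in use; check the Security templates shipped with your instance.
include:
  - template: Security/SAST.gitlab-ci.yml                  # find-sec-bugs, bandit, ESLint security plugin, NodeJsScan
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml                  # OWASP ZAP

stages:
  - build      # build and push the image to the built-in registry
  - test       # SAST, dependency and container scanning run here by default
  - dast       # ZAP runs against a deployed instance, after the test stage

variables:
  # Image built for this commit, stored in the built-in registry; the
  # container-scanning job pulls it from there (no Docker Hub needed).
  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # Placeholder: the review deployment of this merge request that ZAP scans.
  DAST_WEBSITE: https://review-app.example.invalid

build_image:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  script:
    # CI_REGISTRY_* are GitLab's predefined, job-scoped registry credentials
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$IMAGE_TAG" .
    - docker push "$IMAGE_TAG"
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

Findings from all four scanners are attached to the merge request as reports, which is what makes this usable as a replacement for a Jenkins verify job.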