Dastardly a free DAST for web app CI/CD Pipelines
PortSwigger has released this free solution for those dealing with web app CI/CD pipelines.
It is a free Dynamic Application Security Testing tool which has native integration with:
* GitHub Actions - [https://github.com/PortSwigger/dastardly-github-action](https://github.com/PortSwigger/dastardly-github-action)
* Jenkins - https://portswigger.net/burp/documentation/dastardly/jenkins
* TeamCity - [https://portswigger.net/burp/documentation/dastardly/teamcity](https://portswigger.net/burp/documentation/dastardly/teamcity)
* and then any other - https://portswigger.net/burp/documentation/dastardly/generic
"Find 7 issues you care about - in 10 mins or less
Dastardly is a free, lightweight web application security scanner for your CI/CD pipeline. It looks at your application from the outside - just like an attacker - giving it the sort of accuracy that most static analysis tools can only dream of. Scans run no longer than 10 mins."
https://portswigger.net/blog/free-dastardly-from-burp-suite
https://redd.it/yfqqvk
@r_devops
kubelog - a graphical log viewer for Kubernetes.
Hi, I've been working for quite some time on kubelog now, and I'm happy to finally share it with you. The official website is here: [https://kubelog.de/](https://kubelog.de/)
Some highlights are:
* Tail multiple pods in one view, even from different namespaces. The log output is combined and sorted by timestamp.
* Timeline view to identify problems and navigate to results quickly.
* Search with regular expressions. Use custom colors to visually highlight, and a summary, to quickly find and navigate in the results.
* Save searches, so they can be easily reused. Mark them as default, and they will be active directly when opening a new log.
* Multiple tabs and clusters
You can find some screenshots here:
[https://kubelog.de/docs/getting-started/introduction/](https://kubelog.de/docs/getting-started/introduction/)
https://redd.it/yg1p09
@r_devops
Online DevOps labs or bash scripting exercises? = Prepare for interviews
Hi,
I recently applied for a DevOps role, and they required me to do an online bash scripting test-taking data from Virtual Machines, which I was unprepared for and very difficult. Are there labs online I can go through to practice this?
Thank you!
https://redd.it/yg2h7v
@r_devops
Need Help - Finding a GitLab versioning solution for Monorepos
For work, we're looking to do an automated changelog, versioning, and publishing to Artifactory strategy for a pnpm monorepo. The pnpm to Artifactory publishing works great, but after days of searching, it seems like all the major versioning package options for monorepos like `lerna`, `changesets`, and `auto` don't work with GitLab; each one with open issues.
Does anyone know of a solution? I'm tearing my hair out trying to find something that works. Our team isn't migrating to GitHub anytime soon which would solve a lot of these issues.
https://redd.it/yg2913
@r_devops
Monitoring in DevOps
There are many monitoring tools and plug-ins. Requirements and goals are different for each. What should I use for GitLab CI/CD tracing and monitoring?
https://redd.it/ygb2px
@r_devops
We code most of our DevOps tooling in typescript - are we bad people?
Our apps are written in typescript, node backend, react frontend. So it made sense to use typescript everywhere we could.
We use cdktf with typescript instead of using the native HCL language for terraform and almost all of our build, deploy etc scripts are typescript.
We use ts-node to execute them so we don't have to transpile them into js first (although obviously that happens in the background).
So far this is working really well for us but I know it's not the norm so just wondered if there was any obvious down sides you fine folk can think of?
https://redd.it/ygj2eh
@r_devops
What tools do you use to map out microservices?
Hey all! Just wanted to ask a pretty general question but it's been bugging me.
Currently, just using a combination of Draw.io, custom solutions and grafana. It just seems like a lot of trade offs and work being repeated. Wondering if anyone has a solid solution for this "problem." I guess a bit more detail, just looking for something that lets teams manage their own portion of the "map" so we can hopefully get a high level overview and then "drop" into lower levels.
Seems like datadog comes up a lot when I poke around in this area but I can't say I've had experience with them.
Thanks!
https://redd.it/yglmre
@r_devops
As a devops engineer where have you done real coding not bash/powershell scripting
Just want to know what language current industry trends require and where exactly have you used it
Example: I have written Python scripts for cleaning up Azure resources, but most of the work I get done using bash/PowerShell
https://redd.it/ygdtw2
@r_devops
Should I forget about it?
A recruiter reached out to me for a position of DevOps at a start-up that offers low cost food to less deserving school going children in Kenya and I bombed the interview (it was a simple on-site conversational interview about my past projects, experience and also programming languages I've used).
It seemed like it was a fairly simple solution that involved using IoT wrist bands and the tech stack is React + Spring Boot.
I was to start this month but I got an email that they were having internal issues and they've paused hiring for now. I have been jobless for the past 8 months and this news kinda sucked because I was very hopeful things would go my way and the fact that I was working for an NGO that was working to solve hunger in young children gave me a sense of purpose to work.
Was HR politely rejecting me, or should I give them more time? Maybe they'll get back to me?
https://redd.it/ygl0pn
@r_devops
Best way to learn YAML for Azure Pipelines?
Hi,
I'm looking for advice on how to become proficient in Azure Pipelines. Any good resources, training paths, roadmaps, general advice for this?
TIA!
https://redd.it/ygskku
@r_devops
How Are You Collecting CICD Metrics?
I think this is an area of observability that not many people are really doing well.
I'd like to start collecting metrics on the performance of our pipelines, and looked into something like Datadog metric collection via Github Actions.
But I'd just like to get your take on how you're collecting metrics for your pipelines. Are you running an extra step at the end, to collect the data per pipeline? Or per stage/step? Or are you running as a cron, hitting the api?
https://redd.it/ygzxor
@r_devops
Kibana asks for Enrollment Token while trying to implement ELK stack in ECS Fargate.
Kinda Noobie Question. I'm trying to implement ELK stack in ECS Fargate for my own practice.
I created individual basic docker images of Elasticsearch, Kibana and Logstash and pushed it to ECR registry.
I then use it to create a Task Definition and use the task definition to create a service and a cluster. There is only one Elasticsearch container, one Kibana Container, and one Logstash Container and no multiple containers with Loadbalancer. When I implement it this way Kibana is asking for Enrollment Token which we need to generate from the Terminal of Elasticsearch Container. But if I setup ELK stack with the same images in an EC2 instance or my local machine it's working properly with the token.
From what I've searched, it might be because ECS automatically enables all the security features of Elasticsearch and we can't disable it. But not 100% sure. That might be the reason why I can also only access the Elasticsearch page using the HTTPS protocol instead of HTTP. I tried to disable the security, but it is not getting disabled.
Is there any way to set up ELK in ECS Fargate without the means to generate a token, or is there a way to execute commands to generate a token in the Elasticsearch container in Fargate?
https://redd.it/yh0z3z
@r_devops
What happens if a file hasn't changed while taking a snapshot in github?
So, git works like this:
1) You commit.
2) git takes picture(snapshot) of what all your files look like at that moment and stores reference to that "snapshot".
If files haven't been changed what happens here?
The answer is written in the source website, but I didn't get it.
Source: https://git-scm.com/book/en/v2/Getting-Started-What-is-Git%3F
https://redd.it/yh664o
@r_devops
Ansible introduction for beginners
I hope this quick Ansible introduction can help beginners understand why ansible is required. It can help you in your devops path.
https://redd.it/yha0h6
@r_devops
Voidquark
Ansible introduction for beginners | VoidQuark
This blog post will focus on a simple and quick explanation of what Ansible is and what it can do.
Can anyone ELI5 the difference of usecase for CloudFront vs Elasticache
Both are caching solutions, but when is one useful compared to the other?
https://redd.it/yh9tkt
@r_devops
How push and pull-based communication architectures are used with synchronous and asynchronous services
Hi all, I spent some time writing up a guide to using message queues and streams especially on AWS. Would appreciate any and all feedback: https://yehudacohen.substack.com/p/a-comprehensive-guide-to-communication
https://redd.it/ygxno3
@r_devops
Fun With The Cloud
A comprehensive guide to communication in distributed systems with AWS
Part 1 of 2: How push and pull-based communication architectures are used with synchronous and asynchronous services
Network engineer or Devops engineer
I have a Masters in electrical and computer engineering. I have more of my background in controls(5years) and currently working as a controls engineer. I have lost interest in my field due to two reasons extra long working hours and having to stay away from family either due to long travel or working at remote locations.
I have a little bit of IT background as well with my coursework. I have built up an interest with some of my research and also because my friends work in the same fields. I started networking by learning CCNA for certification, but for some reason I feel more interested in DevOps, maybe also because my wife works in DevOps.
It’s not a random decision. I want to give my proper time and learn the skills needed. I thought networking would be more aligned as I had taken some coursework.
I know I have to go through a lot of prep and build up my skills. I want to know what career would be good for long term. How successful can one be and how long is the road to being comfortable. Also, in terms of pay and work life balance.
Thank you!
https://redd.it/yhk4mv
@r_devops
Difference between DevOps Engineer, Site Reliability Engineer, Cloud Engineer, Software Engineer - Infrastructure, Platform Engineer?
What is the difference??? I am so confused.
https://redd.it/yhlwq6
@r_devops
What are the biggest issues faced by DevOps/DevSecOps developers?
I'm curious about the biggest pitfalls that DevOps engineers experience right now. I would love to know your tech stack and the specific issues you face at a production level. I'd be especially interested to hear from the senior engineers out there.
https://redd.it/yhmz89
@r_devops
[Q] I can't make work Drone CI secrets (type docker) - Extra: sometimes Drone doesn't run the CI
Hi everybody!
I'm new with Drone and I'm trying to figure out how it works.
Their documentation seems to be a little poor or outdated.
First I set up the secret called "secret_name" in the Secret Drone section in a repo called "test-repo".
Then I commit the "test-repo" with this `.drone.yml` file in it:
```yaml
---
kind: pipeline
type: docker
name: Drone YAML CI testing

steps:
  - name: test_drone_docker
    image: alpine:3.9
    commands:
      - echo "show hello world by drone"
      - echo $(pwd)
      - echo -e ${user}
    settings:
      user:
        from_secret: secret_name
```
And the result is the following:
```
latest: Pulling from library/alpine
Digest: sha256:bc41182b7ef5ffc53a40b044e762933bc10142b1243f395ee852a8c9730fc2ad
Status: Image is up to date for alpine:latest
+ echo "show hello world by drone"
show hello world by drone
+ echo $(pwd)
/drone/src
+ echo -e
```
What am I doing wrong or missing?
---
EXTRA:
I have Drone integrated with my Gitea instance, and sometimes after a change, Drone CI never starts. It's like it doesn't see some commits.
For example:
`git commit -m "Change readme.md"`
`git push`
Task #1 runs ok
`git commit -m "Add a line to readme.md"`
`git push`
Here the task #2 should run, but nothing happens.
Any idea?
Is Drone a little buggy, or am I just using it in a wrong way?
Thanks!
---
Drone image docker version: `drone/drone:2`
Drone runner version: `drone-runner-docker:1`
Gitea version: `gitea/gitea:1.17.3`
I've drone installed with Gitea
https://redd.it/yhmbwn
@r_devops
should i go for it?
I have 10 years of experience in support/devops/infra. This is for a Sr. DevOps role; I have a final system design round pending. This is my first time in my career giving an SD round. If I tell the panel that this is my first time for an SD round, what message does it convey? Would like to hear your thoughts
Edit: adding one more question
What smart questions can I ask the panel (2 members) at the end of the interview? If selected, they will be my future teammates.
I'm thinking of asking the questions below:
What traits are you looking for in a teammate?
What does the regular day at work look like?
Of all my skills which is the most important for the role?
https://redd.it/ygrvke
@r_devops