GitHub ActionRelease: Add DAST and OSINT to your security pipelines

Howdy!

I'm excited to share with you my latest contributions to the GitHub community: a collection of free GitHub Actions designed to streamline and enhance security practices utilizing DAST and OSINT tooling that is widely used - sqlmap, bbot and nikto. There were no GH Actions that I could find, so I made them for my use case, but figured everyone can benefit from those awesome tools.

# Action - 🗺️ - sqlmap

The famous sqmap - perform automated (or semi-automated) penetration testing on your releases:

https://github.com/marketplace/actions/thereisnotime-action-sqlmap

# Action - 🤖 - bbot

One of the newer OSINT automation tools on the block, I personally love it so here it is:

https://github.com/marketplace/actions/thereisnotime-action-bbot

# Action - 🎯 - nikto

A stable and tested tool that can easily scan a ton of endpoints for security issues:

https://github.com/marketplace/actions/thereisnotime-action-nikto

WIP: Currently I am working on a nice workaround to generate outputs from the actions and not directly from the tools (but you can still use the tool outputs in your job steps) and after that I will add more examples (the way I use it for regular security compliance reports etc.).

Because those amazing tools have a ton of parameters, one of my main goals was to provide an easy option to provide custom arguments instead of wrapping each one and also re-use as much as possible from the official or at least most supported Dockerfiles where available.

Feel free to try them out, provide feedback, or even contribute to their development. The actions are under active development but they are working. Your input is valuable in making these actions even more robust and effective.

If you find them useful, please leave a ⭐ in GitHub.

https://redd.it/13v3ega
@r_devops

Seeking advice for joining a DevOps team for the first time

I'm starting an internship in a couple weeks as a software engineer on the companies DevOps team and I haven't been given a lot of information on the tech stack other than them saying to learn groovy (I'm already pretty experienced in java, so syntax shouldn't be problematic to learn). I understand that groovy is used to write scripts in Jenkins for CI/CD pipelines, but I'm not sure if that's exactly what I'll be doing. Does anyone have any advice of things to be aware of / things I should give extra attention to when learning groovy in the context of this role?

https://redd.it/13v538h
@r_devops

Angular universal with docker giving bad gateway

I am trying to dockerizing a angular universal app using nginx, and it's giving me really hard time.
It keeps saying 502 bad gateway and I am unable to wrap my head around it.

Here is my docker file

​

FROM node:14-alpine AS builder
WORKDIR /app
COPY . .
RUN npm i && npm run build:ssr
FROM nginx:alpine
WORKDIR /usr/share/nginx/html
RUN rm -rf ./
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=builder /app/dist/front-end-kevi .
ENTRYPOINT ["nginx", "-g", "daemon off;"]


In my server.ts file, I am starting the app on port 4000.So I am starting the docker image using this command


>
docker run -d -p 4000:80 kevin


for the reference, here is my nginx conf file.

​

server {
listen 80;
server_name localhost;

root /usr/share/nginx/html;
index index.html index.htm;

location ~ \.(eot|ttf|woff|woff2)$ {
addheader Access-Control-Allow-Origin *;
}

location / {
proxypass https://localhost:4000;
tryfiles $uri $uri/ =404;
}

location /OrderMationApi/api/v3/ {
proxypass https://102.133.225.222;
}
}

and I am getting this error in error logs

​

>
7#7: *1 connect() failed (111: Connection refused) while connecting
to upstream, client: 172.17.0.1, server: localhost, request: "GET /
HTTP/1.1", upstream: "https://127.0.0.1:4000/", host: "localhost:4000"


​

Any idea where I am doing wrong?
Any help is highly appreciated.
Thanks in advance.

https://redd.it/13uyyfj
@r_devops

Cloud providers - VPC

I am architecting a cloud based solution where proxmox will be the main hypervisor and VMs LXC etc will be hosted. I will have people from all over the world connecting via VPN to mostly windows machines and I am looking for a reliable provider that has different regions.

OVH does the trick as it has got data centers in all regions and it is definitely a candidate. I like to keep my infrastructure tidy and manageable but in other hand, having all the eggs in one basket has never been best practice.

What is your opinion here? Let’s say I’m to build 3 proxmox builds in different geographical regions, all in OVH or spread them out?

https://redd.it/13ux67u
@r_devops

Seeking Best Practices for Local Development in a Microservices Environment

I am currently working on a personal learning endeavor by standing up a Kubernetes-based microservices architecture with Docker containers. I can already anticipate facing challenges enabling effective local development while ensuring that production environments are not endangered. In my career, we almost always blur the lines between healthy local development, shared test clusters, and pushing the boundaries of working within production...

Some paint points I'm encountering already:

1. Setting up local environments: What's the best way to run and debug a specific microservice locally? We've looked into Minikube and Docker Compose, but are there other options we should consider? Is this even tenable at a certain size?

2. Managing dependencies: With so many interdependent microservices, how do we stub or mock these services locally for development purposes?

3. Configuration management: How do you manage shared configuration and secrets in a way that is secure but also accessible for developers?

Any suggestions on tools, best practices, or resources (books, blogs, courses) are highly welcome. Thanks in advance for your help!

https://redd.it/13vg0sm
@r_devops

Looking for DevSecOps Practical Guides or Tutorials

So I'm currently into DevOps and would love to move into DevSecOps. There are plenty of blogs on internet but all the talk about the methodology and theory part of DevSecOps not the practical part. I only got one link which showed how to implement Security in CI CD Pipeline using Jenkins and SonarQube with Some SCA tool. Any link regarding the DevSecOps practice will be really helpful.

Thanks 🙏🏻

https://redd.it/13vi12w
@r_devops

Felon looking to get into software dev

Looking for guidance and advice on entering the software development community with a felony. What certs should I aim to test for to likely land an entry level job, what jobs are in highest demand in 2023 and how much will my felony record (one felony, drug related and 5 years old) impact my ability to get a job in this industry. Thanks

https://redd.it/13vmnk0
@r_devops

Work from Home requirements

Hi. Not sure if this is the correct place to ask this question but after getting no response from other subs thought I would ask here. I’m curious to learn if being in a hotel would disqualify my ability to secure a role WFH. I have been considering getting a travel modem as well as signing up for a firewall/vpn service; not sure if this adequately secured my privacy in general much less to be able to be employed as a WFH executive. Any insight or direction would be most appreciated.

https://redd.it/13vohu4
@r_devops

sonarqube 9.9 LTS error

Hi Team , we are testing sonar 9.9 LTS and encountered this error message in jenkins console, even i trying to pass java home to 11 still same issue , also on jenkins console output if i echo java -version it says **openjdk version "11.0.16" 2022-07-19**

mvn sonar:sonar -Dsonar.qualitygate.wait=true -Dsonar.host.url=https://xx.xx.xx.xx:9000 -Dsonar.java.jdkHome=/data/jenkins_home/tools/jdk-11

**failed: An API incompatibility was encountered while executing org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar: java.lang.UnsupportedClassVersionError: org/sonar/batch/bootstrapper/EnvironmentInformation has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0**

https://redd.it/13vqbey
@r_devops

Understanding Metrics, Events, Logs and Traces - Key Pillars of Observability

https://last9.io/blog/understanding-metrics-events-logs-traces-key-pillars-of-observability/

https://redd.it/13vsn8n
@r_devops

Advice for new employee in a (so far) toxic work environment

Started a new devops job a few weeks ago as a new college grad and it isn't going particularly well. The organization has a pretty restrictive environment with barely any public facing services which means that doing anything on the network requires knowledge of the internal architect to get anything done.

Issue is is my counterparts are supposed to be helping me and guiding me through this environment but it's not going well at all. Simple questions are often left with with one word answers that don't explain what I need help with. It's seems as if they are annoyed with me for asking simple things, but how am I supposed to know where the test certificates are or what the authentication is for a server when there is zero documentation. I am often sitting at my desk for hours rerunning the same commands while they watch my command history on my account just to bring it up later on in a meeting or something to have a laugh.

Ive been assigned a simple app update as my first solo task and while I know the general steps of redeploying the app with the update, I am hitting every small road block you can think of because of the architecture. I can't get anything answered for me like how should I bring up this database, how do I auth with our repo, how do I access server X, why can't I hit this webpage, etc etc.

I came from an internship of great people who genuinely wanted to help me. And this team even seems fine outside of these 3 bozos. Problem is, the rest of the team isnt DevOps but instead SW Engineers they can't help much. I feel like I'm in a place where not knowing is offensive, and the stress just doesn't feel worth it. Of course I moved to a small town where the industry knows each other.

Any advice from someone who has maybe been here before? I'm losing my mind

https://redd.it/13vu90h
@r_devops

0auth2 issues with curl script in Python

Hi, I'm new to 0auth2 and using it to get creds for REST APIs. I fill in this info and drop the script in my Windows CLI and the script just drops with no value return. I try to run 0auth2 in Postman and I get the below output.

Any ideas?

{"detail":[{"loc":["body","grant_type"],"msg":"field required","type":"value_error.missing"}]}

​

curl -X POST https://HIDDEN.com \
-H "Accept: application/json" \
-H "API-Token: <INSERT API TOKEN>" \
-u "<INSERT CLIENT ID>:<INSERT CLIENT SECRET>" \
-d "grant_type=client_credentials"

https://redd.it/13vtiz1
@r_devops

Suggestions on architecture

I have a service, customer facing, I have 10 pods in Parallel, I have to limit the request I get in a queue and send the request to the servers based on their cpu/mem usage? What’s the best way to implement this? Can we do this using kafka?

https://redd.it/13vxeg9
@r_devops

Anyone else feels like that after many years of devops?

https://youtu.be/-UYgORr5Qhg

https://redd.it/13vyr79
@r_devops

London , need help

Hiya guys,

I was wondering if anyone can help me get started in the tech industry within London, I'm really struggling to get jobs by myself, I don't know if it has anything to do with my CV (will send you if you pm me) or just my lack of experience. I'm looking for a junior/entry-level job or apprenticeship in any field in tech tbh.

Thank you to anyone who gives me advice

https://redd.it/13w0xmf
@r_devops

Should I always carry a second phone specifically for work?

I currently have one personal phone with no work-related accounts set up on it. I do not want to set up work accounts on my personal phone for 2 main reasons:
I would need to send my internet traffic through my employer's VPN.
My employer would have access to my phone, up to and including the ability to lock and wipe it remotely.

So far I have gone 3 years at this company without a second, work-specific phone. I get pages to my personal phone via SMS, and use my work laptop for all Slack, email, and video calls. I am occasionally level 3/4 on call, for which I am not expressly paid, but also rarely receive any pages.

I am interested to know whether others in the industry think that my current approach is ok, or if it is expected for DevOps engineers to always be reachable not only by phone, but also via Slack and email.

Thanks in advance for your perspectives!

Update: My employer is willing to provide the phone and cell service, so cost is not the issue. Just the fact that I'd always have to carry 2 phones, and be tuned into work communications at all times.

https://redd.it/13w21ny
@r_devops

Open source IAM-as-code through IAMbic

Hello everyone!
We are working on an open-source IAM-as-code solution called IAMbic, and recently added AWS Service Control Policy support (AWS guardrails, typically used for compliance).
IAMbic represents your IAM in Git as YAML Files (called iambic templates). An example repository of templates managed by IAMbic is here. The goal is that you can download IAMbic, and go from your cloud to code in \~10 minutes without needing to write any code. Any changes you make (via clicking in the cloud console, running `terraform apply`, etc) are captured by IAMbic and updated in Git, so you have a running Git history of all IAM changes over time, and Git is an eventually consistent, reliable source of truth for permissions.
IAMbic templates are bi-directional, so when you want to start managing identities in IAMbic (like cookie-cutter engineering IAM roles or AWS SSO permission sets), You go through a GitOps workflow, get approval, and instruct IAMbic to apply the changes. We have some examples in our IAMOps Philosophy docs. If you want resources to be solely managed by IAMbic, you can instruct IAMbic to prevent drift on these resources.
You can also declaratively define temporary access or permissions in the format (Like: "I want userA to have access to the Salesforce app in Okta for 12 hours" or "I want to have S3 permissions to BucketA on the engineering role on the prod AWS account until DATE").
We're really looking for feedback because we want this to be a compelling solution. What are your thoughts? How can we make this better?

https://redd.it/13w4bb2
@r_devops

Do you sometimes also feel like you're too slow?

Small rant.
2nd year in devops - working for a company built by devs for devs.
I had enough grit to learn to be able to build solutions in Python, Java and Go (or whatever other scripting language) in a decent manner.


You throw a problem at me and I fix it.
Have an idea? No problem - I'll make it happen.


Still. They make me feel like I'm too slow, like I'm not respected because of my ops background - but I think that in reality the tasks I get are novel enough to become slogs and need quite a bit of planning, experimentation and creativity to be finished. And more often than not some help from GPT to simplify and optimize code.
Every project is a context change for me and has more often than not never been done in our environment - most of the time using new technologies - and they still get angry that I'm just a tad faster than our junior devs (and I myself am a junior, find the error).
Next to that my focus is in stability - theirs is in getting it done yesterday.
Doesn't work as expected? Pff... just debug it 100 times till it works together with the devs.
Why do it right the first time?


The ones that actually think like me are my sysadmin friends. They understand me and my worries.
They know that we have to make blood sacrifices to the observability gods (as an example).

But for real now, what is going on?
I don't have a handful of techs I use for every single project because I'm specialized in doing one thing every day and because my solutions are routine.
I don't have any framework I can use as crooks or any mentor to fall back on if the project is novel to everyone. Ok, no, even for the simplest stuff I don't have anyone to ask.
I don't even have a teammate and have to handle 30 devs.
I even do my own task planning and whatever else you need to do to keep the ball rolling in an efficient manner.


Is there someone else here in a similar situation?
Any thoughts?

https://redd.it/13vvnwg
@r_devops

Rancher vs OpenShift opinions

I'm thinking of going with Rancher for cluster management and stuff. However, I'm aware there's also OpenShift. I'm wondering which of the two do you guys recommended, and what are you basing this on? Seems to me Rancher is less opinionated and can manage any cluster, anywhere, while OpenShift seems more opinionated and likely more suited for workloads already on Open-hift. I might be wrong, just wanna hear your thoughts. I'm a noob to kubernetes.

https://redd.it/13w5mz7
@r_devops

Retriggering github workflow from github action

Hi,

&#x200B;

I have a couple different github jobs that run when a PR is opened on my terraform repo. The first job is it runs terraform format, and if there's a diff, it creates a commit and pushes it. This hasn't been an issue until recent updates to our github actions.

I recently added tflint and tfsec jobs with an integration to problem matcher so I can get annotations on the files that changed in the PR. The issue is, when terraform format does actually make a change, the follow on jobs running tflint/tfsec put their annotations on the commit that triggered the action, not the commit that terraform format created. I've tried passing in the latest commit id,etc and that doesn't seem to solve the annotations being on the previous commit, instead of latest commit.

Is there some way to basically re-trigger this workflow when terraform format creates a commit. I've tried doing a couple things with passing in PATs vs the github token but it seems like the github action backend is still not firing the action. I feel like there is something obvious I'm not seeing but my rubber ducky isn't talking back lol.

Here's a little snippet of the github action file:

name: Terraform Pipeline
on:
pull_request:
branches:
- main
paths:
- terraform/**
permission:
id-token: write
contents: write
pull-requests: write

jobs:
format:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkou@v2
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Set up Terraform
uses: hashicorp/[email protected]
- name: Format Terraform code
id: tf-fmt
run: terraform fmt -recursive
continue-on-error: false
- name: Push changes to Pull Request
run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git status | grep -q "nothing to commit, working tree clean" && echo "Formatting ok, no changes made" || git commit -am "terraform fmt - PR #${{ github.event.pull_request.number }}" && git push

otherjobs:
...

&#x200B;

https://redd.it/13w4kvy
@r_devops

Creating ChangeLogs/Auto Tag Releases in mono-repo

I've been looking for a good system to automatically create ChangeLogs and tag commits for release. Seems like there are tons of options, but no consensus on what is wildly used. Any advice/articles to point me in the right direction would be amazing.

Primarily use Azure Pipelines for work, but looking at gitea actions, GitHub actions, or gitlab for personal projects and would most likely self host.

Thanks in advance!

https://redd.it/13w7ir1
@r_devops