🎞️ This is how we maintain & release Secured Software on Github 🤖

adriens - May 9 '22 - - Dev Community

❔ About

Like many organizations, we have to develop & maintain (aka. BUILD & RUN) common software.

☝️ This process involves a lot of things that have to be achieved if you want a robust and secured software release pipeline.

I'll showcase here how we achieved all these challenges on a common Java library dedicated to logging:

opt-nc / opt-logging

The reference library for generating well-formatted logs at OPT.

Badges: semantic-release, SonarCloud Quality Gate Status

opt-logging

This library contains the 2 logback configuration files recommended for application development at OPT-NC.

All logs go to the same .log file (${LOG_FILE}), except business logs, which go to a single .json file (${LOG_FILE_JSON}) when that need is expressed.

⬇️ Importing the public dependency

This dependency is publicly available via Jitpack.

🪶 Maven

Add the Jitpack repository:

<repositories>
  <repository>
    <id>jitpack.io</id>
    <url>https://jitpack.io</url>
  </repository>
</repositories>

Then the dependency:

<dependency>
  <groupId>com.github.opt-nc</groupId>
  <artifactId>opt-logging</artifactId>
  <version>Tag</version>
</dependency>

🐘 Gradle

Add the repository:

allprojects {
  repositories {
    ...
    maven { url 'https://jitpack.io' }
  }
}

Then the dependency:

dependencies {
  implementation 'com.github.opt-nc:opt-logging:Tag'
}

:octocat: Importing the dependency via

🏎️ Time to Market

Software release pipelines face an ever shorter Time To Market.

In fact there is no real alternative:

maintenance & release tasks have to be drastically automated... and security concerns should be embedded on the left side of the pipeline, not bolted on at the end.

🛡️ Security

We have three complementary ways of achieving security tasks on our pipeline:

  1. Dependabot alerts, so we get Pull Requests that notify us of the risks in our dependencies
  2. CodeQL scan as part of GitHub Advanced Security (aka. GHAS)
  3. Docker image scan (see previous dedicated post)
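As an added illustration (not configuration taken from the opt-logging repository), here is what the first two items look like as files committed to the repository: a `.github/dependabot.yml` that keeps Maven and GitHub Actions dependencies updated through Pull Requests, and a `.github/workflows/codeql.yml` that runs CodeQL on pushes, Pull Requests and a weekly schedule. Dependabot alerts themselves (and Dependabot security updates) are switched on in the repository's security settings; the YAML below configures version updates, which is what produces the routine update PRs. Branch name, schedule and Java version are assumptions for the example.

```yaml
# .github/dependabot.yml (added example, assumed values)
version: 2
updates:
  # Open PRs when a Maven dependency in pom.xml has a newer version
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
  # Also keep the actions used by the workflows themselves current,
  # so a vulnerable or unmaintained action is noticed too
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# .github/workflows/codeql.yml (added example, assumed values)
name: CodeQL

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Weekly run so new CodeQL queries are applied even without commits
    - cron: '0 6 * * 1'

# Least privilege: the job only needs to read the code and
# upload SARIF results to the Security tab
permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: github/codeql-action/init@v2
        with:
          languages: java

      # Autobuild detects the Maven project and compiles it so the
      # Java database can be extracted
      - uses: github/codeql-action/autobuild@v2

      - uses: github/codeql-action/analyze@v2
```

With `security-events: write` the findings land in the repository's Security tab and, on Pull Requests, as annotations; branch protection can then require the CodeQL check to pass before merging, which is what "security on the left side of the pipeline" means in practice.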

Then, to release software, we rely on semantic-release to implement a solid Semantic Versioning scheme and get a fully automated version management and package publishing pipeline.
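As an added example (not the release configuration of the opt-logging project), here is a minimal semantic-release setup for a Jitpack-published Java library: a `.releaserc.yml` that computes the next version from conventional commit messages and creates the GitHub release and tag, and a `.github/workflows/release.yml` that builds the library, then runs semantic-release on every push to the release branch. Since Jitpack builds from Git tags, the GitHub release plugin is enough; no artifact upload step is shown. Branch name, Java version and the Maven command are assumptions.

```yaml
# .releaserc.yml (added example, assumed values)
branches:
  - main
plugins:
  # Reads commit messages: fix -> patch, feat -> minor,
  # "BREAKING CHANGE" footer or "!" -> major
  - "@semantic-release/commit-analyzer"
  # Generates the changelog section for the release notes
  - "@semantic-release/release-notes-generator"
  # Creates the Git tag and the GitHub release with those notes
  - "@semantic-release/github"
---
# .github/workflows/release.yml (added example, assumed values)
name: Release

on:
  push:
    branches: [ main ]

# semantic-release needs to push a tag, create the release and
# comment on the issues/PRs it closes; nothing else is granted
permissions:
  contents: write
  issues: write
  pull-requests: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history so commit-analyzer sees every commit since the last tag
          fetch-depth: 0
          # Let semantic-release authenticate with GITHUB_TOKEN instead of
          # the checkout credentials
          persist-credentials: false

      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'

      # Run the build and tests first: nothing is released if they fail
      - run: mvn -B verify

      - uses: actions/setup-node@v3
        with:
          node-version: 'lts/*'

      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The workflow never decides a version number by hand: a push containing only `fix:` commits produces a patch release, a `feat:` commit a minor one, and a breaking change a major one, and a push with no releasable commit produces no release at all.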

🍿 Démo

Here is the full secured & automated release process 👇

🧰 Stack

🔖 Related contents

⛯ Scan Docker images 🛡️

🔂 Semantic release demo 🎞️

Semantic release intro demo: