This project is intended for use as a model to play with some more DevSecOps principles in a practical way. It is an enrichment activity and is not graded.
This exercise will take you through setting up a simple DevSecOps pipeline for a Python project. The example Python project is a simple client that interacts with the OpenWeatherMap API. The project contains some limited tests.
In the course of this exercise, you will set up your own copy of the repo to build in TravisCI, using pytest to perform automated testing and coverage analysis, SonarCloud to perform security scanning and reporting, and Coveralls.io to provide coverage reporting.
After setting up the pipeline, there are some opportunities to improve the project's performance in the pipeline.
- Python 3.7+ (tested against 3.8 and 3.9)
- Python virtual environment module (I use
virtualenv
(pip3 install virtualenv
)) - Github account
- travis-ci.com account (https://travis-ci.com, sign in with your Github account, choose the free plan, don't add any projects yet)
- coveralls.io account (https://coveralls.io, sign in with your Github account, choose the free plan, don't add any projects yet)
- sonarcloud.io account (https://sonarcloud.io, sign in with your Github account, choose the free plan, don't add any projects yet)
- Fork the repo https://github.com/jwoytek/2021-lge-devsecops to your own Github account
- Go into your Github user settings
- Scroll down to select "Applications". You should see TravisCI and SonarCloud here.
- Click "Configure" for TravisCI.
- Under Repository Access, choose "Only select repositories", and select your fork of the 2021-lge-devsecops repository from the drop-down.
- Read and click through any approval prompts.
- Click Save.
- Click again on "Applications" on the left bar.
- Click "Configure" for SonarCloud.
- Under Repository Access, choose "Only select repositories", and select your fork of the 2021-lge-devsecops repository from the drop-down.
- Read and click through any approval prompts.
- Click Save.
- Clone your forked repository to your development machine.
- cd into the 2021-lge-devsecops directory.
- Create a virtual environment for testing:
virtualenv -p python3 venv
- Activate the virtual environment:
. venv/bin/activate
- Install the Python requirements:
pip3 install -r requirements.txt
Run local tests: py.test --cov --cov-report=xml owm tests -vv
All tests should complete successfully.
This is not required, but if you would like to see the client in action,
you will need to sign up under the free plan for the OpenWeatherMap API.
Once you have signed up, get your API key, and paste it into a file in the
repository root named .apikey
. Once this is done, you should be able
to run test.py
to see the weather in Pittsburgh and at a nearby
location.
- Go to your SonarCloud.io account.
- Use the "+" menu at the top right to add a new project.
- You should see your repo listed here. Select it to import the project.
- Once the initial import and analysis is complete, click on the project to view it.
- Under the Administration menu, choose "Analysis Method".
- Turn OFF "SonarCloud Automatic Analysis". This needs to be OFF so that TravisCI can trigger the analysis as part of the pipeline.
- Under Administration menu, go to "Update Key".
- Copy the update key listed. We will use this in a future step.
- Click your profile photo in the top right, then go to the Security tab.
- Create a token. The name does not matter. Copy the token. We will use this in a future step.
- Go to the Organizations tab.
- Copy the "Key" for your organization. We will use this in a future step.
- Go to your TravisCI account.
- Select your 2021-lge-devsecops repository.
- From the menu at the right, choose "Settngs".
- Under Environment Variables, enter a new variable named "SONAR_TOKEN", and paste in the security token you created in step 10.
- In the repository directory, edit the
.travis.yml
file. This is the TravisCI configuration file. - Locate the "organization" value under "sonarcloud". It is set to "jwoytek" by default. Change this to the organization key copied in step 12.
- Save the
.travis.yml
file. - Edit the
sonar-project.properties
file. This is the SonarCloud configuration file. - Change the value of the
sonar.projectKey
to the "update key" copied in step 8. - Save the
sonar-project.properties
file. - Go to your coveralls.io account.
- Click the "+" to add a repo.
- Locate your repo in the list and click the switch to "on".
TravisCI will build whenever a commit is pushed to your repo. You can also trigger a build manually from within TravisCI. Here, we are going to commit the changes to the TravisCI and SonarCloud files, which will trigger a build, and should execute all of the steps to test, scan, and report scan and coverage results if all went well.
Commit the two modified configuration files in your repo, and push them to github. This will trigger an automatic build cycle in TravisCI.
Go to your TravisCI account, and in the dashboard you should see a new job running.
Follow along in the log, and you should see TravisCI set up the the environment, execute the python tests, execute the SonarCloud scan, report the SonarCloud results, and then upload the coverage results to coveralls.io.
Once the build is complete and if it succeeds, you should see the build job logs in TravisCI, Github should show a green check on the project by the latest commit, SonarCloud.io should show a report on the project scan, and coveralls.io should show a report on code coverage from the tests.
You should notice that the code is not 100% covered by tests. Use the reporting in coveralls.io to locate the code that is not covered by tests, and create tests such that coverage reaches 100%.
SonarCloud.io will show two "code sniffs", pointing out some things that could be improved in the code. Attempt to fix one or both of these inefficiencies.
Create a branch and made some modifications to the branch, then create a pull request. Observe the automatic testing and reporting that Github will show during the TravisCI pipeline run to assist in evaluating a pull request prior to merging.