How to Build a Software Factory

(This page is still in the draft stage and has not been formally published.)

This post covers how to build a CI/CD pipeline on AWS with SAST and DAST tools of your choice. The architecture of this solution is provided by Mr. Manepalli, senior Solutions Architect at AWS, and is available at this link. The end result is that you only need to push your code to a git repository; everything else is automated (except where manual approval is required).


Prerequisites

This post requires that you have these seven items completed before starting the tutorial:

  1. A region selected
  2. AWS Config and AWS Security Hub enabled
  3. An application (a simple Hello World will do) deployed on Elastic Beanstalk
  4. The application’s code repository on CodeCommit

Next, to complete the prerequisites,

  5. Download this project from GitHub
  6. Move just the Lambda functions (as a zip archive) to an S3 bucket
  7. Move the .properties, .json, .neon, and all the buildspec*.yml files to the root folder of your CodeCommit repository.

If you’ve completed Part I of this series, you already have an app deployed on Elastic Beanstalk. Here we continue where Part I ends: steps 1-4 below cover prerequisites 5-7.

1. Go to this GitHub page and download the project.

2. In the unzipped folder, find the file codepipeline-template.yaml. The template was written for the AWS GovCloud (US) partition, so, using a text editor of your choice, replace every occurrence of arn:aws-us-gov with arn:aws, and replace amazonaws-us-gov.com with aws.amazon.com. Check the context of each hostname before you save: in the commercial partition, console links use console.aws.amazon.com, while service endpoints and service principals use amazonaws.com.

3. In the same unzipped folder, find the folder lambda-functions. Zip its contents, not the folder itself: the handler name you enter later (import_findings_security_hub.lambda_handler) tells Lambda to import import_findings_security_hub.py from the root of the archive, so run the zip command from inside the folder. If you use Finder’s Compress "lambda-functions" on a Mac, the archive nests everything under lambda-functions/ (and adds __MACOSX entries), and Lambda will not find the handler; re-zip from inside the folder instead. Once you have a .zip file, rename it to import_findings_security_hub.zip and upload it to the S3 bucket.

[Image: zip deployment to Lambda from S3]
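The artifact preparation from steps 2 and 3, scripted as an added example (this is not code from the page or from the AWS sample project). It assumes the project was unzipped into the directory given as the first argument, that the handler file is named import_findings_security_hub.py, and a hostname mapping for the partition rewrite (console links to console.aws.amazon.com, every other amazonaws-us-gov.com host to amazonaws.com) that you should confirm against your own copy of the template. The two checks are the point: no GovCloud string survives in the edited template, and the handler module sits at the root of the archive, which is what the LambdaHandlerName parameter promises CloudFormation.

```sh
#!/bin/sh
# Added example, not code from the page or the AWS sample project: prepare the
# template and the Lambda package (steps 2 and 3) and check both before upload.
# The project directory, bucket name and handler file name are assumptions.
set -eu

# to_commercial_partition IN OUT : rewrite the GovCloud template for the
# commercial partition. Console URLs become console.aws.amazon.com; any other
# amazonaws-us-gov.com host becomes amazonaws.com (assumed mapping; confirm it
# against whatever your copy of the template actually contains).
to_commercial_partition() {
  sed -e 's/arn:aws-us-gov:/arn:aws:/g' \
      -e 's/console\.amazonaws-us-gov\.com/console.aws.amazon.com/g' \
      -e 's/amazonaws-us-gov\.com/amazonaws.com/g' "$1" > "$2"
}

# no_govcloud_refs FILE : fail if anything GovCloud-specific survived the
# rewrite (region names such as us-gov-west-1 are not touched by the sed above
# and have to be fixed by hand).
no_govcloud_refs() {
  if grep -n 'us-gov' "$1"; then
    echo "GovCloud references remain in $1; fix them by hand" >&2
    return 1
  fi
}

# build_lambda_zip SRC_DIR OUT_ZIP : zip the *contents* of SRC_DIR so the
# handler module lands at the archive root. Zipping the folder itself (or
# using Finder's "Compress") nests everything under lambda-functions/.
build_lambda_zip() {
  out=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
  rm -f "$out"
  if command -v zip >/dev/null 2>&1; then
    (cd "$1" && zip -qr -X "$out" . -x '*.DS_Store' '__MACOSX/*')
  else
    (cd "$1" && python3 -m zipfile -c "$out" .)   # fallback when zip is absent
  fi
}

# zip_entries ZIP : one archive member name per line.
zip_entries() {
  if command -v unzip >/dev/null 2>&1; then
    unzip -Z1 "$1"
  else
    python3 -c 'import sys, zipfile; print("\n".join(zipfile.ZipFile(sys.argv[1]).namelist()))' "$1"
  fi
}

# handler_at_root ZIP HANDLER : succeed only if HANDLER's module (the part
# before the last dot, e.g. import_findings_security_hub) is a top-level .py
# file in ZIP. This is the layout LambdaHandlerName promises CloudFormation.
handler_at_root() {
  module="${2%.*}"
  zip_entries "$1" | grep -qx "$module.py"
}

# Usage: sh prepare.sh <unzipped-project-dir> <s3-bucket>
if [ $# -eq 2 ]; then
  to_commercial_partition "$1/codepipeline-template.yaml" "$1/codepipeline-template.commercial.yaml"
  no_govcloud_refs "$1/codepipeline-template.commercial.yaml"
  build_lambda_zip "$1/lambda-functions" "$1/import_findings_security_hub.zip"
  handler_at_root "$1/import_findings_security_hub.zip" import_findings_security_hub.lambda_handler
  aws s3 cp "$1/import_findings_security_hub.zip" "s3://$2/import_findings_security_hub.zip"
fi
```

The edited template is written to a separate .commercial.yaml so the original stays available for diffing; upload that copy in step 6. If zip or unzip is not installed, the script falls back to Python's zipfile module, which produces the same root-level layout.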

4. Next, move the .neon, .properties, .json and buildspec*.yml files to the root of your CodeCommit repository. There are several ways to do this. One is to go to https://console.aws.amazon.com/codecommit, choose your Beanstalk app repository, and click the “Add file” button on the right-hand side; another is to clone the repository, copy the files in, commit, and push.

5. At this point you have completed all seven prerequisites and can deploy the CloudFormation template you downloaded in step 1 (as edited in step 2). Go to the CloudFormation console, choose Stacks in the left-hand menu, then click the “Create stack” button (“With new resources”).

6. Choose “Template is ready” and “Upload a template file”, and upload the codepipeline-template.yaml you edited in step 2. Click “Next”, give the stack a name, and fill in the parameters:

  • BranchName: if you were following Part I of the series, use master .
  • RepositoryName: the name of the CodeCommit repository where the code for your Beanstalk app resides.
  • LambdaPackageLoc: the name of your S3 bucket.
  • LambdaPackageS3Key: if you followed the steps above, this is import_findings_security_hub.zip .
  • LambdaHandlerName: unless you changed it, the name is import_findings_security_hub.lambda_handler .
  • ElasticBeanstalkEnvironment: the name of your Elastic Beanstalk environment. If you are using Part I, the value is my-env for both STG and PRD.
  • ApplicationName: your Beanstalk application name. If you forgot it, you can find it on the Elastic Beanstalk console under Applications in the left-hand menu.
  • SAST: choose SonarQube or PHPStan as your static analysis tool. You can skip the SonarQube details if you opt for PHPStan.
  • DAST: choose your dynamic analysis tool (OWASP ZAP) and enter its API key, the tool URL, and the URL of the application to scan. The ZAP instance must be reachable from the CodeBuild environment, and the API key is a credential, so keep it out of the repository.

7. Click “Next” and follow the prompts. On the last page, acknowledge that the stack creates IAM resources (the template creates the roles the pipeline, CodeBuild and Lambda run under) and create the stack. Once it reaches CREATE_COMPLETE, a push to the branch you named triggers the pipeline.
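Steps 5 to 7 from the command line, as an added example rather than anything from the page or the AWS sample project. The parameter values are placeholders (the bucket, repository and application names are assumptions; master and my-env are the Part I values the page cites), the SAST and DAST keys are left out because the page does not name them, and CAPABILITY_NAMED_IAM is assumed to be the capability the template asks for. The preflight reads the Parameters block of the template and lists every declared parameter the file does not set, so you know exactly which SonarQube, PHPStan or ZAP settings still need values before you call create-stack.

```sh
#!/bin/sh
# Added example (not from the page or the AWS sample): create the stack from
# the CLI after checking that every parameter the template declares has a
# value. Parameter values are placeholders; edit them for your account.
set -eu

# write_params OUT : parameter file in the shape `--parameters file://` expects.
# The SAST/DAST keys are not listed here; the preflight below will name them.
write_params() {
  cat > "$1" <<'EOF'
[
  {"ParameterKey": "BranchName",                  "ParameterValue": "master"},
  {"ParameterKey": "RepositoryName",              "ParameterValue": "my-beanstalk-app"},
  {"ParameterKey": "LambdaPackageLoc",            "ParameterValue": "my-lambda-bucket"},
  {"ParameterKey": "LambdaPackageS3Key",          "ParameterValue": "import_findings_security_hub.zip"},
  {"ParameterKey": "LambdaHandlerName",           "ParameterValue": "import_findings_security_hub.lambda_handler"},
  {"ParameterKey": "ElasticBeanstalkEnvironment", "ParameterValue": "my-env"},
  {"ParameterKey": "ApplicationName",             "ParameterValue": "my-app"}
]
EOF
}

# declared_params TEMPLATE : keys under the top-level Parameters: block
# (assumes the template's conventional two-space indentation).
declared_params() {
  awk '
    /^Parameters:/                 { inblock = 1; next }
    inblock && /^[^ ]/             { inblock = 0 }
    inblock && /^  [A-Za-z0-9]+:/  { sub(/^  /, ""); sub(/:.*/, ""); print }
  ' "$1"
}

# supplied_params PARAMS_JSON : the ParameterKey values in the parameter file.
supplied_params() {
  sed -n 's/.*"ParameterKey": *"\([^"]*\)".*/\1/p' "$1"
}

# missing_params TEMPLATE PARAMS_JSON : print declared keys that have no value
# and return 1 if there are any, so the stack is never created half-configured.
missing_params() {
  missing=$(declared_params "$1" | while read -r key; do
    supplied_params "$2" | grep -qx "$key" || echo "$key"
  done)
  if [ -n "$missing" ]; then
    printf 'missing parameter values:\n%s\n' "$missing" >&2
    return 1
  fi
}

# Usage: sh deploy.sh codepipeline-template.commercial.yaml params.json
# CAPABILITY_NAMED_IAM is assumed: the template creates the pipeline,
# CodeBuild and Lambda roles. Generate params.json with write_params first.
if [ $# -eq 2 ]; then
  missing_params "$1" "$2"
  aws cloudformation create-stack --stack-name devsecops-pipeline \
    --template-body "file://$1" --parameters "file://$2" \
    --capabilities CAPABILITY_NAMED_IAM
fi
```

The console steps and this script end in the same place: a stack whose pipeline watches the named branch. Running missing_params first is cheap and tells you, in one list, which SAST and DAST parameters the downloaded template actually defines, which is easier than reading them off the console form.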
