Free Tools DevOps Teams can Use to Fix Security Risks
A cost-effective approach for limited budgets
DevSecOps integrates security practices within the DevOps security processes, emphasizing a “shift-left” mentality. By considering security from the beginning of the software development lifecycle, teams can create more robust and secure applications.
In this article, we’ll cover five ways to ensure code quality and enhance the security of your CI/CD pipeline and the build stage using free security tooling.
DevSecOps integrates security practices within the DevOps security processes, emphasizing a “shift-left” mentality. By considering security from the beginning of the software development lifecycle, teams can create more robust and secure applications.
In this article, we’ll cover five ways to ensure code quality and enhance the security of your CI/CD pipeline and the build stage using free security tooling:
- Detecting and preventing hardcoded secrets – Gitleaks
- Generating a software bill of materials (SBOM) – Syft
- Checking for vulnerabilities in dependencies – OWASP Dependency-Check
- Enforcing code quality and best practices – Linters and Hadolint
- Implementing organizational policies – Polaris
Please note that open-source tools like Gitleaks and Syft are a strong start for CI/CD security—they cover the basics. But as your team scales, so do the stakes. Open-source lacks the depth, speed, and integration that mature security teams need to keep up with complex threats. When security becomes mission-critical and false positives or slow updates become deal-breakers, it’s time to consider commercial tooling. These solutions bring the precision, support, and scale needed to move beyond “just good enough” and stay truly secure.
Now, let’s dive into these security measures and explore the tools that can help implement them.
1. Detecting and Preventing Hardcoded Secrets with Gitleaks
Hardcoded secrets embedded in your source code pose a significant security risk. In this example, we’ll use Gitleaks, an open-source SAST tool designed to detect and prevent hardcoded secrets such as passwords, API keys, and tokens in Git repositories.
$ docker run -v $(pwd):/path zricethezav/gitleaks:latest detect --source="/path" -v
# OUTPUT example
○
│╲
│ ○
○ ░
░ gitleaks
Finding: k8s_hf_secret_list = var.k8s_hf_secret == null ? [] : [var...
Secret: var.k8s_hf_secret
RuleID: generic-api-key
Entropy: 3.616875
File: benchmarks/benchmark/tools/locust-load-inference/main.tf
Line: 50
Commit: 6d21def955d77cd130309318928f102ef0ac6e58
Author: vivianrwu
Email: vivianrwu@google.com
Date: 2024-07-15T19:12:58Z
Fingerprint: 6d21def955d77cd130309318928f102ef0ac6e58:benchmarks/benchmark/tools/locust-load-inference/main.tf:generic-api-key:50
Finding: var jobKey = "759730a97e4373f3a0ee12805db065e3a4a649a5"
Secret: 759730a97e4373f3a0ee12805db065e3a4a649a5
RuleID: generic-api-key
Entropy: 3.653702
File: tpu-provisioner/internal/cloud/gke_test.go
Line: 143
Commit: 6d21def955d77cd130309318928f102ef0ac6e58
Author: vivianrwu
Email: vivianrwu@google.com
Date: 2024-07-15T19:12:58Z
Fingerprint: 6d21def955d77cd130309318928f102ef0ac6e58:tpu-provisioner/internal/cloud/gke_test.go:generic-api-key:143
9:30PM INF 1 commits scanned.
9:30PM INF scan completed in 3.28s
9:30PM WRN leaks found: 2
Gitleaks scans your codebase for potential secrets, such as API keys, passwords, and tokens. It provides detailed output, including the location of the secret, the type of secret detected, and the commit information.
2. Generating an SBOM with Syft
A Software Bill of Materials is crucial for tracking and auditing the components used in your software. We’ll use Syft to generate a list. Syft is a CLI tool and Go library for generating SBOM from container images and filesystems. Exceptional for vulnerability detection when used with a scanner like Grype.
# Installation for MacOs
brew install syft # you can check the link for other installation methods
# execution
syft scan docker:jenkins/jenkins:latest
Syft scans container images and filesystems, providing a comprehensive list of all software components and their versions.
Here is example output:
3. Checking for Vulnerabilities in Dependencies with OWASP Dependency-Check
To identify known vulnerabilities in your project dependencies, we’ll use OWASP Dependency-Check. OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
DC_VERSION="latest"
DC_DIRECTORY=$HOME/OWASP-Dependency-Check
DC_PROJECT="dependency-check scan: $(pwd)"
DATA_DIRECTORY="$DC_DIRECTORY/data"
CACHE_DIRECTORY="$DC_DIRECTORY/data/cache"
if [ ! -d "$DATA_DIRECTORY" ]; then
echo "Initially creating persistent directory: $DATA_DIRECTORY"
mkdir -p "$DATA_DIRECTORY"
fi
if [ ! -d "$CACHE_DIRECTORY" ]; then
echo "Initially creating persistent directory: $CACHE_DIRECTORY"
mkdir -p "$CACHE_DIRECTORY"
fi
# Make sure we are using the latest version
docker pull owasp/dependency-check:$DC_VERSION
docker run --rm \
-e user=$USER \
-u $(id -u ${USER}):$(id -g ${USER}) \
--volume $(pwd):/src:z \
--volume "$DATA_DIRECTORY":/usr/share/dependency-check/data:z \
--volume $(pwd)/odc-reports:/report:z \
owasp/dependency-check:$DC_VERSION \
--scan /src \
--format "ALL" \
--project "$DC_PROJECT" \
--out /report
Dependency-Check downloads vulnerability data from the National Vulnerability Database API and scans your project dependencies against this information. Some points to note about this Dependecy-check:
- Initial download: on the first execution, the tool will download all disclosed vulnerabilities from the NVD. This process may take a very long time, so be patient during the initial setup.
- Scanning and reporting: Dependency-Check will scan your project and create a comprehensive report after downloading the vulnerability data.
- Improving performance: To speed up subsequent executions, you can request an official API key from the NVD and configure Dependency-Check to persist the downloaded data between executions.
After execution, discovered vulnerabilities are saved in a report that can be exported in multiple formats like the HTML shown below.
4. Enforcing Code Quality and Best Practices with Linters and Hadolint
Linters analyzes source code for errors, vulnerabilities, and stylistic issues to improve code quality and enforce security best practices. For the Dockerfile example below we’ll use Hadolint:
FROM python:3
# Set the working directory in the container
WORKDIR /app
# Copy files
COPY . /app
# Install system dependencies
RUN apt-get update && apt-get install -y \
gcc \
libpq-dev \
&& rm -rf /var/lib/apt/lists/*
# Install python dependencies
RUN pip install --no-cache-dir flask gunicorn psycopg2
# Make port 5000 available to the world outside this container
EXPOSE 5000
# Define environment variable
ENV FLASK_APP=app.py
# Run app.py when the container launches
CMD ["gunicorn", "-b", "0.0.0.0:5000", "app:app"]
5. Implementing Organizational Policies with Polaris
To enforce organizational policies, especially for Kubernetes manifests, we’ll utilize Polaris, an open-source policy engine. Polaris helps ensure that Kubernetes deployments conform to best practices, enhancing the security, efficiency, and reliability of your clusters.
Polaris works by performing a series of policy checks on Kubernetes manifests. It evaluates configurations such as resource limits, container privileges, and image security. Specifically, Polaris can be integrated into your Continuous Integration (CI) pipeline to enforce these policies during the build and deployment phases, catching potential misconfigurations early.
# Installation for macOS
brew tap FairwindsOps/tap
brew install FairwindsOps/tap/polaris
# usage
polaris audit --audit-path ./manifests/ --format=pretty
Yes, free tooling can be utilized to manage security workflows for restricted budgets
As demonstrated, you can improve security with free tooling by Implementing security measures such as detecting hard-coded secrets, generating SBOMs, checking for vulnerabilities, enforcing best practices, and applying organizational policies. Utilizing these tools and implementing security processes into your workflows can significantly boost the security of your CI/CD pipeline.
However, everything has a cost… even free tooling.
Managing tasks with separate tools can quickly become a labor-intensive and time-consuming process, often requiring multiple integrations, custom scripts, and continuous maintenance across various platforms.
This fragmented approach slows development and increases the risk of gaps in your security coverage.
Implement security process and keep in budget with runtime security platform
Instead of juggling individual solutions, a unified runtime security platform like Kodem Security can dramatically simplify the process. Kodem integrates these critical security measures into one streamlined solution, reducing the complexity and overhead typically associated with multiple tools.
Our suite of tooling covers every part of your stack— source code scanning, containers, APIs, and more—while helping your teams prioritize and remediate real risks in real-time. With advanced features like Attack Chain Analysis, Adversarial Risk Prioritization, dynamic SBOMs, Kodem ensures your security teams focus on what attackers will actually exploit.
Kodem helps ensure consistent enforcement of security policies while allowing your team to focus on building and delivering applications without interruptions. Remember, security is an ongoing process—regularly reviewing and updating your approach is crucial to staying ahead of emerging threats. With Kodem, you can manage this process more efficiently and effectively.
Blog written by
Shay El Gold
Shay has over nine years of experience in cloud-native architectures and Kubernetes implementations. Specializing in AWS and GCP, he architects scalable infrastructure using Terraform and GitOps methodologies. His expertise focuses on DevSecOps implementation and secure Kubernetes deployments, driving technical excellence through leadership and team enablement.
More blogs
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.