Skip to content
/ software-supply-chain-security-java Public

This repo contains the technology stack and its usage for software supply chain security of a Java application

7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

emirhandogandemir/software-supply-chain-security-java

BranchesTags

Repository files navigation

Software-supply-chain-security-java

This repo contains articles, videos, and resources on software supply chain security that I came across during my research. Below, you can first see the architecture of the project to be implemented and access the detailed technology stack through the links.

🔗 GitHub Links

Proje Adı Açıklama GitHub Linki
Awesome software supply chain security A compilation of resources in the software supply chain security domain, with emphasis on open source Github
ssc-reading-list ssc-reading-list GitHub
Proje 3 Açıklama 3 GitHub Proje 3
Proje 4 Açıklama 4 GitHub Proje 4

🎥 Videos

Başlık Yükleyen Yayın Tarihi İzlenme Sayısı
Securing the Supply Chain for Your Java Applications By Thomas Vitale Devoxx 06.10.2023 500+
Signing And Verifying Container Images With Sigstore Cosign And Kyverno DevOps Toolkit 10.10.2022 5000+
Video 3 Kanal 3 03.01.2023 2000+
Video 4 Kanal 4 04.01.2023 300+

📝 Article

Başlık Yazar Yayın Tarihi Değerlendirme
Supply Chain Security aqua None ⭐⭐⭐⭐⭐
How to create SBOMs in Java with Maven and Gradle snyk 28.11.2022 ⭐⭐⭐⭐
SBOM Quick Start Sonatype None ⭐⭐⭐⭐
Sign and Verify Container Images with Cosign, and Kyverno: A Complete Guide Seifeddine Rajhi .09.2023 ⭐⭐⭐⭐⭐

👤 LinkedIn Profiles to Follow

Name Title Profile Link
Batuhan Apaydın Senior Platform Engineer LinkedIn Profile
Furkan Türkal Platform Engineer LinkedIn Profile
Dan Lorenc Ceo LinkedIn Profile
Saim Safder DevOps Tech Lead LinkedIn Profile

Dependency Track

Installed with docker-compose.yaml

image

image

image

Sonarqube

  • docker pull sonarqube:communition
  • docker run -d --name sonarqube -p 9000:9000 -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -e SONAR_JAVA_OPTS="-Xmx4g -Xms512m -XX:+HeapDumpOnOutOfMemoryError" sonarqube:community

We can use below command for project SCA

  • You must install sonar-scanner your local desktop

image

  • How to create a token => My Account=> Security=> Generate Tokens

  • mvn clean package sonar:sonar -Dsonar.projecKey=secure-devOps -Dsonar.host.url=http://localhost:9000 -Dsonar.login=sqa_8d5781d430cef6f2ba2c08e691ef6b01bd0c8f28 -Dsonar.exclusions=**/*.java this login token will be changing because of this sonarqube does not persistent

image

image

image

Buildpacks

We will creating a image with buildpacks Buildpacks

Jıb-Maven-Plugin

  • How to use jib with our java project
  • mvn clean install -P create-image-openjdk => max size
  • mvn clean install -P create-image-openjdk-slim
  • mvn clean install -P create-image-openjdk-jre => min size
  • image

After this step we will be working on killercoda

Trivy

  • How to install trivy
  • trivy image dogandemir51/secure:0.0.1
  • trivy image --format json --output trivy-scanning.json dogandemir51/secure:0.0.1

Helm

  • helm
  • helm create securechart
  • You must change values.yaml for your application
  • helm install secure ./securechart

Kyverno

Cosign

  • Installation
  • cosign generate-key-pair
  • cosign sign --key cosign.key dogandemir51/secure:0.0.1
  • cosign verify --key cosign.pub dogandemir51/secure:0.0.1

image

image

About

This repo contains the technology stack and its usage for software supply chain security of a Java application

Topics

helm sonarqube image-scanning jib-maven-plugin sbom dependency-scanning trivy supply-chain-security kyverno cosign

Resources

Readme
Activity

Stars

7 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages