Overview of Apsara Devops security features


This topic describes the end-to-end security features of Apsara Devops. These features cover operational security, code security, CI/CD process security, artifact security, and runtime security.

Operational security

Apsara Devops helps your organization maintain a secure production environment. It provides fine-grained access control and audit trail capabilities to protect your data assets:

  • Multi-level fine-grained access control: Assigns permissions by role at multiple levels, so that each user's access can be scoped precisely and reviewed.

  • Permission revocation for departing users: Automatically revokes the permissions of employees who leave the company when a DingTalk enterprise account is connected.

  • Audit log: Records high-risk operations so that they can be audited and traced back to the user who performed them.

  • IP whitelist: Restricts access to data assets, such as code and artifacts, to only the IP addresses on the whitelist.

  • Security watermark: This feature adds a visitor watermark to the source code viewing page to enhance code security, traceability, and accountability.

Code security

Apsara Devops Codeup helps protect your organization's code assets. It provides features such as code scanning, repository encryption, and backup and recovery.

Code scanning

Apsara Devops Codeup supports code scanning rulesets for multiple languages. They cover development quality standards, source code security, and vulnerability scanning for dependency packages, and are aligned with CWE, OWASP, SANS, and CERT guidance. The rulesets are listed below by applicable language; each entry gives the ruleset name followed by a description of what it checks.

Java

Java development guidelines

The development guidelines are based on the Alibaba Java Coding Guidelines, the standards that Alibaba's internal Java engineers follow. They cover programming conventions, unit testing, exception handling and logging, MySQL, project engineering, and security, and distill the collective experience of nearly 10,000 Alibaba Java engineers, refined through extensive real-world use.

Java security scan

Based on the SpotBugs static analysis tool, the platform provides a set of rules that detect common defect patterns in code, including security-relevant ones, to help developers improve code quality and reduce potential security risks. Note that SpotBugs analyzes compiled bytecode rather than source text, so the project must build successfully before this scan can produce results.

Source code vulnerability scan

Most security vulnerabilities in software are introduced by developer error: tooling defects do occur, but improper coding is the main source. Systematic secure coding training reduces the risk, but only to a limited extent. For this reason, Apsara Devops integrates the professional security product Sourcebrella Pinpoint to provide source code vulnerability scanning. It covers the following areas:

  • Data leakage: For example, stack traces exposed to callers and data passed to insecure APIs.

  • Security policy: Weak encryption functions, insecure SSL/TLS configuration, insecure randomness, missing access control, and insecure storage.

  • Input validation: Mail command injection, JSON injection, LDAP manipulation, and cross-site request forgery.

Dependency package vulnerability scan

Modern enterprises rely heavily on open source components, but component maintainers do not always have the resources for thorough security testing, and a known vulnerability in a widely used component is an attractive target for attackers. To reduce this risk, take the following measures:

  1. Inventory the dependency packages your project uses, including the transitive dependencies they pull in.

  2. Detect and fix known vulnerabilities in them.

Dependency package vulnerability scanning matches those dependencies against a comprehensive security vulnerability database. It identifies vulnerabilities in both direct and indirect (transitive) dependencies and recommends the fixed versions to upgrade to.
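The following Python script is an added illustration of the direct-versus-indirect matching described above; it is not Apsara Devops code and does not use its vulnerability database. The lockfile, the advisory entries (placeholder IDs, not real CVEs) and the version-range convention [introduced, fixed) are constructed for the example, and the version parser assumes plain dotted numeric versions.

```python
"""Transitive dependency vulnerability matching (added example, not Apsara Devops code).

The lockfile and advisory database below are constructed for illustration.
"""
from collections import deque

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed lockfile: package -> (resolved version, packages it depends on).
# "app" is the project root, so its children are the direct dependencies.
LOCKFILE = {
    "app":             ("0.0.0", ["web-framework", "http-client"]),
    "web-framework":   ("3.2.0", ["template-engine"]),
    "http-client":     ("2.25.1", ["url-parser"]),
    "template-engine": ("2.11.3", []),
    "url-parser":      ("1.26.4", []),
}

# Constructed advisory database (placeholder IDs, not real CVEs).
# A version is affected when introduced <= version < fixed.
VULN_DB = {
    "web-framework":   [{"id": "ADV-0001", "introduced": "3.0.0", "fixed": "3.2.1", "severity": "CRITICAL"}],
    "template-engine": [{"id": "ADV-0002", "introduced": "2.0.0", "fixed": "2.11.4", "severity": "HIGH"}],
    "url-parser":      [{"id": "ADV-0003", "introduced": "1.0.0", "fixed": "1.26.5", "severity": "MEDIUM"}],
    "http-client":     [{"id": "ADV-0004", "introduced": "2.26.0", "fixed": "2.27.0", "severity": "LOW"}],
}


def parse_version(version):
    """Turn a plain dotted numeric version into a comparable tuple, padded to
    three components so that "1.0" == "1.0.0". Assumption: no pre-release or
    build tags; a real scanner needs full semver / PEP 440 / Maven handling."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def dependency_paths(lockfile, root):
    """Breadth-first walk from the root; returns the shortest path to each package,
    which is the chain a developer must follow to see why a package is present."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        for child in lockfile[name][1]:
            if child not in lockfile:
                raise ValueError(f"{child} is required by {name} but not resolved in the lockfile")
            if child not in paths:
                paths[child] = paths[name] + [child]
                queue.append(child)
    return paths


def scan(lockfile, vuln_db, root="app"):
    """Match every resolved package against the advisory database and return
    findings sorted by severity, each with its fixed version and dependency path."""
    findings = []
    for name, path in dependency_paths(lockfile, root).items():
        if name == root:
            continue
        version = lockfile[name][0]
        for adv in vuln_db.get(name, []):
            if is_affected(version, adv):
                findings.append({
                    "package": name,
                    "version": version,
                    "id": adv["id"],
                    "severity": adv["severity"],
                    "fixed": adv["fixed"],
                    "direct": len(path) == 2,   # path is exactly root -> package
                    "path": path,
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["package"]))
    return findings


def format_report(findings):
    """One line per finding: severity, advisory, package, kind, fix and import chain."""
    lines = []
    for f in findings:
        kind = "direct" if f["direct"] else "indirect"
        lines.append(
            f'{f["severity"]:8} {f["id"]} {f["package"]}=={f["version"]} ({kind}) '
            f'-> upgrade to {f["fixed"]}; pulled in via {" > ".join(f["path"])}'
        )
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(scan(LOCKFILE, VULN_DB))))
```

Running the script lists three findings: the direct dependency web-framework, and template-engine and url-parser, which the project never names but which arrive through web-framework and http-client respectively. http-client itself is not reported because its installed version predates the advisory's introduced version. The dependency path is what makes an indirect finding actionable: the fix is either to upgrade the parent that pulls the package in or to pin the vulnerable package at its fixed version.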

Code patch recommendation

Apsara Devops studied the bug detection methods that are popular in industry and academia, analyzed their limitations, and developed its own algorithm that identifies code bugs more accurately and efficiently and proposes fixes. The algorithm was accepted at the International Conference on Software Engineering (ICSE).

In addition, the Apsara Devops code patch recommendation service is used in automatic scanning for merge requests. It provides developers with bug fixes based on an intelligent algorithm trained on best practice samples.

JavaScript

JavaScript development guidelines (Vue/React)

This ESLint configuration is based on the Alibaba Frontend Coding Guidelines. It is mainly used for JavaScript development guidelines. It covers coding style, language features, comments, and naming checks to ensure code consistency and maintainability.

TypeScript

TypeScript development guidelines (Vue/React)

This ESLint configuration is based on the Alibaba Frontend Coding Guidelines. It is mainly used for TypeScript development guidelines. It covers coding style, language features, comments, and naming checks to ensure code consistency and maintainability.

Golang

Golang development guidelines

Scans for issues based on Go coding guidelines, covering code style, code simplification, code structure, and unused functions, variables, and types.

Golang security scan

Based on the gosec static analysis tool, it scans and identifies potential security vulnerabilities and issues in Go code. It provides real-time feedback and suggestions to help developers identify and resolve related issues before the code is published.

Python

Python development guidelines

Analyzes Python code for errors, flags code that violates style standards or has potential defects, and provides refactoring suggestions.

Python security scan

Based on the Bandit scanning tool, it helps developers identify and fix secure coding issues in Python code.

Python coding style scan

Based on the pycodestyle tool, it helps developers identify and fix PEP 8 style issues in Python code.

Node.js

Node.js security scan

Based on ESLint rules, it detects common potential security risks in Node.js applications.

C/C++

C/C++ security scan

The C/C++ security scan ruleset is based on CppLint, which checks each line of code against Google's C++ style guide. Beyond style, CppLint flags a number of risky runtime usages (for example, unsafe or non-thread-safe library functions) and provides guideline suggestions to help developers improve code quality and security.

C/C++ basic ruleset

The C/C++ basic ruleset analyzes code without requiring build or compilation information. Its checks detect undefined behavior and other errors, review code style, and evaluate performance factors.

Lua

Lua general scan

Based on the LuaCheck scanning tool, it helps developers identify and fix syntax, coding style, and security issues in Lua code.

Scala

Scala coding style scan

Based on the ScalaStyle tool, it performs Scala coding style scans to help developers optimize Scala coding style issues during the development process.

Kotlin

Kotlin basic ruleset

Based on the Detekt scanning tool, it helps developers identify and fix coding issues during Kotlin development. This improves code quality and reduces potential code vulnerabilities.

Android

Android basic ruleset

Based on the Android Lint scanning tool, it helps developers identify and fix coding guideline and security issues that occur during development. This improves code quality and reduces potential code vulnerabilities.

Language-independent

Sensitive information scan

Detects API keys and other sensitive credentials in your code to effectively prevent accidental commits and leaks of sensitive information.

For more information about code scanning, see Code scanning.

Based on these scanning capabilities, scans can be triggered automatically on code commits and during code reviews, and mandatory quality gates can control which code is merged into core branches. Merge requests can also be extended to integrate your organization's own security scanning tools or third-party scanning services, so that external scan results act as a merge gate and meet custom scanning requirements.
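As an added illustration of the sensitive information scan listed above, the following Python script is a minimal secret detector of the kind that runs on a commit or merge request. It is not Apsara Devops code and does not reproduce its rules. The "LTAI" and "AKIA" prefixes are the documented formats of Alibaba Cloud and AWS access key IDs; the length bounds, the generic keyword rule, the entropy threshold, the placeholder list and the sample source text are all constructed for this example.

```python
"""Secret detection over source text (added example, not Apsara Devops code).

Structured rules catch well-known key formats; a generic rule catches
assignments to secret-looking variable names and uses Shannon entropy plus a
placeholder list to suppress obvious false positives.
"""
import math
import re
from collections import Counter

# Rule patterns. The "LTAI" and "AKIA" prefixes are the documented formats of
# Alibaba Cloud and AWS access key IDs; the length bounds and the generic rule's
# keyword list are assumptions for this example.
RULES = {
    "alibaba_cloud_access_key_id": re.compile(r"\bLTAI[0-9A-Za-z]{12,20}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(secret|password|passwd|token|api[_-]?key|access[_-]?key[_-]?secret)\s*[:=]\s*"
        r"['\"]?([A-Za-z0-9+/=_\-]{16,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune against your own corpus
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "xxxx", "your_")

# Constructed sample file. None of these values are real credentials.
SAMPLE_SOURCE = """\
# settings.py (constructed sample, not real credentials)
ACCESS_KEY_ID = "LTAI5tQ7rZ2mN8vK3wX1pL6c"
ACCESS_KEY_SECRET = "${ALIBABA_CLOUD_ACCESS_KEY_SECRET}"
aws_key = "AKIAIOSFODNN7EXAMPLE"
db_password = "p8Xq2vL9mZ4tR7wK1nB3yH6j"
password = "changeme_changeme_1"
token = "aaaaaaaaaaaaaaaaaaaaaaaa"
timeout = 30
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(value):
    """Bits of entropy per character: random keys score high, repeated or
    dictionary-like strings score low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    """Documented example keys and obvious dummies are not leaks."""
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def mask(value):
    """Never echo the full secret back into scan output or CI logs."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text):
    """Return findings as dicts with the line number, the rule that fired and a
    masked value. Structured rules are trusted as-is; the generic rule is
    additionally filtered by entropy because variable names alone are noisy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                if is_placeholder(value):
                    continue
                if rule == "generic_secret_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append({"line": lineno, "rule": rule, "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f'line {f["line"]}: {f["rule"]} -> {f["value"]}')
```

On the sample the scanner reports line 2 (the Alibaba Cloud AccessKey ID), line 5 (a high-entropy password) and line 9 (a private key header), and stays quiet on the environment-variable reference, on AWS's published example key (placeholder suppression), on "changeme" and on the all-"a" token (low entropy). A production scanner would add many more structured rules, scan the git history rather than only the working tree, and treat any confirmed hit as a credential to rotate, not merely a line to delete.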

Repository encryption

Apsara Devops Codeup provides a repository encryption feature to ensure the security and compliance of your stored code. When you upload data, Codeup encrypts it before storage. When you download the data, it is automatically decrypted and returned in a readable format. Codeup supports two encryption methods: Alibaba Cloud Key Management Service (KMS) and Apsara Devops self-managed key encryption. For more information, see Repository encryption.

Code backup

Apsara Devops Codeup provides a code backup feature. This feature lets you periodically synchronize code data to a secure and controllable storage space. This ensures that repositories hosted on Codeup can be backed up, traced, and recovered. You can back up your code to your own OSS bucket. Codeup supports both full and incremental backup methods. It also includes an automatic archiving feature for historical backups to help you save on storage costs. For more information, see Code backup.

CI/CD process security

Apsara Devops Flow ensures the security of code and artifacts during the build stage by integrating various tools. These tools perform unit testing, coverage collection, code guideline scanning, security scanning, and image scanning for various languages. Flow also supports custom development steps, which allow organizations to integrate their proprietary security tools or platforms, such as SonarQube.

Built-in test and scan capabilities

  • Unit test: Provides unit testing for various technology stacks, such as Maven, Gradle, Python, Node.js, and Go. For more information, see Steps checklist.

  • Coverage collection: Provides Jacoco coverage collection, Cobertura coverage collection, and Python coverage collection. For more information, see Steps checklist.

  • Code scanning: Provides code guideline scanning and security scanning for various technology stacks, such as Java, Node.js, Python, PHP, C++, and Go. Both full and incremental scan modes are supported; you can specify or exclude directories, select the rulesets to apply, and configure quality gates. For a detailed description of the scanning tools and rules, see Code scanning.

  • SonarQube scan: Lets you run your own SonarQube scan jobs to check code for security and quality, with quality gates to ensure that the code meets predefined security standards.

  • Image scan (Trivy): Trivy statically analyzes container images in Docker and OCI formats and reports known vulnerabilities in the operating system packages and application dependencies they contain.

Integration with custom security tools or platforms

In addition to the built-in code testing and scanning tools in Apsara Devops Flow pipelines, you can use the Flow-CLI step development tool. This tool lets you customize the integration of additional testing and scanning tools or platforms to meet broader security testing requirements. For more information, see Develop a SonarQube scan step with a quality gate.

Artifact security

Download dependencies from trusted sources

During the software development process, avoid referencing packages from untrusted sources. To ensure download security, use the trusted images and software artifact sources provided by the Alibaba Cloud Mirror.

In addition, Apsara Devops Packages lets you create private artifact repositories for your organization. It supports various repository types, such as generic artifacts, Maven, npm, NuGet, and PyPI, and provides tenant isolation, access control, and high-availability storage to protect your organization's artifacts. For more information, see Artifact repositories.

Built-in Trivy image scanning

Apsara Devops Flow pipelines include a built-in Trivy scan step. Trivy statically analyzes Docker and OCI images and reports the known vulnerabilities in the operating system packages and application dependencies they contain, so that an image can be rejected before it is published.
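The following Python script is an added example of the quality-gate logic that a pipeline step applies to a Trivy result; it is not the Apsara Devops step itself. Trivy's JSON output (`trivy image --format json`) has a top-level "Results" list whose entries may carry a "Vulnerabilities" list with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity fields; the report below is constructed with placeholder IDs and package names. The time-boxed allowlist file and its date format are assumptions for the example.

```python
"""Quality gate over a Trivy JSON report (added example, not Apsara Devops code).

The report below is constructed: placeholder vulnerability IDs and package
names, laid out in the field structure Trivy's JSON output uses.
"""
import datetime
import json
import sys

SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/app:1.4.2",
    "Results": [
        {
            "Target": "registry.example.com/app:1.4.2 (base OS packages)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "VULN-EXAMPLE-1", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "VULN-EXAMPLE-2", "PkgName": "toolbox",
                 "InstalledVersion": "4.2.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "VULN-EXAMPLE-3", "PkgName": "compresslib",
                 "InstalledVersion": "2.1.0", "FixedVersion": "2.2.0", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "VULN-EXAMPLE-4", "PkgName": "somelib",
                 "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "HIGH"},
            ],
        },
        # A result with no findings omits the "Vulnerabilities" key entirely.
        {"Target": "app/Dockerfile", "Class": "config"},
    ],
}

# Time-boxed exceptions: vulnerability ID -> last day the waiver is valid.
# Assumption: a team-maintained file kept in the repository next to the pipeline.
ALLOWLIST = {"VULN-EXAMPLE-4": "2030-01-01"}


def evaluate_gate(report, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=True,
                  allowlist=None, today=None):
    """Return pass/fail, blocking findings, waived findings and per-severity counts.
    A finding blocks the pipeline when its severity is in fail_on, a fix exists
    (or ignore_unfixed is False), and no unexpired waiver covers it."""
    allowlist = allowlist or {}
    today = datetime.date.fromisoformat(today) if today else datetime.date.today()
    blocking, waived, counts = [], [], {}

    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []) or []:   # key may be absent or null
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
            if sev not in fail_on:
                continue
            entry = {
                "id": vuln["VulnerabilityID"], "package": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"), "fixed": vuln.get("FixedVersion") or None,
                "severity": sev, "target": result.get("Target"),
            }
            if ignore_unfixed and not entry["fixed"]:
                waived.append({**entry, "reason": "no fixed version available yet"})
                continue
            expiry = allowlist.get(entry["id"])
            if expiry and datetime.date.fromisoformat(expiry) >= today:
                waived.append({**entry, "reason": f"waiver valid until {expiry}"})
                continue
            if expiry:
                entry["reason"] = f"waiver expired on {expiry}"   # expired waivers block again
            blocking.append(entry)

    return {"passed": not blocking, "blocking": blocking, "waived": waived, "counts": counts}


def summarize(verdict):
    """Human-readable lines for the pipeline log."""
    lines = [f"gate {'PASSED' if verdict['passed'] else 'FAILED'}: counts={verdict['counts']}"]
    for f in verdict["blocking"]:
        lines.append(f"  BLOCK {f['severity']} {f['id']} {f['package']} {f['installed']} -> {f['fixed']}"
                     + (f" ({f['reason']})" if "reason" in f else ""))
    for f in verdict["waived"]:
        lines.append(f"  waive {f['severity']} {f['id']} {f['package']}: {f['reason']}")
    return lines


if __name__ == "__main__":
    # Usage: python trivy_gate.py report.json   (falls back to the constructed report)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    verdict = evaluate_gate(report, allowlist=ALLOWLIST)
    print("\n".join(summarize(verdict)))
    sys.exit(0 if verdict["passed"] else 1)
```

With the constructed report the gate fails on the CRITICAL finding that has a fix, waives the HIGH finding that no upstream fix exists for yet, waives the allowlisted HIGH finding until its expiry date, and only counts the MEDIUM one. Two design choices matter in practice: unfixed findings are recorded rather than silently dropped, so they can be revisited, and every waiver carries an expiry so that an exception cannot quietly become permanent.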

ACR image scan integration

Apsara Devops Flow pipelines are integrated with the image scanning feature of Alibaba Cloud Container Registry (ACR). This feature automatically scans images before and after they are pushed to a repository. The scan detects potential security vulnerabilities, license issues, and malware. This ensures that only images that pass the scan can be used in subsequent deployments. A typical scenario occurs in the staging phase. After an image is built, it is pushed to ACR, which automatically triggers an image scan. If the scan passes, the image is automatically deployed to the staging environment. For more information, see Integrate ACR image scanning for security and compliance checks and ACR image security.

Runtime security

During the application runtime phase, Apsara Devops integrates with Alibaba Cloud Security Center, which provides runtime threat detection and blocking so that every application pod runs securely. Security Center is built on cloud-native deployment capabilities and provides an automated security process that covers data collection, detection, analysis, response, and disposal, together with unified security management. It correlates multiple log sources and applies contextual analysis to detect and block common intrusion techniques in real time, including command execution, code execution, SQL injection, and data exfiltration, covering a range of business vulnerability intrusion scenarios. It also combines Kubernetes logs with cloud platform operation logs for behavior auditing and risk detection, which helps prevent container escape, AccessKey leaks, and unauthorized access. For more information, see What is Security Center?.