This repo contains articles, videos, and resources on software supply chain security that I came across during my research. Below, you can first see the architecture of the project to be implemented and access the detailed technology stack through the links.
🔗 GitHub Links
| Project Name | Description | GitHub Link |
|---|---|---|
| Awesome software supply chain security | A compilation of resources in the software supply chain security domain, with emphasis on open source | Github |
| ssc-reading-list | ssc-reading-list | GitHub |
| Project 3 | Description 3 | GitHub Project 3 |
| Project 4 | Description 4 | GitHub Project 4 |
🎥 Videos
| Title | Uploader | Publish Date | View Count |
|---|---|---|---|
| Securing the Supply Chain for Your Java Applications By Thomas Vitale | Devoxx | 06.10.2023 | 500+ |
| Signing And Verifying Container Images With Sigstore Cosign And Kyverno | DevOps Toolkit | 10.10.2022 | 5000+ |
| Video 3 | Channel 3 | 03.01.2023 | 2000+ |
| Video 4 | Channel 4 | 04.01.2023 | 300+ |
📝 Article
| Title | Author | Publish Date | Rating |
|---|---|---|---|
| Supply Chain Security | aqua | None | ⭐⭐⭐⭐⭐ |
| How to create SBOMs in Java with Maven and Gradle | snyk | 28.11.2022 | ⭐⭐⭐⭐ |
| SBOM Quick Start | Sonatype | None | ⭐⭐⭐⭐ |
| Sign and Verify Container Images with Cosign, and Kyverno: A Complete Guide | Seifeddine Rajhi | .09.2023 | ⭐⭐⭐⭐⭐ |
👤 LinkedIn Profiles to Follow
| Name | Title | Profile Link |
|---|---|---|
| Batuhan Apaydın | Senior Platform Engineer | LinkedIn Profile |
| Furkan Türkal | Platform Engineer | LinkedIn Profile |
| Dan Lorenc | CEO | LinkedIn Profile |
| Saim Safder | DevOps Tech Lead | LinkedIn Profile |
SonarQube is installed with docker-compose.yaml, or can be started directly with Docker:

```sh
docker pull sonarqube:community
docker run -d --name sonarqube -p 9000:9000 \
  -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true \
  -e SONAR_JAVA_OPTS="-Xmx4g -Xms512m -XX:+HeapDumpOnOutOfMemoryError" \
  sonarqube:community
```

This container has no volume mounted, so every restart wipes projects, users and tokens.
We can use the command below for static code analysis of the project with SonarQube.
- You must install sonar-scanner on your local machine (when the analysis is run through Maven as below, the `sonar:sonar` goal fetches the scanner itself, so the standalone sonar-scanner is only needed for non-Maven projects).
- How to create a token: My Account => Security => Generate Tokens
- Run the analysis, passing the token from an environment variable instead of pasting it into the command line or committing it:

```sh
mvn clean package sonar:sonar \
  -Dsonar.projectKey=secure-devOps \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login="$SONAR_TOKEN" \
  -Dsonar.exclusions=**/*.java
```

The token will change after every restart because this SonarQube container is not persistent. On SonarQube 10 and later `sonar.login` is deprecated for tokens; use `-Dsonar.token` instead. Note that `-Dsonar.exclusions=**/*.java` excludes every Java source file, so replace it with the paths you actually want to skip (generated code, tests), otherwise nothing of a Java project is analysed.
We will create an image with Buildpacks.
- How to use jib with our Java project: the Maven profiles below (defined in the project's pom.xml) build the image on different base images. The smaller the base image, the smaller the attack surface and the fewer packages trivy has to report on.

```sh
mvn clean install -P create-image-openjdk        # largest image
mvn clean install -P create-image-openjdk-slim
mvn clean install -P create-image-openjdk-jre    # smallest image
```
- How to install trivy and scan the image (the second command writes the full report as JSON):

```sh
trivy image dogandemir51/secure:0.0.1
trivy image --format json --output trivy-scanning.json dogandemir51/secure:0.0.1
```

In a pipeline, add `--exit-code 1 --severity HIGH,CRITICAL` so the scan fails the build instead of only printing findings.
- helm

```sh
helm create securechart
helm install secure ./securechart
```

You must change values.yaml for your application before installing.
- Cosign: generate a key pair, sign the image, verify the signature

```sh
cosign generate-key-pair
cosign sign --key cosign.key dogandemir51/secure:0.0.1
cosign verify --key cosign.pub dogandemir51/secure:0.0.1
```

`cosign generate-key-pair` asks for a password and writes the encrypted private key to cosign.key; keep it out of the repository and distribute only cosign.pub. Signing a tag signs whatever digest the tag points to at that moment; since tags are mutable, sign and verify the `@sha256:...` digest so the signature covers exactly the image that was scanned.
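The trivy and cosign steps above fit together as one gate: scan, refuse to sign unless the scan is clean, sign by digest, then verify. The script below is an added example and not part of the original repository; the image name, the severity threshold, the `--yes` flag (cosign 2.x) and the use of `docker inspect` to resolve the digest are assumptions, and cosign.key/cosign.pub are the files from `cosign generate-key-pair`.

```sh
#!/usr/bin/env sh
# Added example: gate an image on trivy findings, then sign and verify it by digest.
# Assumed: docker, trivy and cosign are installed and the image has been pushed.

IMAGE="${IMAGE:-dogandemir51/secure:0.0.1}"   # assumed default, override with IMAGE=...
SEVERITY="${SEVERITY:-HIGH,CRITICAL}"         # findings at or above this fail the build

# Returns 0 only when the reference is digest-pinned (name@sha256:<64 lowercase hex>).
# Tags are mutable, so only a digest identifies exactly what was scanned and signed.
is_digest_ref() {
  case "$1" in
    *@sha256:*)
      hex="${1##*@sha256:}"
      [ "${#hex}" -eq 64 ] && [ -z "$(printf '%s' "$hex" | tr -d '0-9a-f')" ]
      ;;
    *)
      return 1
      ;;
  esac
}

# Resolve a tag to its repository digest. RepoDigests is only populated for images
# that have been pushed to or pulled from a registry.
resolve_digest() {
  docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Fail (exit code 1) when trivy finds a fixable vulnerability at or above SEVERITY.
scan_gate() {
  trivy image --exit-code 1 --severity "$SEVERITY" --ignore-unfixed "$1"
}

# Sign only digest references, then verify the signature with the public key.
sign_and_verify() {
  ref="$1"
  is_digest_ref "$ref" || { echo "refusing to sign a non-digest reference: $ref" >&2; return 1; }
  cosign sign --yes --key cosign.key "$ref"
  cosign verify --key cosign.pub "$ref" > /dev/null
}

# Full gate: tag -> digest -> scan -> sign -> verify.
pipeline() {
  ref="$(resolve_digest "$1")" || return 1
  scan_gate "$ref" || return 1
  sign_and_verify "$ref"
}

if [ $# -gt 0 ]; then
  pipeline "$1"
fi
```

Run it as `sh gate.sh dogandemir51/secure:0.0.1`; a non-zero exit means either the scan found something at the threshold or the reference could not be pinned, and in both cases no signature is produced.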