
Top 10 DevOps Tools

March 21, 2021

Every modern software development process requires a CI/CD pipeline in order to ship features and fix bugs quickly. By integrating development and operations, DevOps practices place automation at its core. To facilitate these practices, tooling is required, and the number of available tools is constantly growing.

These tools can be used to take care of recurring tasks, including:

  • Scanning code for bugs and security vulnerabilities

  • Running tests

  • Building and packaging deployment artifacts

  • Deploying to the infrastructure

Staying on top of these new releases isn’t easy, especially considering your job is really about improving your application, not searching for and integrating DevOps tools.

DevOps is about company culture as much as it is about tools. It must be part of the fundamental way of thinking about software development and operations. Teams need to invest time into building and improving automation rather than waste time attempting to solve deployment tasks manually. Since manual tasks are always prone to human error, this can lead to bugs and security issues.

Top 10 DevOps tools

But even people with the right mindset can’t perform if they don’t have tools to empower them, which is why we focus on tools in this article. Here’s a look at 10 DevOps tools that enable fast and efficient software development in complex projects involving multiple teams and developers.

  1. Snyk

  2. AWS CodeStar

  3. Docker

  4. Podman

  5. Prometheus & Grafana

  6. GitHub Actions

  7. Selenium

  8. Sentry

  9. Slack

  10. GitLab

1. Snyk

A pioneer in the DevSecOps space, Snyk is a managed cloud-native security platform that scans for security vulnerabilities. It helps keep your entire architecture, from top to bottom, safe from malicious intruders by assisting with:

  • Security problems in your code

  • Open-source dependencies and third-party software

  • Infrastructure misconfiguration

  • Vulnerable container images

Snyk is free for open-source projects, runs with your CI/CD pipeline of choice, and prioritizes the problems it finds.

Security is a major concern in every software project. If it isn’t addressed early on, it can become a major roadblock to your release cycles. When everything is done and your security advisor suddenly shows up and tells you your encryption isn’t up to their standards, this could mean postponing your deployment for days, even weeks, until you get it fixed.

Snyk allows you to scan your code and monitor your infrastructure automatically so you can focus on iterating fast and building features. This DevOps security testing tool alerts you early on in your pipeline about potential issues so you can fix them right away, without a need to rewrite your code when everything is already implemented.

2. AWS CodeStar

CodeStar is AWS’ main DevOps service. Essentially the AWS alternative to Jenkins, it integrates with the other AWS “Code” services, such as CodeCommit (a managed code repository service), CodeBuild, and CodePipeline (a managed CI/CD pipeline service).

CodeStar also integrates with AWS CodeGuru, a machine learning code analysis tool that scans code repositories and evaluates them against security best practices used in popular open-source and Amazon repositories.

While using AWS, it is essential to add a security level on top. Snyk’s AWS Vulnerability Scanning enhances the security of your AWS infrastructure by scanning code and monitoring your services.

3. Docker

Docker is a DevOps deployment tool that consists of a container image format and a container execution environment. It allows you to package your code into files referred to as Docker images that can be executed like virtual machines on different hosts. You might call it the “package format” of the cloud. Docker allows you to test all your code and dependencies locally and deploy them remotely, independent of the programming language your application is written in. If you choose Docker to deploy your applications, you should follow these Docker security best practices.

While Docker images aren’t inherently secure, Docker Content Trust allows you to verify the source of images via digital signatures. Images are uploaded to a registry run by a third party. Users of your image then download it from this registry server. Docker Content Trust ensures the image wasn’t tampered with during that transfer. There has also been a shift in the software supply chain, away from the assumption that closed-source code is more secure than open-source. Highly popular open-source code offers greater visibility, allowing for faster remediation of security vulnerabilities than with closed-source code.

Snyk’s Docker security scan enables you to upgrade and use alternative images securely. Containers also encapsulate your application, preventing it from accessing host resources it isn’t authorized to use. Many images even come with security best practices baked right in.

4. Podman

This lightweight alternative to Docker was created by Red Hat. Podman runs without an extra daemon process and doesn’t require you to run your containers as root. In addition, it uses the same CLI commands as Docker, allowing it to be used as a drop-in replacement.

Docker uses a client/server model in which the daemon starts containers, so they run under a different UID than the user who requested them. Podman, on the other hand, uses the fork/exec model to start containers. This ensures the UIDs in your Linux audit logs are accurate and can be checked later in case something goes wrong.

Docker’s open-source community was in dire need of an alternative container runtime for local development. Podman has filled this gap. With multiple runtimes from different vendors, there’s also certain to be more innovation in that space in the future.

5. Prometheus & Grafana

Prometheus is a DevOps monitoring tool for Kubernetes clusters maintained by the Cloud Native Computing Foundation. Grafana is a tool that allows you to visualize the monitoring data Prometheus collects. Both are open source, can be deployed on your own infrastructure, and are highly customizable.

6. GitHub Actions

Microsoft’s GitHub is the most popular managed Git repository hosting service. It integrates with numerous tools and services in the wild. Many new features have been added recently, among them GitHub Actions, which executes tasks in response to repository events such as pushes or pull requests.

GitHub Codespaces even allows you to start a browser-based IDE for a GitHub hosted repository and begin coding right away.

Learn more about GitHub security best practices, starting with the classic mistake of people adding their passwords into their GitHub repositories!
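As an added illustration that is not part of the original post, here is a minimal GitHub Actions workflow that runs a dependency scan on every push and pull request with read-only permissions; the Snyk action reference, the `SNYK_TOKEN` secret name and the severity threshold are assumptions, not details given on the page.

```yaml
# .github/workflows/security-scan.yml (added example, not from the original post)
name: dependency-scan

# Trigger on the repository events the post mentions: pushes and pull requests.
on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumed: the Snyk GitHub Action for Node.js projects and a repository
      # secret named SNYK_TOKEN holding the API token. The step fails on
      # findings at or above the chosen severity, so the problem surfaces on
      # the pull request instead of after deployment.
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
```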

Build security into your CI/CD pipeline

Snyk runs in your CI/CD pipeline of choice and helps you fix the highest-priority vulnerabilities.

7. Selenium

Selenium is an open-source test runner for UI tests. It allows you to automate clickstreams on your UI, simulating actual user actions in your system. This is especially useful for catching regressions of already fixed bugs.

Selenium integrates with all major browsers and with CI/CD tools. It allows you to record clickstreams through your application with a browser plugin and modify the recorded scripts to make them more resilient to future changes in your UI.

8. Sentry

Sentry is a managed monitoring service for frontend and mobile applications. It can be integrated with just a few lines of code and keeps you up to date on the bugs your customers face when using your app. There’s even a new beta feature for monitoring video games.

9. Slack

Slack is a managed chat tool that has essentially become an industry standard. It provides APIs for customization and bots, meaning it can integrate with many different CI/CD tools used in DevOps.

This enables constant monitoring so that if problems do arise in your systems, you can address them as quickly as possible.

10. GitLab

GitLab, which started as an open-source alternative to GitHub, is a very popular DevOps solution. It manages Git repositories, issues, and CI/CD pipelines all in one place.

In 2019, GitLab even began integrating DevSecOps features into its application, including:

  • Static application security testing (SAST)

  • Dynamic application security testing (DAST)

  • Container scanning

  • Dependency scanning

These features are partially available in their free subscription plan.

GitLab can be hosted on your own servers and comes with a managed offering if you don’t want to operate your own servers.

Summary

The software world is flooded with DevOps tools, with many also offering features to make them DevSecOps ready. These include both open-source tools that are ready to be hosted on your own infrastructure and managed services that let you outsource the heavy lifting. There are multiple alternative tools for every step in your CI/CD pipeline and even for the pipeline itself. Which tool is right for you will also depend on your IT strategy. While the tools discussed in this article are more general in purpose, there are of course more specific DevSecOps tools available, for example for open-source projects in Node.js DevOps.
