DevSecOps is the philosophy of developing applications and infrastructure securely from ideation to deployment. It requires consideration of security risks at all stages of the development lifecycle. While DevOps teams have historically focused on automating the building, testing, and deployment of their applications, DevSecOps includes automating security practices to allow teams to increase security without losing velocity.

To build, deploy, and test your application, your CI/CD pipelines access every resource in your technology stack. These resources include analytics keys, code signing credentials, secure secrets, proprietary code, and data. It is imperative that you secure your CI/CD pipeline so that you never expose protected information to unwanted parties. Without a deliberate effort to protect and secure your pipeline, any one of these resources is a potential security vulnerability.

Recently, we defined three important categories of security best practices for CI/CD. They include securing your pipeline configuration, securing code and Git history analysis, and enforcing security policy. CircleCI orbs allow you to easily add integrations to tools and services to address these categories in your pipeline with just a few lines of code. Orbs are reusable, shareable, open source packages of CircleCI config that enable the immediate integration of these services. With orbs, you get an out-of-the-box solution for securing your pipeline.

Secure your CI/CD pipeline with these orbs:

Alcide
Detect vulnerabilities and misconfiguration drifts early on in development when you run Kubernetes clusters.

Anchore
Add Anchore image scanning to any CircleCI workflow.

Aqua Security
Remediate vulnerabilities within your pipeline and enforce regulatory compliance with granular container-level controls and reporting.

AWS Parameter Store
Manage and load environment secrets from the AWS Parameter Store.

Contrast Security
Add vulnerability discovery for both custom code and open source libraries to your CircleCI execution environment.

CryptoMove
Consolidate management of versioning and sharing by storing your encrypted keys and secrets on CryptoMove.

Fortanix
Store and manage secrets, API keys, and other sensitive data with a secure, distributed key management service.

Fossa
Integrate OSS compliance and vulnerability checks into your CI/CD workflow.

GCP Bin Authorization
Configure Google’s Binary Authorization service to sign and certify container images for deployment.

NeuVector
Scan container images for vulnerabilities with NeuVector during the build and secure Kubernetes container deployments at run-time.

Probely
Integrate Probely into your CI/CD pipeline to continuously scan your web app for security vulnerabilities.

Snyk
Find, fix, and monitor vulnerabilities in your app’s open source dependencies and container images.

Stackhawk
Find, triage, and fix application security bugs with dynamic application security testing.

Twistlock
Integrate Twistlock vulnerability and compliance issue scans into your CircleCI workflows.

WhiteSource
Scan your products for known open source vulnerabilities and receive actionable suggestions for fixes.

What our partners are saying:

“As container adoption continues to accelerate, enterprises require a solution that allows them to automate security comprehensively throughout the application lifecycle. We are very excited to work with CircleCI to continue to bridge the gap between development and security teams and help them build and run applications securely without forfeiting speed or performance,” said Upesh Patel, VP of Business Development, Aqua Security.

“A complete lifecycle vulnerability management solution is critical to NeuVector customers. With the NeuVector CircleCI orb, developers and DevOps teams can build automated security into their CI/CD pipeline by triggering container image scanning during the build process managed by CircleCI. This enables NeuVector customers to enforce security policies during the build, ship, and run phases,” said Gary Duan, co-founder and CTO at NeuVector.

“At CryptoMove, we want to make it easy for developers and teams to get their data in-and-out of our product, moving target defense. With CircleCI, and the help of their development team, we have built our orb to allow developers to seamlessly read sensitive information as environment variables from our moving target defense in their CircleCI builds and deploys,” said Nicholas Schook, solutions engineer, CryptoMove.

What you can do

Is there something else that you would like to do to secure your pipeline that isn’t available from an orb? Orbs are open source, so adding functionality to an existing orb is just a matter of getting your PR approved and merged. Check out all of the available orbs in the orbs registry. Do you have a use case that you feel stands apart from the current set of security-focused orbs? You can author one yourself and contribute it to the community. We’ve even published best practices for creating automated build, test, and deploy pipelines for orbs (part 1 and part 2) to help you along your way.

To secure your pipeline, let your team take advantage of third-party services and eliminate the need for in-house development. With orbs, your team only needs to know how to use those services, not how to integrate or manage them.