Software-supply-chain-security-java

This repo contains articles, videos, and resources on software supply chain security that I came across during my research. Below, you can first see the architecture of the project to be implemented and access the detailed technology stack through the links.

🔗 GitHub Links

Proje Adı	Açıklama	GitHub Linki
Awesome software supply chain security	A compilation of resources in the software supply chain security domain, with emphasis on open source	Github
ssc-reading-list	ssc-reading-list	GitHub
Proje 3	Açıklama 3	GitHub Proje 3
Proje 4	Açıklama 4	GitHub Proje 4

🎥 Videos

Başlık	Yükleyen	Yayın Tarihi	İzlenme Sayısı
Securing the Supply Chain for Your Java Applications By Thomas Vitale	Devoxx	06.10.2023	500+
Signing And Verifying Container Images With Sigstore Cosign And Kyverno	DevOps Toolkit	10.10.2022	5000+
Video 3	Kanal 3	03.01.2023	2000+
Video 4	Kanal 4	04.01.2023	300+

📝 Article

Başlık	Yazar	Yayın Tarihi	Değerlendirme
Supply Chain Security	aqua	None	⭐⭐⭐⭐⭐
How to create SBOMs in Java with Maven and Gradle	snyk	28.11.2022	⭐⭐⭐⭐
SBOM Quick Start	Sonatype	None	⭐⭐⭐⭐
Sign and Verify Container Images with Cosign, and Kyverno: A Complete Guide	Seifeddine Rajhi	.09.2023	⭐⭐⭐⭐⭐

👤 LinkedIn Profiles to Follow

Name	Title	Profile Link
Batuhan Apaydın	Senior Platform Engineer	LinkedIn Profile
Furkan Türkal	Platform Engineer	LinkedIn Profile
Dan Lorenc	Ceo	LinkedIn Profile
Saim Safder	DevOps Tech Lead	LinkedIn Profile

Dependency Track

Installed with docker-compose.yaml

Sonarqube

docker pull sonarqube:communition
docker run -d --name sonarqube -p 9000:9000 -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -e SONAR_JAVA_OPTS="-Xmx4g -Xms512m -XX:+HeapDumpOnOutOfMemoryError" sonarqube:community

We can use below command for project SCA

You must install sonar-scanner your local desktop

How to create a token => My Account=> Security=> Generate Tokens
mvn clean package sonar:sonar -Dsonar.projecKey=secure-devOps -Dsonar.host.url=http://localhost:9000 -Dsonar.login=sqa_8d5781d430cef6f2ba2c08e691ef6b01bd0c8f28 -Dsonar.exclusions=**/*.java this login token will be changing because of this sonarqube does not persistent

Buildpacks

We will creating a image with buildpacks Buildpacks

Jıb-Maven-Plugin

How to use jib with our java project
mvn clean install -P create-image-openjdk => max size
mvn clean install -P create-image-openjdk-slim
mvn clean install -P create-image-openjdk-jre => min size

After this step we will be working on killercoda

Trivy

How to install trivy
trivy image dogandemir51/secure:0.0.1
trivy image --format json --output trivy-scanning.json dogandemir51/secure:0.0.1

Name		Name	Last commit message	Last commit date
Latest commit History 65 Commits
.mvn/wrapper		.mvn/wrapper
securechart		securechart
src		src
.gitignore		.gitignore
README.md		README.md
SBOM.md		SBOM.md
azure-pipelines.yml		azure-pipelines.yml
com.securedevops_secure-0.0.1-cyclonedx-sbom.json		com.securedevops_secure-0.0.1-cyclonedx-sbom.json
com.securedevops_secure-0.0.1.spdx.json		com.securedevops_secure-0.0.1.spdx.json
docker-compose.yml		docker-compose.yml
mvnw		mvnw
mvnw.cmd		mvnw.cmd
pom.xml		pom.xml
trivy-scanning.json		trivy-scanning.json

emirhandogandemir/software-supply-chain-security-java

Folders and files

Latest commit

History

Repository files navigation

Software-supply-chain-security-java

Dependency Track

Sonarqube

Buildpacks

Jıb-Maven-Plugin

Trivy

Helm

Kyverno

Cosign

About

Topics

Resources

Stars

Watchers

Forks

Languages