CDP 35948519: Utilize a Secure DevOps environment supporting code scanning services #28

Open
opened 2026-04-16 08:16:52 +02:00 by Hartmut · 3 comments
Owner

CDP Control ID: 35948519
Category: Secure Application Development
Frequency: Quarterly
Owner: h.noerenberg
Parent: #1

Requirement & Guidance

Secure Application Development Requirement: Applications that are being developed in a DevOps environment where a CI/CD (Continuous Integration/Continuous Deployment) pipeline is in place must be developed in a Secure DevOps environment ensuring continuous scanning throughout the application's development life cycle, allowing developers to identify critical security risks prior to going live. The app development process should include execution of scans as part of the application build, remediating all Critical and High findings prior to releasing to customers. Where findings are not remediated, appropriate client sign-off must be obtained.

Additionally, if the application is a web application, processes/collects regulated personal data, processes >1M records of client data, and/or serves as a credential/password reset system, the application must undergo an application security assessment (ASA) prior to go-live to ensure compliance with Accenture application security standards and industry best practices for securing applications. Additional ASAs must be performed if there are any significant changes to the application or with each major release.

Attachment(s) Required: Vulnerability and/or application security assessment results

Guidance: Secure DevOps - A DevOps environment supporting code scanning services, covering static analysis (SAST), dynamic analysis (DAST) and software composition analysis (SCA). All critical/high vulnerabilities should be remediated prior to software release. Tools and services provided by the security team are chargeable. Visit https://in.accenture.com/protectingaccenture/client-data-protection/cdp-insiders/jobaids/ for job aids.

Hartmut added the cdpsecurity labels 2026-04-16 08:16:52 +02:00
Author
Owner

CapaKraken Action Plan — 35948519 Secure DevOps / CI/CD Scanning

Scope: CI/CD pipeline with Secure DevOps practices + continuous scanning (SAST/DAST/SCA).

Current state:

  • docs/acn-security-compliance-status.md 3.2.2.7.01 PARTIAL — Dependabot + pnpm audit in CI; no SAST/DAST tool
  • Gitea Actions for unit/E2E/lint/typecheck/dependency audit (currently all green on 0ef9add)

Reference: Intelligent Application Security Platform (https://in.accenture.com/protectingaccenture/client-data-protection/cdp-insiders/jobaids/)

Todos (HIGH priority per the compliance status, open items #3):

  • Introduce a SAST tool: integrate Semgrep (open source) or SonarQube Community into CI
    • Job .github/workflows/sast.yml → fail on Critical/High
  • SCA: already covered via Dependabot + pnpm audit --audit-level=high (configure it as a CI gate)
  • DAST: OWASP ZAP baseline scan against the staging environment (weekly)
  • Policy: scan findings are tracked in issues; Critical findings block the deploy
  • Evidence: CI config + sample scan report

Quarterly control — scans must produce results every quarter.

Files:

  • .github/workflows/ — new SAST/DAST workflows
Author
Owner

CapaKraken Compliance Status

EAPPS mapping: DevSecOps Standard
Status: 🟡 PARTIAL / TODO — concrete steps below

Summary

CI/CD pipeline on Gitea Actions with Dependabot + pnpm audit. SAST/DAST tools are missing (compliance doc: TODO, priority HIGH).

Current evidence

  • CI pipeline — .github/workflows/ci.yml
  • Nightly security audit — .github/workflows/nightly-security.yml
  • CODEOWNERS + dependency audit step — commit 9c537b0
  • Compliance doc: DevSecOps Standard = PARTIAL, EAPPS 3.2.2.7.01 = PARTIAL

Open tasks

  • Integrate a SAST tool (SonarQube Community, Semgrep CLI or CodeQL action).
  • Integrate a DAST tool (OWASP ZAP baseline scan against the preview deployment).
  • Enable secret scanning (Gitlooper, gitleaks).
  • Branch protection rules for main (PR review + status checks mandatory).
  • Effort per the compliance doc: 2–3 days, priority HIGH.

Ticket stays open until all tasks are ticked off.
Author
Owner

Action Plan

CDP requirement: the CI/CD pipeline must run SAST + DAST + SCA; Critical/High findings block.

Status — coverage matrix

  Scan type                              Tool                             Status
  SCA (Software Composition Analysis)    pnpm audit --audit-level=high    ✅ Nightly + on every PR (.github/workflows/nightly-security.yml, cron 17 2 * * *)
  SCA updates                            Dependabot                       ✅ Configured (.github/dependabot.yml)
  SAST (Static Analysis)                 —                                🔴 MISSING
  DAST (Dynamic Analysis)                —                                🔴 MISSING
  Secret scanning                        Gitea built-in + pre-commit?     🟡 Not explicitly configured

TODO 1 — SAST (high priority)

Recommendation: add CodeQL or Semgrep to CI.

  • Semgrep (lighter, self-hostable): docker run --rm -v $PWD:/src returntocorp/semgrep semgrep --config=p/typescript --config=p/react --config=p/nodejs --error
  • New workflow file .github/workflows/sast.yml with a Semgrep scan on PRs + main, fail on High/Critical.
  • Gate: part of the needs chain in ci.yml, before release images are pushed.

TODO 2 — DAST (medium priority)

Recommendation: OWASP ZAP baseline scan against the Fresh-Linux Docker Deploy instance.

  • After a successful docker-deploy-test job → zaproxy/action-baseline@v0.14.0 against http://localhost:3100
  • Fail on High for new findings, but only warn for existing ones.

TODO 3 — ASA (Application Security Assessment)

Check the regulated/personal data scope:

  • CapaKraken processes internal Accenture resource data (employee names, leave, skills).
  • Per the CDP text, an ASA is required for "regulated personal data" OR ">1M records". CapaKraken → probably not (internal, non-regulated data, small scope).
  • Formalise the decision with the account InfoSec lead.

TODO 4 — Secret scanning

In addition to the Gitea default: enable a gitleaks pre-commit hook (.pre-commit-config.yaml or Husky).

Frequency: Quarterly — review the current findings.

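The release gate that the first action plan ("Critical findings block the deploy", sast.yml failing on Critical/High) and TODO 2 above ("fail on High for new findings, but only warn for existing ones") both describe, written out as an added example in the project's own language (TypeScript). This is not CapaKraken code and not part of the issue. Everything it assumes is an assumption for this example: Semgrep run with `--json -o semgrep.json`, the ZAP baseline run with `-J zap.json`, a committed `scan-baseline.json` listing fingerprints that received client sign-off, and the embedded sample reports, which are constructed rather than real scan output.

```typescript
// scripts/scan-gate.ts: one Critical/High release gate over Semgrep (SAST) and ZAP baseline (DAST) output.
// Added example for CapaKraken#28, not the project's own code. Assumed wiring (all names are assumptions):
//   semgrep scan --config p/typescript --config p/react --config p/nodejs --json -o semgrep.json
//   zap-baseline.py -t http://localhost:3100 -J zap.json
//   scan-baseline.json: JSON array of fingerprints that have client sign-off (warn, do not block)
import { readFileSync } from "node:fs";

export type Severity = "critical" | "high" | "medium" | "low" | "info";

export interface Finding {
  tool: "semgrep" | "zap";
  rule: string;        // Semgrep check_id or ZAP pluginid
  severity: Severity;
  location: string;    // path:line (Semgrep) or URI (ZAP)
  fingerprint: string; // stable key matched against the sign-off baseline
}

// Semgrep rule severities are INFO/WARNING/ERROR; only ERROR maps to the High tier.
const SEMGREP_SEVERITY: Record<string, Severity> = { ERROR: "high", WARNING: "medium", INFO: "info" };
// ZAP riskcode is a string: 3 High, 2 Medium, 1 Low, 0 Informational.
const ZAP_SEVERITY: Record<string, Severity> = { "3": "high", "2": "medium", "1": "low", "0": "info" };

// `semgrep --json` shape: {results: [{check_id, path, start: {line}, extra: {severity, fingerprint}}]}
export function fromSemgrep(report: any): Finding[] {
  return (report.results ?? []).map((r: any): Finding => ({
    tool: "semgrep",
    rule: r.check_id,
    severity: SEMGREP_SEVERITY[r.extra?.severity] ?? "info",
    location: `${r.path}:${r.start?.line}`,
    // Semgrep's own fingerprint survives line shifts; fall back to rule+location if it is missing.
    fingerprint: r.extra?.fingerprint ?? `semgrep:${r.check_id}:${r.path}:${r.start?.line}`,
  }));
}

// ZAP JSON report shape: {site: [{"@name", alerts: [{pluginid, riskcode, instances: [{uri}]}]}]}.
// One finding per (plugin, URI), so a known rule firing on a new URL is still a new finding.
export function fromZap(report: any): Finding[] {
  const out: Finding[] = [];
  for (const site of report.site ?? []) {
    for (const a of site.alerts ?? []) {
      for (const inst of a.instances ?? [{ uri: site["@name"] }]) {
        out.push({ tool: "zap", rule: String(a.pluginid), severity: ZAP_SEVERITY[String(a.riskcode)] ?? "info",
          location: String(inst.uri), fingerprint: `zap:${a.pluginid}:${inst.uri}` });
      }
    }
  }
  return out;
}

// blocking: Critical/High without sign-off (fails the job); warnings: Critical/High with sign-off in the
// baseline (report only); belowThreshold: Medium and lower (tracked in issues, never block).
export interface GateResult { blocking: Finding[]; warnings: Finding[]; belowThreshold: Finding[]; ok: boolean }

// CDP policy: Critical/High must be remediated before release unless the client signed it off.
export function gate(findings: Finding[], baseline: Set<string>): GateResult {
  const res: GateResult = { blocking: [], warnings: [], belowThreshold: [], ok: true };
  for (const f of findings) {
    if (f.severity !== "critical" && f.severity !== "high") res.belowThreshold.push(f);
    else if (baseline.has(f.fingerprint)) res.warnings.push(f);
    else res.blocking.push(f);
  }
  res.ok = res.blocking.length === 0;
  return res;
}

// Plain-text summary, usable as the sample scan report attached to the quarterly evidence.
export function summarize(r: GateResult): string {
  const line = (tag: string, f: Finding) => `${tag} [${f.tool}] ${f.severity} ${f.rule} @ ${f.location}`;
  return [
    ...r.blocking.map((f) => line("BLOCK", f)),
    ...r.warnings.map((f) => line("WARN ", f)),
    ...r.belowThreshold.map((f) => line("INFO ", f)),
    `result: ${r.ok ? "PASS" : "FAIL"} (${r.blocking.length} blocking, ${r.warnings.length} signed-off)`,
  ].join("\n");
}

// Constructed sample reports (not real scan output) so the script also runs offline.
export const SAMPLE_SEMGREP = { results: [
  { check_id: "javascript.express.security.audit.xss.direct-response-write", path: "src/server.ts",
    start: { line: 42 }, extra: { severity: "ERROR", fingerprint: "sg-f1" } },
  { check_id: "typescript.react.security.audit.react-dangerouslysetinnerhtml", path: "src/Calendar.tsx",
    start: { line: 17 }, extra: { severity: "WARNING", fingerprint: "sg-f2" } },
] };
export const SAMPLE_ZAP = { site: [{ "@name": "http://localhost:3100", alerts: [
  { pluginid: "10038", riskcode: "2", instances: [{ uri: "http://localhost:3100/" }] },
  { pluginid: "10003", riskcode: "3", instances: [
    { uri: "http://localhost:3100/assets/vendor.js" }, { uri: "http://localhost:3100/admin/vendor-old.js" }] },
] }] };
// The first vendor.js hit was signed off by the client earlier; everything else is new.
export const SAMPLE_BASELINE = new Set(["zap:10003:http://localhost:3100/assets/vendor.js"]);

// CLI: scan-gate.ts semgrep.json zap.json [scan-baseline.json]; exit code 1 blocks the deploy.
export function main(argv: string[]): number {
  const load = (p: string) => JSON.parse(readFileSync(p, "utf8"));
  const baseline = new Set<string>(argv[2] ? (load(argv[2]) as string[]) : []);
  const r = gate([...fromSemgrep(load(argv[0])), ...fromZap(load(argv[1]))], baseline);
  console.log(summarize(r));
  return r.ok ? 0 : 1;
}

const args = process.argv.slice(2);
if (args.length >= 2) process.exit(main(args));
else console.log(summarize(gate([...fromSemgrep(SAMPLE_SEMGREP), ...fromZap(SAMPLE_ZAP)], SAMPLE_BASELINE)));
```

Run as a step after both scanners (for example `pnpm dlx tsx scripts/scan-gate.ts semgrep.json zap.json scan-baseline.json`), a non-zero exit stops the needs chain in ci.yml before release images are pushed, and the printed summary is the sample scan report the evidence item asks for. The same policy can be had per tool without a script: Semgrep with `--severity ERROR --error` and `--baseline-commit`, ZAP baseline with a rules file passed via `-c`; the point of the script is one policy and one report for both, with the sign-off list kept in the repository where a reviewer can see who accepted what.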
Reference: Hartmut/CapaKraken#28