If you are not already generating an SBOM as part of your DevSecOps Pipeline integration, DeployHub Pro’s integration with Syft can transform your DevOps pipeline to a DevSecOps platform.
Platform Use Cases
DevSecOps Pipeline Integration Using Your Current CI/CD Solution
DevSecOps Pipeline Integration Tool
DeployHub Pro integrates seamlessly with CI/CD pipelines and tools, from Jenkins to Helm, so that security tooling is applied from build through deployment. Real-time security checks at each stage identify vulnerabilities at the point they are introduced, enabling timely and low-cost remediation. With DeployHub Pro you can fortify your pipelines to implement Continuous Vulnerability Management and deliver a hardened DevSecOps platform.
DeployHub Pro collects both security and DevOps data in order to track where vulnerabilities are running. This information is gathered from the CI/CD pipeline for every Component version release.
The platform uses the Ortelius open-source CLI to support your DevSecOps Pipeline Integration.
Key Concept
DevSecOps pipelines are automated workflows that integrate with security practices throughout the software development lifecycle.
DeployHub Pro DevSecOps Pipeline Integrations
- SonarQube
- Veracode
- Syft
- CycloneDX
- SPDX
- OSV Dev
- CI/CD
- GitHub
- Helm
Enhance your DevOps process with DeployHub Pro’s DevSecOps Pipeline integration. Associate SonarQube Project Status, Bugs, Code Smells, and Violations metrics with your Component Version. Associating these metrics enables compliance scoring for Application Versions, since the metrics are rolled up from the Component Versions to the Application Version.
DeployHub Pro can associate Veracode Security Scan results with your Component Version. Associating these metrics enables compliance scoring for Application Versions, since the metrics are rolled up from the Component Versions to the Application Version.
DeployHub Pro’s Continuous Vulnerability Management can consume CycloneDX formatted SBOMs. If you are already generating SBOMs, you will pass the name of the SBOM results to DeployHub Pro.
DeployHub Pro’s Continuous Vulnerability Management can consume any SPDX formatted SBOM. If you are already generating SBOMs, you will pass the name of the SBOM results to DeployHub Pro.
DeployHub Pro uses OSV.dev to continuously monitor the vulnerabilities of your Components and Applications within your software supply chain. DeployHub Pro scans for new vulnerabilities every 10 minutes, turning your DevOps pipeline into a DevSecOps platform that provides continuous vulnerability detection.
DeployHub Pro integrates into your CI/CD process using the Ortelius open-source Command Line Interface (CLI). The Ortelius CLI gathers supply chain data from a single pipeline workflow at the build and deploy steps. The build step gathers Swagger, SBOM, Readme, licenses, Git data, Docker image, and other build output. The deploy step records when a release occurs, what was sent, and where the objects were sent.
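As an added example (not DeployHub Pro’s or the Ortelius CLI’s own code), the following Python walks through what the SBOM and OSV.dev sections describe: extracting package URLs from a CycloneDX or SPDX JSON SBOM, shaping them into an OSV.dev `POST /v1/querybatch` request body, mapping the results back onto Components, rolling findings up to the Application, and diffing against the previous periodic scan so only new findings are alerted on. The two SBOM documents, the OSV-style response, and the vulnerability IDs are constructed placeholders, and no network call is made.

```python
import json

# Constructed sample inputs (not from the page): a CycloneDX JSON SBOM and an SPDX JSON SBOM
CYCLONEDX_SBOM = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
  {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}]}"""
SPDX_SBOM = """{"spdxVersion": "SPDX-2.3", "packages": [{"name": "lodash", "versionInfo": "4.17.20",
  "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                    "referenceLocator": "pkg:npm/lodash@4.17.20"}]}]}"""

def purls_from_sbom(text):
    """Extract package URLs from either SBOM format; purls are what OSV.dev is queried with."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return [c["purl"] for c in doc.get("components", []) if c.get("purl")]
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return [ref["referenceLocator"] for pkg in doc.get("packages", [])
                for ref in pkg.get("externalRefs", []) if ref.get("referenceType") == "purl"]
    raise ValueError("unrecognised SBOM format")

def osv_querybatch_payload(purls):
    """Request body for OSV.dev's POST /v1/querybatch: one query per purl (send with any HTTP client)."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}

# Constructed OSV-style batch response; the IDs are placeholders, not real advisories
OSV_RESPONSE = {"results": [{"vulns": [{"id": "EXAMPLE-VULN-1"}, {"id": "EXAMPLE-VULN-2"}]},
                            {"vulns": []}]}

def match_findings(purls, response):
    """OSV returns results in query order, so zip them back onto the purls and validate the count."""
    results = response.get("results", [])
    if len(results) != len(purls):
        raise ValueError("result count does not match query count")
    return {p: sorted(v["id"] for v in r.get("vulns", [])) for p, r in zip(purls, results)}

def rollup_to_application(component_findings):
    """Roll per-Component findings up to the Application level (deduplicated, sorted)."""
    return sorted({vid for ids in component_findings.values() for vid in ids})

def new_since_last_scan(previous, current):
    """Findings present now but absent from the previous periodic scan: the alert-worthy delta."""
    delta = {p: sorted(set(ids) - set(previous.get(p, []))) for p, ids in current.items()}
    return {p: ids for p, ids in delta.items() if ids}
```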
The Ortelius Open Source Community maintains the Ortelius CLI under the governance of the Linux Foundation’s Continuous Delivery Foundation.
You can configure DeployHub Pro to call out to a Git repo to pull deployable artifacts (binaries, scripts, etc.) as part of your deployment. The process checks out your deployable artifacts based on the commit, branch, or tag specified.
DeployHub Pro integrates with Helm using the CI/CD Command Line Interface (CLI). For every Component Version, the CLI gathers and stores the Chart, Chart Namespace, Repo, and version.
- OpenSSF Scorecard
- Dora Metrics
- Swagger
- Issue Tracking
- Salesforce
- Hipchat
- Slack
- LDAP
For Component Versions managed by DeployHub Pro, OpenSSF Scorecard data is populated with the metrics found, when available. This information is then aggregated to the ‘logical’ Application, showing an overall OpenSSF score.
When DeployHub Pro is integrated into your CI/CD pipeline, it can capture metrics for DORA reporting. The two DORA metrics that DeployHub Pro captures are Deployment Frequency and Lead Time for Changes.
DeployHub Pro collects DORA metrics on Application Versions, reporting Application-level DORA metrics for decoupled architectures.
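To make the two DORA metrics named above concrete, here is an added Python example (not DeployHub Pro’s own implementation) that computes Lead Time for Changes and Deployment Frequency from the kind of build-step and deploy-step records the page says the CLI gathers, and then reports the Application-level median across Component Versions. The component names, timestamps, and reporting window are constructed sample data.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed build records: Component Version -> commit timestamp (UTC), as a build step might record
BUILDS = [
    {"component": "store-api:1.4.0", "committed": "2024-03-01T09:00:00Z"},
    {"component": "store-api:1.4.1", "committed": "2024-03-02T14:30:00Z"},
    {"component": "cart-svc:2.0.0", "committed": "2024-03-03T08:00:00Z"},
]
# Constructed deploy records: when each Component Version reached production
DEPLOYS = [
    {"component": "store-api:1.4.0", "deployed": "2024-03-01T15:00:00Z"},
    {"component": "store-api:1.4.1", "deployed": "2024-03-04T10:30:00Z"},
    {"component": "cart-svc:2.0.0", "deployed": "2024-03-04T12:00:00Z"},
]

def _ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lead_time_hours(builds, deploys):
    """Lead Time for Changes per Component Version: commit time to production deploy, in hours."""
    committed = {b["component"]: _ts(b["committed"]) for b in builds}
    out = {}
    for d in deploys:
        if d["component"] not in committed:
            raise KeyError(f"deploy of {d['component']} has no matching build record")
        out[d["component"]] = (_ts(d["deployed"]) - committed[d["component"]]).total_seconds() / 3600
    return out

def application_lead_time_hours(builds, deploys):
    """Application-level figure: median of the Component Version lead times."""
    return median(lead_time_hours(builds, deploys).values())

def deployment_frequency_per_day(deploys, window_days):
    """Deployment Frequency: production deployments per day over the reporting window."""
    if window_days <= 0:
        raise ValueError("window must be positive")
    return len(deploys) / window_days
```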
Add your API Swagger documentation to your DeployHub Pro evidence store to clarify component usage and details.
DeployHub Pro integrates with Jira, Bugzilla, and GitHub Issues to track your change requests at three levels: Component (microservice), Application, and Release (collection of Applications). You define Jira, Bugzilla, or GitHub through an object called a ‘data source.’ Once defined, you can pull change requests from your issue system and assign them at any level for tracking. When change requests are managed this way, a continuous feedback loop shows when the issue was opened and when the customer received the fix.
If you are developing your Applications using Salesforce, this integration allows you to support Salesforce deployments. By creating this Custom Action, you can replace the DeployHub Pro standard deployment processing engine and instead use a process designed specifically for Salesforce, including the mapping of DeployHub Pro Environments to different Salesforce regions such as testing, pre-production, and production, where the class and package files can be deployed.
DeployHub Pro’s Continuous Vulnerability Management allows you to send notifications using Notifiers via HipChat Groups, Topics, or Room features. Notifications are defined for Components and Applications and inform the recipient(s) of the success or failure of the Component or Application deployment.
Slack can be integrated with DeployHub Pro using Notifiers. Notifiers can be called to report on the success or failure of a deployment.
DeployHub Pro allows you to use LDAP or Active Directory to manage your User logins. The integration creates an LDAP Data Source to access an LDAP database and uses the information stored there to grant access to DeployHub Pro. It also populates the User’s General tab with Real Name and Email, which it gets from the LDAP database. When you define a User, you associate the LDAP authentication method. At login, DeployHub Pro checks the User’s authentication method to determine whether LDAP or Active Directory should be used.
Whitepaper Download
Application Security Tooling and CI/CD Explored
Learn how to evolve your DevOps Pipeline to a DevSecOps Pipeline with open-source tooling.
Take A Tour
See Continuous Vulnerability Management In Action
Explore Ortelius open-source. Sign up for Ortelius SaaS and experience vulnerability management in action with a quick, hands-on overview. DeployHub Pro is based on Ortelius OS. Ortelius is incubating at the Continuous Delivery Foundation.