CI/CD and SSDLC labs (TSM CyberSec) 2425
On this page you'll find the lab(s) for the TSM CyberSec course.
Organization
The labs is finally only one lab in which you build a CI/CD pipeline with the main focus on security add-ons. This will include:
- unit tests
- coverage tests
- SAST integration
- DAST integration
- data leakage prevention
- ... and much more
The lab will be performed in groups of two students.
Evaluation
The groups (pair) will be evaluated.
Any work is stored by the groups in their own Git repo. The professor controls only the main branch. Finally the main branche should contain:
- Code
- CI/CD pipeline
- Documentation / answers to the questions
The documentation contains the answers to all the questions asked. It is a rolling lab, which means, that additional questions will come each week. Use the question files (e.g. docs/question-part1.md) for your answers! (--> Overall duration of the lab approximately 5 weeks)
Grading
How is the lab graded?
- If you answer the questions correctly, you have the grade 5.0
- To get more than 5.0, you must for example :
- propose an original solution
- deepen one or more themes
- answer the optional questions of the labs (if there are any)
Submission
All your work must be terminated and commit to your group repo at latest 16.04.2025
Preparation
You must (in the pair) fork the Git Repo that contains an example Web-API application with a minimalistic CI/CD pipeline. This repo will build the starting point for all your upcoming lab tasks. These preparation steps will be done together in class
Tasks
- Fork this git repo here https://gitlab.forge.hefr.ch/devsecops/mse/mse-devsecops-2425
- Get some inspiration here how to fork a repo
- Give Maintainer access to your colleague in your group
- Give Developer access to the professor (@michael.maeder)
- Clone your newly created repo to your local machine and
cdinto the directory - Set the
upstreamto the main repo to get any updatesgit remote add upstream git@gitlab.forge.hefr.ch:devsecops/mse/mse-devsecops-2425.git
git pull upstream mainwill update your fork repo with the latest changes from the main repo
Lab environment setup
In the first part, the lab will be mainly a setup of the environment for everybody to ensure that you can work correctly. The basics will be shown directly in the course.
Currently the following directory structure exists:
- docs: place for you to put your documentation, explanations, answers, graphics, etc
- src: a minimalistic web application (written in Python 3.x) that can perform the following calculations:
- addition / subtraction
- multiplication
- division
- tests: test comes here (e.g. unit tests, coverage, ...)
Analysis of the application and the existing pipeline
You must understand the application, how it works, the basics of Flask (as web platform) and of course the automation processes (CI/CD) for testing, building, etc. the application.
Usage of the API
see README.md in the src directory
Basic pipeline
The provided basic pipeline description .gitlab-ci.yml is not optimized at all. It works in a shaky way and does the following tasks:
- run the unit tests (described in
src/tests) - checks the test coverage
- create a test and coverage report in HTML format, which is then accessible through your gitlab pages (e.g. https://mse-devsecops-2425-7a97d4.pages.forge.hefr.ch)
The questions
The questions for all the parts can be found in the questions-partX.md files file in the docs directory. You can write your answers directly into these files if you wish.