Transform CI/CD Pipelines to Include DevSecOps Tools

Evolve Your CI/CD Pipelines to include Security Tooling

Let DeployHub Add Security to Your DevOps Process

DeployHub integrates seamlessly with CI/CD pipelines, from Jenkins to GitHub, to ensure security throughout development and deployment. Automated security checks at each stage help identify vulnerabilities at the point they are introduced, enabling timely and low-cost remediation. With DeployHub you can easily fortify your pipelines to implement continuous security.

Automate SBOM Generation

SBOM automation must be included as part of your CI/CD workflow to gather the forensics of your software supply chain, including open source. The information derived from an SBOM is a critical first step in understanding your software security profile. This is why SBOM consumption is essential. The SBOM exposes the open-source packages with attributes that are consumable and delivered to end users. But generating an SBOM alone does not provide you insights. The data must be consumed with SBOM management. To act upon the SBOM data, you need a collection and historical tracking method. This collection and historical tracking should be continuous, auditing every update to every version and the impact of those changes.

Adding SBOM generation to your workflow is fairly straightforward with DeployHub and requires only minimal updates to your pipeline workflow files. DeployHub uses the Ortelius open-source CLI to support your DevOps process.

Using the Ortelius Command Line Interface

DeployHub integrates into your CI/CD process using the Ortelius Open-Source Command Line (CLI). The Ortelius CLI gathers supply chain data based on a single pipeline workflow at the build and deploy steps. The build step gathers Swagger, SBOM, Readme, licenses, Git data, Docker image, and other build output. The deploy step records when a release occurs, what was sent, and where the objects were sent to.

The Ortelius CLI is maintained by the Ortelius Open Source Community under the governance of the Linux Foundation’s Continuous Delivery Foundation.

For the most up-to-date information on the Ortelius CLI, visit the Ortelius GitHub Repository. You will find a complete list of parameters for collecting SBOMs and other security tools and results.

Explore DeployHub Integrations

DeployHub can associate SonarQube Project Status, Bugs, Code Smells, and Violations metrics to your Component Version. Associating these metrics enables compliance scoring for Application Versions since the metrics are rolled up from the Component Versions to the Application Version.

DeployHub can associate Veracode Security Scan with your component version. Associating these metrics enables compliance scoring for Application Versions since the metrics are rolled up from the Component Versions to the Application Version.

If you are not already generating an SBOM as part of your DevOps Pipeline, DeployHub’s supply chain defense catalog integrates with Syft to get the job done.

DeployHub’s software supply chain defense catalog can consume CycloneDX formatted SBOMs. If you are already generating SBOMs, you will pass the name of the SBOM results to DeployHub.

DeployHub’s software supply chain management catalog can consume any SPDX formatted SBOM. If you are already generating SBOMs, you will pass the name of the SBOM results to DeployHub.

DeployHub uses OSV.Dev to continuously monitor the vulnerabilities of your Components and Applications within your software supply chain. DeployHub scans for new vulnerabilities every 30 minutes.

You can configure DeployHub to call out to a Git repo to pull deployable artifacts (binaries, scripts, etc.) as part of your deployment. The process checks out your deployable artifacts based on the commit, branch, or tag specified.

Helm can be called to replace the DeployHub default processing engine for performing container deployments. When DeployHub executes the release process, it will call the Helm Chart you have defined as your Custom Action at the Component level. Our microservice catalog includes the version of the Helm chart as part of its overall configuration data. In addition, DeployHub’s software supply chain defense catalog can track Key Value pairs and generate override files for each environment to which you are deploying, making updates to configurations quick and easy.

Add your API Swagger documentation to your supply chain to clarify component use and details.

DeployHub integrates with Jira, Bugzilla, and GitHub issues to track your change request at three levels: Component (microservice), Application, and Release (collection of Applications). You define Jira, Bugzilla, or GitHub through an object called a ‘data source.’ Once defined, you can pull change requests from your issue system and assign them at any level for tracking. When change requests are managed this way, a continuous feedback loop shows when the issue was opened and when the customer received the fix.

If you are developing your Applications using Salesforce, this integration allows you to support Salesforce deployments. By creating this Custom Action, you can replace the DeployHub standard deployment processing engine with a process designed specifically for Salesforce, including the mapping of DeployHub Environments to different Salesforce regions such as testing, pre-production, and production, where the class and package files can be deployed.

A software supply chain management catalog would be incomplete without managing the important database parts, particularly for poly databases. You can publish your database updates to the catalog, tracking and versioning your data changes. DeployHub has a unique type of Component for database updates, allowing you to manage your database with roll-forward and rollback processing. Check out the ‘version jumping’ DB Demo.

DeployHub’s continuous security intelligence allows you to send notifications using Notifiers via HipChat Groups, Topics, or Room features. Notifications are defined for Components and Applications and inform the recipient(s) of the success or failure of a Component or Application deployment.

Slack can be integrated with DeployHub using Notifiers. Notifiers can be called to report on the success or failure of a deployment.

DeployHub integrates with CircleCI to support microservices continuous configuration management and continuous deployments built into your CircleCI pipeline. In particular, DeployHub integrates with CircleCI to enrich the CI/CD pipeline around microservices, tracking which applications need to be retested due to a common microservice update.

Critical to the process is the ability to version and track microservices across clusters and teams and map them to ‘logical’ Applications. DeployHub’s CircleCI Orb includes the ability to perform automated version and dependency management of microservices, tracking application and microservice relationships, their versions, and their deployment metadata.

DeployHub allows you to use LDAP or Active Directory to manage your User logins. The integration creates an LDAP Data Source to access an LDAP database and use the information stored to gain access to DeployHub. It also populates the Users General tab with Real Name and Email, which it gets from the LDAP database. When you define a User, you associate the LDAP authentication method. At login, DeployHub checks the User’s authentication method to determine if LDAP or Active Directory should be used.

Make Your Security Intelligence Actionable

Put Your SBOM Data to Work. Sign up for DeployHub Team, the free SaaS software supply chain security platform. DeployHub Team is based on the Ortelius Open-Source project incubating at the Continuous Delivery Foundation.
