開発エンジニアが取り組む DevSecOps ～ GitHub Enterprise × Azure での実践～

Transcript

1. ։ൃΤϯδχΞ͕औΓ૊Ή DevSecOps ～ GitHub Enterprise × Azure Ͱͷ࣮ફ ～ ࣍ظϑϩϯτγεςϜ։ൃ෦
   ౉ล
   Ұ޺

   
   0DUP/JIPO
   'PSN
   

2. 2 WHO!? ౉ลҰ޺ JCOMגࣜձࣾ ࣍ظϑϩϯτγεςϜ։ൃ෦ WebΞϓϦέʔγϣϯͷ։ൃ DevOps؀ڥͷߏஙɾӡ༻ Ϋϥ΢υΠϯϑϥͷߏஙɾӡ༻ Microsoft Azure,

   Developer Technologies (Azure Infrastructure as Code, Web Development) @kaz_29

3. 3 ԿΛ͍ͯ͠Δ෦ॺ͔ʁ

4. 4 DevOpsߏ੒֓ཁ DevSecOpsͷલʹ DevSecOpsͷऔ૊Έ • ίʔυͷ݈શੑνΣοΫʢSonarQubeʣ • ύοέʔδߋ৽ΛࣗಈԽʢDependabotʣ • ίϯςφ੬ऑੑΛҰݩ؅ཧʢTrivy

   + Advanced Securityʣ औ૊ΈதͷMCP׆༻ʹ͍ͭͯ ·ͱΊ Agenda

5. %FW0QTߏ੒֓ཁ

6. 6 %FW0QTͷߏ੒֓ཁ APIs FrontApps Push PR Exec Action CI CD/IaC

   ղੳ݁Ռ Provision Deploy Advanced Security Container Scan ঢ়ଶΛ؅ཧ PR Dependabot Trivy Bicep phpcs/phpcbf eslint Vitest PHPUnit phpstan Docker Git ubuntu VSCode

7. DevSecOps

8. 8 %FW4FD0QT ͔ͬ͠Γͨ͠DevOpsͷ࣮ݱ͕DevSecOpsͷલఏ DevɹOps Sec

9. 9 • Πϯϑϥੜ੒ɾઃఆͷࣗಈԽ(IaC) • ίʔυʹམͱ͢͜ͱͰɺΠϯϑϥΛιϑτ΢ΣΞ։ൃͱಉ͡ख๏Ͱ؅ཧͰ͖Δ • όʔδϣϯ؅ཧ • શͯͷϦιʔε(ιʔείʔυɺIaCͷίʔυɺDBͷϚΠάϨʔγϣϯͳͲ) •

   ςετͷࣗಈԽ • UnitTest, Functional Test, (E2E Test) • ϏϧυɾσϓϩΠͷࣗಈԽ • ϏϧυϓϩηεΛશͯࣗಈԽɺϫϯϘλϯͰ୭Ͱ΋࣮ߦͰ͖ΔΑ͏ʹɺ࣮ߦ݁ՌΛશһͰڞ༗ • ϦΞϧλΠϜʹ৘ใڞ༗ • શһ͕ࢀՃ͍ͯ͠ΔνϟοτͰશͯΛڞ༗ɺγεςϜʹى͖͍ͯΔ͜ͱΛ௨஌ɺίϛϡχέʔγϣϯίετͷ࡟ݮ %FW0QTʹඞཁͳཁૉ

10. 10 %FW0QTͷߏ੒֓ཁ $*
    
    13࡞੒࣌ʹ6OJU5FTUͳͲΛࣗಈ࣮ߦ ί ϯ ς φ ͷ Ϗ ϧ

    υ ί σ ϯ ά ε λ Π ϧ ν Ϋ phpstan ʹ Α Δ ੩ త ղ ੳ UnitTest ɾ Functional Test ͷ ࣮ ߦ SonarQube ʹ Α Δ ੩ త ղ ੳ ࣮ ߦ ݁ Ռ Λ Teams ʹ ௨ ஌ SonaeQube Badge Λ PR ί ϝ ϯ τ ʹ ౤ ߘ ίʔυͷ৴པੑɾอकੑ޲ ্ͷࢪࡦ
    w ݕ஌಺༰ͷྫ
    w ܕͷෆҰகͷݕ஌
    w ଘࡏ͠ͳ͍Ϋϥε΍ϝ ιουͷݺͼग़͠
    w ഑ྻΩʔ΍ϓϩύςΟͷ ະఆٛΞΫηε
    w ౸ୡෆೳͳίʔυ 4"45ʢ੩తΞϓϦέʔγϣϯη ΩϡϦςΟςετʣ
    w ݕ஌಺༰
    w όά΍ηΩϡϦςΟͷ੬ऑੑ
    w ίʔυͷॏෳɺෳࡶੑɺίʔ σΟϯάن໿ҧ൓
    w ςετΧόϨοδͷଌఆ
    w ٕज़తෛ࠴ͷఆྔԽ
    

11. 11 %FW0QTͷߏ੒֓ཁ σϓϩΠͷࣗಈԽ ί υ ͷ ν Ϋ Ξ ΢

    τ ί ϯ ς φ Ϩ δ ε τ Ϧ ʹ ϩ ά Π ϯ λ ά ໊ Λ औ ಘ ί ϯ ς φ Λ build & push λ ά ໊ ͔ Β Ϧ Ϗ δ ϯ ໊ Λ ࡞ ੒ Azure ϩ ά Π ϯ ࣮ ߦ த ͷ Ϧ Ϗ δ ϯ Λ औ ಘ ৽ ͠ ͍ Ϧ Ϗ δ ϯ Λ σ ϓ ϩ Π (traf c: 0%) Azure ϩ ά Π ϯ ৽ چ ͷ Ϧ Ϗ δ ϯ ͷ traf c Λ ೖ ସ ͑ Azure ϩ ά Π ϯ چ Ϧ Ϗ δ ϯ Λ ࡟ আ Build Deploy Flip Deactivate ঝೝ ঝೝ ϦϦʔελάΛ࡞੒ Ұ୴͜͜Ͱఀࢭ

12. 12 %FW0QTͷߏ੒֓ཁ *B$
    
    ֤؀ڥͷϓϩϏδϣχϯάΛࣗಈԽ IaC ί υ ͷ จ ๏ ν

    Ϋ STG ֤ ؀ ڥ ͱ ͷ ࠩ ෼ Λ औ ಘ ࠩ ෼ Λ PR ί ϝ ϯ τ ʹ ౤ ߘ IaC ί υ ͷ จ ๏ ν Ϋ ϓ ϩ Ϗ δ χ ϯ ά ࣮ ߦ PR࡞੒ ঝೝ UAT PROD Bicepίʔυͱ ࠩ෼Λൺֱ ໰୊͕ͳ͚Ε͹ Ϛʔδ ϨϏϡʔ ϦϦʔε ߏ੒มߋ Ұ୴͜͜Ͱఀࢭ

13. SonarQube

14. 14 %FW0QTͷߏ੒֓ཁ ࠶ܝ APIs FrontApps Push PR Exec Action CI

    ղੳ݁Ռ Provision Deploy Advanced Security Container Scan ঢ়ଶΛ؅ཧ PR Dependabot Trivy Bicep phpcs/phpcbf eslint Vitest PHPUnit phpstan Docker Git ubuntu VSCode CD/IaC

15. 15 4POBS2VCF

16. 16 SAST Static Application Security Testingɿ੩తΞϓϦέʔγϣϯηΩϡϦςΟςετ Azure্ʹߏங Community EditionΛࣗલͰӡ༻ Azure

    Container Apps - ϏδωελΠϜҎ֎͸0εέʔϧͰίετ0) Azure Database for PostgreSQL Azure Storage(Files) PHP/TypescriptͳͲશͯͷϦϙδτϦͰར༻ 4POBS2VCF ߏ੒

17. 17 Quality Gate • ΧόϨοδ80%Ҏ্ • ݱঢ়ଞ͸΄΅σϑΥϧτɺӶҙௐ੔ΛਐΊ͍ͯΔ ӡ༻্ͷͪΐͬͱͨ͠޻෉ • PRίϝϯτʹBadgeΛࣗಈ౤ߘ

    • εϓϦϯτऴ൫ʹఆظνΣοΫɾରԠ 4POBS2VCF

18. Dependabot

19. 19 %FW0QTͷߏ੒֓ཁ ࠶ܝ APIs FrontApps Push PR Exec Action CI

    ղੳ݁Ռ Provision Deploy Advanced Security Container Scan ঢ়ଶΛ؅ཧ PR Dependabot Trivy Bicep phpcs/phpcbf eslint Vitest PHPUnit phpstan Docker Git ubuntu VSCode CD/IaC

20. 20 GitHubۘ੡ͷϥΠϒϥϦɾύοέʔδͷґଘؔ܎ࣗಈ؅ཧπʔϧ ಛ௃ • όʔδϣϯΞοϓΛݕ஌ • ੬ऑੑΛݕ஌ => ରԠ͢ΔPRΛࣗಈੜ੒(ޓ׵ੑͷϨϕϧ΍ChangeLogΛίϝϯτ಺ʹهࡌ) •

    CIͱ૊Έ߹ΘͤΔ͜ͱͰΞοϓσʔτͷखؒΛܰݮ %FQFOEBCPU

21. 21 ઃఆ PHP(composer) / TS(npm)྆ํར༻ ि࣍ͰνΣοΫΛ࣮ߦ(݄༵ே) Security Update / Version

    Update྆ํ༗ޮ Grouped update(ಛʹTSͰ͸ඞਢ) ӡ༻ auto-merge͸ະ࢖༻ɻcompatibilityΛݟͯखಈ൑அ ࣗಈςετ͕௨Ε͹ɺΧδϡΞϧʹϚʔδ PR͕ཷ·Δ໰୊ εϓϦϯτຖʹ୲౰ཱͯΔͳͲνʔϜຖʹ޻෉͍ͯ͠Δ %FQFOEBCPU

22. Trivy + Advanced Security

23. 23 %FW0QTͷߏ੒֓ཁ ࠶ܝ APIs FrontApps Push PR Exec Action CI

    ղੳ݁Ռ Provision Deploy Advanced Security Container Scan ঢ়ଶΛ؅ཧ PR Dependabot Trivy Bicep phpcs/phpcbf eslint Vitest PHPUnit phpstan Docker Git ubuntu VSCode CD/IaC

24. 24 OSSͷ੬ऑੑεΩϟφʔ ରԠൣғ͕޿͍ ίϯςφΠϝʔδ ϑΝΠϧγεςϜ ܰྔɾߴ଎ɾCI૊ΈࠐΈ͕؆୯ SARIFܗࣜͰग़ྗՄೳ → GitHub Advanced

    Security ͱ࿈ܞ 5SJWZ https://trivy.dev/

25. 25 5SJWZ
    
    "EWBODFE
    4FDVSJUZ https://trivy.dev/ ίϯςφ੬ऑੑͷҰݩ؅ཧ ֤ API Π ϝ δ

    ͷ ࠷ ৽ ൛ (latest) Λ औ ಘ Trivy Ͱ ੬ ऑ ੑ Λ ε Ω ϯ Advanced Security ʹ Upload ຖே࣮ߦ SARIF ܗ ࣜ Ͱ ग़ ྗ

26. 26 શϦϙδτϦͷ੬ऑੑΛҰݩ؅ཧ ॏେ౓(Critical/High/Medium/Low)Ͱ༏ઌ౓Λ൑அ ରԠঢ়گͷ௥੻͕Ͱ͖Δ (JU)VC
    "EWBODFE
    4FDVSJUZ https://trivy.dev/ 4FDVSJUZ
    λϒͰҰݩ؅ཧ

27. 27 Ξϥʔτ؅ཧͷϑϩʔ͕ະ੔උ • ࢓૊ΈԽͷݕ౼த… ରԠͷଐਓԽ • ରԠϑϩʔͷ੔උ PHPͷόʔδϣϯΞοϓͳͲɺ։ൃ×ӡ༻ͷ࿈ܞͷ೉͠͞ • ։ൃνʔϜɺӡ༻νʔϜͷ૬ޓཧղͷػձΛ࡞Δ

    • ࿈ܞڧԽ 5SJWZ
    
    "EWBODFE
    4FDVSJUZ https://trivy.dev/ ࠓޙͷ՝୊

28. ͓·͚

29. औ૊Έதͷ MCP׆༻ʹ͍ͭͯ

30. 30 "*ͱπʔϧΛͭͳ͙Φʔϓϯͳϓϩτίϧ
    w ೥݄
    "OUISPQJD
    ͕ެ։
    w ೥݄
    -JOVY
    'PVOEBUJPO
    ""*'
    ʹҠ؅
    (JU)VC
    ΋ެࣜ
    .$1
    αʔόʔΛެ։ .$1
    

    .PEFM
    $POUFYU
    1SPUPDPM MCP αʔόʔɾπʔϧ Model Context Protocol ֤छAPIͳͲ …

31. 31 ՝୊
    w %FW0QTϝτϦΫεΛՄࢹԽ͍ͨ͠ʢ'PVS
    ,FZTͱ͔ʣ
    w Ͱ΋ɺμογϡϘʔυ࡞Δͷ໘౗ʜ
    .$1ͳΒʜ
    w 6*Λ࡞Βͳ͍͍ͯ͘
    w

    --.͕ΠϯλʔϑΣʔεʹͳΔ
    w ࣗવݴޠͰ໰͍߹ΘͤͰ͖Δ https://github.com/kaz29/mcp-server-example https://kaz29.hatenablog.com/entry/2026/01/12/163450 ͳͥ.$1Λࢼ͍ͯ͠Δ͔

32. ·ͱΊ

33. 33 ✅ ઐ໳Ո͡Όͳͯ͘΋ɺDevSecOps͸Ͱ͖Δ GitHubͷػೳ + OSS Λ૊Έ߹ΘͤΔ ׬ᘳ͡Όͳ͍͍ͯ͘ɺͰ͖Δͱ͜Ζ͔Β ✅ DevOpsͷ౔୆͕େࣄ

    CI/CDɺςετࣗಈԽɺϝτϦΫε ͕͜͜ͳ͍ͱSecurity͸ࡌͤΒΕͳ͍ ✅ ՝୊΋͋Δɺܧଓతʹվળ ӡ༻ϑϩʔͷ੔උ νʔϜؒ࿈ܞͷڧԽ ✅ AIͷ׆༻΋ਐΊ͍ͯ͘ MCPͰϝτϦΫε෼ੳΛݕূத ·ͱΊ
34. None