DevSecOps Open Source Orchestration Tool

by Abdullah Bin Zubair

On Saturday 24th of July 2021, members of the DevSecOps team here at RiverSafe made the first community release of ‘Project Eze’. Eze is an open source DevSecOps tool designed to streamline the use of code security tools in DevOps pipelines.

We spoke to the members of the RiverSafe team involved in the project to get their insight into it.

Anthony McKale, who wrote most of the code for the project, said “we kept running into this recurrent problem, with teams individually configuring security tooling for different languages and environments from scratch. That always leads to high labour costs and ultimately poor consistency between the different teams.

“It felt like something to be automated via some common test runner, like you would for unit testing. You’d set some ground rules, then it would scan the repo at hand, detecting code to be scanned, run tools, then present report results. Such a tool would take away all the pain of setting up and running security testing consistently across all the repos written in different languages in our company.

“As always, these things tend to grow legs, you end up implementing more than you originally planned, and here we are with Eze.”

Oseloka Obiora, CTO at RiverSafe, commented “we are always happy to see our teams innovate in order to improve DevSecOps efficiency. Releasing a tool like this for the community is something we’ve had in our minds for a while.

“We’re hoping it will gain some traction and that the community will help extend the capabilities of Eze. There are so many ways to make it even more useful. The team here are really passionate about improving the developer experience of security tools, so I suspect they’ll also be adding more to this project over the coming months as well.”

Access the Project

Eze provides a common command-line input and output interface to a range of security tools across languages, which helps DevOps teams add code security checks to their pipelines. Eze currently supports Static Application Security Testing (SAST), Software Bill of Materials (SBOM) generation and secret scanning tools, and helps developers shift security testing left.
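The pattern described above (detect what a repository contains, choose the scanners to run, and map every tool's output onto one report with a common severity gate) is shown below as an added example. It is not Eze's own code and does not use Eze's API; the manifest-to-language mapping, the tool plan and the `Finding` schema are this example's own assumptions, and the two sample tool outputs are constructed to resemble the JSON shape of Semgrep and gitleaks reports (treat the field names as assumptions rather than a specification of either tool). No scanner is actually executed.

```python
"""Sketch of a scanner orchestrator: detect a repo's languages, plan tools per
language, normalise tool output into one schema, and gate on severity.
Example code, not part of Eze."""
import json
import os
import tempfile
from dataclasses import dataclass, asdict

# Manifest file -> language. Assumption: a manifest is enough to decide which
# language-specific scanners apply.
MANIFESTS = {
    "package.json": "javascript",
    "requirements.txt": "python",
    "pyproject.toml": "python",
    "go.mod": "go",
}

# Tool per language and category. The CLIs named are real tools, but this
# mapping is the example's own choice, not any project's default.
TOOL_PLAN = {
    "python": {"sast": "bandit", "sbom": "cyclonedx-py"},
    "javascript": {"sast": "semgrep", "sbom": "cyclonedx-npm"},
    "go": {"sast": "gosec", "sbom": "cyclonedx-gomod"},
}
SECRET_SCANNER = "gitleaks"  # language-independent, always planned

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    """Common schema that every tool's output is mapped into."""
    tool: str
    category: str  # "sast" or "secret"
    severity: str  # a key of SEVERITY_RANK
    rule: str
    path: str
    line: int
    message: str


def detect_languages(repo_dir):
    """Walk the repo and return the sorted languages whose manifests are present."""
    found = set()
    for _root, dirs, files in os.walk(repo_dir):
        # Vendored/third-party trees are not "our" code; prune them in place.
        dirs[:] = [d for d in dirs if d not in (".git", "node_modules")]
        found.update(MANIFESTS[f] for f in files if f in MANIFESTS)
    return sorted(found)


def plan_tools(languages):
    """Return {category: [tool, ...]} for the detected languages; secrets always run."""
    plan = {"sast": [], "sbom": [], "secret": [SECRET_SCANNER]}
    for lang in languages:
        for category, tool in TOOL_PLAN[lang].items():
            if tool not in plan[category]:
                plan[category].append(tool)
    return plan


def from_semgrep(raw):
    """Map Semgrep-style JSON ({"results": [...]}) onto Finding (field names assumed)."""
    sev = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}
    return [Finding("semgrep", "sast", sev.get(r["extra"]["severity"], "INFO"),
                    r["check_id"], r["path"], r["start"]["line"], r["extra"]["message"])
            for r in raw["results"]]


def from_gitleaks(raw):
    """Map gitleaks-style JSON (a list of leak records) onto Finding (field names assumed).
    Every leak is HIGH, and the matched secret itself is deliberately NOT copied."""
    return [Finding("gitleaks", "secret", "HIGH", r["RuleID"], r["File"],
                    r["StartLine"], r["Description"]) for r in raw]


def gate(findings, fail_on="HIGH"):
    """Findings at or above the threshold; a non-empty result should fail the build."""
    return [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on]]


def report(findings):
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample outputs standing in for real tool runs.
SAMPLE_SEMGREP = {"results": [
    {"check_id": "python.lang.security.audit.exec-detected", "path": "app/run.py",
     "start": {"line": 12}, "extra": {"severity": "ERROR", "message": "Detected use of exec()."}},
    {"check_id": "python.lang.best-practice.open-never-closed", "path": "app/io.py",
     "start": {"line": 40}, "extra": {"severity": "WARNING", "message": "File handle never closed."}},
], "errors": []}
SAMPLE_GITLEAKS = [
    {"Description": "AWS Access Key", "RuleID": "aws-access-token", "File": "config/dev.env",
     "StartLine": 3, "Secret": "AKIA<constructed>", "Match": "AKIA<constructed>"},
]


def make_sample_repo():
    """Throwaway repo with Python and JavaScript manifests, plus a vendored go.mod (constructed)."""
    repo = tempfile.mkdtemp(prefix="orchestrator-example-")
    os.makedirs(os.path.join(repo, "node_modules", "left-pad"))
    for name in ("requirements.txt", "package.json", os.path.join("node_modules", "left-pad", "go.mod")):
        open(os.path.join(repo, name), "w").close()
    return repo


def run_example():
    repo = make_sample_repo()
    languages = detect_languages(repo)
    plan = plan_tools(languages)
    findings = from_semgrep(SAMPLE_SEMGREP) + from_gitleaks(SAMPLE_GITLEAKS)
    return languages, plan, findings, gate(findings, "HIGH")


if __name__ == "__main__":
    langs, plan, findings, blocking = run_example()
    print("languages:", langs)
    print("plan:", plan)
    print(report(findings))
    print("build %s: %d blocking finding(s)" % ("FAILED" if blocking else "passed", len(blocking)))
```

Two design points carry over to any real orchestrator of this kind: vendored directories are pruned before language detection so a dependency's manifest does not pull in the wrong scanners, and the secret scanner's matched value is dropped during normalisation so the combined report can be stored as a pipeline artifact without itself leaking the secret.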

The GitHub repository for Project Eze CLI is available here.

The source code for an example plugin can be found here.
