
🕹 Challenges & Exploration

You as a student need to complete these assignments and learning goals by yourself. At the start of each following chapter the lecturer will review them together with the class in an overall sense, but will not give the full, word-by-word solution for you to simply sit back and download. So it is important that you have completed the work yourself before the review starts in class, so that you can correct where needed.

You are not allowed to use AI like ChatGPT or Bing Copilot on the exam, but you are allowed to here! Leverage these new tools to speed up and give structure to your notes and documents. For example, ask them to put material in Markdown format!

📝 After completing these challenges, you should be able to:
  • Define what DevOps culture is and why it is important for a company.
  • Summarize the main aspects of DevOps culture.
  • List some positive outcomes of adopting a DevOps culture.
  • Describe some strategies for implementing a DevOps culture.
  • Explain the difference between the -slim and -alpine versions of the python base image and why they are useful for minimizing container size.
  • Define what SAST (Static Application Security Testing) is and how it differs from DAST (Dynamic Application Security Testing).
  • Compare and contrast SonarCloud and SonarQube as SAST tools for analyzing code quality and security.
  • Define the SonarCloud issue categories: 🐞 Bugs, 🔓 Vulnerabilities, 🛡 Security Hotspots and ☢ Code Smells.
  • Explain what a Quality Gate is and how it helps you monitor the quality and security of your code.

๐Ÿ› What is DevOps Culture? โ€‹

We have look at DevOps from perspective of tools and the lifecycle, but another important aspect is a DevOps Culture in the company.

Watch 📺 this video and summarize the main aspects of DevOps culture, what positive things it brings to a company and how one would implement a culture like that.

🐍 Putting Python in a Pipeline

You are tasked with creating a Dockerfile and a GitHub Actions workflow pipeline for a FastAPI Python API that generates random numbers.

The developers have given you the following code to put into a main.py file:

```python
from fastapi import FastAPI
from random import randint

app = FastAPI()

@app.get("/")
async def get_random_percentage():
    # randint is inclusive on both ends, so this returns 0..100
    return {'percentage': randint(0, 100)}
```

They have also given you the following dependencies in a requirements.txt file:

```text
fastapi>=0.68.0,<0.69.0
pydantic>=1.8.0,<2.0.0
uvicorn>=0.15.0,<0.16.0
```

You can follow these steps as a guide:

  1. Create a folder on your system and put the main.py and requirements.txt files in it.
  2. Create a Dockerfile in the same folder. Start from the python:3.10.0-alpine base image. Go to the python official Docker Hub image page and scroll down to Image Variants to learn more about the -slim and -alpine versions. You should be able to describe them.
  3. Test your Dockerfile with a docker build and a docker run command. Check the result at localhost:8000. For now you can name your image python-api-devops.
  4. Create a new GitHub repository for your files.
  5. Create a workflow.yml that:
    • Runs on each push
    • Has a job named test that uses flake8 to check the code quality of the main.py file. flake8 is usually installed using pip.
    • Has a job named delivery that builds the container and pushes it to your own Docker Hub account. Make sure this job only runs when the test job completes successfully.
  6. Push your files to your repository. Don't forget the GitHub Secrets you need.
  7. Edit the main.py code if the test job fails because flake8 finds errors.
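One way to write the workflow.yml from step 5, shown here as an added example and not the course's reference solution. The secret names DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, the Python version and the use of the docker/login-action and docker/build-push-action actions are assumptions; the test job must pass before delivery starts, and the token only needs read access to the repository.

```yaml
name: python-api-devops

on: [push]

# Least privilege: the job's GITHUB_TOKEN only needs to read the repository.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"
      - name: Install flake8
        run: python -m pip install --upgrade pip flake8
      - name: Lint main.py
        # A non-zero exit code here fails the job, so delivery never runs.
        run: flake8 main.py

  delivery:
    runs-on: ubuntu-latest
    needs: test   # only runs when the test job completed successfully
    steps:
      - uses: actions/checkout@v4
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          # Assumed secret names: create them under the repository's
          # Settings > Secrets and variables > Actions. Use a Docker Hub
          # access token as the password, never your account password.
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          # Tag with the commit SHA so every delivered image is traceable
          # to the exact code that was tested.
          tags: ${{ secrets.DOCKERHUB_USERNAME }}/python-api-devops:${{ github.sha }}
```

With the main.py given above, the first run of the test job is expected to fail on a flake8 blank-line rule, which is exactly the situation step 7 asks you to fix.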

🧪 More testing options: SAST

In the examples we have used simple tools or Actions to check or test code. Now you will look into a more advanced tool that can be categorized as a SAST tool, called SonarCloud.

(Image: SonarCloud analysis of a Java project)

Follow these steps:

  1. Look up what SAST is. Then also look up what the alternative, called DAST, is.
  2. Look up what SonarCloud and SonarQube are.
  3. Sign up at SonarCloud here with your GitHub account and use your own personal account as a SonarCloud Organisation if asked. As you can see, private repositories are on a 14-day trial, but analyzing public repositories is free.
  4. Go to your GitHub and set the website-test repository we used in the examples to public if it isn't already.
  5. Analyze a new project on SonarCloud and select the website-test repository. Be sure to set the Clean as You Code setting to Previous version when setting up the SonarCloud project, so that your code is checked on every change and you follow the CI way of working.
  6. Check the result of the first analysis. Look up what these SonarCloud issue categories are: 🐞 Bugs, 🔓 Vulnerabilities, 🛡 Security Hotspots and ☢ Code Smells.
  7. Make a change in a file of the website-test repository and push it. You can use the web interface of GitHub to do this quickly.
  8. Check your website-test project in SonarCloud again. There should be a new analysis.
  9. Check the Rules tab on your SonarCloud page. Search the library of rules for Java rules on the topic of "else".
  10. Check the Quality Gates tab on your SonarCloud page. Look up what a Quality Gate is.
