Chebis26/devsecops-pipeline

Enterprise DevSecOps Pipeline

A production-grade DevSecOps pipeline that integrates security at every stage of the software delivery lifecycle. Implements shift-left security with automated SAST, DAST, container scanning, secrets detection, infrastructure scanning, and policy-as-code enforcement.

Executive Summary

Security as an afterthought costs 30x more to fix in production than at development time. This pipeline integrates security gates throughout the CI/CD process, providing fast feedback to developers while enforcing hard compliance gates before production deployment.

Pipeline Architecture

┌────────────────────────────────────────────────────────────────────────┐
│                        Developer Pushes Code                           │
└──────────────────────────────┬─────────────────────────────────────────┘
                               │
          ┌────────────────────▼─────────────────────┐
          │              PR / Commit Gates            │
          │                                          │
          │  ① Secret Scanning (Gitleaks + TruffleHog)│
          │  ② SAST (Semgrep + CodeQL)               │
          │  ③ Dependency Audit (Safety + OWASP)     │
          │  ④ IaC Scan (tfsec + Checkov)            │
          │  ⑤ License Compliance                    │
          └────────────────────┬─────────────────────┘
                               │ All gates pass
          ┌────────────────────▼─────────────────────┐
          │              Build & Package              │
          │                                          │
          │  ⑥ Docker Build (multi-stage, rootless)  │
          │  ⑦ Container Scan (Trivy + Grype)        │
          │  ⑧ SBOM Generation (Syft)                │
          │  ⑨ Image Signing (cosign)                │
          │  ⑩ Push to ECR (signed + verified)       │
          └────────────────────┬─────────────────────┘
                               │
          ┌────────────────────▼─────────────────────┐
          │           Deploy to Staging               │
          │                                          │
          │  ⑪ Terraform Plan + OPA policy check     │
          │  ⑫ Terraform Apply                       │
          │  ⑬ DAST (OWASP ZAP API scan)             │
          │  ⑭ Integration Tests                     │
          └────────────────────┬─────────────────────┘
                               │ Manual approval gate
          ┌────────────────────▼─────────────────────┐
          │         Production Deployment             │
          │                                          │
          │  ⑮ Verify image signature                │
          │  ⑯ Blue/Green deploy via CodeDeploy      │
          │  ⑰ Smoke tests + canary validation       │
          │  ⑱ CloudWatch alarms armed               │
          └──────────────────────────────────────────┘

Security Controls by Stage

| Stage   | Tool          | Gate Type       | Blocks Deploy?      |
|---------|---------------|-----------------|---------------------|
| Commit  | Gitleaks      | Secrets scan    | Yes                 |
| Commit  | Semgrep       | SAST            | Yes (critical)      |
| Commit  | Safety        | CVE audit       | Yes (critical)      |
| Commit  | tfsec         | IaC scan        | Yes                 |
| Build   | Trivy         | Container CVE   | Yes (critical/high) |
| Build   | Syft          | SBOM            | No (artifact)       |
| Build   | cosign        | Image signing   | Yes (prod)          |
| Staging | OWASP ZAP     | DAST            | Yes (high)          |
| Staging | OPA           | Policy-as-code  | Yes                 |
| Prod    | cosign verify | Signature check | Yes                 |

Repository Structure

devsecops-pipeline/
├── .github/workflows/
│   ├── pr-security-gates.yml    # PR checks: secrets, SAST, deps
│   ├── build-and-scan.yml       # Container build, scan, sign, push
│   ├── deploy-staging.yml       # IaC + DAST in staging
│   ├── deploy-prod.yml          # Production blue/green deploy
│   └── scheduled-scans.yml      # Nightly full dependency audit
├── terraform/
│   ├── modules/ecr/             # ECR with scan-on-push, immutable tags
│   └── modules/codepipeline/    # AWS CodePipeline alternative
├── docker/
│   └── app/Dockerfile           # Hardened multi-stage Dockerfile
├── policies/
│   ├── opa/                     # Open Policy Agent rules
│   └── checkov/                 # Custom Checkov policies
├── scripts/
│   ├── python/sbom_report.py    # SBOM vulnerability reporter
│   └── bash/scan_image.sh       # Local pre-push container scan
└── tests/
    ├── integration/             # API integration tests
    └── security/                # Security regression tests

Quick Start

Run Security Checks Locally

# Install pre-commit hooks
pip install pre-commit
pre-commit install

# Run all checks manually
pre-commit run --all-files

# Scan a container image
./scripts/bash/scan_image.sh myapp:latest

# Check IaC
tfsec terraform/
checkov -d terraform/

Pipeline Secrets Required

| Secret             | Purpose                  |
|--------------------|--------------------------|
| AWS_ROLE_ARN       | OIDC role for AWS access |
| ECR_REGISTRY       | ECR registry URL         |
| COSIGN_PRIVATE_KEY | Image signing key        |
| COSIGN_PASSWORD    | Key passphrase           |
| SLACK_WEBHOOK_URL  | Deploy notifications     |

Policy-as-Code

OPA policies enforce:

  • No latest image tags in production
  • All images must have a verified cosign signature
  • Terraform resources must have required tags
  • No public S3 buckets or security groups open to 0.0.0.0/0
  • ECR images must have no critical CVEs
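
The rules above, as an added example that is not the repository's own OPA/Rego policy: the same checks evaluated in Python over a Terraform plan JSON (the `resource_changes[].change.after` shape produced by `terraform show -json`), which is the data an OPA check in the staging stage would see. The required tag names and the sample plan are constructed for this example.

```python
import json

REQUIRED_TAGS = {"Owner", "Environment", "CostCenter"}  # assumed tag names for this example

def uses_mutable_latest(image):
    """True if an image reference is digest-less and untagged (implicit latest) or tagged 'latest'."""
    if "@sha256:" in image:            # digest-pinned references are immutable
        return False
    last = image.rsplit("/", 1)[-1]    # drop registry/repo path (a registry may contain host:port)
    return (last.split(":", 1)[1] if ":" in last else "latest") == "latest"

def ingress_open_to_world(sg):
    """True if any ingress rule admits 0.0.0.0/0 or ::/0."""
    return any("0.0.0.0/0" in (r.get("cidr_blocks") or []) or "::/0" in (r.get("ipv6_cidr_blocks") or [])
               for r in sg.get("ingress") or [])

def evaluate_plan(plan):
    """Check each resource_changes entry of a `terraform show -json` plan; return violations (empty = pass)."""
    violations = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after") or {}  # None when the resource is being destroyed
        addr, rtype = rc["address"], rc["type"]
        if rtype == "aws_s3_bucket" and after.get("acl") in ("public-read", "public-read-write"):
            violations.append(f"{addr}: public S3 bucket ACL {after['acl']}")
        if rtype == "aws_security_group" and ingress_open_to_world(after):
            violations.append(f"{addr}: security group ingress open to the whole internet")
        if rtype == "aws_ecs_task_definition":  # container_definitions is a JSON string in the provider schema
            for c in json.loads(after.get("container_definitions") or "[]"):
                if uses_mutable_latest(c["image"]):
                    violations.append(f"{addr}: container {c['name']} uses a mutable tag ({c['image']})")
        if "tags" in after:  # taggable resources expose the attribute even when it is null
            missing = REQUIRED_TAGS - set(after.get("tags") or {})
            if missing:
                violations.append(f"{addr}: missing required tags {sorted(missing)}")
    return violations

# Constructed sample plan, not real infrastructure (account id is the AWS documentation placeholder).
OK_TAGS = {"Owner": "platform", "Environment": "prod", "CostCenter": "1234"}
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"acl": "public-read", "tags": {"Owner": "platform"}}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"tags": OK_TAGS,
                "ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_ecs_task_definition.app", "type": "aws_ecs_task_definition",
     "change": {"actions": ["update"], "after": {"tags": OK_TAGS, "container_definitions": json.dumps(
         [{"name": "app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/myapp:latest"}])}}},
]}
```

`evaluate_plan(SAMPLE_PLAN)` returns four violations (public ACL, missing tags, open ingress, `latest` tag); the public-ACL check covers only one of the ways a bucket can become public, so in practice pair it with a check on `aws_s3_bucket_public_access_block`.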

SBOM & Supply Chain Security

Every build generates a Software Bill of Materials (SBOM) in CycloneDX format, signed with cosign, and stored in ECR alongside the image. This enables:

  • CVE tracking against specific deployed versions
  • License compliance auditing
  • Supply chain attestation
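
How a CycloneDX SBOM supports the first two bullets, as an added example (not the repository's `scripts/python/sbom_report.py`): scanner findings are joined to SBOM components on package URL so each CVE maps to the exact shipped name@version, the build gate blocks on critical severity as the controls table states, and declared SPDX license ids are checked against a denylist. The SBOM, the findings, the package names, the CVE ids and the denylist are all constructed placeholders.

```python
from collections import Counter

BLOCKING = {"critical"}                            # README: ECR images must have no critical CVEs
ORDER = ["critical", "high", "medium", "low", "negligible", "unknown"]
DENIED_LICENSES = {"AGPL-3.0-only"}                # assumed denylist for this example

def components_by_purl(sbom):
    """Index a CycloneDX JSON BOM's components by package URL (purl)."""
    return {c["purl"]: c for c in sbom.get("components", []) if "purl" in c}

def match_findings(sbom, findings):
    """Join scanner findings to SBOM components on purl so every CVE maps to a shipped name@version."""
    comps = components_by_purl(sbom)
    rows = []
    for f in findings:
        c = comps.get(f["purl"])
        rows.append({"id": f["id"], "severity": f["severity"].lower(), "fixed_in": f.get("fixed_in"),
                     "package": c["name"] if c else f["purl"],
                     "version": c["version"] if c else "not-in-sbom"})  # never drop unmatched hits silently
    return sorted(rows, key=lambda r: ORDER.index(r["severity"]) if r["severity"] in ORDER else len(ORDER))

def gate_decision(rows):
    """(blocks_deploy, counts by severity): the build-and-scan gate fails on any blocking severity."""
    counts = Counter(r["severity"] for r in rows)
    return any(counts[s] for s in BLOCKING), dict(counts)

def license_violations(sbom, denied=DENIED_LICENSES):
    """Components whose declared SPDX license id (CycloneDX licenses[].license.id) is on the denylist."""
    out = []
    for c in sbom.get("components", []):
        ids = {lic.get("license", {}).get("id") for lic in c.get("licenses", [])}
        if ids & denied:
            out.append(f"{c['name']}@{c['version']}: {sorted(ids & denied)}")
    return out

# Constructed sample SBOM (CycloneDX JSON shape) and findings: package names and CVE ids are placeholders.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "samplelib", "version": "1.4.0", "purl": "pkg:pypi/samplelib@1.4.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libfoo", "version": "1.0.0-1", "purl": "pkg:deb/debian/libfoo@1.0.0-1",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
]}
SAMPLE_FINDINGS = [  # constructed, not any particular scanner's output format
    {"id": "CVE-0000-0001", "severity": "Critical", "purl": "pkg:deb/debian/libfoo@1.0.0-1", "fixed_in": "1.0.0-2"},
    {"id": "CVE-0000-0002", "severity": "Medium", "purl": "pkg:pypi/samplelib@1.4.0", "fixed_in": "1.5.0"},
    {"id": "CVE-0000-0003", "severity": "High", "purl": "pkg:pypi/ghost@0.1", "fixed_in": None},
]
```

A finding whose purl is not in the SBOM is kept and marked `not-in-sbom` rather than discarded, since a scanner seeing something the BOM does not list is itself a supply-chain signal worth investigating.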

License

MIT License — see LICENSE

About

Enterprise DevSecOps pipeline: GitHub Actions, Terraform, container security scanning, SAST/DAST, policy-as-code, and automated compliance validation