Source: https://github.com/cloudon-one/secureops (GitHub; MIT license; primary language Dockerfile; topics: devsecops-pipeline, docker, github-actions; template repository; created 2025-01-12, last push 2025-01-12; homepage https://cloudon.work). Repository description: a turnkey CI/CD pipeline that integrates pre-commit checks, security scanning, and infrastructure validation so that code is compliant and production-ready before it reaches the main branch.

# Infrastructure Checks Pipeline

This repository implements an infrastructure validation pipeline using GitHub Actions. The pipeline runs security, cost, and quality checks on infrastructure code, focusing on Terraform configurations.

## Pipeline Overview

```mermaid
flowchart TB
    subgraph PreCommit["Pre-Commit Phase"]
        PC[Pre-commit Hooks]
        GT[GitGuardian Secrets Check]
        TM[Threat Modeling]
        PC --> GT
        PC --> TM
    end

    subgraph Infra["Infrastructure Validation"]
        TF[Terraform Validation]
        TS[TFSec Analysis]
        TL[TFLint Checks]
        IC[Infracost Analysis]
        TF --> TS
        TF --> TL
        TF --> IC
    end

    subgraph Security["Security Scanning"]
        SAST[Static Analysis]
        DAST[Dynamic Analysis]
        DEP[Dependency Scanning]
        SC[Supply Chain Security]
        SAST --> DEP
        DAST --> DEP
        DEP --> SC
    end

    subgraph Container["Container & K8s Security"]
        CS[Container Scanning]
        KS[Kubernetes Security]
        PS[Policy Scanning]
        CS --> KS
        KS --> PS
    end

    subgraph Cloud["Cloud Security"]
        AWS[AWS Security]
        GCP[GCP Security]
        MC[Multi-Cloud Controls]
        AWS --> MC
        GCP --> MC
    end

    PC --> TF
    GT --> SAST
    TF --> CS
    CS --> AWS
    KS --> MC

    style PreCommit fill:#d0e1f9
    style Infra fill:#e3f2fd
    style Security fill:#ffebee
    style Container fill:#f3e5f5
    style Cloud fill:#e8f5e9
```

The diagram shows the intended stage layout. The sections below document the checks the workflow actually runs: pre-commit hooks, the GitGuardian history scan, TFSec, TFLint, `terraform validate`, and Infracost. Stages that appear only in the diagram (static and dynamic analysis, dependency and supply-chain scanning, container, Kubernetes and cloud controls) are not documented here, so do not assume they are enforced without checking the workflow files.

The pipeline runs automatically on:
- Pull requests that modify infrastructure files (`.tf`, `.tfvars`, `.hcl`, `Dockerfile`)
- Push events to the main/master branch that change infrastructure files
- Changes to the GitHub workflow files or the pre-commit configuration

## Security Scanning

### GitGuardian Security Scan
- Scans the entire git history, not only the files changed in the PR, so a secret that was committed and later removed is still reported
- Detects secrets, credentials, and other sensitive information
- Requires the `GITGUARDIAN_API_KEY` secret to be configured

### TFSec Analysis
- Scans Terraform code for security misconfigurations and best-practice violations
- Writes the findings as JSON
- Runs in soft-fail mode: findings are reported but never fail the job, so on their own they do not block a merge; review them in the job output before merging
- Prints summary statistics for the scan

## Cost Management

### Infracost Integration
The pipeline manages cost visibility through Infracost:

#### Pull Request Checks
- Generates cost estimates for the infrastructure changes
- Compares the cost of the base branch with that of the PR branch
- Posts a cost-difference comment on the PR
- Requires the `INFRACOST_API_KEY` secret

#### Main Branch Updates
- Tracks cost changes on the main/master branch
- Uploads the latest cost data to Infracost Cloud
- Continues even if Infracost policy checks fail

#### PR Status Tracking
- Updates the PR status in Infracost when a PR is merged or closed
- Keeps the cost history accurate

## Infrastructure Validation

### Docker-based Validation Suite
The pipeline runs its validation checks inside a Docker container:

1. **Pre-commit Hooks**
   - Runs every hook configured in `.pre-commit-config.yaml`
   - Enforces code quality and formatting standards

2. **TFLint**
   - Lints the Terraform files in every directory
   - Validates against Terraform best practices

3. **Terraform Operations**
   - Runs `terraform init` with the backend disabled (`-backend=false`), so CI never touches remote state and needs no backend credentials
   - Runs `terraform validate` on the configurations
   - Checks that the Terraform files declare `required_providers` blocks

## Required Secrets

The following secrets must be configured in your GitHub repository:
- `GITGUARDIAN_API_KEY`: for the secrets scan
- `INFRACOST_API_KEY`: for cost estimation and tracking

GitHub does not pass repository secrets to workflows triggered by pull requests from forks, so on fork PRs the GitGuardian and Infracost steps run without credentials.

## Pipeline Features

- **Concurrency Control**: automatically cancels superseded runs of the same workflow
- **Caching**: uses the GitHub Actions cache for Docker builds
- **Comprehensive Validation**: checks both security and functionality
- **Cost Awareness**: maintains visibility of infrastructure costs
- **Pull Request Integration**: reports results directly on the PR

## Prerequisites

- Terraform files must include `required_providers` blocks
- Docker must be available in the GitHub Actions environment
- The secrets listed above must be configured
- A pre-commit configuration must be present in `.pre-commit-config.yaml`

## Error Handling

- TFSec runs in soft-fail mode and only warns; it does not block
- Infracost updates on the main branch continue even when policy checks fail
- Infrastructure validation fails if any `required_providers` block is missing
- Failed checks report clear error messages

## Usage

The pipeline runs automatically on the configured triggers; no manual intervention is needed unless a check fails.

1. Make your infrastructure changes
2. Open a pull request
3. Review the automated checks:
   - Security scan results
   - Cost impact analysis
   - Infrastructure validation outcomes
4. Address any issues the pipeline reports
5. Merge when all checks pass

## Contributing

When contributing to this repository, ensure your changes:
- Include the appropriate Terraform provider configurations
- Follow security best practices
- Consider cost implications
- Pass all pipeline checks
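The `required_providers` check from the Docker-based validation suite (the check whose absence fails infrastructure validation, per Error Handling), written out as an added example. This is not code from the secureops repository: it is a standalone Python script of the kind that could run inside the validation container, and its per-directory scope, its comment stripping, the extra warning it raises for providers declared without a version constraint, its function names and the sample `.tf` files it creates are all assumptions rather than the project's implementation.

```python
"""Fail when a Terraform module directory has no required_providers block.

Added example, not part of the secureops repository.  The README only says
the pipeline checks for required_providers blocks; the scope (one module =
one directory), comment handling, the unpinned-provider warning and the
sample files below are assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# A required_providers block sits inside terraform {}.  Matching the opening
# line is enough; the body is extracted by brace counting below.
_REQUIRED_PROVIDERS = re.compile(r"^\s*required_providers\s*\{", re.MULTILINE)
# Block-style entries such as  aws = { source = "...", version = "..." }.
# Old string-style entries (aws = "~> 3.0") carry a constraint already and are
# left alone by this pattern.
_PROVIDER_ENTRY = re.compile(r"^\s*([a-z0-9_-]+)\s*=\s*\{([^}]*)\}", re.MULTILINE)


def _strip_comments(text: str) -> str:
    """Drop /* */, # and // comments so a commented-out block does not count.
    Good enough for this check; it does not understand quoted strings."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(#|//).*", "", text)


def _required_providers_body(text: str):
    """Return the body of the first required_providers { ... } block, or None."""
    m = _REQUIRED_PROVIDERS.search(text)
    if not m:
        return None
    depth, i = 1, m.end()
    start = i
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[start:i - 1] if depth == 0 else None


def check_required_providers(root: str) -> dict:
    """Scan every directory under root that contains .tf files.

    Returns {"missing": [module dirs with no required_providers block],
             "unpinned": [(module dir, provider) with no version constraint]}.
    A missing block should fail the job; an unpinned provider resolves to
    "latest" on every run, so it is reported as a warning.
    """
    missing, unpinned = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip vendored providers/modules and git internals.
        dirnames[:] = [d for d in dirnames if d not in (".terraform", ".git")]
        tf_files = [f for f in filenames if f.endswith(".tf")]
        if not tf_files:
            continue
        rel = os.path.relpath(dirpath, root)
        body = None
        for name in sorted(tf_files):
            body = _required_providers_body(_strip_comments(Path(dirpath, name).read_text()))
            if body is not None:
                break
        if body is None:
            missing.append(rel)
            continue
        for entry in _PROVIDER_ENTRY.finditer(body):
            if not re.search(r"\bversion\s*=", entry.group(2)):
                unpinned.append((rel, entry.group(1)))
    return {"missing": sorted(missing), "unpinned": sorted(unpinned)}


def build_sample_repo() -> str:
    """Create a constructed sample tree in a temp dir (not real project files)."""
    root = tempfile.mkdtemp(prefix="tfcheck-")
    good = Path(root, "modules", "network")
    good.mkdir(parents=True)
    good.joinpath("versions.tf").write_text(
        'terraform {\n  required_version = ">= 1.5"\n  required_providers {\n'
        '    aws = {\n      source  = "hashicorp/aws"\n      version = "~> 5.0"\n    }\n'
        '    random = {\n      source = "hashicorp/random"\n    }\n  }\n}\n'
    )
    good.joinpath("main.tf").write_text('resource "aws_vpc" "main" {\n  cidr_block = "10.0.0.0/16"\n}\n')
    bad = Path(root, "modules", "storage")
    bad.mkdir(parents=True)
    bad.joinpath("main.tf").write_text(
        "# required_providers { }   <- commented out, must not count\n"
        'resource "aws_s3_bucket" "logs" {\n  bucket = "example-logs"\n}\n'
    )
    return root


if __name__ == "__main__":
    result = check_required_providers(build_sample_repo())
    for d in result["missing"]:
        print(f"ERROR: {d}: no required_providers block")
    for d, p in result["unpinned"]:
        print(f"WARN: {d}: provider {p!r} has no version constraint")
    raise SystemExit(1 if result["missing"] else 0)
```

On the constructed tree the script fails on `modules/storage` (its only `required_providers` text is a comment) and warns that `modules/network` pins `aws` but not `random`. Run it against a real checkout by calling `check_required_providers(".")` from the repository root.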
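The TFSec step described under Security Scanning writes JSON findings, prints statistics and runs in soft-fail mode, which means nothing it finds can block a merge. The following added example (not code from the secureops repository) shows how that same JSON can feed a severity gate that keeps warning on MEDIUM and LOW findings but fails the job on CRITICAL and HIGH. The sample report is constructed, the rule IDs in it are placeholders, and the function names and default threshold are assumptions; the subset of fields read (`results[]` with `rule_id`, `long_id`, `severity`, `description` and `location.filename`/`start_line`) follows tfsec's JSON report layout.

```python
"""Summarise a tfsec JSON report and apply a severity gate.

Added example, not part of the secureops repository.  SAMPLE_REPORT is a
constructed report with placeholder rule IDs; the gate policy and function
names are assumptions.
"""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed tfsec-style report; not the output of a real scan.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"rule_id": "EXAMPLE-SG-001", "long_id": "example-open-ssh-ingress", "severity": "CRITICAL",
         "description": "Security group allows ingress from 0.0.0.0/0 on port 22",
         "location": {"filename": "modules/network/sg.tf", "start_line": 8, "end_line": 14}},
        {"rule_id": "EXAMPLE-S3-001", "long_id": "example-s3-bucket-encryption", "severity": "HIGH",
         "description": "Bucket does not have encryption at rest enabled",
         "location": {"filename": "modules/storage/main.tf", "start_line": 2, "end_line": 4}},
        {"rule_id": "EXAMPLE-S3-002", "long_id": "example-s3-bucket-logging", "severity": "MEDIUM",
         "description": "Bucket has no access logging configured",
         "location": {"filename": "modules/storage/main.tf", "start_line": 2, "end_line": 4}},
        {"rule_id": "EXAMPLE-TAG-001", "long_id": "example-missing-tags", "severity": "LOW",
         "description": "Resource has no tags",
         "location": {"filename": "modules/network/sg.tf", "start_line": 8, "end_line": 14}},
        {"rule_id": "EXAMPLE-TAG-001", "long_id": "example-missing-tags", "severity": "LOW",
         "description": "Resource has no tags",
         "location": {"filename": "modules/storage/main.tf", "start_line": 2, "end_line": 4}},
    ]
})


def _severity(result: dict) -> str:
    sev = str(result.get("severity", "")).upper()
    return sev if sev in SEVERITIES else "UNKNOWN"


def summarise(report_json: str) -> Counter:
    """Count findings per severity.  A null or absent results array counts as
    zero findings; an unrecognised severity is bucketed as UNKNOWN."""
    results = json.loads(report_json).get("results") or []
    return Counter(_severity(r) for r in results)


def format_findings(report_json: str) -> list:
    """One log line per finding, most severe first."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    results = json.loads(report_json).get("results") or []
    results = sorted(results, key=lambda r: rank.get(_severity(r), len(SEVERITIES)))
    lines = []
    for r in results:
        loc = r.get("location") or {}
        lines.append(f"{_severity(r)} {loc.get('filename', '?')}:{loc.get('start_line', '?')} "
                     f"{r.get('long_id') or r.get('rule_id', '?')}: {r.get('description', '')}")
    return lines


def gate(counts, fail_on=("CRITICAL", "HIGH"), max_allowed=0) -> bool:
    """Return True if the scan passes.

    fail_on=() reproduces the README's soft-fail mode: nothing blocks.
    The default fails once more than max_allowed CRITICAL/HIGH findings are
    present; MEDIUM/LOW are still listed but never block.  UNKNOWN
    severities count as blocking so a malformed report cannot pass silently.
    """
    if not fail_on:
        return True
    blocking = sum(counts.get(s, 0) for s in fail_on) + counts.get("UNKNOWN", 0)
    return blocking <= max_allowed


if __name__ == "__main__":
    counts = summarise(SAMPLE_REPORT)
    for line in format_findings(SAMPLE_REPORT):
        print(line)
    print("summary:", ", ".join(f"{s}={counts.get(s, 0)}" for s in SEVERITIES + ("UNKNOWN",)))
    raise SystemExit(0 if gate(counts) else 1)
```

With the sample report the default gate fails (one CRITICAL and one HIGH finding), `gate(counts, fail_on=())` passes exactly as the pipeline's soft-fail step does, and `gate(counts, fail_on=("CRITICAL",), max_allowed=1)` shows how to ratchet a threshold down over time. To use it in the workflow, point `summarise` at the JSON file the TFSec step already writes instead of `SAMPLE_REPORT`.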