{"id":35142173,"url":"https://github.com/kimookoii/devsecops-week8","last_synced_at":"2026-04-11T07:45:10.671Z","repository":{"id":327566512,"uuid":"1108980646","full_name":"kimookoii/devsecops-week8","owner":"kimookoii","description":"Repository untuk tugas DevSecOps Week8 — Infrastructure as Code (IaC) Security","archived":false,"fork":false,"pushed_at":"2025-12-04T11:01:01.000Z","size":8,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-11T07:44:59.600Z","etag":null,"topics":["ansible","ansible-lint","automation","ci-cd","cloud-security","devsecops","github-actions","iac","infrastructure-as-code","security","terraform","trivy"],"latest_commit_sha":null,"homepage":"https://kimookoii.github.io/dso8-infrastructure-as-code-security/","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kimookoii.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-03T07:15:14.000Z","updated_at":"2025-12-04T11:02:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kimookoii/devsecops-week8","commit_stats":null,"previous_names":["kimookoii/devsecops-week8"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kimookoii/devsecops-week8","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kimookoii%2Fdevsecops-week8","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kimookoii%2Fdevsecops-week8/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kimookoii%2Fdevsecops-week8/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kimookoii%2Fdevsecops-week8/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kimookoii","download_url":"https://codeload.github.com/kimookoii/devsecops-week8/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kimookoii%2Fdevsecops-week8/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31673067,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-10T17:19:37.612Z","status":"online","status_checked_at":"2026-04-11T02:00:05.776Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-lint","automation","ci-cd","cloud-security","devsecops","github-actions","iac","infrastructure-as-code","security","terraform","trivy"],"created_at":"2025-12-28T12:03:22.013Z","updated_at":"2026-04-11T07:45:10.666Z","avatar_url":"https://github.com/kimookoii.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DevSecOps Week 8\n\n## Infrastructure as Code (IaC) Security\n\n[![IaC Security Scan](https://github.com/kimookoii/devsecops-week8/actions/workflows/iac-security.yml/badge.svg)](https://github.com/kimookoii/devsecops-week8/actions/workflows/iac-security.yml)\n[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)\n[![Made for: DevSecOps Learning](https://img.shields.io/badge/DevSecOps-Learning-blue)]()\n\nRepository ini berisi praktik DevSecOps Minggu 8 yang berfokus pada keamanan Infrastructure as Code (IaC) menggunakan Terraform, Ansible, Trivy, dan ansible-lint. Seluruh proses disusun agar dapat dijalankan pada Windows tanpa WSL/VM menggunakan Docker dan GitHub Actions sebagai automation pipeline.\n\n---\n\n## 1. Tujuan Pembelajaran\n\nTujuan utama dari modul ini adalah memahami bagaimana misconfiguration pada IaC dapat dideteksi, diperbaiki, dan diautomasi melalui pipeline DevSecOps, meliputi:\n\n- Penerapan keamanan IaC pada Terraform dan Ansible\n- Pendeteksian misconfiguration menggunakan Trivy dan ansible-lint\n- Perbaikan konfigurasi yang tidak aman\n- Integrasi scanning automatic melalui GitHub Actions CI/CD\n- Pembuatan workflow DevSecOps yang terstandarisasi dan maintainable\n\n---\n\n## 2. Struktur Repository\n\n```\n\ndevsecops-week8/\n├── iac-terraform-sec/\n│ ├── main.tf\n│ ├── trivy-iac-output.txt\n│ ├── trivy-iac-output-secure.txt\n│\n├── ansible-sec/\n│ ├── playbook.yml\n│ ├── config.conf\n│ ├── lint-results/\n│\n└── .github/\n└── workflows/\n└── iac-security.yml\n\n````\n\n---\n\n## 3. Materi: Infrastructure as Code (IaC) Security\n\nInfrastructure as Code memungkinkan infrastruktur didefinisikan dalam bentuk deklaratif. Namun, konfigurasi yang salah (misconfiguration) berpotensi menyebabkan:\n\n- Infrastruktur terbuka atau publik tanpa sengaja\n- Konfigurasi keamanan tidak konsisten\n- Deployment berisiko dan rawan dieksploitasi\n\nOleh karena itu dilakukan:\n\n- Scanning IaC secara otomatis (Trivy untuk Terraform, ansible-lint untuk Ansible)\n- Validasi konfigurasi\n- Perbaikan berdasarkan rekomendasi DevSecOps\n\n---\n\n## 4. Praktik 1 — Terraform IaC Security\n\n### 4.1 Membuat File Terraform Insecure\n\n```hcl\nresource \"aws_s3_bucket\" \"example\" {\n bucket = \"my-insecure-bucket\"\n acl = \"public-read\"\n versioning {\n enabled = false\n }\n}\n````\n\n### 4.2 Scan dengan Trivy\n\nPerintah:\n\n```powershell\ndocker run --rm -v \"\u003cPATH\u003e/iac-terraform-sec:/scan\" \\\naquasec/trivy:latest config /scan/main.tf \\\n--format table --output /scan/trivy-iac-output.txt --timeout 30m\n```\n\n### 4.3 Perbaikan Misconfiguration\n\n```hcl\nresource \"aws_s3_bucket\" \"example\" {\n bucket = \"my-insecure-bucket\"\n acl = \"private\"\n versioning {\n enabled = true\n }\n}\n```\n\n### 4.4 Scan Ulang (Secure)\n\n```powershell\ndocker run --rm -v \"\u003cPATH\u003e/iac-terraform-sec:/scan\" \\\naquasec/trivy:latest config /scan/main.tf \\\n--format table --output /scan/trivy-iac-output-secure.txt --timeout 30m\n```\n\n---\n\n## 5. Praktik 2 — Ansible IaC Security\n\n### 5.1 Playbook Insecure\n\n```yaml\n- hosts: all\n become: yes\n tasks:\n - name: Install Apache\n apt:\n name: apache2\n state: present\n\n - name: Copy Insecure Config\n copy:\n src: config.conf\n dest: /etc/apache2/config.conf\n mode: 0777\n```\n\n### 5.2 Findings ansible-lint\n\nTemuan:\n\n* name[play]: Play tidak memiliki nama\n* yaml[truthy]: penggunaan yes tidak valid\n* fqcn[action-core]: modul apt dan copy harus menggunakan FQCN\n* mode 0777: file permission terlalu permisif\n* missing handlers\n\n### 5.3 Perbaikan Playbook\n\n```yaml\n- name: Playbook\n hosts: all\n become: true\n tasks:\n - name: Install Apache\n ansible.builtin.apt:\n name: apache2\n state: present\n\n - name: Copy Secure Config\n ansible.builtin.copy:\n src: config.conf\n dest: /etc/apache2/config.conf\n mode: 0644\n```\n\n### 5.4 Scan Ulang ansible-lint\n\n```powershell\ndocker run --rm -v \"${PWD}:/data\" -w /data cytopia/ansible-lint ansible-lint playbook.yml\n```\n\nHasil: Tidak ada temuan.\n\n---\n\n## 6. Integrasi GitHub Actions (CI/CD)\n\nWorkflow otomatis ditempatkan pada:\n\n```\n.github/workflows/iac-security.yml\n```\n\n### isi file workflow:\n\n```yaml\nname: IaC Security Scan\n\non:\n push:\n pull_request:\n\njobs:\n terraform-security:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout Repository\n uses: actions/checkout@v3\n\n - name: Install Trivy\n uses: aquasecurity/trivy-action@master\n with:\n scan-type: config\n scan-ref: .\n\n - name: Terraform Validate\n run: terraform validate || true\n\n ansible-security:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout Repository\n uses: actions/checkout@v3\n\n - name: Install Ansible \u0026 ansible-lint\n run: |\n sudo apt update\n sudo apt install -y ansible\n pip install --upgrade pip\n pip install ansible-lint\n\n - name: Run ansible-lint\n run: ansible-lint .\n```\n\nPipeline ini berjalan otomatis setiap push dan pull request, memastikan konfigurasi IaC selalu tervalidasi.\n\n---\n\n## 7. Diagram Alur DevSecOps IaC\n\n```mermaid\nflowchart TD\n A[Developer Push Code] --\u003e B[GitHub Actions - IaC Security Scan]\n\n B --\u003e C{Trivy Scan Terraform}\n C --\u003e|Vulnerable| D[Fix Terraform Config]\n C --\u003e|Secure| E[Terraform Passed]\n\n B --\u003e F{ansible-lint Scan}\n F --\u003e|Found Issues| G[Perbaiki Playbook]\n F --\u003e|Clean| H[Ansible Passed]\n\n E --\u003e I[Merge Allowed]\n H --\u003e I\n```\n\n---\n\n## 8. Kesimpulan\n\nPraktik ini berhasil menunjukkan bagaimana proses keamanan IaC dapat diintegrasikan dalam pipeline DevSecOps secara otomatis. Dengan melakukan scanning menggunakan Trivy dan ansible-lint, misconfiguration dapat terdeteksi sejak dini. Setelah perbaikan dilakukan dan pipeline CI/CD berjalan mulus, seluruh konfigurasi dinyatakan aman dan mengikuti best practice DevSecOps. digunakan di GitHub. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkimookoii%2Fdevsecops-week8","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkimookoii%2Fdevsecops-week8","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkimookoii%2Fdevsecops-week8/lists"}