{"id":49494795,"url":"https://github.com/laugiov/security-by-design","last_synced_at":"2026-05-01T08:33:57.929Z","repository":{"id":329745808,"uuid":"1119642358","full_name":"laugiov/security-by-design","owner":"laugiov","description":"Security by Design reference: JWT/mTLS auth, RBAC, DevSecOps pipeline (SAST/DAST/SBOM/Cosign), Kubernetes hardening. Production-grade patterns.","archived":false,"fork":false,"pushed_at":"2026-01-28T12:51:16.000Z","size":1705,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-01-29T05:04:13.866Z","etag":null,"topics":["api-security","cosign","devsecops","fastapi","gitlab-ci","helm","jwt-authentication","kubernetes","microservices","mtls","owasp","platform-security","python","rbac","sast-dast","sbom","security-by-design","slsa","supply-chain-security","threat-modeling"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/laugiov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-19T15:50:59.000Z","updated_at":"2026-01-28T12:49:52.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/laugiov/security-by-design","commit_stats":null,"previous_names":["laugiov/security-by-design"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/laugiov/security-by-design","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/laugiov%2Fsecurity-by-design","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/laugiov%2Fsecurity-by-design/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/laugiov%2Fsecurity-by-design/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/laugiov%2Fsecurity-by-design/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/laugiov","download_url":"https://codeload.github.com/laugiov/security-by-design/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/laugiov%2Fsecurity-by-design/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32490813,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-security","cosign","devsecops","fastapi","gitlab-ci","helm","jwt-authentication","kubernetes","microservices","mtls","owasp","platform-security","python","rbac","sast-dast","sbom","security-by-design","slsa","supply-chain-security","threat-modeling"],"created_at":"2026-05-01T08:33:57.858Z","updated_at":"2026-05-01T08:33:57.923Z","avatar_url":"https://github.com/laugiov.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SkyLink: Security by Design Reference Implementation\n\n\u003e A **microservices** platform demonstrating **Security by Design** principles for connected aviation telemetry systems.\n\nThis project started as a way to consolidate security patterns I've used across different organizations. Instead of writing another \"how to secure your API\" article, I wanted a working codebase where every control can be tested and verified. The aviation telemetry scenario is fictional, but the security implementation is production-grade.\n\n## TL;DR\n\n**What this proves:** End-to-end Security Engineering, from threat model to signed container in production-ready Kubernetes, with full observability and audit trail.\n\n**Evaluate in 15 minutes:**\n1. **Threat Model** → [docs/THREAT_MODEL.md](docs/THREAT_MODEL.md) (STRIDE, 30+ threats, mitigations)\n2. **CI/CD Pipeline** → [.github/workflows/ci.yml](.github/workflows/ci.yml) (SAST → DAST → SBOM → Cosign)\n3. **K8s Policies** → [kubernetes/skylink/templates/networkpolicy.yaml](kubernetes/skylink/templates/networkpolicy.yaml) (zero-trust)\n\n**Verify controls work** (after `make up`):\n- RBAC denial → `curl -H \"Authorization: Bearer $TOKEN\" /admin/` → 403 + audit event\n- Idempotency → same event twice → 201 then 200\n- Rate limit → 61 requests/min → 429 + `rate_limit_exceeded_total` increments\n\n**Hiring relevance:** Security Engineering Lead · Platform Security · DevSecOps Director\n\n---\n\n[![CI](https://github.com/laugiov/security-by-design/actions/workflows/ci.yml/badge.svg)](https://github.com/laugiov/security-by-design/actions/workflows/ci.yml)\n[![Tests](https://img.shields.io/badge/Tests-478%20passed-success?logo=pytest\u0026logoColor=white)](https://github.com/laugiov/security-by-design/actions/workflows/ci.yml)\n[![Coverage](https://codecov.io/gh/laugiov/security-by-design/branch/main/graph/badge.svg)](https://codecov.io/gh/laugiov/security-by-design)\n[![Python](https://img.shields.io/badge/Python-3.12-3776AB?logo=python\u0026logoColor=white)](#technology-stack)\n[![FastAPI](https://img.shields.io/badge/FastAPI-0.120-009688?logo=fastapi\u0026logoColor=white)](#technology-stack)\n[![License](https://img.shields.io/badge/License-MIT-green)](#license)\n[![Security](https://img.shields.io/badge/Security-SAST%20|%20SCA%20|%20DAST-blueviolet)](#cicd-security-pipeline)\n[![OWASP](https://img.shields.io/badge/OWASP-Headers%20Compliant-orange?logo=owasp\u0026logoColor=white)](#4-owasp-security-headers)\n[![Docker](https://img.shields.io/badge/Docker-Rootless-2496ED?logo=docker\u0026logoColor=white)](#quick-start)\n[![Kubernetes](https://img.shields.io/badge/Kubernetes-Helm%20Ready-326CE5?logo=kubernetes\u0026logoColor=white)](#kubernetes-deployment)\n[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)\n[![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)\n\n---\n\n## Security Highlights\n\n\u003ctable\u003e\n\u003ctr\u003e\n\u003ctd width=\"50%\"\u003e\n\n**Authentication \u0026 Authorization**\n- JWT RS256 + mTLS mutual authentication\n- Cross-validation (Certificate CN = JWT subject)\n- RBAC with 5 roles, 7 permissions\n- Per-identity rate limiting (60 req/min)\n\n\u003c/td\u003e\n\u003ctd width=\"50%\"\u003e\n\n**DevSecOps Pipeline**\n- SAST (Bandit) + SCA (pip-audit, Trivy)\n- DAST (OWASP ZAP baseline)\n- SBOM generation (CycloneDX)\n- Image signing (Sigstore Cosign)\n\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\n\n**Privacy \u0026 Data Protection**\n- PII minimization (GPS rounding ~11m)\n- AES-256-GCM token encryption\n- Structured logging without sensitive data\n- Audit trail for compliance\n\n\u003c/td\u003e\n\u003ctd\u003e\n\n**Kubernetes Production-Ready**\n- Helm chart with Pod Security Restricted\n- NetworkPolicies (zero-trust)\n- External Secrets Operator support\n- HPA, PDB, ServiceMonitor\n\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\n---\n\n## Why This Project?\n\nI built this to show how Security by Design actually works in practice. Not just documentation, but working code with real security controls you can run and test.\n\n**Who is this for?**\n\n| Audience | Value |\n|----------|-------|\n| **Security Engineers** | Reference architecture for threat modeling and security controls |\n| **Architects** | Template for secure microservices design |\n| **DevOps/Platform Teams** | Secure CI/CD pipeline with SAST, SCA, DAST, SBOM, and image signing |\n\n**What makes it different?**\n\n- It runs. Docker Compose + Kubernetes Helm chart, not just diagrams\n- Security controls have tests. 478 of them, including OWASP Top 10 scenarios\n- Covers the full lifecycle: threat model through signed container\n\n---\n\n## The SkyLink Scenario\n\n**SkyLink** simulates a **connected aircraft telemetry platform** where:\n\n- **Aircraft** send real-time telemetry data (GPS position, speed, altitude)\n- **Crew members** access weather forecasts and contact information\n- **Ground systems** receive and process telemetry for flight monitoring\n\nThis aviation context justifies strict security requirements:\n\n| Requirement | Justification |\n|-------------|---------------|\n| **Strong Authentication** | Only authorized aircraft can transmit data |\n| **Role-Based Access Control** | 5 roles with least-privilege permissions |\n| **Data Integrity** | Telemetry must be tamper-proof (idempotency, checksums) |\n| **Privacy Protection** | GPS coordinates rounded, PII minimized in logs |\n| **Audit Trail** | All security events logged for compliance |\n| **High Availability** | Rate limiting prevents DoS, circuit breakers for resilience |\n\n\u003e **Note**: This is a fictional scenario for educational purposes. The security controls demonstrated are applicable to any API-based microservices architecture.\n\n---\n\n## Overview\n\n**SkyLink** is a demonstration platform for connected aircraft services, built with security as a foundational principle. This project showcases practical Security by Design implementations:\n\n- **Multi-layer authentication** (JWT RS256 + mTLS)\n- **Role-Based Access Control** (5 roles, 7 permissions, principle of least privilege)\n- **Defense in depth** (rate limiting, payload limits, strict validation)\n- **Privacy by Design** (PII minimization, structured logging without sensitive data)\n- **Secure CI/CD pipeline** (SAST, SCA, DAST, SBOM, image signing)\n\n### Architecture\n\n```\n                              Internet\n                                 │\n┌────────────────────────────────┴────────────────────────────────┐\n│                      API GATEWAY (:8000)                        │\n│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────┐   │\n│  │ Security     │  │ Rate         │  │ JWT RS256            │   │\n│  │ Headers      │  │ Limiting     │  │ Authentication       │   │\n│  │ (OWASP)      │  │ (slowapi)    │  │ + mTLS Validation    │   │\n│  └──────────────┘  └──────────────┘  └──────────────────────┘   │\n│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────┐   │\n│  │ Payload      │  │ Structured   │  │ Prometheus           │   │\n│  │ Limit (64KB) │  │ JSON Logging │  │ Metrics              │   │\n│  └──────────────┘  └──────────────┘  └──────────────────────┘   │\n└─────────────┬──────────────┬──────────────┬─────────────────────┘\n              │              │              │\n              ▼              ▼              ▼\n    ┌─────────────┐  ┌─────────────┐  ┌─────────────┐\n    │ TELEMETRY   │  │ WEATHER     │  │ CONTACTS    │\n    │ :8001       │  │ :8002       │  │ :8003       │\n    │             │  │             │  │             │\n    │ • Idempotent│  │ • Demo mode │  │ • OAuth 2.0 │\n    │ • GPS round │  │ • Fixtures  │  │ • PostgreSQL│\n    │ • 201/200/  │  │             │  │ • Encrypted │\n    │   409       │  │             │  │   tokens    │\n    └─────────────┘  └─────────────┘  └──────┬──────┘\n                                             │\n                                             ▼\n                                     ┌─────────────┐\n                                     │ PostgreSQL  │\n                                     │ :5432       │\n                                     └─────────────┘\n```\n\n---\n\n## Security by Design Features\n\n### 1. Multi-Layer Authentication \u0026 Authorization\n\n| Layer | Mechanism | Implementation |\n|-------|-----------|----------------|\n| **Transport** | mTLS (Mutual TLS) | X.509 client certificates, CA validation |\n| **Application** | JWT RS256 | 2048-bit RSA keys, 15-min expiry, audience validation |\n| **Cross-Validation** | CN ↔ JWT sub | Certificate CN must match JWT subject |\n| **Authorization** | RBAC | 5 roles, 7 permissions, principle of least privilege |\n\n**Implementation**: [skylink/auth.py](skylink/auth.py), [skylink/mtls.py](skylink/mtls.py), [skylink/rbac.py](skylink/rbac.py)\n\n### 2. Defense in Depth\n\n| Control | Description | Implementation |\n|---------|-------------|----------------|\n| **Rate Limiting** | Per-identity throttling | 60 req/min per aircraft_id ([skylink/rate_limit.py](skylink/rate_limit.py)) |\n| **Payload Limits** | DoS protection | 64 KB max request size |\n| **Input Validation** | Strict schema enforcement | Pydantic `extra=\"forbid\"`, OpenAPI `additionalProperties: false` |\n| **Idempotency** | Replay attack mitigation | Unique `(aircraft_id, event_id)` constraint |\n\n**Implementation**: [skylink/middlewares.py](skylink/middlewares.py)\n\n### 3. PII Minimization (Privacy by Design)\n\n| Data | Protection | Details |\n|------|------------|---------|\n| GPS Coordinates | Rounding | 4 decimals (~11m accuracy) |\n| Logs | Sanitization | No PII, only `trace_id` for correlation |\n| OAuth Tokens | Encryption | AES-GCM encryption at rest |\n\n### 4. OWASP Security Headers\n\nAll responses include security headers (see [skylink/middlewares.py](skylink/middlewares.py)):\n\n```http\nX-Content-Type-Options: nosniff\nX-Frame-Options: DENY\nCache-Control: no-store, no-cache, must-revalidate, max-age=0\nCross-Origin-Opener-Policy: same-origin\nCross-Origin-Embedder-Policy: require-corp\nReferrer-Policy: no-referrer\nPermissions-Policy: geolocation=(), microphone=(), camera=()\n```\n\n### 5. Observability \u0026 Monitoring\n\n| Feature | Description | Documentation |\n|---------|-------------|---------------|\n| **Structured JSON Logging** | W3C trace correlation (`X-Trace-Id`) | [middlewares.py](skylink/middlewares.py) |\n| **Prometheus Metrics** | Counters, histograms, gauges | `/metrics` endpoint |\n| **Grafana Dashboards** | Pre-configured security dashboard | [MONITORING.md](docs/MONITORING.md) |\n| **Audit Logging** | Security-relevant event tracking | [AUDIT_LOGGING.md](docs/AUDIT_LOGGING.md) |\n| **Alert Rules** | 14 security alerts (auth, rate limit, errors) | [security.yml](monitoring/prometheus/alerts/security.yml) |\n\n```bash\n# Start monitoring stack\ndocker compose --profile monitoring up -d\n\n# Access dashboards\n# Grafana: http://localhost:3000 (admin/admin)\n# Prometheus: http://localhost:9090\n```\n\n### 6. Key Management\n\nSecure cryptographic key management with rotation scripts:\n\n| Key Type | Algorithm | Rotation Script |\n|----------|-----------|-----------------|\n| JWT Signing | RS256 (2048-bit) | `scripts/rotate_jwt_keys.sh` |\n| Token Encryption | AES-256-GCM | `scripts/rotate_encryption_key.sh` |\n| mTLS Certificates | X.509 | `scripts/renew_certificates.sh` |\n\nSee [KEY_MANAGEMENT.md](docs/KEY_MANAGEMENT.md) for rotation procedures and compliance.\n\n---\n\n## CI/CD Security Pipeline\n\nCI/CD pipeline with security gates at every stage:\n- **GitHub Actions**: [.github/workflows/ci.yml](.github/workflows/ci.yml) — See [setup guide](docs/GITHUB_CI_SETUP.md)\n- **GitLab CI**: [.gitlab-ci.yml](.gitlab-ci.yml) — See [setup guide](docs/GITLAB_CI_SETUP.md)\n\n**Pipeline Results \u0026 Reports:**\n| Platform | Status | Coverage | Details |\n|----------|--------|----------|---------|\n| GitHub Actions | [![CI](https://github.com/laugiov/security-by-design/actions/workflows/ci.yml/badge.svg)](https://github.com/laugiov/security-by-design/actions/workflows/ci.yml) | [![Coverage](https://codecov.io/gh/laugiov/security-by-design/branch/main/graph/badge.svg)](https://codecov.io/gh/laugiov/security-by-design) | [View Runs](https://github.com/laugiov/security-by-design/actions) |\n\n```\n┌───────┐   ┌───────┐   ┌───────┐   ┌───────┐   ┌───────┐   ┌───────────────┐   ┌───────┐\n│ LINT  │──▶│ TEST  │──▶│ BUILD │──▶│ SCAN  │──▶│ SBOM  │──▶│ SECURITY-SCAN │──▶│ SIGN  │\n└───────┘   └───────┘   └───────┘   └───────┘   └───────┘   └───────────────┘   └───────┘\n```\n\n### Security Tools\n\n| Tool | Purpose | Stage |\n|------|---------|-------|\n| **Ruff** | Python linting | lint |\n| **Black** | Code formatting | lint |\n| **Bandit** | SAST (security linting) | lint |\n| **pytest** | Unit tests (478 tests, 81% coverage) | test |\n| **Trivy** | Container vulnerability scanning | scan |\n| **pip-audit** | Python dependency SCA | scan |\n| **Gitleaks** | Secret detection | scan |\n| **OpenAPI Generator** | OpenAPI spec validation | scan |\n| **CycloneDX** | SBOM generation | sbom |\n| **OWASP ZAP** | DAST baseline scan | security-scan |\n| **Cosign** | Image signing \u0026 SBOM attestation | sign |\n\n### Supply Chain Security\n\nImages are signed using [Sigstore Cosign](https://github.com/sigstore/cosign) with **keyless signing** (OIDC) and SBOM attestation:\n\n```bash\n# Verify image signature (keyless)\ncosign verify \\\n  --certificate-identity-regexp=\"https://github.com/laugiov/security-by-design\" \\\n  --certificate-oidc-issuer=\"https://token.actions.githubusercontent.com\" \\\n  ghcr.io/laugiov/security-by-design:latest\n\n# Verify SBOM attestation\ncosign verify-attestation \\\n  --certificate-identity-regexp=\"https://github.com/laugiov/security-by-design\" \\\n  --certificate-oidc-issuer=\"https://token.actions.githubusercontent.com\" \\\n  --type cyclonedx \\\n  ghcr.io/laugiov/security-by-design:latest\n```\n\n---\n\n## Kubernetes Deployment\n\nProduction-ready Helm chart with security best practices:\n\n```bash\n# Deploy to Kubernetes\nhelm install skylink ./kubernetes/skylink \\\n  --namespace skylink --create-namespace \\\n  -f kubernetes/skylink/values-prod.yaml\n```\n\n| Security Feature | Implementation |\n|------------------|----------------|\n| **Pod Security** | Restricted profile (non-root, read-only fs, drop ALL capabilities) |\n| **Network Policies** | Zero-trust default deny, explicit allow rules |\n| **Secrets** | External Secrets Operator integration |\n| **Availability** | HPA (auto-scaling), PDB (disruption budget) |\n| **Observability** | ServiceMonitor for Prometheus Operator |\n\nSee [docs/KUBERNETES.md](docs/KUBERNETES.md) for complete deployment guide.\n\n---\n\n## Quick Start\n\n### Prerequisites\n\n- Docker \u0026 Docker Compose\n- OpenSSL (for key generation)\n- curl, jq (optional, for testing)\n\n### 1. Clone \u0026 Configure\n\n```bash\ngit clone \u003crepo-url\u003e skylink\ncd skylink\n\n# Copy environment template\ncp .env.example .env\n\n# Generate RSA keys for JWT signing\nopenssl genrsa -out /tmp/private.pem 2048\nopenssl rsa -in /tmp/private.pem -pubout -out /tmp/public.pem\n\n# Add keys to .env\necho \"PRIVATE_KEY_PEM=\\\"$(cat /tmp/private.pem)\\\"\" \u003e\u003e .env\necho \"PUBLIC_KEY_PEM=\\\"$(cat /tmp/public.pem)\\\"\" \u003e\u003e .env\n```\n\n### 2. Start the Stack\n\n```bash\nmake build \u0026\u0026 make up\n\n# Verify health\nmake health\n```\n\n### 3. Test Authentication\n\n```bash\n# Get a JWT token\nAIRCRAFT_ID=$(uuidgen)\nTOKEN=$(curl -s -X POST http://localhost:8000/auth/token \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\\\"aircraft_id\\\": \\\"$AIRCRAFT_ID\\\"}\" | jq -r '.access_token')\n\necho \"Token: ${TOKEN:0:50}...\"\n```\n\n### 4. Send Telemetry (Idempotency Demo)\n\n```bash\nEVENT_ID=$(uuidgen)\n\n# First request: 201 Created\ncurl -s -X POST http://localhost:8000/telemetry/ingest \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \"{\n    \\\"aircraft_id\\\": \\\"$AIRCRAFT_ID\\\",\n    \\\"event_id\\\": \\\"$EVENT_ID\\\",\n    \\\"ts\\\": \\\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\\\",\n    \\\"metrics\\\": {\\\"speed\\\": 450.5, \\\"gps\\\": {\\\"lat\\\": 48.8566, \\\"lon\\\": 2.3522}}\n  }\"\n# Response: {\"status\": \"created\", \"event_id\": \"...\"}\n\n# Same request again: 200 OK (idempotent duplicate)\n# Same event_id with different data: 409 Conflict\n```\n\n---\n\n## API Endpoints\n\n| Method | Endpoint | Description | Auth |\n|--------|----------|-------------|------|\n| `GET` | `/health` | Health check | No |\n| `GET` | `/metrics` | Prometheus metrics | No |\n| `POST` | `/auth/token` | Obtain JWT token | No |\n| `POST` | `/telemetry/ingest` | Ingest telemetry data | JWT + RBAC (telemetry:write) |\n| `GET` | `/weather/current` | Current weather | JWT + RBAC (weather:read) |\n| `GET` | `/contacts/` | List contacts | JWT + RBAC (contacts:read) |\n\n### HTTP Status Codes\n\n| Code | Meaning |\n|------|---------|\n| `200` | Success / Idempotent duplicate |\n| `201` | Created |\n| `400` | Validation error |\n| `401` | Unauthorized (missing/invalid JWT) |\n| `403` | Forbidden (mTLS CN ≠ JWT sub, or RBAC permission denied) |\n| `409` | Conflict (idempotency violation) |\n| `413` | Payload too large |\n| `429` | Rate limit exceeded |\n\n---\n\n## Project Structure\n\n```\nskylink/\n├── openapi/                 # OpenAPI specifications (Contract-First)\n├── skylink/                 # API Gateway (port 8000)\n│   ├── main.py              # FastAPI application\n│   ├── auth.py              # JWT RS256 authentication\n│   ├── mtls.py              # mTLS configuration\n│   ├── middlewares.py       # Security headers, logging, payload limit\n│   ├── rate_limit.py        # Rate limiting (slowapi)\n│   ├── rbac.py              # Role-Based Access Control\n│   ├── rbac_roles.py        # Role and permission definitions\n│   ├── config.py            # Configuration management\n│   └── routers/             # API endpoints\n├── telemetry/               # Telemetry service (port 8001)\n├── weather/                 # Weather service (port 8002)\n├── contacts/                # Contacts service (port 8003)\n├── scripts/                 # PKI \u0026 utility scripts\n├── tests/                   # Test suite\n├── kubernetes/              # Kubernetes Helm chart\n│   └── skylink/             # Helm chart with security policies\n├── docs/                    # Documentation\n│   ├── DEMO.md              # Demo guide\n│   ├── KUBERNETES.md        # Kubernetes deployment guide\n│   ├── TECHNICAL_DOCUMENTATION.md  # Technical documentation\n│   ├── GITHUB_CI_SETUP.md   # GitHub Actions setup guide\n│   └── GITLAB_CI_SETUP.md   # GitLab CI/CD setup guide\n├── Dockerfile.*             # Multi-stage Dockerfiles (non-root user)\n├── docker-compose.yml       # Orchestration\n├── .gitlab-ci.yml           # GitLab CI/CD pipeline\n└── .github/workflows/ci.yml # GitHub Actions pipeline\n```\n\n---\n\n## Documentation\n\n| Document | Description |\n|----------|-------------|\n| [docs/THREAT_MODEL.md](docs/THREAT_MODEL.md) | STRIDE-based threat analysis and risk assessment |\n| [docs/SECURITY_ARCHITECTURE.md](docs/SECURITY_ARCHITECTURE.md) | Data flow diagrams, trust boundaries, security controls |\n| [docs/MONITORING.md](docs/MONITORING.md) | Security monitoring with Prometheus and Grafana |\n| [docs/KEY_MANAGEMENT.md](docs/KEY_MANAGEMENT.md) | Cryptographic key management, rotation procedures, compliance |\n| [docs/AUDIT_LOGGING.md](docs/AUDIT_LOGGING.md) | Audit event logging, security event tracking, compliance |\n| [docs/AUTHORIZATION.md](docs/AUTHORIZATION.md) | Role-Based Access Control (RBAC), permissions, role matrix |\n| [docs/KUBERNETES.md](docs/KUBERNETES.md) | Kubernetes deployment with Helm, security policies, operations |\n| [docs/DEMO.md](docs/DEMO.md) | Step-by-step demonstration walkthrough |\n| [docs/TECHNICAL_DOCUMENTATION.md](docs/TECHNICAL_DOCUMENTATION.md) | Complete technical documentation (architecture, security, RRA) |\n| [docs/GITHUB_CI_SETUP.md](docs/GITHUB_CI_SETUP.md) | GitHub Actions CI/CD setup guide (secrets, variables, workflow) |\n| [docs/GITLAB_CI_SETUP.md](docs/GITLAB_CI_SETUP.md) | GitLab CI/CD setup guide (variables, registry, pipeline) |\n\n---\n\n## Technology Stack\n\n| Component | Technology | Version |\n|-----------|------------|---------|\n| Language | Python | 3.12 |\n| Framework | FastAPI | ^0.120 |\n| ASGI Server | Uvicorn | ^0.27 |\n| Authentication | PyJWT | ^2.8 |\n| Validation | Pydantic | ^2.10 |\n| Rate Limiting | slowapi | ^0.1.9 |\n| Metrics | prometheus-fastapi-instrumentator | ^7.0 |\n| Database | PostgreSQL | 16 |\n| ORM | SQLAlchemy | ^2.0 |\n| Containers | Docker | 24+ |\n\n---\n\n## Testing\n\n```bash\n# Run all tests\nmake test\n\n# Or with poetry\npoetry run pytest\n```\n\n**478 tests** with **81% coverage** — covering authentication, RBAC authorization, rate limiting, input validation, idempotency, OWASP Top 10 security tests, security headers, error handling, and service integration.\n\n---\n\n## Security Controls Implemented\n\n- [x] **Threat Modeling** — STRIDE analysis in [docs/THREAT_MODEL.md](docs/THREAT_MODEL.md)\n- [x] **Strict Input Validation** — Pydantic `extra=\"forbid\"`, reject unknown fields\n- [x] **JWT RS256 Authentication** — Short TTL (15 min), audience validation\n- [x] **RBAC Authorization** — 5 roles, 7 permissions, least privilege principle\n- [x] **mTLS Cross-Validation** — Certificate CN must match JWT subject\n- [x] **Rate Limiting** — Per-identity throttling with Prometheus counter\n- [x] **OWASP Top 10 Security Tests** — 97 tests covering injection, XSS, access control, etc.\n- [x] **Security Headers** — OWASP recommended set\n- [x] **Structured Logging** — JSON format, no PII, trace_id correlation\n- [x] **SAST** — Bandit security linting\n- [x] **SCA** — pip-audit dependency scanning\n- [x] **Container Scanning** — Trivy (fail on HIGH/CRITICAL)\n- [x] **Secret Detection** — Gitleaks\n- [x] **DAST** — OWASP ZAP baseline scan\n- [x] **SBOM Generation** — CycloneDX format\n- [x] **Image Signing** — Cosign with SBOM attestation\n- [x] **Non-root Containers** — User `skylink:1000`\n- [x] **Secrets Management** — Environment variables, never in code\n- [x] **Kubernetes Security** — Pod Security Restricted, NetworkPolicies, External Secrets\n\n---\n\n## Security Maturity\n\n| Category | Status | Evidence |\n|----------|--------|----------|\n| **Threat Modeling** | ✅ | [THREAT_MODEL.md](docs/THREAT_MODEL.md) — STRIDE, 30+ threats |\n| **Security Architecture** | ✅ | [SECURITY_ARCHITECTURE.md](docs/SECURITY_ARCHITECTURE.md) — DFD, trust boundaries |\n| **Authentication** | ✅ | `test_auth*.py`, `test_mtls*.py` — 45+ tests |\n| **Authorization** | ✅ | [AUTHORIZATION.md](docs/AUTHORIZATION.md) — 5 roles, 7 permissions |\n| **Monitoring \u0026 Alerting** | ✅ | [MONITORING.md](docs/MONITORING.md) — 14 alert rules |\n| **Audit Logging** | ✅ | [AUDIT_LOGGING.md](docs/AUDIT_LOGGING.md) — 20 event types |\n| **Key Management** | ✅ | [KEY_MANAGEMENT.md](docs/KEY_MANAGEMENT.md) — rotation scripts |\n| **Supply Chain Security** | ✅ | CI pipeline — SBOM, Cosign, Trivy |\n| **Kubernetes Security** | ✅ | [KUBERNETES.md](docs/KUBERNETES.md) — Pod Security Restricted |\n\n---\n\n## Standards Alignment\n\n| Control | OWASP ASVS | NIST SSDF | SLSA | Zero Trust |\n|---------|------------|-----------|------|------------|\n| Threat Modeling (STRIDE) | V1.1 | PO.1 | — | — |\n| JWT RS256 + mTLS | V3.5, V9.1 | PS.1 | — | Identity verification |\n| RBAC (least privilege) | V4.1 | PS.1 | — | Explicit access |\n| Input validation | V5.1 | PW.5 | — | Never trust input |\n| SAST/DAST/SCA | V14.2 | PW.7, PW.8 | L1 | — |\n| SBOM + signing | V14.2 | PS.3 | L2 | — |\n| Container hardening | V14.1 | PO.5 | — | Assume breach |\n| NetworkPolicies | — | PO.5 | — | Micro-segmentation |\n| Audit logging | V7.1 | PW.9 | — | Continuous monitoring |\n\n---\n\n## Portability\n\nThe aviation scenario is just a context. The patterns work for any API-based system:\n\n| Domain | Relevant Controls |\n|--------|-------------------|\n| **SaaS / API Platform** | JWT auth, RBAC, rate limiting, audit trail |\n| **Fintech / Regulated** | Threat model, key rotation, encryption, compliance logging |\n| **Multi-tenant** | NetworkPolicies for isolation, per-identity rate limiting |\n\n---\n\n## Learning Path\n\nNew to this project? Follow this recommended learning path:\n\n```\n1. UNDERSTAND THE RISKS\n   └── Read docs/THREAT_MODEL.md\n       └── STRIDE analysis, threat scenarios\n\n2. EXPLORE THE ARCHITECTURE\n   └── Read docs/SECURITY_ARCHITECTURE.md\n       └── Data flow diagrams, trust boundaries\n\n3. HANDS-ON DEMO\n   └── Follow docs/DEMO.md step by step\n       └── JWT auth, rate limiting, idempotency\n\n4. DEEP DIVE INTO CODE\n   └── Explore skylink/ source code\n       └── Security comments explain each control\n\n5. REVIEW OPERATIONAL SECURITY\n   └── docs/MONITORING.md → Prometheus/Grafana\n   └── docs/AUDIT_LOGGING.md → Security events\n   └── docs/KEY_MANAGEMENT.md → Key rotation\n```\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n## Author\n\n**Laurent Giovannoni**, 20+ years scaling SaaS platforms as CTO/VP Engineering\n\nThis reflects how I approach security in practice: CI/CD gates that don't block developers, RBAC that scales, observable systems that auditors can actually verify. I've done this work across multiple organizations. The patterns here come from real production experience, not just theory.\n\n\u003e **Security issues?** See [SECURITY.md](SECURITY.md). Please use GitHub Security Advisories, not LinkedIn.\n\n## License\n\nMIT License. See [LICENSE](LICENSE) for details.\n\n---\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flaugiov%2Fsecurity-by-design","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flaugiov%2Fsecurity-by-design","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flaugiov%2Fsecurity-by-design/lists"}