{"id":50477350,"url":"https://github.com/stormsinbrewing/savvy-devsecops","last_synced_at":"2026-06-01T14:05:01.522Z","repository":{"id":199477522,"uuid":"702960958","full_name":"stormsinbrewing/savvy-devsecops","owner":"stormsinbrewing","description":" GitHub native DevSecOps CI/CD best practices include automated security testing, code analysis, and policy enforcement using GitHub Actions, coupled with secure IaC and container security measures. This entails managing secrets, enforcing access control, and implementing incident response and monitoring, all while fostering continuous learning.","archived":false,"fork":false,"pushed_at":"2026-05-28T19:31:06.000Z","size":583,"stargazers_count":4,"open_issues_count":27,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-28T21:17:09.731Z","etag":null,"topics":["aws","build","codeql","dependab","devops","devsecops","docker","github","github-actions","kubernetes","nodejs","renovate","sast","security"],"latest_commit_sha":null,"homepage":"https://stars.github.com/profiles/nishkarshraj/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stormsinbrewing.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-10-10T10:35:41.000Z","updated_at":"2025-09-18T15:53:43.000Z","dependencies_parsed_at":"2024-02-29T16:34:54.763Z","dependency_job_id":"4abf5f14-2296-4d35-9728-09eb9da0060b","html_url":"https://github.com/stormsinbrewing/savvy-devsecops","commit_stats":null,"previous_names":["nishkarshraj/savvy-devsecops","stormsinbrewing/savvy-devsecops"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/stormsinbrewing/savvy-devsecops","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stormsinbrewing%2Fsavvy-devsecops","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stormsinbrewing%2Fsavvy-devsecops/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stormsinbrewing%2Fsavvy-devsecops/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stormsinbrewing%2Fsavvy-devsecops/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stormsinbrewing","download_url":"https://codeload.github.com/stormsinbrewing/savvy-devsecops/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stormsinbrewing%2Fsavvy-devsecops/sbom","scorecard":{"id":403825,"data":{"date":"2024-02-23T07:13:33Z","repo":{"name":"github.com/stormsinbrewing/savvy-devsecops","commit":"088fdc7a217533c42ae9f18ac37db582fefa7622"},"scorecard":{"version":"v4.13.1","commit":"49c0eed3a423f00c872b5c3c9f1bbca9e8aae799"},"score":7.8,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":6,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'force pushes' disabled on branch 'main'","Info: 'allow deletion' disabled on branch 'main'","Info: 'last push approval' enabled on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Warn: number of required reviewers is only 1 on branch 'main'","Info: stale review dismissal enabled on branch 'main'","Info: settings apply to administrators on branch 'main'","Info: codeowner review is required on branch 'main'","Warn: codeowners branch protection is being ignored - but no codeowners file found in repo"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"15 out of 15 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: in_progress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":5,"reason":"found 13 unreviewed changesets out of 26 -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"4 different organizations found -- score normalized to 10","details":["Info: contributors work for DevOpsatUPES,OpenGenus,statusneo,stormsinbrewing"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: tool 'RenovateBot' is used: renovate.json:1","Info: tool 'Dependabot' is used: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)","Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)","Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)","Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)","Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)","Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: License file found in expected location: LICENSE:1","Info: FSF or OSI recognized license: LICENSE:1"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#license"}},{"name":"Maintained","score":2,"reason":"3 commit(s) out of 30 and 0 issue activity out of 1 found in the last 90 days -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"publishing workflow detected","details":["Info: GitHub/GitLab publishing workflow used in run https://api.github.com/repos/stormsinbrewing/savvy-devsecops/actions/runs/8015757019: .github/workflows/super-devsecops.yml:162"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  17 out of  17 GitHub-owned GitHubAction dependencies pinned","Info:  12 out of  12 third-party GitHubAction dependencies pinned","Info:   2 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Warn: 13 commits out of 17 are checked with a SAST tool","Info: SAST tool detected: CodeQL"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":8,"reason":"4 out of 4 artifacts are signed or have provenance","details":["Warn: release artifact 1.2.4 does not have provenance: https://api.github.com/repos/stormsinbrewing/savvy-devsecops/releases/125358889","Info: signed release artifact: savvy-devsecops-1.2.4.tar.gz.asc: https://api.github.com/repos/stormsinbrewing/savvy-devsecops/releases/assets/130966071","Warn: release artifact 1.2.3 does not have provenance: https://api.github.com/repos/stormsinbrewing/savvy-devsecops/releases/125188989","Info: signed release artifact: savvy-devsecops-1.2.3.tar.gz.asc: https://api.github.com/repos/stormsinbrewing/savvy-devsecops/releases/assets/130964483","Warn: release artifact 1.1.2 does not have provenance: https://api.github.com/repos/stormsinbrewing/savvy-devsecops/releases/124546758","Info: signed release artifact: savvy-devsecops-1.1.2.tar.gz.asc: https://api.github.com/repos/stormsinbrewing/savvy-devsecops/releases/assets/130964673","Warn: release artifact 1.1.1 does not have provenance: https://api.github.com/repos/stormsinbrewing/savvy-devsecops/releases/124545654","Info: signed release artifact: savvy-devsecops-1.1.1.tar.gz.asc: https://api.github.com/repos/stormsinbrewing/savvy-devsecops/releases/assets/130964708"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:5","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-npm.yml:8","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release-npm.yml:14","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/release-npm.yml:15: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/super-devsecops.yml:10","Info: jobLevel 'actions' permission set to 'read': .github/workflows/super-devsecops.yml:84","Info: jobLevel 'contents' permission set to 'read': .github/workflows/super-devsecops.yml:85","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/super-devsecops.yml:112","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/super-devsecops.yml:165: Verify which permissions are needed and consider whether you can reduce them. (High effort)","Info: jobLevel 'contents' permission set to 'read': .github/workflows/super-devsecops.yml:17","Info: jobLevel 'actions' permission set to 'read': .github/workflows/super-devsecops.yml:19"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr","Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T20:42:39.185Z","repository_id":199477522,"created_at":"2025-08-18T20:42:39.186Z","updated_at":"2025-08-18T20:42:39.186Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33778047,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-01T02:00:06.963Z","response_time":115,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","build","codeql","dependab","devops","devsecops","docker","github","github-actions","kubernetes","nodejs","renovate","sast","security"],"created_at":"2026-06-01T14:05:00.450Z","updated_at":"2026-06-01T14:05:01.513Z","avatar_url":"https://github.com/stormsinbrewing.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/stormsinbrewing/savvy-devsecops/badge)](https://securityscorecards.dev/viewer/?uri=github.com/stormsinbrewing/savvy-devsecops) [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7960/badge)](https://bestpractices.coreinfrastructure.org/projects/7960)\n\nSecurity Best Practices are listed [here](docs/checklist.md)\n\n### Best Practices for GitHub Native DevSecOps Pipeline\n\nImplementing DevSecOps best practices for CI/CD (Continuous Integration/Continuous Delivery) in GitHub involves integrating security practices throughout the software development lifecycle. This ensures that security is not treated as an afterthought but is an integral part of the development process. Here's a description of GitHub native DevSecOps CI/CD best practices:\n\n**1. Infrastructure as Code (IaC) Security:** Utilize GitHub's infrastructure as code capabilities to enforce security measures in the deployment pipeline. Use tools like Terraform or GitHub Actions to ensure that infrastructure deployments are secure and adhere to best practices.\n\n**2. Automated Security Testing:** Integrate automated security testing into the CI/CD pipeline. Use tools like SonarQube, Snyk, or GitHub-native security tools to scan for vulnerabilities, malware, or code flaws as part of the build process.\n\n**3. Code Analysis and Review:** Encourage secure coding practices through code analysis and review. Leverage GitHub's code scanning and pull request review features to identify and fix security vulnerabilities early in the development process.\n\n**4. Policy Enforcement with GitHub Actions:** Enforce security policies using GitHub Actions to automate checks for compliance, code quality, and vulnerability scanning. Use pre-configured workflows to ensure that all code changes meet the organization's security standards.\n\n**5. Container Security:** Implement container scanning tools like Docker Security Scanning or GitHub container scanning to detect vulnerabilities within the container images before deployment. Make sure that only secure and approved container images are used in the CI/CD pipeline.\n\n**6. Secret Management:** Manage secrets securely by utilizing GitHub's native secret management solutions. Encourage the use of environment variables and GitHub Secrets to store sensitive information securely, reducing the risk of exposure during the CI/CD process.\n\n**7. Access Control and Permissions:** Enforce access control and permissions for repositories and CI/CD pipelines to ensure that only authorized personnel have access to sensitive information and critical deployment processes. Implement GitHub's access management features to define roles and permissions for different stakeholders.\n\n**8. Incident Response and Monitoring:** Implement monitoring and logging solutions within the CI/CD pipeline to track and analyze security incidents in real-time. Use tools like GitHub Security Advisories and Security Insights to stay informed about security vulnerabilities and take prompt action when necessary.\n\n**9. Continuous Learning and Improvement:** Foster a culture of continuous learning and improvement by regularly updating security measures, conducting security awareness training, and staying informed about the latest security threats and best practices. Encourage developers to stay updated with the latest security guidelines and tools.\n\nBy following these GitHub native DevSecOps CI/CD best practices, organizations can build a robust and secure development pipeline, ensuring that security is integrated seamlessly throughout the software development lifecycle.\n\n### SBOM with Syft\n\n```\n$ syft dir:. -o spdx-json=spdx.source.json # Source SBOM\n$ syft docker:savvy -o spdx-json=spdx.docker.json # Local Docker Image SBOM\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstormsinbrewing%2Fsavvy-devsecops","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstormsinbrewing%2Fsavvy-devsecops","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstormsinbrewing%2Fsavvy-devsecops/lists"}