An open API service indexing awesome lists of open source software.

https://github.com/cloudon-one/secureops

A turnkey CI/CD pipeline that integrates pre-commit checks, security scanning, and infrastructure validation—ensuring your code is compliant and production-ready before it hits the main branch.
https://github.com/cloudon-one/secureops

devsecops-pipeline docker github-actions

Last synced: 9 months ago
JSON representation

A turnkey CI/CD pipeline that integrates pre-commit checks, security scanning, and infrastructure validation—ensuring your code is compliant and production-ready before it hits the main branch.

Awesome Lists containing this project

README

          

# Infrastructure Checks Pipeline

This repository implements a comprehensive infrastructure validation pipeline using GitHub Actions. The pipeline performs various security, cost, and quality checks on infrastructure code, particularly focusing on Terraform configurations.

## Pipeline Overview

```mermaid
flowchart TB
subgraph "Pre-Commit Phase"
PC[Pre-commit Hooks]
GT[GitGuardian Secrets Check]
TM[Threat Modeling]
PC --> GT
PC --> TM
end

subgraph "Infrastructure Validation"
TF[Terraform Validation]
TS[TFSec Analysis]
TL[TFLint Checks]
IC[Infracost Analysis]
TF --> TS
TF --> TL
TF --> IC
end

subgraph "Security Scanning"
SAST[Static Analysis]
DAST[Dynamic Analysis]
DEP[Dependency Scanning]
SC[Supply Chain Security]
SAST --> DEP
DAST --> DEP
DEP --> SC
end

subgraph "Container & K8s Security"
CS[Container Scanning]
KS[Kubernetes Security]
PS[Policy Scanning]
CS --> KS
KS --> PS
end

subgraph "Cloud Security"
AWS[AWS Security]
GCP[GCP Security]
MC[Multi-Cloud Controls]
AWS --> MC
GCP --> MC
end

PC --> TF
GT --> SAST
TF --> CS
CS --> AWS
KS --> MC

style Pre-Commit fill:#d0e1f9
style Infrastructure fill:#e3f2fd
style Security fill:#ffebee
style Container fill:#f3e5f5
style Cloud fill:#e8f5e9
```

The pipeline runs automatically on:
- Pull requests that modify infrastructure files (`.tf`, `.tfvars`, `.hcl`, `Dockerfile`)
- Push events to main/master branch with changes to infrastructure files
- Changes to GitHub workflow files or pre-commit configuration

## Security Scanning

### GitGuardian Security Scan
- Performs deep security scanning of the entire git history
- Detects secrets, credentials, and sensitive information
- Requires `GITGUARDIAN_API_KEY` secret to be configured

### TFSec Analysis
- Scans Terraform code for security issues and best practice violations
- Generates JSON output with detailed findings
- Runs in soft-fail mode to avoid blocking pipelines
- Includes statistics about the scan results

## Cost Management

### Infracost Integration
The pipeline includes comprehensive cost management through Infracost:

#### Pull Request Checks
- Generates cost estimates for infrastructure changes
- Compares costs between base and PR branches
- Posts detailed cost difference comments on PRs
- Requires `INFRACOST_API_KEY` secret

#### Main Branch Updates
- Tracks cost changes on the main/master branch
- Updates Infracost Cloud with latest cost data
- Continues even if policy checks fail

#### PR Status Tracking
- Updates PR status in Infracost when PRs are merged or closed
- Maintains accurate cost history

## Infrastructure Validation

### Docker-based Validation Suite
The pipeline runs a comprehensive suite of checks in a Docker container:

1. **Pre-commit Hooks**
- Runs all configured pre-commit checks
- Ensures code quality and formatting standards

2. **TFLint**
- Lints Terraform files in all directories
- Validates against Terraform best practices

3. **Terraform Operations**
- Runs `terraform init` with backend disabled
- Validates Terraform configurations
- Checks for required_providers blocks in all Terraform files

## Required Secrets

The following secrets must be configured in your GitHub repository:
- `GITGUARDIAN_API_KEY`: For security scanning
- `INFRACOST_API_KEY`: For cost estimation and tracking

## Pipeline Features

- **Concurrency Control**: Automatically cancels redundant runs
- **Caching**: Uses GitHub Actions cache for Docker builds
- **Comprehensive Validation**: Checks both security and functionality
- **Cost Awareness**: Maintains visibility of infrastructure costs
- **Pull Request Integration**: Provides feedback directly on PRs

## Prerequisites

- Terraform files must include `required_providers` blocks
- Docker must be available in the GitHub Actions environment
- Appropriate secrets must be configured
- Pre-commit configuration must be present in `.pre-commit-config.yaml`

## Error Handling

- TFSec runs in soft-fail mode to provide warnings without blocking
- Main branch Infracost updates continue even with policy failures
- Infrastructure validation fails if any required_providers blocks are missing
- Clear error messages are provided for failed checks

## Usage

The pipeline runs automatically based on the configured triggers. No manual intervention is required unless errors are detected.

1. Make your infrastructure changes
2. Create a pull request
3. Review the automated checks:
- Security scan results
- Cost impact analysis
- Infrastructure validation outcomes
4. Address any issues identified by the pipeline
5. Merge when all checks pass

## Contributing

When contributing to this repository, ensure your changes:
- Include appropriate Terraform provider configurations
- Follow security best practices
- Consider cost implications
- Pass all pipeline checks