https://github.com/cloudon-one/secureops
A turnkey CI/CD pipeline that integrates pre-commit checks, security scanning, and infrastructure validation—ensuring your code is compliant and production-ready before it hits the main branch.
- Host: GitHub
- URL: https://github.com/cloudon-one/secureops
- Owner: cloudon-one
- License: mit
- Created: 2025-01-12T09:55:25.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-01-12T14:42:57.000Z (over 1 year ago)
- Last Synced: 2025-01-19T21:25:13.332Z (over 1 year ago)
- Topics: devsecops-pipeline, docker, github-actions
- Language: Dockerfile
- Homepage: https://cloudon.work
- Size: 127 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Infrastructure Checks Pipeline
This repository implements a comprehensive infrastructure validation pipeline using GitHub Actions. The pipeline performs various security, cost, and quality checks on infrastructure code, particularly focusing on Terraform configurations.
## Pipeline Overview
```mermaid
flowchart TB
    subgraph PreCommit["Pre-Commit Phase"]
        PC[Pre-commit Hooks]
        GT[GitGuardian Secrets Check]
        TM[Threat Modeling]
        PC --> GT
        PC --> TM
    end
    subgraph Infrastructure["Infrastructure Validation"]
        TF[Terraform Validation]
        TS[TFSec Analysis]
        TL[TFLint Checks]
        IC[Infracost Analysis]
        TF --> TS
        TF --> TL
        TF --> IC
    end
    subgraph Security["Security Scanning"]
        SAST[Static Analysis]
        DAST[Dynamic Analysis]
        DEP[Dependency Scanning]
        SC[Supply Chain Security]
        SAST --> DEP
        DAST --> DEP
        DEP --> SC
    end
    subgraph Container["Container & K8s Security"]
        CS[Container Scanning]
        KS[Kubernetes Security]
        PS[Policy Scanning]
        CS --> KS
        KS --> PS
    end
    subgraph Cloud["Cloud Security"]
        AWS[AWS Security]
        GCP[GCP Security]
        MC[Multi-Cloud Controls]
        AWS --> MC
        GCP --> MC
    end
    PC --> TF
    GT --> SAST
    TF --> CS
    CS --> AWS
    KS --> MC
    %% style directives must reference the subgraph ids declared above,
    %% not the display titles, or the diagram fails to render
    style PreCommit fill:#d0e1f9
    style Infrastructure fill:#e3f2fd
    style Security fill:#ffebee
    style Container fill:#f3e5f5
    style Cloud fill:#e8f5e9
```
The pipeline runs automatically on:
- Pull requests that modify infrastructure files (`.tf`, `.tfvars`, `.hcl`, `Dockerfile`)
- Push events to main/master branch with changes to infrastructure files
- Changes to GitHub workflow files or pre-commit configuration
## Security Scanning
### GitGuardian Security Scan
- Performs deep security scanning of the entire git history
- Detects secrets, credentials, and sensitive information
- Requires `GITGUARDIAN_API_KEY` secret to be configured
### TFSec Analysis
- Scans Terraform code for security issues and best-practice violations
- Generates JSON output with detailed findings
- Runs in soft-fail mode, so findings are reported but do not block the pipeline
- Includes statistics about the scan results
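Because TFSec runs in soft-fail mode, its findings only matter if someone reads the JSON it writes. The following shell snippet is an added example, not part of the repository, showing how a job step could turn that JSON into the per-severity statistics the README mentions and, optionally, fail only on CRITICAL findings. It assumes TFSec's JSON layout (a top-level `results` array whose entries carry a `severity` field); the sample report is constructed for the example and uses made-up rule ids and paths.

```shell
#!/bin/sh
# Added example (not the project's own code): summarise a tfsec JSON report
# without jq, so it runs in a minimal CI image. Assumes tfsec's JSON shape:
# {"results": [{"rule_id": ..., "severity": "HIGH", ...}, ...]}

# Print the number of findings at a given severity (CRITICAL, HIGH, MEDIUM, LOW).
# grep -c exits 1 when the count is 0, so "|| true" keeps the count usable
# under "set -e" while still printing "0".
count_findings() {
  file="$1"; sev="$2"
  grep -o '"severity": *"[A-Z]*"' "$file" | grep -c "\"$sev\"" || true
}

# Soft-fail summary: always returns 0, mirroring the pipeline's tfsec step,
# but prints one line per severity so the numbers are visible in the job log.
summarize_tfsec() {
  file="$1"
  for sev in CRITICAL HIGH MEDIUM LOW; do
    printf '%-9s %s\n' "$sev" "$(count_findings "$file" "$sev")"
  done
  return 0
}

# Optional hard gate: return 1 only when CRITICAL findings exist, so a team can
# keep soft-fail for the bulk of findings while still blocking the worst ones.
gate_on_critical() {
  n="$(count_findings "$1" CRITICAL)"
  if [ "$n" -gt 0 ]; then
    echo "tfsec: $n CRITICAL finding(s), failing the check" >&2
    return 1
  fi
  return 0
}

# Constructed sample report (not real tfsec output) used to demonstrate the
# functions above: 1 CRITICAL, 2 HIGH, 1 MEDIUM, 0 LOW.
write_sample_tfsec_json() {
  f="$(mktemp)"
  cat > "$f" <<'EOF'
{
  "results": [
    {"rule_id": "example-rule-1", "severity": "HIGH",
     "resource": "aws_s3_bucket.example", "location": {"filename": "example/main.tf"}},
    {"rule_id": "example-rule-2", "severity": "CRITICAL",
     "resource": "aws_security_group.example", "location": {"filename": "example/sg.tf"}},
    {"rule_id": "example-rule-3", "severity": "HIGH",
     "resource": "aws_s3_bucket.logs", "location": {"filename": "example/logs.tf"}},
    {"rule_id": "example-rule-4", "severity": "MEDIUM",
     "resource": "aws_instance.example", "location": {"filename": "example/ec2.tf"}}
  ]
}
EOF
  echo "$f"
}

# Usage: sh tfsec_summary.sh path/to/tfsec.json
if [ "$#" -gt 0 ]; then
  summarize_tfsec "$1"
  gate_on_critical "$1"
fi
```

In the pipeline this would sit right after the TFSec step, reading the file passed to `tfsec --format json --out <file>`; the summary keeps the soft-fail behaviour, and `gate_on_critical` is the one line to add if the team decides CRITICAL findings should block a merge.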
## Cost Management
### Infracost Integration
The pipeline includes comprehensive cost management through Infracost:
#### Pull Request Checks
- Generates cost estimates for infrastructure changes
- Compares costs between base and PR branches
- Posts detailed cost difference comments on PRs
- Requires `INFRACOST_API_KEY` secret
#### Main Branch Updates
- Tracks cost changes on the main/master branch
- Updates Infracost Cloud with latest cost data
- Continues even if policy checks fail
#### PR Status Tracking
- Updates PR status in Infracost when PRs are merged or closed
- Maintains accurate cost history
## Infrastructure Validation
### Docker-based Validation Suite
The pipeline runs a comprehensive suite of checks in a Docker container:
1. **Pre-commit Hooks**
   - Runs all configured pre-commit checks
   - Ensures code quality and formatting standards
2. **TFLint**
   - Lints Terraform files in all directories
   - Validates against Terraform best practices
3. **Terraform Operations**
   - Runs `terraform init` with the backend disabled (`-backend=false`), so no remote state is touched
   - Validates Terraform configurations
   - Checks for `required_providers` blocks in all Terraform files
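The `required_providers` check is the one validation step the README says fails the pipeline outright, so it is worth seeing how such a check can be written. The script below is an added example, not the repository's own validation code. It goes slightly beyond the README's wording: rather than checking every `.tf` file individually (a `variables.tf` legitimately has no `required_providers`), it treats each directory containing `.tf` files as a module and requires the block to appear somewhere in that directory, which is the scope Terraform itself applies. The fixture it builds is constructed for the example.

```shell
#!/bin/sh
# Added example (not the project's own script): fail when any Terraform module
# directory lacks a required_providers block. Assumes the conventional layout
# of one module per directory of *.tf files.

# Returns 0 when every directory holding *.tf files declares required_providers
# in at least one of its files, 1 otherwise (each offender is named on stderr).
check_required_providers() {
  root="${1:-.}"
  missing=0
  for dir in $(find "$root" -name '*.tf' -exec dirname {} \; | sort -u); do
    # match "required_providers {" at the start of a line, ignoring indentation
    if ! grep -qE '^[[:space:]]*required_providers[[:space:]]*[{]' "$dir"/*.tf; then
      echo "missing required_providers block in $dir" >&2
      missing=1
    fi
  done
  return $missing
}

# Constructed fixture for demonstration: "good" declares required_providers in
# versions.tf, "bad" has a resource but no terraform block at all.
make_fixture() {
  fx="$(mktemp -d)"
  mkdir -p "$fx/good" "$fx/bad"
  cat > "$fx/good/versions.tf" <<'EOF'
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
EOF
  cat > "$fx/good/main.tf" <<'EOF'
resource "aws_s3_bucket" "example" {
  bucket = "example-bucket"
}
EOF
  cat > "$fx/bad/main.tf" <<'EOF'
resource "aws_s3_bucket" "example" {
  bucket = "example-bucket"
}
EOF
  echo "$fx"
}

# Usage: sh check_required_providers.sh path/to/terraform/root
if [ "$#" -gt 0 ]; then
  check_required_providers "$1"
fi
```

Run against the repository root, a non-zero exit from `check_required_providers` is what a Docker-based validation step would propagate to GitHub Actions to mark the job failed; the stderr lines give the "clear error message" the README promises, one per offending module.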
## Required Secrets
The following secrets must be configured in your GitHub repository:
- `GITGUARDIAN_API_KEY`: For security scanning
- `INFRACOST_API_KEY`: For cost estimation and tracking
## Pipeline Features
- **Concurrency Control**: Automatically cancels redundant runs
- **Caching**: Uses GitHub Actions cache for Docker builds
- **Comprehensive Validation**: Checks both security and functionality
- **Cost Awareness**: Maintains visibility of infrastructure costs
- **Pull Request Integration**: Provides feedback directly on PRs
## Prerequisites
- Terraform files must include `required_providers` blocks
- Docker must be available in the GitHub Actions environment
- Appropriate secrets must be configured
- Pre-commit configuration must be present in `.pre-commit-config.yaml`
## Error Handling
- TFSec runs in soft-fail mode to provide warnings without blocking
- Main branch Infracost updates continue even with policy failures
- Infrastructure validation fails if any `required_providers` blocks are missing
- Clear error messages are provided for failed checks
## Usage
The pipeline runs automatically based on the configured triggers. No manual intervention is required unless errors are detected.
1. Make your infrastructure changes
2. Create a pull request
3. Review the automated checks:
   - Security scan results
   - Cost impact analysis
   - Infrastructure validation outcomes
4. Address any issues identified by the pipeline
5. Merge when all checks pass
## Contributing
When contributing to this repository, ensure your changes:
- Include appropriate Terraform provider configurations
- Follow security best practices
- Consider cost implications
- Pass all pipeline checks