# Secure Pipeline Workshop
Welcome to the "Secure Pipeline" workshop! This hands-on workshop teaches you how to build a comprehensive security-focused CI/CD pipeline with multiple layers of security scanning and best practices.
Estimated time: 2–3 hours self-paced (~20 min per module).

> [!NOTE]
> Platform-agnostic principles: This workshop runs on GitHub Actions for hands-on convenience, but the tools (Semgrep, Trivy, Checkov, Prowler…) and patterns (shift-left, scan-then-gate, multi-layer pipeline) are universal. To run this on GitLab CI, Jenkins, CircleCI, etc., you'd translate the orchestration glue (workflow files, secrets, triggers) but keep everything else.
## Repository Structure

```
├── .github/workflows/   # GitHub Actions workflows
├── code/                # Sample vulnerable application
├── infra/               # Terraform infrastructure
└── workshop/            # Workshop modules and documentation
```
## Workshop Modules

New here? Start with the workshop introduction for context on shift-left, CI/CD/CS, prerequisites, and how the workshop works.
1. **Pipeline Security Scan**
   Detect insecure GitHub Actions patterns: unpinned actions, excessive permissions, untrusted authors.
2. **Code Security Scan**
   Find vulnerabilities in your application code (SAST) and in its dependencies (SCA).
3. **Secrets Scan**
   Detect and prevent exposure of credentials and sensitive information.
4. **Container Security Scan**
   Scan Docker images for vulnerabilities and misconfigurations.
5. **Infrastructure as Code (IaC) Security Scan**
   Analyze Terraform and other IaC definitions for security issues before they are deployed.
6. **Runtime Infrastructure Scan (live cloud)**
   Scan a live AWS account for misconfigurations and drift that static IaC scans can't catch.
7. **AI Security Review (optional)**
   Leverage AI to perform comprehensive, context-aware security reviews of pull requests.
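To make the three patterns from module 1 concrete, here is a small added checker (example code written for this page, not part of the workshop repository or of any of the tools it uses). It scans a constructed workflow file for actions not pinned to a commit SHA, a `write-all` permissions block, and action owners outside an assumed allow-list (`actions`, `github`); the 40-hex SHA in the sample is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow (not from the workshop repo). It contains the
# patterns module 1 looks for: an action pinned only to a tag, a write-all
# permissions block, and an action from an owner outside the allow-list.
# The 40-hex SHA below is a placeholder, not a real commit id.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: some-random-user/deploy-thing@main
      - run: echo build
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")     # 'uses: owner/repo@ref'
PERMS_RE = re.compile(r"^\s*permissions:\s*(\S+)?")     # 'permissions: <value>'

def scan_workflow(text, trusted_owners=("actions", "github")):
    """Return (line_no, rule, detail) findings for insecure workflow patterns."""
    findings = []
    has_top_level_permissions = False
    for no, line in enumerate(text.splitlines(), 1):
        m = PERMS_RE.match(line)
        if m:
            if not line[0].isspace():          # unindented -> workflow-level block
                has_top_level_permissions = True
            if m.group(1) == "write-all":
                findings.append((no, "excessive-permissions", "write-all grants every scope"))
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue                           # local/container actions: no remote tag to pin
        name, _, version = ref.partition("@")
        owner = name.split("/")[0]
        if not SHA_RE.match(version):          # tags and branches are mutable
            findings.append((no, "unpinned-action", f"{ref} is not pinned to a commit SHA"))
        if owner not in trusted_owners:
            findings.append((no, "untrusted-author", f"{owner} is not in the allow-list"))
    if not has_top_level_permissions:          # default GITHUB_TOKEN scopes apply
        findings.append((0, "excessive-permissions", "no top-level permissions block"))
    return findings

if __name__ == "__main__":
    for line_no, rule, detail in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {rule}: {detail}")
```

Against the sample it reports the `write-all` block on line 3, the tag-pinned `actions/checkout@v4` on line 8, and both an unpinned ref and an untrusted owner for line 10; a workflow with no `permissions:` block at all gets a separate finding because the token then falls back to the default scopes.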
## Contributing
This workshop is designed to be continuously improved. Feel free to:
- Report issues or suggest improvements
- Add new security scenarios
- Contribute additional tool integrations
- Share your workshop experience
## License
This workshop is provided under the MIT License for educational purposes.
Ready to build the perfect secure pipeline? Start here!