https://adurrr.github.io/en/tags/security/Recent content in Security on AdurHugo -- gohugo.ioenMon, 16 Mar 2026 00:00:00 +0000https://adurrr.github.io/en/p/shift-left-security-integrating-trivy-and-semgrep-in-gitlab-ci/Mon, 16 Mar 2026 00:00:00 +0000https://adurrr.github.io/en/p/shift-left-security-integrating-trivy-and-semgrep-in-gitlab-ci/<h2 id="why-these-two-tools-and-not-others">Why these two tools and not others </h2><p>The security tooling landscape for pipelines is huge, and it is easy to end up with a pipeline that spends twenty minutes just on scans. After trying several combinations, I stick with Trivy and Semgrep for a simple reason: they cover two distinct attack surfaces with minimal friction.</p> <p>Semgrep analyzes your source code looking for dangerous patterns — SQL injections, insecure deserialization, hardcoded secrets. It does this fast and without needing to compile anything. Trivy, on the other hand, takes care of everything that is not your code: dependencies with known CVEs, outdated base images, problematic IaC configurations. Between the two you cover your own code and third-party code.</p> <p>Both are open-source, run without an external server, and produce JSON output that you can easily parse in CI. No licenses or third-party dashboards needed to get started.</p> <h2 id="pipeline-structure">Pipeline structure </h2><p>The idea is that security should not be an isolated stage at the end, but something that runs in parallel with the rest of your checks. Here is the general layout:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">stages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">test</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">build</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">TRIVY_SEVERITY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;HIGH,CRITICAL&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SEMGREP_RULES</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;p/owasp-top-ten p/security-audit&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>security</code> stage runs at the same level as <code>test</code>. If any scan fails, the pipeline stops before building the image or deploying anything.</p> <h2 id="setting-up-semgrep">Setting up Semgrep </h2><h3 id="basic-job">Basic job </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">semgrep</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">semgrep/semgrep:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep ci --config &#34;$SEMGREP_RULES&#34; --json --output semgrep-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_PIPELINE_SOURCE == &#34;merge_request_event&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This runs Semgrep on every merge request and on every push to the main branch. Results are always saved as an artifact, even if the pipeline fails — you will want to review them later.</p> <h3 id="custom-rules">Custom rules </h3><p>Generic rulesets are fine to start with, but as soon as you have project-specific patterns you want to catch, you will need custom rules. Create a <code>.semgrep/</code> directory at the project root:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># .semgrep/no-env-secrets.yml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="kc">no</span>-<span class="l">os-environ-secrets</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">patterns</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">pattern</span><span class="p">:</span><span class="w"> </span><span class="l">os.environ[$KEY]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">metavariable-regex</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">metavariable</span><span class="p">:</span><span class="w"> </span><span class="l">$KEY</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">regex</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.*(SECRET|PASSWORD|TOKEN|KEY).*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Direct access to secrets from environment variables. Use the secrets manager.&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">languages</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">python]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">WARNING</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Then reference it in the pipeline:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SEMGREP_RULES</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;p/owasp-top-ten p/security-audit .semgrep/&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="handling-false-positives">Handling false positives </h3><p>There will be false positives. That is unavoidable. What matters is how you handle them. The worst reaction is to disable the entire rule or slap <code>allow_failure: true</code> on the job. Instead, use inline annotations:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="c1"># nosemgrep: python.lang.security.audit.hardcoded-password</span> </span></span><span class="line"><span class="cl"><span class="n">TEST_PASSWORD</span> <span class="o">=</span> <span class="s2">&#34;dummy&#34;</span> <span class="c1"># test fixture, not used in production</span> </span></span></code></pre></td></tr></table> </div> </div><p>Every suppression should have a comment explaining why it is safe to ignore. No exceptions. If you cannot justify it, do not suppress it.</p> <p>For broader suppressions, use <code>.semgrepignore</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"># Exclude test fixtures </span></span><span class="line"><span class="cl">tests/fixtures/ </span></span><span class="line"><span class="cl"># Exclude auto-generated code </span></span><span class="line"><span class="cl">*_generated.py </span></span></code></pre></td></tr></table> </div> </div><h2 id="setting-up-trivy">Setting up Trivy </h2><h3 id="dependency-scanning">Dependency scanning </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">trivy-fs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">aquasec/trivy:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy fs --severity &#34;$TRIVY_SEVERITY&#34; --exit-code 1 --format json --output trivy-fs.json .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy-fs.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_PIPELINE_SOURCE == &#34;merge_request_event&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Trivy examines the project&rsquo;s lockfiles (<code>package-lock.json</code>, <code>requirements.txt</code>, <code>go.sum</code>, etc.) and cross-references versions against vulnerability databases. The <code>--exit-code 1</code> flag makes the job fail if it finds anything HIGH or CRITICAL.</p> <h3 id="container-image-scanning">Container image scanning </h3><p>If you build Docker images, scan them before pushing to the registry:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">trivy-image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">aquasec/trivy:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">job</span><span class="p">:</span><span class="w"> </span><span class="l">build-image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy image --severity &#34;$TRIVY_SEVERITY&#34; --exit-code 1 --format json --output trivy-image.json &#34;$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy-image.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This job depends on the image build (via <code>needs</code>) and only runs on the main branch, not on every MR. Scanning images is slower than scanning the filesystem, so reserve that for what actually gets deployed.</p> <h3 id="iac-scanning">IaC scanning </h3><p>One often overlooked advantage of Trivy is that it also analyzes infrastructure configurations:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">trivy-iac</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">aquasec/trivy:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy config --severity &#34;$TRIVY_SEVERITY&#34; --exit-code 1 --format json --output trivy-iac.json .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy-iac.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_PIPELINE_SOURCE == &#34;merge_request_event&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">changes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;**/*.tf&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;**/Dockerfile&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;**/*.yml&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;**/*.yaml&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>It catches Dockerfiles running as root, Terraform files with overly open security groups, and Kubernetes configs without resource limits. The <code>changes</code> block ensures it only runs when relevant files are modified, avoiding unnecessary scans.</p> <h2 id="blocking-policies">Blocking policies </h2><p>Do not start blocking everything from day one. That breeds frustration, creative workarounds, and eventually someone puts <code>allow_failure: true</code> on every security job.</p> <p>Better to do it in phases:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Phase 1: Report only</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">semgrep</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_failure</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Phase 2: Block critical only</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">semgrep</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep ci --config &#34;$SEMGREP_RULES&#34; --json --output semgrep-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> CRITICAL=$(jq &#39;[.results[] | select(.extra.severity == &#34;ERROR&#34;)] | length&#39; semgrep-results.json) </span></span></span><span class="line"><span class="cl"><span class="sd"> if [ &#34;$CRITICAL&#34; -gt 0 ]; then </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Blocked: $CRITICAL critical findings&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> exit 1 </span></span></span><span class="line"><span class="cl"><span class="sd"> fi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_failure</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Phase 3: Block high + critical</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># ... adjust the jq filter</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Same goes for Trivy. The <code>--severity</code> flag already lets you control which levels block the pipeline. Start with CRITICAL only, and once the team has adapted, add HIGH.</p> <h2 id="the-complete-pipeline">The complete pipeline </h2><p>Putting it all together:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">stages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">test</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">build</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">TRIVY_SEVERITY</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;HIGH,CRITICAL&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">SEMGREP_RULES</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;p/owasp-top-ten p/security-audit&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">semgrep</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">semgrep/semgrep:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep ci --config &#34;$SEMGREP_RULES&#34; --json --output semgrep-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> CRITICAL=$(jq &#39;[.results[] | select(.extra.severity == &#34;ERROR&#34;)] | length&#39; semgrep-results.json) </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Critical findings: $CRITICAL&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> if [ &#34;$CRITICAL&#34; -gt 0 ]; then </span></span></span><span class="line"><span class="cl"><span class="sd"> echo &#34;Pipeline blocked&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> exit 1 </span></span></span><span class="line"><span class="cl"><span class="sd"> fi</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep-results.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_PIPELINE_SOURCE == &#34;merge_request_event&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">trivy-fs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">aquasec/trivy:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy fs --severity &#34;$TRIVY_SEVERITY&#34; --exit-code 1 --format json --output trivy-fs.json .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy-fs.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_PIPELINE_SOURCE == &#34;merge_request_event&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">trivy-config</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">aquasec/trivy:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy config --severity &#34;$TRIVY_SEVERITY&#34; --exit-code 1 --format json --output trivy-iac.json .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy-iac.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_PIPELINE_SOURCE == &#34;merge_request_event&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">changes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;**/*.tf&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;**/Dockerfile&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;**/*.yml&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">trivy-image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">security</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">aquasec/trivy:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">entrypoint</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">job</span><span class="p">:</span><span class="w"> </span><span class="l">build</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy image --severity &#34;$TRIVY_SEVERITY&#34; --exit-code 1 --format json --output trivy-image.json &#34;$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">artifacts</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">trivy-image.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">when</span><span class="p">:</span><span class="w"> </span><span class="l">always</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Semgrep and the Trivy scans run in parallel within the <code>security</code> stage. If any of them fails, the pipeline stops before building or deploying.</p> <h2 id="surfacing-results-in-merge-requests">Surfacing results in merge requests </h2><p>JSON reports are fine for auditing, but developers need feedback visible directly in the MR. GitLab supports native security reports if you use official templates, but with external tools you can parse the JSON and comment on the MR:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">comment-results</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stage</span><span class="p">:</span><span class="w"> </span><span class="l">.post</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">alpine:latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">apk add --no-cache curl jq</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> SEMGREP_COUNT=$(jq &#39;.results | length&#39; semgrep-results.json 2&gt;/dev/null || echo &#34;0&#34;) </span></span></span><span class="line"><span class="cl"><span class="sd"> TRIVY_COUNT=$(jq &#39;.Results[]?.Vulnerabilities // [] | length&#39; trivy-fs.json 2&gt;/dev/null || echo &#34;0&#34;) </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> BODY=&#34;### Security summary\n- Semgrep: ${SEMGREP_COUNT} findings\n- Trivy: ${TRIVY_COUNT} vulnerabilities&#34; </span></span></span><span class="line"><span class="cl"><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> curl --request POST \ </span></span></span><span class="line"><span class="cl"><span class="sd"> --header &#34;PRIVATE-TOKEN: ${GITLAB_API_TOKEN}&#34; \ </span></span></span><span class="line"><span class="cl"><span class="sd"> --header &#34;Content-Type: application/json&#34; \ </span></span></span><span class="line"><span class="cl"><span class="sd"> --data &#34;{\&#34;body\&#34;: \&#34;$BODY\&#34;}&#34; \ </span></span></span><span class="line"><span class="cl"><span class="sd"> &#34;${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/notes&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">$CI_PIPELINE_SOURCE == &#34;merge_request_event&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_failure</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Not the most elegant solution, but it works. If you are on GitLab Ultimate you get integrated security reports. If not, this gives enough visibility.</p> <h2 id="cache-and-performance">Cache and performance </h2><p>Scans add time to the pipeline, and if that time is excessive the team will end up disabling them. A few things that help:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">trivy-fs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">variables</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">TRIVY_CACHE_DIR</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;.trivycache/&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">trivy-db</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">.trivycache/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># ...rest of the job</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Caching Trivy&rsquo;s vulnerability database avoids downloading it on every run. It is roughly 40MB downloaded from GitHub, and on shared runners that download can take a while.</p> <p>For Semgrep, the binary itself is already fast, but if your repository is large, limit the paths:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">semgrep</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">script</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">semgrep ci --config &#34;$SEMGREP_RULES&#34; --include=&#34;src/&#34; --include=&#34;app/&#34; --json --output semgrep-results.json</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>No point scanning <code>node_modules/</code>, <code>vendor/</code>, or asset directories.</p> <h2 id="what-i-learned-running-this-in-practice">What I learned running this in practice </h2><p>I have been using this setup in production for a while now, and some things only become clear with actual use.</p> <p>Trivy flags a lot of CVEs in base images that have no fix available. If you do not filter with <code>--ignore-unfixed</code>, you will have constant noise. Better to add that flag and focus on what you can actually fix:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivy image --ignore-unfixed --severity HIGH,CRITICAL my-image:latest </span></span></code></pre></td></tr></table> </div> </div><p>With Semgrep, community rulesets are a good starting point, but the rules that deliver the most value are the ones you write yourself, tailored to your project&rsquo;s patterns. A single rule that catches unparameterized ORM queries is worth more than a hundred generic rules.</p> <p>And the most important thing: do not try to plug every hole at once. Start with scans in report-only mode, review what comes up, tune the rules, and only then start blocking. If you block everything on day one, someone will have put <code>allow_failure: true</code> on every job by day two.</p>https://adurrr.github.io/en/p/lessons-learned-in-devsecops/Mon, 20 Oct 2025 00:00:00 +0000https://adurrr.github.io/en/p/lessons-learned-in-devsecops/<p>DevSecOps gets thrown around in job descriptions and conference talks a lot. But behind the buzzword are real lessons that only come from doing the work. From building pipelines that break when you add security gates, to watching teams ignore the tools you spent months deploying, to finally finding what actually works.</p> <p>These are lessons we learned the hard way. They&rsquo;re opinionated, practical, shaped by experience.</p> <h2 id="security-is-everyones-responsibility">Security is everyone&rsquo;s responsibility </h2><p>Sounds like a break room poster, but it&rsquo;s the most important lesson here. If security is only the security team&rsquo;s job, you&rsquo;ve lost.</p> <p>Developers make security decisions every time they write code, whether they know it or not. How they validate input. How they handle secrets. How they configure network access. Every PR is a security event.</p> <p>What works: make security part of the normal development workflow, not a gate at the end. Developers learn when they get fast feedback on security issues in their PR. They resent finding out three weeks later from an auditor.</p> <p>We&rsquo;ve seen this repeatedly: teams that treat security as shared responsibility find fewer critical vulnerabilities in production. Teams that silo it find them in the news.</p> <h2 id="automate-everything-you-can">Automate everything you can </h2><p>Manual security processes do not scale. Period. If your security review is a human reading a checklist, it will be skipped under deadline pressure, inconsistently applied, and resented by everyone involved.</p> <p>Automate the things that can be automated:</p> <ul> <li><strong>Dependency scanning</strong> in every CI build (Dependabot, Snyk, Trivy)</li> <li><strong>Static analysis</strong> on every pull request (Semgrep, SonarQube)</li> <li><strong>Secret detection</strong> as a pre-commit hook and CI check (gitleaks, detect-secrets)</li> <li><strong>Container image scanning</strong> before deployment (Trivy, Grype)</li> <li><strong>Infrastructure as Code scanning</strong> (tfsec, Checkov, KICS)</li> <li><strong>Compliance as Code</strong> for runtime policy enforcement (OPA, Kyverno)</li> </ul> <p>The goal is not to catch everything automatically. The goal is to catch the easy stuff automatically so that human reviewers can focus on the hard stuff: business logic flaws, design-level security issues, threat modeling.</p> <h2 id="start-small">Start Small </h2><p>One of the biggest mistakes we have made is trying to secure everything at once. You roll out SAST, DAST, SCA, container scanning, IaC scanning, and runtime protection in one quarter. The result? Alert fatigue, developer rebellion, and a wall of unresolved findings that nobody looks at.</p> <p>Start with one tool, one pipeline, one team. Get it working well. Get developers comfortable with it. Resolve the false positives. Tune the rules. Then expand.</p> <p>A practical progression:</p> <ol> <li><strong>Month 1</strong>: Secret detection in pre-commit hooks and CI. This is uncontroversial and catches real issues.</li> <li><strong>Month 2</strong>: Dependency scanning with automated PR creation for updates. Developers see the value immediately.</li> <li><strong>Month 3</strong>: Container image scanning blocking deployments of critical/high vulnerabilities.</li> <li><strong>Month 4+</strong>: Static analysis, gradually expanding rule sets.</li> </ol> <p>Each step should be stable before moving to the next. Rushing creates noise, and noise teaches people to ignore alerts.</p> <h2 id="blameless-culture-matters">Blameless culture matters </h2><p>When a security incident happens because someone pushed a secret to a public repo, or because a vulnerability was not patched in time, the response matters more than the incident itself.</p> <p>If people get blamed, they hide things. They do not report near-misses. They cover up mistakes. And the next incident will be worse because nobody shared the lessons from the last one.</p> <p>Blameless postmortems are not about letting people off the hook. They are about understanding systemic failures. Why was it possible to push a secret? Why was there no scanning? Why was the patching process slow? Fix the system, not the person.</p> <p>We have found that teams with genuinely blameless cultures have significantly better security postures. People report suspicious things. They ask for help early. They flag risks before they become incidents.</p> <h2 id="tooling-is-not-enough-without-culture-change">Tooling is not enough without culture change </h2><p>We once deployed a comprehensive security scanning pipeline with beautiful dashboards, Slack notifications, Jira ticket creation, the works. Six months later, there were 3,000 unresolved findings and the Slack channel was muted by every developer.</p> <p>The tools were fine. The culture was not ready.</p> <p>Before you deploy tooling, invest in:</p> <ul> <li><strong>Training</strong>: Developers need to understand why the tool exists and how to act on its findings.</li> <li><strong>Ownership</strong>: Someone needs to own the backlog of findings and triage them. If nobody owns it, nobody does it.</li> <li><strong>SLAs</strong>: Define clear timelines for remediating findings by severity. Critical gets 48 hours. High gets a week. Medium gets a sprint. Low gets a quarter.</li> <li><strong>Feedback loops</strong>: When a tool produces a false positive, there must be an easy way to report it and get the rule tuned. Otherwise, developers learn to ignore everything.</li> </ul> <h2 id="invest-in-developer-experience-for-security-tools">Invest in developer experience for security tools </h2><p>If your security tool makes developers&rsquo; lives harder, they will find a way around it. This is not a character flaw. It is human nature and good engineering instinct: remove obstacles to shipping.</p> <p>The security tools that get adopted are the ones that:</p> <ul> <li><strong>Run fast</strong>: A SAST scan that takes 20 minutes will be bypassed. One that takes 30 seconds will be tolerated.</li> <li><strong>Integrate natively</strong>: Show results in the PR, not in a separate portal. Nobody wants to log into another dashboard.</li> <li><strong>Have low false positive rates</strong>: Every false positive erodes trust. Invest time in tuning.</li> <li><strong>Provide actionable guidance</strong>: &ldquo;SQL injection vulnerability on line 42&rdquo; is useless without &ldquo;here is how to fix it.&rdquo;</li> <li><strong>Fail gracefully</strong>: If the scanner is down, the pipeline should warn, not block. Availability of the development pipeline is non-negotiable.</li> </ul> <p>We think of it this way: if a developer has to change their workflow to accommodate a security tool, the tool has failed. The best security tooling is invisible.</p> <h2 id="monitoring-and-observability-are-non-negotiable">Monitoring and observability are non-negotiable </h2><p>You cannot secure what you cannot see. Security monitoring is not optional, and it is not something you bolt on after the fact.</p> <p>What this means in practice:</p> <ul> <li><strong>Centralized logging</strong>: All application, infrastructure, and security tool logs in one place. If you have to SSH into a box to read logs, you are already behind.</li> <li><strong>Audit trails</strong>: Who did what, when, and from where. Every deployment, every config change, every access request.</li> <li><strong>Alerting on anomalies</strong>: Not just &ldquo;is the service up?&rdquo; but &ldquo;is this access pattern normal?&rdquo; Unusual API call volumes, access from new locations, privilege escalations.</li> <li><strong>Runtime security</strong>: Tools like Falco for container runtime monitoring. Know when something unexpected happens in production.</li> </ul> <p>Monitoring is also how you prove to auditors and customers that your security controls are working. &ldquo;Trust us&rdquo; is not a compliance strategy.</p> <h2 id="open-source-is-your-ally">Open source is your ally </h2><p>Some of the best security tools available are open source. Trivy, Falco, OPA, Semgrep, gitleaks, cosign, KICS, Checkov. The ecosystem is rich and maturing fast.</p> <p>Benefits of open source security tooling:</p> <ul> <li><strong>Transparency</strong>: You can read the rules and understand exactly what is being checked.</li> <li><strong>Community</strong>: Thousands of contributors finding edge cases and adding detection rules.</li> <li><strong>No vendor lock-in</strong>: You can switch tools without renegotiating a contract.</li> <li><strong>Cost</strong>: Start for free, scale as needed.</li> </ul> <p>This does not mean commercial tools have no place. Some provide valuable aggregation, management, and support. But you can build a very solid security pipeline with open source tools alone, and we think every team should start there.</p> <h2 id="continuous-learning-is-essential">Continuous learning is essential </h2><p>The threat landscape changes constantly. The tools change. The best practices evolve. What was considered secure two years ago might have a CVE today.</p> <p>What we do to stay current:</p> <ul> <li><strong>Dedicate time for learning</strong>: At least a few hours per sprint for the team to read about new vulnerabilities, tools, and techniques. This is not a nice-to-have. It is a professional requirement.</li> <li><strong>Run internal CTFs and tabletop exercises</strong>: Nothing teaches security like trying to break things. Regular exercises keep skills sharp and reveal gaps in your defenses.</li> <li><strong>Participate in the community</strong>: Attend meetups, contribute to open source, read advisories. The security community is generous with knowledge. Take advantage of it.</li> <li><strong>Review and update</strong>: Quarterly reviews of your security tooling, policies, and incident response procedures. What worked last quarter may not work next quarter.</li> </ul> <h2 id="final-thoughts">Final Thoughts </h2><p>DevSecOps isn&rsquo;t a destination. There&rsquo;s no point where you say &ldquo;we&rsquo;re done, we&rsquo;re secure.&rdquo; It&rsquo;s a continuous practice of reducing risk, improving visibility, building a culture where security is as natural as writing tests.</p> <p>The most important lesson: perfect is the enemy of good. A basic security pipeline that developers actually use beats a comprehensive one they bypass. Start where you are, improve iteratively, never stop.</p>https://adurrr.github.io/en/p/supply-chain-security-sbom-and-sigstore/Mon, 10 Feb 2025 00:00:00 +0000https://adurrr.github.io/en/p/supply-chain-security-sbom-and-sigstore/<p>Supply chain attacks are no longer theoretical. The 2020 SolarWinds breach showed how one compromised build pipeline could hit thousands of organizations, including government agencies. Then Log4Shell in 2021 proved that a vulnerability deep in a transitive dependency could threaten every Java app overnight. The message was clear: we need visibility into what&rsquo;s in our software and stronger integrity guarantees.</p> <p>This guide covers the practical tools: SBOMs, Sigstore, and SLSA framework.</p> <h2 id="why-supply-chain-security-matters">Why Supply Chain Security Matters </h2><p>Traditional security focuses on your own code: static analysis, dependency scanning, penetration testing. Supply chain security extends that perimeter to everything your software depends on and every step in the process of building and delivering it.</p> <p>The attack surface includes:</p> <ul> <li><strong>Source code repositories</strong>: compromised developer accounts, malicious commits</li> <li><strong>Dependencies</strong>: typosquatting, dependency confusion, compromised upstream packages</li> <li><strong>Build systems</strong>: tampered CI/CD pipelines, injected build steps</li> <li><strong>Artifact registries</strong>: replaced binaries, unsigned packages</li> <li><strong>Deployment pipelines</strong>: modified manifests, man-in-the-middle attacks</li> </ul> <p>A single weak link in any of these stages can compromise the entire chain.</p> <h2 id="software-bill-of-materials-sbom">Software Bill of Materials (SBOM) </h2><p>An SBOM is a formal, machine-readable inventory of all components in a piece of software. Think of it as an ingredients list for your application. It includes direct dependencies, transitive dependencies, their versions, licenses, and relationships.</p> <h3 id="why-you-need-one">Why You Need One </h3><ul> <li><strong>Vulnerability response</strong>: When a new CVE drops (like Log4Shell), you can instantly check if any of your applications are affected.</li> <li><strong>License compliance</strong>: Know exactly what licenses you are shipping.</li> <li><strong>Regulatory requirements</strong>: The US Executive Order 14028 and the EU Cyber Resilience Act both push toward mandatory SBOMs.</li> <li><strong>Transparency</strong>: Customers and partners can verify what they are running.</li> </ul> <h3 id="sbom-formats">SBOM Formats </h3><p>Two main formats dominate:</p> <ul> <li><strong>SPDX</strong> (Software Package Data Exchange): An ISO standard (ISO/IEC 5962:2021), originally focused on license compliance, now comprehensive. Supports JSON, RDF, YAML, and tag-value formats.</li> <li><strong>CycloneDX</strong>: An OWASP project, designed from the ground up for security use cases. Supports JSON and XML. Lighter weight and more opinionated.</li> </ul> <p>Both are solid choices. CycloneDX tends to be easier to work with for security-focused workflows. SPDX has broader adoption in compliance-heavy industries.</p> <h3 id="generating-sboms-with-syft">Generating SBOMs with Syft </h3><p><a class="link" href="https://github.com/anchore/syft" target="_blank" rel="noopener" >Syft</a> from Anchore is one of the best tools for generating SBOMs. It supports container images, filesystems, and archives.</p> <p><strong>Install syft:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh <span class="p">|</span> sh -s -- -b /usr/local/bin </span></span></code></pre></td></tr></table> </div> </div><p><strong>Generate an SBOM from a container image:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># CycloneDX format (JSON)</span> </span></span><span class="line"><span class="cl">syft packages registry.example.com/myapp:v1.2.3 -o cyclonedx-json &gt; sbom.cdx.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># SPDX format (JSON)</span> </span></span><span class="line"><span class="cl">syft packages registry.example.com/myapp:v1.2.3 -o spdx-json &gt; sbom.spdx.json </span></span></code></pre></td></tr></table> </div> </div><p><strong>Generate an SBOM from a local directory:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">syft packages dir:/path/to/project -o cyclonedx-json &gt; sbom.cdx.json </span></span></code></pre></td></tr></table> </div> </div><p>You can then scan the SBOM for vulnerabilities using <a class="link" href="https://github.com/anchore/grype" target="_blank" rel="noopener" >Grype</a>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype sbom:sbom.cdx.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-sigstore-ecosystem">The Sigstore Ecosystem </h2><p><a class="link" href="https://www.sigstore.dev/" target="_blank" rel="noopener" >Sigstore</a> is an open-source project that makes cryptographic signing and verification accessible. It eliminates the need to manage long-lived signing keys, which has historically been the main barrier to adoption of artifact signing.</p> <p>The ecosystem has three core components:</p> <ul> <li><strong>cosign</strong>: Signs and verifies container images and other OCI artifacts.</li> <li><strong>Fulcio</strong>: A certificate authority that issues short-lived certificates based on OIDC identity (your existing identity provider).</li> <li><strong>Rekor</strong>: A transparency log that creates an immutable, tamper-resistant record of signing events.</li> </ul> <h3 id="how-it-works">How It Works </h3><ol> <li>You authenticate with an OIDC provider (GitHub, Google, Microsoft, etc.).</li> <li>Fulcio issues a short-lived certificate tied to your identity.</li> <li>cosign uses that certificate to sign your artifact.</li> <li>The signing event is recorded in Rekor&rsquo;s transparency log.</li> <li>Anyone can verify the signature using the transparency log, without needing your public key.</li> </ol> <p>This is called &ldquo;keyless&rdquo; signing. No keys to rotate, no secrets to manage, no PKI infrastructure to maintain.</p> <h3 id="signing-container-images-with-cosign">Signing Container Images with Cosign </h3><p><strong>Install cosign:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Using Go</span> </span></span><span class="line"><span class="cl">go install github.com/sigstore/cosign/v2/cmd/cosign@latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Or download a release</span> </span></span><span class="line"><span class="cl">curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o /usr/local/bin/cosign </span></span><span class="line"><span class="cl">chmod +x /usr/local/bin/cosign </span></span></code></pre></td></tr></table> </div> </div><p><strong>Sign an image (keyless mode):</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cosign sign registry.example.com/myapp:v1.2.3 </span></span></code></pre></td></tr></table> </div> </div><p>This will open a browser for OIDC authentication. In CI, you can use workload identity (e.g., GitHub Actions OIDC token) for non-interactive signing.</p> <p><strong>Verify an image:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cosign verify registry.example.com/myapp:v1.2.3 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --certificate-identity<span class="o">=</span>user@example.com <span class="se">\ </span></span></span><span class="line"><span class="cl"> --certificate-oidc-issuer<span class="o">=</span>https://accounts.google.com </span></span></code></pre></td></tr></table> </div> </div><p><strong>Attach an SBOM to an image and sign it:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Attach the SBOM</span> </span></span><span class="line"><span class="cl">cosign attach sbom --sbom sbom.cdx.json registry.example.com/myapp:v1.2.3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Sign the SBOM attachment</span> </span></span><span class="line"><span class="cl">cosign sign --attachment sbom registry.example.com/myapp:v1.2.3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-slsa-framework">The SLSA Framework </h2><p><a class="link" href="https://slsa.dev/" target="_blank" rel="noopener" >SLSA</a> (Supply-chain Levels for Software Artifacts, pronounced &ldquo;salsa&rdquo;) is a framework that defines increasing levels of supply chain integrity guarantees.</p> <h3 id="slsa-levels">SLSA Levels </h3><ul> <li><strong>Level 0</strong>: No guarantees. This is where most projects start.</li> <li><strong>Level 1</strong>: The build process is documented and produces provenance (metadata about how an artifact was built).</li> <li><strong>Level 2</strong>: The build is hosted on a hosted build service that generates authenticated provenance.</li> <li><strong>Level 3</strong>: The build platform provides hardened builds with tamper-resistant provenance. The build environment is isolated and ephemeral.</li> </ul> <p>Each level builds on the previous one. The goal is not to jump to Level 3 immediately but to incrementally improve your posture.</p> <h3 id="slsa-provenance">SLSA Provenance </h3><p>Provenance answers the critical questions: Who built this? What source was used? What build process was followed? Was the build environment tamper-proof?</p> <p>SLSA provenance is a signed attestation in the <a class="link" href="https://in-toto.io/" target="_blank" rel="noopener" >in-toto</a> format that captures this information.</p> <h2 id="cicd-integration-github-actions-example">CI/CD Integration: GitHub Actions Example </h2><p>Here is a practical GitHub Actions workflow that builds an image, generates an SBOM, signs everything, and generates SLSA provenance:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build, Sign, and Attest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;v*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">permissions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">contents</span><span class="p">:</span><span class="w"> </span><span class="l">read</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">packages</span><span class="p">:</span><span class="w"> </span><span class="l">write</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">id-token</span><span class="p">:</span><span class="w"> </span><span class="l">write </span><span class="w"> </span><span class="c"># Required for keyless signing</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">REGISTRY</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">IMAGE_NAME</span><span class="p">:</span><span class="w"> </span><span class="l">${{ github.repository }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build-sign-attest</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Checkout</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Log in to GHCR</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">docker/login-action@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">registry</span><span class="p">:</span><span class="w"> </span><span class="l">${{ env.REGISTRY }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l">${{ github.actor }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.GITHUB_TOKEN }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build and push image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">build</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">docker/build-push-action@v5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span><span class="l">${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Install cosign</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">sigstore/cosign-installer@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Install syft</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">anchore/sbom-action/download-syft@v0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Sign the image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign sign --yes \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Generate SBOM</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> syft packages \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }} \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -o cyclonedx-json &gt; sbom.cdx.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Attach and sign SBOM</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign attach sbom --sbom sbom.cdx.json \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }} </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign sign --yes --attachment sbom \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Verify signature</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign verify \ </span></span></span><span class="line"><span class="cl"><span class="sd"> --certificate-identity-regexp=&#34;https://github.com/${{ github.repository }}/*&#34; \ </span></span></span><span class="line"><span class="cl"><span class="sd"> --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>id-token: write</code> permission is what enables keyless signing in GitHub Actions. The GitHub OIDC token is automatically used by cosign without any manual key management.</p> <h2 id="practical-adoption-roadmap">Practical Adoption Roadmap </h2><p>You do not need to do everything at once. Here is a sensible progression:</p> <p><strong>Week 1-2: Visibility</strong></p> <ul> <li>Start generating SBOMs for your most critical applications using syft.</li> <li>Integrate Grype into your CI pipeline for vulnerability scanning against the SBOM.</li> </ul> <p><strong>Week 3-4: Signing</strong></p> <ul> <li>Set up cosign keyless signing in your CI/CD pipelines.</li> <li>Sign your container images on every build.</li> </ul> <p><strong>Month 2: Verification</strong></p> <ul> <li>Enforce signature verification in your deployment pipelines (e.g., Kubernetes admission controllers like Kyverno or Sigstore policy-controller).</li> <li>Attach SBOMs to images and sign them.</li> </ul> <p><strong>Month 3+: SLSA Provenance</strong></p> <ul> <li>Add SLSA provenance generation using <a class="link" href="https://github.com/slsa-framework/slsa-github-generator" target="_blank" rel="noopener" >slsa-github-generator</a>.</li> <li>Work toward SLSA Level 2, then Level 3.</li> <li>Automate provenance verification in your deployment tooling.</li> </ul> <h2 id="key-takeaways">Key Takeaways </h2><ul> <li><strong>SBOMs give visibility</strong> - You can&rsquo;t secure what you can&rsquo;t see. Generate SBOMs for every artifact.</li> <li><strong>Sigstore removes the excuse</strong> - Keyless signing kills key management overhead. No good reason not to sign.</li> <li><strong>SLSA is a maturity model</strong> - Use it to improve supply chain integrity incrementally, not as all-or-nothing.</li> <li><strong>Automate everything</strong> - These tools are built for CI/CD integration. Manual doesn&rsquo;t scale.</li> </ul> <p>The supply chain security ecosystem is maturing fast. Tools are production-ready, standards are solidifying, and regulatory pressure keeps rising. The best time to start was yesterday. The second-best is now.</p>https://adurrr.github.io/en/p/kubernetes-security-hardening-guide/Sun, 03 Nov 2024 00:00:00 +0000https://adurrr.github.io/en/p/kubernetes-security-hardening-guide/<h2 id="kubernetes-attack-surface">Kubernetes Attack Surface </h2><p>Out-of-the-box Kubernetes isn&rsquo;t secure. The cluster exposes multiple attack vectors that need systematic attention:</p> <ul> <li><strong>API Server</strong> - Central control point; unauthorized access = full cluster compromise</li> <li><strong>etcd</strong> - Stores all cluster state including secrets in base64 (not encrypted by default)</li> <li><strong>Kubelet</strong> - Node agent; exposed kubelet API leaks pod info and allows command execution</li> <li><strong>Container runtime</strong> - Breakout vulnerabilities give host access</li> <li><strong>Network</strong> - Pods can communicate freely with any other pod by default</li> <li><strong>Supply chain</strong> - Malicious or vulnerable images introduce backdoors</li> </ul> <p>This guide covers the key hardening measures organized by attack vector.</p> <h2 id="api-server-hardening">API Server Hardening </h2><p>The API server is the most critical component. Secure it first:</p> <ul> <li><strong>Disable anonymous authentication</strong>: set <code>--anonymous-auth=false</code></li> <li><strong>Enable audit logging</strong>: track who did what (covered in detail below)</li> <li><strong>Restrict access</strong>: use firewall rules or security groups to limit who can reach the API server</li> <li><strong>Enable admission controllers</strong>: <code>PodSecurity</code>, <code>NodeRestriction</code>, <code>ResourceQuota</code>, and <code>LimitRanger</code> should all be active</li> <li><strong>Use OIDC for authentication</strong>: integrate with your identity provider instead of relying on client certificates</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check current API server flags (on kubeadm clusters)</span> </span></span><span class="line"><span class="cl">kubectl -n kube-system get pod kube-apiserver-&lt;node&gt; -o <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">&#39;{.spec.containers[0].command}&#39;</span> <span class="p">|</span> tr <span class="s1">&#39;,&#39;</span> <span class="s1">&#39;\n&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="rbac-best-practices">RBAC Best Practices </h2><p>RBAC is your primary authorization mechanism. Enforce least privilege rigorously.</p> <h3 id="key-rules">Key Rules </h3><ol> <li><strong>Never use <code>cluster-admin</code> for workloads</strong> &ndash; it grants unlimited access</li> <li><strong>Use Roles (namespaced) over ClusterRoles</strong> whenever possible</li> <li><strong>Avoid wildcards</strong> in resource or verb specifications</li> <li><strong>Bind to ServiceAccounts, not users</strong> for automated workloads</li> <li><strong>Review bindings regularly</strong> &ndash; permissions accumulate over time</li> </ol> <h3 id="example-restricted-deployment-role">Example: Restricted Deployment Role </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-manager</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Can manage deployments</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;apps&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;deployments&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;get&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;list&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;watch&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;create&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;update&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;patch&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Can view pods and logs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;pods/log&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;get&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;list&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;watch&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Can view services</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;services&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;get&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;list&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;watch&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Explicitly NO access to secrets, configmaps/write, or exec</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">RoleBinding</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-manager-binding</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">subjects</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ServiceAccount</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">ci-deployer</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">roleRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-manager</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">apiGroup</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Audit existing RBAC with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># List all cluster-admin bindings</span> </span></span><span class="line"><span class="cl">kubectl get clusterrolebindings -o json <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> jq <span class="s1">&#39;.items[] | select(.roleRef.name == &#34;cluster-admin&#34;) | {name: .metadata.name, subjects: .subjects}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Check what a specific service account can do</span> </span></span><span class="line"><span class="cl">kubectl auth can-i --list --as<span class="o">=</span>system:serviceaccount:production:ci-deployer -n production </span></span></code></pre></td></tr></table> </div> </div><h2 id="pod-security-standards">Pod Security Standards </h2><p>Kubernetes Pod Security Standards (PSS) define three security restriction levels. Since 1.25, Pod Security Admission (PSA) is the built-in enforcement mechanism (replaces PodSecurityPolicy).</p> <h3 id="the-three-levels">The Three Levels </h3><table> <thead> <tr> <th>Level</th> <th>Description</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td><strong>Privileged</strong></td> <td>No restrictions</td> <td>System-level workloads (CNI, storage drivers)</td> </tr> <tr> <td><strong>Baseline</strong></td> <td>Blocks known privilege escalations</td> <td>General-purpose workloads</td> </tr> <tr> <td><strong>Restricted</strong></td> <td>Maximum hardening</td> <td>Sensitive workloads, multi-tenant clusters</td> </tr> </tbody> </table> <h3 id="enforcing-pod-security-standards">Enforcing Pod Security Standards </h3><p>Apply standards at the namespace level using labels:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Enforce restricted: reject pods that violate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/enforce</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/enforce-version</span><span class="p">:</span><span class="w"> </span><span class="l">latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Warn on baseline violations (shows warning but allows)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/warn</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/warn-version</span><span class="p">:</span><span class="w"> </span><span class="l">latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Audit: log violations</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/audit</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/audit-version</span><span class="p">:</span><span class="w"> </span><span class="l">latest</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="compliant-pod-example">Compliant Pod Example </h3><p>A pod that passes the <code>restricted</code> level:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">secure-app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsNonRoot</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">seccompProfile</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">RuntimeDefault</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">app</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l">myregistry.com/app:v1.2.3@sha256:abc123...</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">securityContext</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowPrivilegeEscalation</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">readOnlyRootFilesystem</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsUser</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runAsGroup</span><span class="p">:</span><span class="w"> </span><span class="m">1000</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">capabilities</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">drop</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ALL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">limits</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;256Mi&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;500m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">requests</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">memory</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;128Mi&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cpu</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;250m&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Key security settings to always include:</p> <ul> <li><code>runAsNonRoot: true</code> &ndash; never run containers as root</li> <li><code>readOnlyRootFilesystem: true</code> &ndash; prevent filesystem modifications</li> <li><code>allowPrivilegeEscalation: false</code> &ndash; block setuid/setgid</li> <li><code>capabilities.drop: [&quot;ALL&quot;]</code> &ndash; remove all Linux capabilities</li> <li><code>seccompProfile.type: RuntimeDefault</code> &ndash; apply default seccomp profile</li> <li>Always specify resource limits to prevent DoS</li> </ul> <h2 id="networkpolicies">NetworkPolicies </h2><p>By default, all pods can communicate with all other pods in a cluster. NetworkPolicies restrict this to only the traffic that is necessary.</p> <h3 id="default-deny-all">Default Deny All </h3><p>Start every namespace with a default deny policy:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-deny-all</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="allow-specific-traffic">Allow Specific Traffic </h3><p>Then explicitly allow only what is needed:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">allow-api-to-db</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">from</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">api-server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">5432</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nn">---</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">api-server-egress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">api-server</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">egress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Allow DNS resolution</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">to</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">UDP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">53</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Allow connection to database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">to</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">5432</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Allow external HTTPS</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">to</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">ipBlock</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cidr</span><span class="p">:</span><span class="w"> </span><span class="m">0.0.0.0</span><span class="l">/0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">except</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">10.0.0.0</span><span class="l">/8</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">172.16.0.0</span><span class="l">/12</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="m">192.168.0.0</span><span class="l">/16</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">443</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Note: NetworkPolicies require a CNI plugin that supports them (Calico, Cilium, Weave Net). The default <code>kubenet</code> does not enforce NetworkPolicies.</p> <h2 id="secrets-management">Secrets Management </h2><p>Kubernetes Secrets are base64-encoded, not encrypted. Anyone with read access to Secrets in a namespace can decode them trivially. Proper secrets management requires additional tooling.</p> <h3 id="option-1-sealed-secrets">Option 1: Sealed Secrets </h3><p>Sealed Secrets (by Bitnami) encrypts secrets client-side so they can be safely stored in Git:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install kubeseal CLI</span> </span></span><span class="line"><span class="cl"><span class="c1"># Encrypt a secret</span> </span></span><span class="line"><span class="cl">kubectl create secret generic db-creds <span class="se">\ </span></span></span><span class="line"><span class="cl"> --from-literal<span class="o">=</span><span class="nv">password</span><span class="o">=</span>supersecret <span class="se">\ </span></span></span><span class="line"><span class="cl"> --dry-run<span class="o">=</span>client -o yaml <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> kubeseal --format yaml &gt; sealed-db-creds.yaml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># The sealed secret can be committed to Git</span> </span></span><span class="line"><span class="cl"><span class="c1"># Only the cluster&#39;s controller can decrypt it</span> </span></span><span class="line"><span class="cl">kubectl apply -f sealed-db-creds.yaml </span></span></code></pre></td></tr></table> </div> </div><h3 id="option-2-external-secrets-operator">Option 2: External Secrets Operator </h3><p>External Secrets Operator syncs secrets from external providers (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager) into Kubernetes:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">external-secrets.io/v1beta1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ExternalSecret</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">db-credentials</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l">1h</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secretStoreRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">aws-secrets-manager</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterSecretStore</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">db-credentials</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">data</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l">password</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">remoteRef</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l">production/database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l">password</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="enable-encryption-at-rest">Enable Encryption at Rest </h3><p>Ensure etcd encrypts secrets at rest:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># /etc/kubernetes/encryption-config.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">apiserver.config.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">EncryptionConfiguration</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">secrets</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">providers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">aescbc</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">keys</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">key1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secret</span><span class="p">:</span><span class="w"> </span><span class="l">&lt;base64-encoded-32-byte-key&gt;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">identity</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="audit-logging">Audit Logging </h2><p>Kubernetes audit logs record every request to the API server, providing a detailed trail of who did what and when.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># audit-policy.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">audit.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Log all requests to secrets at the Metadata level</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Metadata</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;secrets&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Log pod exec/attach at RequestResponse level</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">RequestResponse</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods/exec&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;pods/attach&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Log all write operations at Request level</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Request</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;create&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;update&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;patch&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;delete&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Log everything else at Metadata level</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Metadata</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">omitStages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">RequestReceived</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Enable in the API server with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="o">--</span><span class="n">audit</span><span class="o">-</span><span class="n">policy</span><span class="o">-</span><span class="n">file</span><span class="o">=/</span><span class="n">etc</span><span class="o">/</span><span class="n">kubernetes</span><span class="o">/</span><span class="n">audit</span><span class="o">-</span><span class="n">policy</span><span class="o">.</span><span class="n">yaml</span> </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">audit</span><span class="o">-</span><span class="nb">log</span><span class="o">-</span><span class="n">path</span><span class="o">=/</span><span class="k">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">kubernetes</span><span class="o">/</span><span class="n">audit</span><span class="o">.</span><span class="n">log</span> </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">audit</span><span class="o">-</span><span class="nb">log</span><span class="o">-</span><span class="n">maxage</span><span class="o">=</span><span class="mi">30</span> </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">audit</span><span class="o">-</span><span class="nb">log</span><span class="o">-</span><span class="n">maxbackup</span><span class="o">=</span><span class="mi">10</span> </span></span><span class="line"><span class="cl"><span class="o">--</span><span class="n">audit</span><span class="o">-</span><span class="nb">log</span><span class="o">-</span><span class="n">maxsize</span><span class="o">=</span><span class="mi">100</span> </span></span></code></pre></td></tr></table> </div> </div><p>Ship audit logs to your SIEM or log aggregation system (Loki, Elasticsearch) for analysis and alerting.</p> <h2 id="image-policies-with-kyverno">Image Policies with Kyverno </h2><p>Kyverno is a policy engine for Kubernetes that validates, mutates, and generates resources based on policies. It is simpler to adopt than OPA Gatekeeper because policies are written as Kubernetes resources rather than Rego.</p> <h3 id="require-image-digest-and-trusted-registry">Require Image Digest and Trusted Registry </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">kyverno.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">ClusterPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-image-digest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validationFailureAction</span><span class="p">:</span><span class="w"> </span><span class="l">Enforce</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-digest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Images must use a digest (@sha256:...) instead of a tag&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*@sha256:*&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">require-trusted-registry</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">match</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">any</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">kinds</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Pod</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validate</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;Images must come from the trusted registry&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pattern</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">containers</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;myregistry.com/*&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This policy ensures that only images from your trusted registry with pinned digests are deployed, preventing both supply chain attacks and tag mutability issues.</p> <h2 id="cis-kubernetes-benchmark">CIS Kubernetes Benchmark </h2><p>The CIS Kubernetes Benchmark provides a comprehensive set of security recommendations. Run automated checks with kube-bench:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Run CIS benchmark checks</span> </span></span><span class="line"><span class="cl">kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># View results</span> </span></span><span class="line"><span class="cl">kubectl logs job/kube-bench </span></span></code></pre></td></tr></table> </div> </div><p>Address findings by priority: critical items first (API server auth, etcd encryption), then high (RBAC, network policies), then medium and low.</p> <h2 id="hardening-checklist">Hardening Checklist </h2><p>Use this checklist as a starting point for securing your cluster:</p> <ul> <li><input disabled="" type="checkbox"> API server: anonymous auth disabled, audit logging enabled</li> <li><input disabled="" type="checkbox"> etcd: encrypted at rest, access restricted to API server only</li> <li><input disabled="" type="checkbox"> RBAC: no unnecessary <code>cluster-admin</code> bindings, least privilege enforced</li> <li><input disabled="" type="checkbox"> Pod Security: <code>restricted</code> PSS enforced on production namespaces</li> <li><input disabled="" type="checkbox"> NetworkPolicies: default deny in all namespaces, explicit allow rules</li> <li><input disabled="" type="checkbox"> Secrets: external secrets manager or sealed secrets, encryption at rest</li> <li><input disabled="" type="checkbox"> Images: signed images, trusted registry enforcement, digest pinning</li> <li><input disabled="" type="checkbox"> Nodes: automatic security updates, CIS-hardened OS</li> <li><input disabled="" type="checkbox"> Audit: API server audit logs shipped to SIEM</li> <li><input disabled="" type="checkbox"> Monitoring: alerts on RBAC changes, privileged pod creation, exec into pods</li> <li><input disabled="" type="checkbox"> Supply chain: vulnerability scanning in CI/CD, admission-time image scanning</li> <li><input disabled="" type="checkbox"> Network: TLS between all components, service mesh for mTLS between pods</li> </ul> <p>Security hardening is not a one-time activity. Schedule quarterly reviews to reassess your posture, run CIS benchmarks, review RBAC bindings, and update policies as your cluster evolves.</p>https://adurrr.github.io/en/p/devsecops-maturity-model/Sun, 08 Oct 2023 10:00:00 +0100https://adurrr.github.io/en/p/devsecops-maturity-model/<h2 id="why-a-maturity-model-helps">Why a Maturity Model Helps </h2><p>Most teams know they should &ldquo;shift security left,&rdquo; but knowing where to start is the hard part. A maturity model gives you a structured way to assess your current state, identify gaps, and plan a realistic roadmap for improvement.</p> <p>Without a model, security improvements tend to be reactive (triggered by incidents or audit findings rather than deliberate planning). A maturity model turns security from a fire drill into an engineering discipline with measurable progress.</p> <p>The model described here has five levels. The goal is not to rush to the highest level but to make steady, sustainable progress. Each level builds on the previous one.</p> <h2 id="the-five-maturity-levels">The Five Maturity Levels </h2><h3 id="level-1-ad-hoc">Level 1: Ad-Hoc </h3><p>At this level, security is an afterthought. There are no formal processes, and security activities happen sporadically if at all.</p> <p><strong>What it looks like:</strong></p> <ul> <li>No security testing in CI/CD pipelines.</li> <li>Vulnerabilities discovered in production or by external parties.</li> <li>No dedicated security tooling.</li> <li>Developers have little to no security training.</li> <li>Incident response is improvised.</li> <li>Compliance is addressed manually before audits.</li> </ul> <p><strong>Typical tools:</strong> None specifically for security. Maybe a firewall and antivirus.</p> <h3 id="level-2-reactive">Level 2: Reactive </h3><p>Security is recognized as important, but the approach is reactive. The team responds to vulnerabilities and incidents but doesn&rsquo;t proactively prevent them.</p> <p><strong>What it looks like:</strong></p> <ul> <li>Basic static analysis (SAST) runs occasionally, but findings are not always addressed.</li> <li>Dependency scanning is done manually or on an ad-hoc basis.</li> <li>There&rsquo;s some security documentation, but it&rsquo;s outdated.</li> <li>Incident response exists as a documented process, though it&rsquo;s rarely practiced.</li> <li>Security reviews happen late in the development cycle (right before release).</li> </ul> <p><strong>Typical tools:</strong> SonarQube (basic rules), OWASP Dependency-Check, manual penetration testing.</p> <h3 id="level-3-proactive">Level 3: Proactive </h3><p>Security is integrated into the development workflow. The team actively seeks to prevent vulnerabilities rather than just reacting to them.</p> <p><strong>What it looks like:</strong></p> <ul> <li>SAST and DAST run automatically in CI/CD pipelines.</li> <li>Dependency scanning with automated alerts for known vulnerabilities.</li> <li>Container image scanning before deployment (Trivy, Grype).</li> <li>Infrastructure as Code is scanned for misconfigurations (Checkov, tfsec).</li> <li>Threat modeling is performed for new features and architecture changes.</li> <li>Security champions exist within development teams.</li> <li>Blameless postmortems are conducted after security incidents.</li> <li>Regular security training for developers.</li> </ul> <p><strong>Typical tools:</strong> Semgrep, Trivy, Checkov, OWASP ZAP, HashiCorp Vault, Falco.</p> <h3 id="level-4-optimized">Level 4: Optimized </h3><p>Security is deeply embedded in every stage of the software lifecycle. Metrics drive decisions, and the team continuously improves based on data.</p> <p><strong>What it looks like:</strong></p> <ul> <li>Security gates in pipelines that block deployment if critical issues are found.</li> <li>Mean time to remediate (MTTR) is tracked and continuously reduced.</li> <li>Software Bill of Materials (SBOM) generated for every release.</li> <li>Signed artifacts and verified supply chain.</li> <li>Automated compliance checks mapped to frameworks (SOC2, ISO 27001, PCI-DSS).</li> <li>Runtime security monitoring with automated response (Falco + custom rules).</li> <li>Regular red team exercises and chaos engineering for security.</li> <li>Security metrics are part of engineering dashboards.</li> </ul> <p><strong>Typical tools:</strong> Sigstore/cosign, OPA/Gatekeeper, Kyverno, SIEM integration, automated compliance platforms.</p> <h3 id="level-5-innovative">Level 5: Innovative </h3><p>Security is a competitive advantage. The team contributes to the broader security community and pushes the state of the art.</p> <p><strong>What it looks like:</strong></p> <ul> <li>Bug bounty programs actively managed.</li> <li>Custom security tooling developed for organization-specific risks.</li> <li>Machine learning applied to anomaly detection and threat hunting.</li> <li>Security is a feature sold to customers (certifications, transparency reports).</li> <li>Active participation in open-source security projects.</li> <li>Zero-trust architecture fully implemented.</li> <li>Policy as code governs all infrastructure and application security.</li> </ul> <p><strong>Typical tools:</strong> Custom-built platforms, eBPF-based security tools, advanced SIEM with ML, zero-trust service mesh.</p> <h2 id="key-dimensions">Key Dimensions </h2><p>A maturity model isn&rsquo;t one-dimensional. Assess your organization across these dimensions, as progress is rarely uniform:</p> <h3 id="code-security">Code Security </h3><table> <thead> <tr> <th>Level</th> <th>Practices</th> </tr> </thead> <tbody> <tr> <td>Ad-Hoc</td> <td>No code scanning</td> </tr> <tr> <td>Reactive</td> <td>Occasional SAST, manual code reviews for security</td> </tr> <tr> <td>Proactive</td> <td>Automated SAST/DAST in CI, security-focused code review guidelines</td> </tr> <tr> <td>Optimized</td> <td>Custom rules for organization-specific patterns, MTTR tracked</td> </tr> <tr> <td>Innovative</td> <td>AI-assisted code review, automatic fix suggestions</td> </tr> </tbody> </table> <h3 id="infrastructure-security">Infrastructure Security </h3><table> <thead> <tr> <th>Level</th> <th>Practices</th> </tr> </thead> <tbody> <tr> <td>Ad-Hoc</td> <td>Manual server configuration, no hardening standards</td> </tr> <tr> <td>Reactive</td> <td>Basic hardening checklists, occasional audits</td> </tr> <tr> <td>Proactive</td> <td>IaC scanning, automated hardening, CIS benchmarks</td> </tr> <tr> <td>Optimized</td> <td>Policy as code (OPA), drift detection, automated remediation</td> </tr> <tr> <td>Innovative</td> <td>Self-healing infrastructure, zero-trust networking</td> </tr> </tbody> </table> <h3 id="monitoring-and-detection">Monitoring and Detection </h3><table> <thead> <tr> <th>Level</th> <th>Practices</th> </tr> </thead> <tbody> <tr> <td>Ad-Hoc</td> <td>No security monitoring</td> </tr> <tr> <td>Reactive</td> <td>Basic log collection, manual review after incidents</td> </tr> <tr> <td>Proactive</td> <td>Centralized logging, alerting on known patterns, runtime monitoring</td> </tr> <tr> <td>Optimized</td> <td>SIEM with correlation rules, automated response playbooks</td> </tr> <tr> <td>Innovative</td> <td>ML-based anomaly detection, threat hunting programs</td> </tr> </tbody> </table> <h3 id="incident-response">Incident Response </h3><table> <thead> <tr> <th>Level</th> <th>Practices</th> </tr> </thead> <tbody> <tr> <td>Ad-Hoc</td> <td>No process, ad-hoc response</td> </tr> <tr> <td>Reactive</td> <td>Documented runbooks, rarely tested</td> </tr> <tr> <td>Proactive</td> <td>Regular tabletop exercises, blameless postmortems, on-call rotation</td> </tr> <tr> <td>Optimized</td> <td>Automated incident classification, SLA-driven response times</td> </tr> <tr> <td>Innovative</td> <td>Chaos engineering for security, automated containment</td> </tr> </tbody> </table> <h3 id="compliance">Compliance </h3><table> <thead> <tr> <th>Level</th> <th>Practices</th> </tr> </thead> <tbody> <tr> <td>Ad-Hoc</td> <td>Manual evidence collection before audits</td> </tr> <tr> <td>Reactive</td> <td>Spreadsheet-based tracking, periodic reviews</td> </tr> <tr> <td>Proactive</td> <td>Automated evidence collection, continuous monitoring</td> </tr> <tr> <td>Optimized</td> <td>Compliance as code, real-time dashboards, automated reporting</td> </tr> <tr> <td>Innovative</td> <td>Continuous certification, public transparency reports</td> </tr> </tbody> </table> <h2 id="self-assessment-checklist">Self-Assessment Checklist </h2><p>Rate your organization on each item (Yes / Partial / No):</p> <p><strong>Build Phase:</strong></p> <ul> <li><input disabled="" type="checkbox"> SAST runs automatically on every pull request.</li> <li><input disabled="" type="checkbox"> Dependency scanning alerts on known CVEs.</li> <li><input disabled="" type="checkbox"> Container images are scanned before being pushed to a registry.</li> <li><input disabled="" type="checkbox"> IaC templates are scanned for misconfigurations.</li> <li><input disabled="" type="checkbox"> Secrets detection prevents credentials from being committed.</li> </ul> <p><strong>Deploy Phase:</strong></p> <ul> <li><input disabled="" type="checkbox"> Security gates can block deployment for critical findings.</li> <li><input disabled="" type="checkbox"> Artifacts are signed and signatures are verified.</li> <li><input disabled="" type="checkbox"> SBOM is generated for every release.</li> <li><input disabled="" type="checkbox"> Infrastructure changes go through policy-as-code validation.</li> </ul> <p><strong>Run Phase:</strong></p> <ul> <li><input disabled="" type="checkbox"> Runtime security monitoring is active (Falco, Sysdig, etc.).</li> <li><input disabled="" type="checkbox"> Centralized logging with security-relevant alerts.</li> <li><input disabled="" type="checkbox"> Network segmentation limits blast radius.</li> <li><input disabled="" type="checkbox"> Secrets are managed through a dedicated vault.</li> </ul> <p><strong>Culture and Process:</strong></p> <ul> <li><input disabled="" type="checkbox"> Developers receive regular security training.</li> <li><input disabled="" type="checkbox"> Security champions are embedded in development teams.</li> <li><input disabled="" type="checkbox"> Blameless postmortems are conducted after incidents.</li> <li><input disabled="" type="checkbox"> Threat modeling is part of the design process for new features.</li> <li><input disabled="" type="checkbox"> Security metrics are tracked and reviewed regularly.</li> </ul> <h2 id="roadmap-for-progression">Roadmap for Progression </h2><p>Moving up the maturity levels doesn&rsquo;t happen overnight. Here&rsquo;s a practical roadmap:</p> <h3 id="from-ad-hoc-to-reactive-3-6-months">From Ad-Hoc to Reactive (3-6 months) </h3><ol> <li>Add a SAST tool to your CI pipeline (start with Semgrep - it has good defaults and is fast).</li> <li>Enable dependency scanning (GitHub Dependabot, or <code>trivy fs</code> in CI).</li> <li>Document your incident response process, even if it&rsquo;s simple.</li> <li>Run a single security training session for the team.</li> </ol> <h3 id="from-reactive-to-proactive-6-12-months">From Reactive to Proactive (6-12 months) </h3><ol> <li>Add container image scanning and IaC scanning to pipelines.</li> <li>Implement secrets detection in pre-commit hooks (<code>gitleaks</code>, <code>detect-secrets</code>).</li> <li>Appoint security champions in each team.</li> <li>Start threat modeling for major features.</li> <li>Conduct your first blameless postmortem after an incident.</li> <li>Deploy runtime monitoring (Falco).</li> </ol> <h3 id="from-proactive-to-optimized-12-18-months">From Proactive to Optimized (12-18 months) </h3><ol> <li>Implement security gates that can block deployments.</li> <li>Track MTTR and set reduction targets.</li> <li>Generate SBOMs and sign artifacts.</li> <li>Implement policy-as-code for infrastructure (OPA/Gatekeeper).</li> <li>Map automated checks to compliance frameworks.</li> <li>Integrate security metrics into engineering dashboards.</li> </ol> <h3 id="from-optimized-to-innovative-18-months">From Optimized to Innovative (18+ months) </h3><ol> <li>Launch a bug bounty program.</li> <li>Build custom security tooling for organization-specific risks.</li> <li>Implement zero-trust architecture.</li> <li>Run regular red team exercises.</li> <li>Contribute to open-source security projects.</li> </ol> <h2 id="cultural-aspects">Cultural Aspects </h2><p>Tools and processes are necessary but insufficient. Culture determines whether security practices actually stick.</p> <h3 id="blameless-postmortems">Blameless Postmortems </h3><p>When a security incident occurs, the instinct is often to find someone to blame. This drives people to hide mistakes and cover up near-misses. Blameless postmortems flip this around: they focus on systemic failures and process improvements rather than individual fault. The question changes from &ldquo;who made this mistake?&rdquo; to &ldquo;what allowed this mistake to happen, and how do we prevent it?&rdquo;</p> <h3 id="security-champions">Security Champions </h3><p>A security champion is a developer who takes on extra responsibility for security within their team. They are not full-time security engineers &mdash; they are developers who act as a bridge between the security team and the development team. Their role includes:</p> <ul> <li>Reviewing security-relevant pull requests.</li> <li>Staying current on security topics and sharing knowledge.</li> <li>Participating in threat modeling sessions.</li> <li>Being the first point of contact for security questions.</li> </ul> <p>This model scales far better than having a central security team review everything.</p> <h3 id="making-security-easy">Making Security Easy </h3><p>If security practices are painful, people will find workarounds. The goal is to make security the easiest path:</p> <ul> <li>Provide secure templates and starter projects.</li> <li>Automate as much as possible so developers don&rsquo;t have to remember manual steps.</li> <li>Give fast feedback. A SAST scan that takes 30 minutes will be ignored; one that takes 30 seconds will be used.</li> <li>Celebrate security improvements just as you celebrate feature delivery.</li> </ul> <h2 id="conclusion">Conclusion </h2><p>A DevSecOps maturity model is a compass, not a destination. The value comes from honest self-assessment, setting realistic goals, and making steady progress. Start where you are, pick the dimension where improvement will have the most impact, and build from there. Security is a team sport. The best security cultures are built incrementally, one practice at a time.</p>https://adurrr.github.io/en/p/how-i-hardened-my-k3s-homelab/Thu, 14 Sep 2023 00:00:00 +0000https://adurrr.github.io/en/p/how-i-hardened-my-k3s-homelab/<h2 id="starting-point">Starting point </h2><p>I have been running K3s on a couple of physical machines at home for a while. I originally set it up to learn Kubernetes without deploying something heavy, and over time I started using it for small projects: a few web apps, monitoring services, things like that. The setup worked fine but I had never sat down to think carefully about security.</p> <p>A few months ago I decided to do that exercise. No rush, no generic checklist from the internet. Just look at what I had, understand what was wrong, and fix it.</p> <p>What I found was not catastrophic, but there were quite a few things I did not like. I am writing this down because K3s has its own quirks compared to a standard Kubernetes cluster, and most hardening guides cover kubeadm or managed clusters, not home setups running on a single binary.</p> <h2 id="what-makes-k3s-different">What makes K3s different </h2><p>Before getting into what I did, it is worth understanding what makes K3s distinct from a security standpoint.</p> <p>K3s packages everything in a single binary: API server, scheduler, controller manager, kubelet, kube-proxy, and containerd. Instead of etcd it uses SQLite by default. The default CNI is Flannel. The default ingress controller is Traefik. All of this makes the installation very simple, but it also means there are active components you might not need, and some design decisions favor ease of use over security.</p> <p>The main configuration file lives at <code>/etc/rancher/k3s/config.yaml</code>. That is where most of what I am going to touch ends up.</p> <h2 id="the-node-before-the-cluster">The node before the cluster </h2><p>Before touching anything Kubernetes-related, the operating system. The cluster runs on Debian, so I started there.</p> <h3 id="ssh">SSH </h3><p>I had password authentication enabled. That is the first thing to turn off:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"># /etc/ssh/sshd_config </span></span><span class="line"><span class="cl">PasswordAuthentication no </span></span><span class="line"><span class="cl">PermitRootLogin no </span></span><span class="line"><span class="cl">AllowUsers myuser </span></span></code></pre></td></tr></table> </div> </div><p>I also changed the default port. It does not stop someone determined from finding you, but it eliminates a lot of noise in the logs.</p> <h3 id="firewall-with-nftables">Firewall with nftables </h3><p>The machine had its network interfaces completely open. With a home K3s cluster, the API server (port 6443) should not be reachable from outside your local network. My basic rules with nftables:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># List active ruleset</span> </span></span><span class="line"><span class="cl">nft list ruleset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Restrictive default policy</span> </span></span><span class="line"><span class="cl">nft add chain inet filter input <span class="o">{</span> <span class="nb">type</span> filter hook input priority <span class="m">0</span> <span class="se">\;</span> policy drop <span class="se">\;</span> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Allow loopback and established connections</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input iifname lo accept </span></span><span class="line"><span class="cl">nft add rule inet filter input ct state established,related accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># SSH only from local network</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input ip saddr 192.168.1.0/24 tcp dport <span class="m">22</span> accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># K3s API server only from local network</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input ip saddr 192.168.1.0/24 tcp dport <span class="m">6443</span> accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Kubernetes node ports</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input tcp dport 30000-32767 accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Traefik (if used as ingress)</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input tcp dport <span class="o">{</span> 80, <span class="m">443</span> <span class="o">}</span> accept </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># ICMP</span> </span></span><span class="line"><span class="cl">nft add rule inet filter input icmp <span class="nb">type</span> echo-request accept </span></span></code></pre></td></tr></table> </div> </div><p>What surprised me when reviewing this: the API server was listening on all interfaces and was reachable directly from the WAN because the router had a port forward for another service that was dragging along some traffic. Small scare, nothing exploited, but not something I wanted to leave.</p> <h3 id="kernel-parameters">Kernel parameters </h3><p>K3s with the <code>--protect-kernel-defaults</code> flag verifies that certain kernel parameters are set correctly. If they are not, startup fails with a clear message. Better to configure them beforehand:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># /etc/sysctl.d/90-k3s-hardening.conf</span> </span></span><span class="line"><span class="cl">kernel.panic <span class="o">=</span> <span class="m">10</span> </span></span><span class="line"><span class="cl">kernel.panic_on_oops <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl">vm.overcommit_memory <span class="o">=</span> <span class="m">1</span> </span></span><span class="line"><span class="cl">vm.panic_on_oom <span class="o">=</span> <span class="m">0</span> </span></span><span class="line"><span class="cl">fs.inotify.max_user_watches <span class="o">=</span> <span class="m">524288</span> </span></span><span class="line"><span class="cl">fs.inotify.max_user_instances <span class="o">=</span> <span class="m">512</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sysctl --system </span></span></code></pre></td></tr></table> </div> </div><h2 id="k3s-configuration">K3s configuration </h2><p>With the node in order, onto the cluster.</p> <h3 id="base-configuration-file">Base configuration file </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># /etc/rancher/k3s/config.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">write-kubeconfig-mode</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;0600&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">protect-kernel-defaults</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">secrets-encryption</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kube-apiserver-arg</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;anonymous-auth=false&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;audit-log-path=/var/log/k3s/audit.log&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;audit-log-maxage=30&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;audit-policy-file=/etc/rancher/k3s/audit-policy.yaml&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kube-controller-manager-arg</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;terminated-pod-gc-threshold=10&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kubelet-arg</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;streaming-connection-idle-timeout=5m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;protect-kernel-defaults=true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">&#34;make-iptables-util-chains=true&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The three most important lines here:</p> <ul> <li><code>secrets-encryption: true</code> enables encryption at rest for Kubernetes secrets. In K3s this is a first-class flag, no need to configure <code>EncryptionConfiguration</code> manually like in kubeadm.</li> <li><code>anonymous-auth=false</code> removes anonymous access to the API server.</li> <li><code>write-kubeconfig-mode: &quot;0600&quot;</code> enforces restrictive permissions on the kubeconfig that K3s generates at <code>/etc/rancher/k3s/k3s.yaml</code>.</li> </ul> <h3 id="audit-policy">Audit policy </h3><p>Without audit logs you have no idea what is happening in your cluster. This is a reasonable minimum:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># /etc/rancher/k3s/audit-policy.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">audit.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Policy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Metadata</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;secrets&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">RequestResponse</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;pods/exec&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;pods/attach&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Request</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;create&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;update&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;patch&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;delete&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">None</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">users</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;system:kube-proxy&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;watch&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">group</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;endpoints&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;services&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;services/status&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">level</span><span class="p">:</span><span class="w"> </span><span class="l">Metadata</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">omitStages</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">RequestReceived</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The logs go to <code>/var/log/k3s/audit.log</code>. In my case I collect them with Promtail and send them to Loki, so I can run queries from Grafana when I need to review something.</p> <h3 id="kubeconfig">Kubeconfig </h3><p>The kubeconfig K3s generates at <code>/etc/rancher/k3s/k3s.yaml</code> has admin credentials. A mistake I spotted in my own setup: I had that file copied to <code>~/.kube/config</code> with 644 permissions. Any process running under my user could read it.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Correct permissions</span> </span></span><span class="line"><span class="cl">chmod <span class="m">600</span> ~/.kube/config </span></span></code></pre></td></tr></table> </div> </div><p>If you have additional users who need cluster access, create ServiceAccounts or use client certificates with limited RBAC. Do not distribute the admin kubeconfig.</p> <h2 id="cni-from-flannel-to-cilium">CNI: from Flannel to Cilium </h2><p>Flannel is the K3s default. It works, but it does not support NetworkPolicies out of the box. That means all pods can communicate with each other without restriction.</p> <p>I switched to Cilium. The process with K3s requires disabling Flannel first:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># /etc/rancher/k3s/config.yaml (add)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">flannel-backend</span><span class="p">:</span><span class="w"> </span><span class="l">none</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">disable-network-policy</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Then install Cilium with Helm:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm repo add cilium https://helm.cilium.io/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">helm install cilium cilium/cilium <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace kube-system <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set operator.replicas<span class="o">=</span><span class="m">1</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set ipam.mode<span class="o">=</span>kubernetes <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set <span class="nv">kubeProxyReplacement</span><span class="o">=</span>strict <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set <span class="nv">k8sServiceHost</span><span class="o">=</span>192.168.1.10 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set <span class="nv">k8sServicePort</span><span class="o">=</span><span class="m">6443</span> </span></span></code></pre></td></tr></table> </div> </div><p>With <code>kubeProxyReplacement=strict</code>, Cilium also replaces kube-proxy, which gives better performance with eBPF and better network traffic visibility.</p> <p>After the switch I started applying NetworkPolicies. The first and most important one: default deny in all application namespaces:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">default-deny-all</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">apps</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span>{}<span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>From there, explicitly allowing only what is necessary.</p> <h2 id="secrets-what-to-do-when-it-is-just-k3s">Secrets: what to do when it is just K3s </h2><p>In a corporate environment you would use Vault or External Secrets Operator backed by AWS Secrets Manager or similar. In a homelab that is overkill. My solution was simpler.</p> <p>K3s&rsquo;s encryption at rest already protects secrets in the database. For manifests in Git I use <code>age</code> to encrypt sensitive values before committing them:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Encrypt a value</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;my-real-password&#34;</span> <span class="p">|</span> age -r <span class="k">$(</span>cat ~/.config/age/recipient.txt<span class="k">)</span> <span class="p">|</span> base64 </span></span></code></pre></td></tr></table> </div> </div><p>The encrypted value goes into the repository. Deploying it requires a manual decryption step. Less convenient than an automatic operator, but for a homelab it is good enough and does not add operational complexity.</p> <h2 id="falco-for-runtime-detection">Falco for runtime detection </h2><p>Everything above is prevention. Falco is detection: it monitors system calls and generates alerts when something suspicious happens inside a container.</p> <p>I installed it with Helm:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">helm repo add falcosecurity https://falcosecurity.github.io/charts </span></span><span class="line"><span class="cl">helm install falco falcosecurity/falco <span class="se">\ </span></span></span><span class="line"><span class="cl"> --namespace falco <span class="se">\ </span></span></span><span class="line"><span class="cl"> --create-namespace <span class="se">\ </span></span></span><span class="line"><span class="cl"> --set driver.kind<span class="o">=</span>ebpf </span></span></code></pre></td></tr></table> </div> </div><p>The default rules already cover quite a bit: shell execution in containers, writes to system directories, privilege changes, unexpected network connections. I added some custom rules for my specific use case.</p> <p>Alerts go to Loki as well. That way I have the API server audit logs and Falco alerts in the same place.</p> <h2 id="pod-security-standards">Pod Security Standards </h2><p>With K3s &gt;= 1.25 you can use Pod Security Admission directly. I applied the <code>baseline</code> level on application namespaces and <code>restricted</code> where possible:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">apps</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/enforce</span><span class="p">:</span><span class="w"> </span><span class="l">baseline</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/warn</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>restricted</code> level is strict: containers cannot run as root, the root filesystem must be read-only, and all Linux capabilities must be dropped. Some of the workloads I had deployed did not comply. I fixed them one by one before raising the <code>enforce</code> level.</p> <h2 id="what-i-left-for-later">What I left for later </h2><p>Not everything is perfect. There are things I know I should do that I have not gotten to yet.</p> <p><strong>Rootless K3s</strong>: you can run K3s entirely without root, which reduces the impact of a potential privilege escalation. I have looked into it and it has some limitations with certain network features, but for my use case it should work.</p> <p><strong>Image verification with cosign</strong>: signing and verifying images before deploying them. I have a private registry for my own images and the third-party ones I use, but I am not verifying signatures yet.</p> <p><strong>CIS Benchmark</strong>: K3s has official documentation for the CIS K3s benchmark. I have reviewed it partially but have not run kube-bench systematically to see what is still pending.</p> <h2 id="what-i-learned">What I learned </h2><p>The default K3s installation is surprisingly reasonable for what it is: a distribution designed to be easy to deploy. But &ldquo;reasonable&rdquo; is not the same as &ldquo;hardened.&rdquo;</p> <p>What surprised me most was how easy most of the changes turned out to be. K3s has first-class flags for many things that require manual configuration in kubeadm. The <code>secrets-encryption</code>, <code>protect-kernel-defaults</code>, the audit policy directly in the config file. It is not that hard if you sit down and read the documentation.</p> <p>The biggest risk in a homelab is not that someone on the internet attacks you directly. It is that you have a bunch of services running on the same network as your personal life, and if one gets compromised, the blast radius can be larger than it seems. Worth taking seriously even if it is a toy environment.</p>https://adurrr.github.io/en/p/container-security-best-practices/Fri, 14 Jul 2023 10:00:00 +0100https://adurrr.github.io/en/p/container-security-best-practices/<h2 id="the-attack-surface-of-containers">The Attack Surface of Containers </h2><p>Containers give you process isolation, not security isolation. A misconfigured container can expose the host kernel, leak secrets, or become a pivot point for lateral movement. Understand the attack surface first:</p> <ul> <li><strong>Container images</strong> - Vulnerable libraries, hardcoded credentials, unnecessary tools</li> <li><strong>Container runtime</strong> - Vulnerabilities that allow breakouts</li> <li><strong>Orchestrator misconfigurations</strong> (Kubernetes RBAC, network policies) - Expose services, grant excessive permissions</li> <li><strong>Supply chain</strong> - Compromised base images or dependencies</li> <li><strong>Secrets</strong> - Baked into images or environment variables that any process can access</li> </ul> <p>Security requires defense in depth across the entire lifecycle: build, ship, run.</p> <h2 id="image-security">Image security </h2><h3 id="use-minimal-base-images">Use minimal base images </h3><p>Every additional package in a container image is a potential vulnerability. Prefer minimal base images:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Prefer distroless or Alpine over full distributions</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">gcr.io/distroless/static-debian11</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="c"># or</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">alpine:3.18</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>Distroless images</strong> contain only your application and its runtime dependencies &mdash; no shell, no package manager, no unnecessary binaries. This dramatically reduces the attack surface.</p> <h3 id="multi-stage-builds">Multi-stage builds </h3><p>Multi-stage builds let you compile in one stage and copy only the final artifact to a minimal runtime image:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Build stage</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">WORKDIR</span><span class="w"> </span><span class="s">/app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> go.mod go.sum ./<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> go mod download<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> . .<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> <span class="nv">CGO_ENABLED</span><span class="o">=</span><span class="m">0</span> go build -o /app/server<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="c"># Runtime stage</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">gcr.io/distroless/static-debian11</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --from<span class="o">=</span>builder /app/server /server<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">USER</span><span class="w"> </span><span class="s">nonroot:nonroot</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENTRYPOINT</span> <span class="p">[</span><span class="s2">&#34;/server&#34;</span><span class="p">]</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The build tools, source code, and intermediate files never make it into the final image.</p> <h3 id="never-run-as-root">Never run as root </h3><p>Running containers as root means a container escape gives the attacker root on the host. Always specify a non-root user:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Create a non-root user</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> addgroup -S appgroup <span class="o">&amp;&amp;</span> adduser -S appuser -G appgroup<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">USER</span><span class="w"> </span><span class="s">appuser</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>In Kubernetes, enforce this with Pod Security Standards (more on this below).</p> <h3 id="secure-vs-insecure-dockerfile-comparison">Secure vs. insecure Dockerfile comparison </h3><p>Here is a side-by-side comparison of common mistakes versus secure practices:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># INSECURE - Do NOT do this</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">ubuntu:latest</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> apt-get update <span class="o">&amp;&amp;</span> apt-get install -y curl wget vim<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> . /app<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> <span class="nb">echo</span> <span class="s2">&#34;DB_PASSWORD=supersecret&#34;</span> &gt; /app/.env<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">EXPOSE</span><span class="w"> </span><span class="s">22</span> <span class="m">80</span> <span class="m">443</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">USER</span><span class="w"> </span><span class="s">root</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">CMD</span> <span class="p">[</span><span class="s2">&#34;python3&#34;</span><span class="p">,</span> <span class="s2">&#34;/app/main.py&#34;</span><span class="p">]</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># SECURE - Follow this pattern</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">python:3.11-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">WORKDIR</span><span class="w"> </span><span class="s">/app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> requirements.txt .<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> pip install --no-cache-dir --user -r requirements.txt<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">python:3.11-slim</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> groupadd -r appgroup <span class="o">&amp;&amp;</span> useradd -r -g appgroup appuser<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">WORKDIR</span><span class="w"> </span><span class="s">/app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --from<span class="o">=</span>builder /root/.local /home/appuser/.local<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --chown<span class="o">=</span>appuser:appgroup . .<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">PATH</span><span class="o">=</span>/home/appuser/.local/bin:<span class="nv">$PATH</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">EXPOSE</span><span class="w"> </span><span class="s">8080</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">USER</span><span class="w"> </span><span class="s">appuser</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">HEALTHCHECK</span> --interval<span class="o">=</span>30s --timeout<span class="o">=</span>3s <span class="k">CMD</span> curl -f http://localhost:8080/health <span class="o">||</span> <span class="nb">exit</span> <span class="m">1</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">CMD</span> <span class="p">[</span><span class="s2">&#34;python3&#34;</span><span class="p">,</span> <span class="s2">&#34;main.py&#34;</span><span class="p">]</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Key differences: minimal base image, multi-stage build, no secrets in the image, non-root user, only necessary ports exposed, health check included.</p> <h2 id="image-scanning-with-trivy">Image scanning with Trivy </h2><p>Trivy is an open-source vulnerability scanner that checks container images, filesystems, and IaC configurations. Integrate it into your CI pipeline to catch vulnerabilities before deployment.</p> <h3 id="basic-image-scan">Basic image scan </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Scan an image for vulnerabilities</span> </span></span><span class="line"><span class="cl">trivy image python:3.11-slim </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan with severity filter</span> </span></span><span class="line"><span class="cl">trivy image --severity HIGH,CRITICAL myapp:latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Fail CI if critical vulnerabilities are found</span> </span></span><span class="line"><span class="cl">trivy image --exit-code <span class="m">1</span> --severity CRITICAL myapp:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="scanning-in-cicd">Scanning in CI/CD </h3><p>Add Trivy to your pipeline so that no image with critical vulnerabilities reaches production:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Example GitHub Actions step</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Trivy vulnerability scanner</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image-ref</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;myapp:${{ github.sha }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">format</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;table&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exit-code</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;CRITICAL,HIGH&#39;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="scanning-iac-and-filesystems">Scanning IaC and filesystems </h3><p>Trivy goes beyond container images:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Scan Kubernetes manifests for misconfigurations</span> </span></span><span class="line"><span class="cl">trivy config ./k8s-manifests/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan a filesystem for secrets and vulnerabilities</span> </span></span><span class="line"><span class="cl">trivy fs --security-checks vuln,secret ./ </span></span></code></pre></td></tr></table> </div> </div><h2 id="runtime-security-with-falco">Runtime security with Falco </h2><p>While scanning catches vulnerabilities at build time, Falco monitors containers at runtime. It uses kernel-level instrumentation to detect suspicious behavior:</p> <ul> <li>Unexpected shell spawns inside containers.</li> <li>Processes reading sensitive files (<code>/etc/shadow</code>, <code>/etc/passwd</code>).</li> <li>Outbound network connections to unexpected destinations.</li> <li>Privilege escalation attempts.</li> </ul> <h3 id="example-falco-rules">Example Falco rules </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl">- <span class="nt">rule</span><span class="p">:</span><span class="w"> </span><span class="l">Terminal shell in container</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">desc</span><span class="p">:</span><span class="w"> </span><span class="l">Detect a shell being spawned in a container</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> spawned_process and container and </span></span></span><span class="line"><span class="cl"><span class="sd"> proc.name in (bash, sh, zsh, dash)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">output</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> Shell spawned in container </span></span></span><span class="line"><span class="cl"><span class="sd"> (user=%user.name container=%container.name </span></span></span><span class="line"><span class="cl"><span class="sd"> shell=%proc.name parent=%proc.pname)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">priority</span><span class="p">:</span><span class="w"> </span><span class="l">WARNING</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">rule</span><span class="p">:</span><span class="w"> </span><span class="l">Read sensitive file in container</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">desc</span><span class="p">:</span><span class="w"> </span><span class="l">Detect reads of sensitive files</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> open_read and container and </span></span></span><span class="line"><span class="cl"><span class="sd"> fd.name in (/etc/shadow, /etc/passwd)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">output</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> Sensitive file read in container </span></span></span><span class="line"><span class="cl"><span class="sd"> (user=%user.name file=%fd.name container=%container.name)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">priority</span><span class="p">:</span><span class="w"> </span><span class="l">ERROR</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Deploy Falco as a DaemonSet in your Kubernetes cluster to get visibility into runtime behavior across all nodes.</p> <h2 id="kubernetes-security">Kubernetes security </h2><h3 id="pod-security-standards">Pod Security Standards </h3><p>Kubernetes Pod Security Standards define three levels of restriction:</p> <ul> <li><strong>Privileged</strong> &mdash; Unrestricted (for system-level workloads only).</li> <li><strong>Baseline</strong> &mdash; Prevents known privilege escalations.</li> <li><strong>Restricted</strong> &mdash; Heavily restricted, following security best practices.</li> </ul> <p>Apply them at the namespace level:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/enforce</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/audit</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/warn</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="networkpolicies">NetworkPolicies </h3><p>By default, all pods in Kubernetes can communicate with each other. NetworkPolicies let you restrict traffic:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">api-allow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">api</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">from</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">frontend</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">8080</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">egress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">to</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">5432</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This policy ensures the API pod only receives traffic from the frontend and only sends traffic to the database.</p> <h3 id="rbac">RBAC </h3><p>Follow the principle of least privilege. Avoid giving <code>cluster-admin</code> to service accounts. Create specific roles:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-manager</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;apps&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;deployments&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;get&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;list&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;watch&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;update&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;patch&#34;</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Regularly audit RBAC bindings with tools like <code>kubectl-who-can</code> or <code>rbac-tool</code>.</p> <h2 id="secrets-management">Secrets management </h2><p>Never store secrets in container images, environment variables in plain Dockerfiles, or version control. Instead:</p> <ul> <li>Use <strong>Kubernetes Secrets</strong> (encrypted at rest with KMS).</li> <li>Use external secrets managers: <strong>HashiCorp Vault</strong>, <strong>AWS Secrets Manager</strong>, <strong>Azure Key Vault</strong>.</li> <li>Use the <strong>External Secrets Operator</strong> to sync secrets from external providers into Kubernetes.</li> <li>Rotate secrets regularly and audit access.</li> </ul> <h2 id="supply-chain-security">Supply chain security </h2><h3 id="signed-images">Signed images </h3><p>Sign your container images with <strong>cosign</strong> (part of the Sigstore project) and verify signatures before deployment:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Sign an image</span> </span></span><span class="line"><span class="cl">cosign sign --key cosign.key myregistry/myapp:v1.0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Verify a signature</span> </span></span><span class="line"><span class="cl">cosign verify --key cosign.pub myregistry/myapp:v1.0 </span></span></code></pre></td></tr></table> </div> </div><h3 id="sbom-software-bill-of-materials">SBOM (Software Bill of Materials) </h3><p>Generate an SBOM for every image so you can quickly check whether a newly disclosed CVE affects your running containers:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate SBOM with Trivy</span> </span></span><span class="line"><span class="cl">trivy image --format spdx-json --output sbom.json myapp:latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Or use syft</span> </span></span><span class="line"><span class="cl">syft myapp:latest -o spdx-json &gt; sbom.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="container-security-checklist">Container security checklist </h2><p>Use this checklist to assess your container security posture:</p> <ul> <li><input disabled="" type="checkbox"> Base images are minimal (distroless or Alpine).</li> <li><input disabled="" type="checkbox"> Multi-stage builds are used to exclude build tools.</li> <li><input disabled="" type="checkbox"> Containers run as non-root users.</li> <li><input disabled="" type="checkbox"> Images are scanned for vulnerabilities in CI/CD.</li> <li><input disabled="" type="checkbox"> No secrets are stored in images or plain environment variables.</li> <li><input disabled="" type="checkbox"> Kubernetes Pod Security Standards are enforced.</li> <li><input disabled="" type="checkbox"> NetworkPolicies restrict pod-to-pod communication.</li> <li><input disabled="" type="checkbox"> RBAC follows least privilege.</li> <li><input disabled="" type="checkbox"> Runtime security monitoring is in place (Falco or equivalent).</li> <li><input disabled="" type="checkbox"> Images are signed and signatures are verified before deployment.</li> <li><input disabled="" type="checkbox"> SBOMs are generated and stored for all production images.</li> <li><input disabled="" type="checkbox"> Secrets are managed through an external secrets manager.</li> <li><input disabled="" type="checkbox"> Image pull policies are set to <code>Always</code> for mutable tags.</li> <li><input disabled="" type="checkbox"> Regular security audits and penetration tests are conducted.</li> </ul> <h2 id="conclusion">Conclusion </h2><p>Container security is an ongoing practice, not a one-time task. Start with basics: minimal images, non-root users, scanning. Then layer on runtime monitoring, network policies, supply chain verification, and automated enforcement. Each layer shrinks the blast radius and moves you closer to actual security.</p>https://adurrr.github.io/en/p/ci/cd-pipeline-security-a-shift-left-approach/Mon, 20 Jun 2022 00:00:00 +0000https://adurrr.github.io/en/p/ci/cd-pipeline-security-a-shift-left-approach/<h2 id="what-is-shift-left-security">What is shift-left security? </h2><p>Shift-left security means moving security practices earlier in the software development lifecycle. Rather than treating security as a final gate (or worse, an afterthought) before production, you embed security checks directly into your CI/CD pipelines. This catches vulnerabilities when they&rsquo;re cheapest to fix: at development time.</p> <p>The traditional &ldquo;build it, then audit it&rdquo; model doesn&rsquo;t scale. Modern applications ship dozens of times a day. If your security review is a manual quarterly process, you&rsquo;re deploying vulnerable code most of the time.</p> <h2 id="threat-vectors-in-cicd-pipelines">Threat vectors in CI/CD pipelines </h2><p>Before hardening your pipeline, understand what you&rsquo;re defending against. CI/CD systems are high-value targets because they have access to production credentials, source code, and build artifacts.</p> <p>Common threat vectors include:</p> <ul> <li><strong>Compromised dependencies</strong>: A malicious package in your dependency tree (supply chain attack).</li> <li><strong>Leaked secrets</strong>: API keys, tokens, or passwords committed to source code or exposed in build logs.</li> <li><strong>Code vulnerabilities</strong>: SQL injection, XSS, insecure deserialization, and other OWASP Top 10 issues introduced in your application code.</li> <li><strong>Insecure pipeline configuration</strong>: Overly permissive runner access, unprotected branch rules, or missing approval gates.</li> <li><strong>Container image vulnerabilities</strong>: Base images with known CVEs that end up in production.</li> <li><strong>Build artifact tampering</strong>: Unsigned or unverified artifacts that attackers can replace.</li> </ul> <h2 id="integrating-sast-into-your-pipeline">Integrating SAST into your pipeline </h2><p><strong>Static Application Security Testing (SAST)</strong> analyzes source code without executing it. It catches vulnerabilities early, before code even runs.</p> <h3 id="recommended-tools">Recommended tools </h3><ul> <li><strong>Semgrep</strong>: Fast, flexible, and supports custom rules. Works across many languages. My top recommendation for most teams.</li> <li><strong>Bandit</strong>: Python-specific. Excellent for Python projects because it understands Python-specific security patterns.</li> <li><strong>SonarQube</strong>: Broader scope (code quality and security combined). Heavier to set up but useful if you want a single dashboard.</li> </ul> <h3 id="running-semgrep-locally">Running Semgrep locally </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install</span> </span></span><span class="line"><span class="cl">pip install semgrep </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run with default rulesets</span> </span></span><span class="line"><span class="cl">semgrep --config auto . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run with OWASP Top 10 rules specifically</span> </span></span><span class="line"><span class="cl">semgrep --config <span class="s2">&#34;p/owasp-top-ten&#34;</span> . </span></span></code></pre></td></tr></table> </div> </div><h3 id="running-bandit-for-python-projects">Running Bandit for Python projects </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">pip install bandit </span></span><span class="line"><span class="cl">bandit -r ./src -f json -o bandit-report.json </span></span></code></pre></td></tr></table> </div> </div><p>The key is to run these tools on every pull request, not just on the main branch. Developers should see findings before code is merged.</p> <h2 id="integrating-dast-into-your-pipeline">Integrating DAST into your pipeline </h2><p><strong>Dynamic Application Security Testing (DAST)</strong> tests the running application from the outside, simulating an attacker. It catches issues that SAST misses (misconfigurations, authentication flaws, and runtime vulnerabilities).</p> <h3 id="owasp-zap">OWASP ZAP </h3><p>OWASP ZAP is the standard open-source DAST tool. You can run it in your pipeline against a staging deployment:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Pull the ZAP Docker image</span> </span></span><span class="line"><span class="cl">docker pull ghcr.io/zaproxy/zaproxy:stable </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run a baseline scan against a target URL</span> </span></span><span class="line"><span class="cl">docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py <span class="se">\ </span></span></span><span class="line"><span class="cl"> -t https://staging.example.com <span class="se">\ </span></span></span><span class="line"><span class="cl"> -r zap-report.html </span></span></code></pre></td></tr></table> </div> </div><p>DAST is typically slower than SAST. Run it after deployment to a staging environment rather than on every commit. A nightly or per-release cadence works well for most teams.</p> <h2 id="secret-scanning">Secret scanning </h2><p>Leaked secrets are one of the most common and damaging security failures. Once a secret makes it into Git history, consider it compromised, even if you remove it in a later commit.</p> <h3 id="tools">Tools </h3><ul> <li><strong>gitleaks</strong>: Scans Git repositories for secrets using regex and entropy-based detection.</li> <li><strong>trufflehog</strong>: Searches through Git history for high-entropy strings and known secret patterns.</li> </ul> <h3 id="running-gitleaks">Running gitleaks </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install</span> </span></span><span class="line"><span class="cl">brew install gitleaks <span class="c1"># or download binary from GitHub releases</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan the current repo</span> </span></span><span class="line"><span class="cl">gitleaks detect --source . --report-path gitleaks-report.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan in CI (detect only new leaks in the PR)</span> </span></span><span class="line"><span class="cl">gitleaks detect --source . --log-opts<span class="o">=</span><span class="s2">&#34;origin/main..HEAD&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="pre-commit-hook">Pre-commit hook </h3><p>Block secrets before they even reach the remote:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># .pre-commit-config.yaml</span> </span></span><span class="line"><span class="cl">repos: </span></span><span class="line"><span class="cl"> - repo: https://github.com/gitleaks/gitleaks </span></span><span class="line"><span class="cl"> rev: v8.16.1 </span></span><span class="line"><span class="cl"> hooks: </span></span><span class="line"><span class="cl"> - id: gitleaks </span></span></code></pre></td></tr></table> </div> </div><h2 id="dependency-scanning">Dependency scanning </h2><p>Your application is only as secure as its weakest dependency. Supply chain attacks are increasing, so you need to scan your dependency tree regularly.</p> <h3 id="tools-1">Tools </h3><ul> <li><strong>Trivy</strong>: Scans container images, filesystems, and Git repos for vulnerabilities. Fast and comprehensive.</li> <li><strong>Snyk</strong>: Commercial option with a generous free tier. Good developer experience.</li> <li><strong>OWASP Dependency-Check</strong>: Mature, open-source, supports multiple ecosystems.</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Scan a container image with Trivy</span> </span></span><span class="line"><span class="cl">trivy image my-app:latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan the filesystem for vulnerable dependencies</span> </span></span><span class="line"><span class="cl">trivy fs --severity HIGH,CRITICAL . </span></span></code></pre></td></tr></table> </div> </div><h2 id="github-actions-workflow-with-security-stages">GitHub Actions workflow with security stages </h2><p>Here is a practical GitHub Actions workflow that integrates all the security stages discussed above:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Secure CI/CD Pipeline</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pull_request</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">main]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">main]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secret-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Secret Scanning</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fetch-depth</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run gitleaks</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">gitleaks/gitleaks-action@v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GITHUB_TOKEN</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.GITHUB_TOKEN }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sast</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Static Analysis</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Semgrep</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">returntocorp/semgrep-action@v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> p/security-audit </span></span></span><span class="line"><span class="cl"><span class="sd"> p/owasp-top-ten</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Bandit (Python)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> pip install bandit </span></span></span><span class="line"><span class="cl"><span class="sd"> bandit -r ./src -f json -o bandit-report.json || true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Upload SAST reports</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/upload-artifact@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sast-reports</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*.json&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependency-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Dependency Scanning</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Trivy filesystem scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scan-type</span><span class="p">:</span><span class="w"> </span><span class="l">fs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">HIGH,CRITICAL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exit-code</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build-and-scan-image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build &amp; Scan Image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">secret-scan, sast, dependency-scan]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build Docker image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">docker build -t my-app:${{ github.sha }} .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Scan image with Trivy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image-ref</span><span class="p">:</span><span class="w"> </span><span class="l">my-app:${{ github.sha }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">HIGH,CRITICAL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exit-code</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">deploy-staging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy to Staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">build-and-scan-image]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span><span class="l">staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy to staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">echo &#34;Deploy to staging environment&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dast</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Dynamic Analysis</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">deploy-staging]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">OWASP ZAP Baseline Scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">zaproxy/action-baseline@v0.9.0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://staging.example.com&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Notice the deliberate ordering: secret scanning, SAST, and dependency scanning run in parallel (fast feedback). Image scanning runs after build. DAST runs after staging deployment.</p> <h2 id="best-practices-checklist">Best practices checklist </h2><p>Here is a checklist to assess the security maturity of your CI/CD pipeline:</p> <ul> <li><input disabled="" type="checkbox"> <strong>Secret scanning</strong> runs on every PR and blocks merge on findings.</li> <li><input disabled="" type="checkbox"> <strong>Pre-commit hooks</strong> prevent secrets from being committed locally.</li> <li><input disabled="" type="checkbox"> <strong>SAST</strong> runs on every PR with rules covering OWASP Top 10.</li> <li><input disabled="" type="checkbox"> <strong>Dependency scanning</strong> runs on every PR and flags HIGH/CRITICAL CVEs.</li> <li><input disabled="" type="checkbox"> <strong>Container image scanning</strong> runs before pushing images to a registry.</li> <li><input disabled="" type="checkbox"> <strong>DAST</strong> runs against staging on every release (or nightly at minimum).</li> <li><input disabled="" type="checkbox"> <strong>Branch protection</strong> requires passing security checks before merge.</li> <li><input disabled="" type="checkbox"> <strong>Least privilege</strong> is enforced on CI runner permissions and secrets access.</li> <li><input disabled="" type="checkbox"> <strong>Signed commits</strong> and <strong>signed artifacts</strong> are enforced for production releases.</li> <li><input disabled="" type="checkbox"> <strong>Build logs</strong> are reviewed to ensure secrets are not leaked in output.</li> <li><input disabled="" type="checkbox"> <strong>Dependency pinning</strong> is used (exact versions, not ranges) to prevent supply chain attacks.</li> <li><input disabled="" type="checkbox"> <strong>Regular rotation</strong> of all CI/CD secrets and service account keys.</li> </ul> <h2 id="final-thoughts">Final thoughts </h2><p>Shift-left security isn&rsquo;t about buying a tool, it&rsquo;s about changing the culture. Security checks in CI/CD should be fast, automated, and non-negotiable. Start with secret scanning (highest ROI), add SAST, then layer in dependency scanning and DAST.</p> <p>The goal isn&rsquo;t to catch everything in the pipeline. The goal is to raise the bar high enough that obvious issues never reach production, freeing your security team to focus on the subtle, high-impact threats that require human judgment.</p>