Supply-Chain on Adurhttps://adurrr.github.io/en/tags/supply-chain/Recent content in Supply-Chain on AdurHugo -- gohugo.ioenMon, 10 Feb 2025 00:00:00 +0000Supply chain security: SBOM and Sigstorehttps://adurrr.github.io/en/p/supply-chain-security-sbom-and-sigstore/Mon, 10 Feb 2025 00:00:00 +0000https://adurrr.github.io/en/p/supply-chain-security-sbom-and-sigstore/<p>Supply chain attacks are no longer theoretical. The 2020 SolarWinds breach showed how one compromised build pipeline could hit thousands of organizations, including government agencies. Then Log4Shell in 2021 proved that a vulnerability deep in a transitive dependency could threaten every Java app overnight. The message was clear: we need visibility into what&rsquo;s in our software and stronger integrity guarantees.</p> <p>This guide covers the practical tools: SBOMs, Sigstore, and SLSA framework.</p> <h2 id="why-supply-chain-security-matters">Why Supply Chain Security Matters </h2><p>Traditional security focuses on your own code: static analysis, dependency scanning, penetration testing. Supply chain security extends that perimeter to everything your software depends on and every step in the process of building and delivering it.</p> <p>The attack surface includes:</p> <ul> <li><strong>Source code repositories</strong>: compromised developer accounts, malicious commits</li> <li><strong>Dependencies</strong>: typosquatting, dependency confusion, compromised upstream packages</li> <li><strong>Build systems</strong>: tampered CI/CD pipelines, injected build steps</li> <li><strong>Artifact registries</strong>: replaced binaries, unsigned packages</li> <li><strong>Deployment pipelines</strong>: modified manifests, man-in-the-middle attacks</li> </ul> <p>A single weak link in any of these stages can compromise the entire chain.</p> <h2 id="software-bill-of-materials-sbom">Software Bill of Materials (SBOM) </h2><p>An SBOM is a formal, machine-readable inventory of all components in a piece of software. Think of it as an ingredients list for your application. It includes direct dependencies, transitive dependencies, their versions, licenses, and relationships.</p> <h3 id="why-you-need-one">Why You Need One </h3><ul> <li><strong>Vulnerability response</strong>: When a new CVE drops (like Log4Shell), you can instantly check if any of your applications are affected.</li> <li><strong>License compliance</strong>: Know exactly what licenses you are shipping.</li> <li><strong>Regulatory requirements</strong>: The US Executive Order 14028 and the EU Cyber Resilience Act both push toward mandatory SBOMs.</li> <li><strong>Transparency</strong>: Customers and partners can verify what they are running.</li> </ul> <h3 id="sbom-formats">SBOM Formats </h3><p>Two main formats dominate:</p> <ul> <li><strong>SPDX</strong> (Software Package Data Exchange): An ISO standard (ISO/IEC 5962:2021), originally focused on license compliance, now comprehensive. Supports JSON, RDF, YAML, and tag-value formats.</li> <li><strong>CycloneDX</strong>: An OWASP project, designed from the ground up for security use cases. Supports JSON and XML. Lighter weight and more opinionated.</li> </ul> <p>Both are solid choices. CycloneDX tends to be easier to work with for security-focused workflows. SPDX has broader adoption in compliance-heavy industries.</p> <h3 id="generating-sboms-with-syft">Generating SBOMs with Syft </h3><p><a class="link" href="https://github.com/anchore/syft" target="_blank" rel="noopener" >Syft</a> from Anchore is one of the best tools for generating SBOMs. It supports container images, filesystems, and archives.</p> <p><strong>Install syft:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh <span class="p">|</span> sh -s -- -b /usr/local/bin </span></span></code></pre></td></tr></table> </div> </div><p><strong>Generate an SBOM from a container image:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># CycloneDX format (JSON)</span> </span></span><span class="line"><span class="cl">syft packages registry.example.com/myapp:v1.2.3 -o cyclonedx-json &gt; sbom.cdx.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># SPDX format (JSON)</span> </span></span><span class="line"><span class="cl">syft packages registry.example.com/myapp:v1.2.3 -o spdx-json &gt; sbom.spdx.json </span></span></code></pre></td></tr></table> </div> </div><p><strong>Generate an SBOM from a local directory:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">syft packages dir:/path/to/project -o cyclonedx-json &gt; sbom.cdx.json </span></span></code></pre></td></tr></table> </div> </div><p>You can then scan the SBOM for vulnerabilities using <a class="link" href="https://github.com/anchore/grype" target="_blank" rel="noopener" >Grype</a>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype sbom:sbom.cdx.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-sigstore-ecosystem">The Sigstore Ecosystem </h2><p><a class="link" href="https://www.sigstore.dev/" target="_blank" rel="noopener" >Sigstore</a> is an open-source project that makes cryptographic signing and verification accessible. It eliminates the need to manage long-lived signing keys, which has historically been the main barrier to adoption of artifact signing.</p> <p>The ecosystem has three core components:</p> <ul> <li><strong>cosign</strong>: Signs and verifies container images and other OCI artifacts.</li> <li><strong>Fulcio</strong>: A certificate authority that issues short-lived certificates based on OIDC identity (your existing identity provider).</li> <li><strong>Rekor</strong>: A transparency log that creates an immutable, tamper-resistant record of signing events.</li> </ul> <h3 id="how-it-works">How It Works </h3><ol> <li>You authenticate with an OIDC provider (GitHub, Google, Microsoft, etc.).</li> <li>Fulcio issues a short-lived certificate tied to your identity.</li> <li>cosign uses that certificate to sign your artifact.</li> <li>The signing event is recorded in Rekor&rsquo;s transparency log.</li> <li>Anyone can verify the signature using the transparency log, without needing your public key.</li> </ol> <p>This is called &ldquo;keyless&rdquo; signing. No keys to rotate, no secrets to manage, no PKI infrastructure to maintain.</p> <h3 id="signing-container-images-with-cosign">Signing Container Images with Cosign </h3><p><strong>Install cosign:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Using Go</span> </span></span><span class="line"><span class="cl">go install github.com/sigstore/cosign/v2/cmd/cosign@latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Or download a release</span> </span></span><span class="line"><span class="cl">curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o /usr/local/bin/cosign </span></span><span class="line"><span class="cl">chmod +x /usr/local/bin/cosign </span></span></code></pre></td></tr></table> </div> </div><p><strong>Sign an image (keyless mode):</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cosign sign registry.example.com/myapp:v1.2.3 </span></span></code></pre></td></tr></table> </div> </div><p>This will open a browser for OIDC authentication. In CI, you can use workload identity (e.g., GitHub Actions OIDC token) for non-interactive signing.</p> <p><strong>Verify an image:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cosign verify registry.example.com/myapp:v1.2.3 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --certificate-identity<span class="o">=</span>user@example.com <span class="se">\ </span></span></span><span class="line"><span class="cl"> --certificate-oidc-issuer<span class="o">=</span>https://accounts.google.com </span></span></code></pre></td></tr></table> </div> </div><p><strong>Attach an SBOM to an image and sign it:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Attach the SBOM</span> </span></span><span class="line"><span class="cl">cosign attach sbom --sbom sbom.cdx.json registry.example.com/myapp:v1.2.3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Sign the SBOM attachment</span> </span></span><span class="line"><span class="cl">cosign sign --attachment sbom registry.example.com/myapp:v1.2.3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-slsa-framework">The SLSA Framework </h2><p><a class="link" href="https://slsa.dev/" target="_blank" rel="noopener" >SLSA</a> (Supply-chain Levels for Software Artifacts, pronounced &ldquo;salsa&rdquo;) is a framework that defines increasing levels of supply chain integrity guarantees.</p> <h3 id="slsa-levels">SLSA Levels </h3><ul> <li><strong>Level 0</strong>: No guarantees. This is where most projects start.</li> <li><strong>Level 1</strong>: The build process is documented and produces provenance (metadata about how an artifact was built).</li> <li><strong>Level 2</strong>: The build is hosted on a hosted build service that generates authenticated provenance.</li> <li><strong>Level 3</strong>: The build platform provides hardened builds with tamper-resistant provenance. The build environment is isolated and ephemeral.</li> </ul> <p>Each level builds on the previous one. The goal is not to jump to Level 3 immediately but to incrementally improve your posture.</p> <h3 id="slsa-provenance">SLSA Provenance </h3><p>Provenance answers the critical questions: Who built this? What source was used? What build process was followed? Was the build environment tamper-proof?</p> <p>SLSA provenance is a signed attestation in the <a class="link" href="https://in-toto.io/" target="_blank" rel="noopener" >in-toto</a> format that captures this information.</p> <h2 id="cicd-integration-github-actions-example">CI/CD Integration: GitHub Actions Example </h2><p>Here is a practical GitHub Actions workflow that builds an image, generates an SBOM, signs everything, and generates SLSA provenance:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build, Sign, and Attest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;v*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">permissions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">contents</span><span class="p">:</span><span class="w"> </span><span class="l">read</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">packages</span><span class="p">:</span><span class="w"> </span><span class="l">write</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">id-token</span><span class="p">:</span><span class="w"> </span><span class="l">write </span><span class="w"> </span><span class="c"># Required for keyless signing</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">REGISTRY</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">IMAGE_NAME</span><span class="p">:</span><span class="w"> </span><span class="l">${{ github.repository }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build-sign-attest</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Checkout</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Log in to GHCR</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">docker/login-action@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">registry</span><span class="p">:</span><span class="w"> </span><span class="l">${{ env.REGISTRY }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l">${{ github.actor }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.GITHUB_TOKEN }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build and push image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">build</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">docker/build-push-action@v5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span><span class="l">${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Install cosign</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">sigstore/cosign-installer@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Install syft</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">anchore/sbom-action/download-syft@v0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Sign the image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign sign --yes \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Generate SBOM</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> syft packages \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }} \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -o cyclonedx-json &gt; sbom.cdx.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Attach and sign SBOM</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign attach sbom --sbom sbom.cdx.json \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }} </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign sign --yes --attachment sbom \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Verify signature</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign verify \ </span></span></span><span class="line"><span class="cl"><span class="sd"> --certificate-identity-regexp=&#34;https://github.com/${{ github.repository }}/*&#34; \ </span></span></span><span class="line"><span class="cl"><span class="sd"> --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>id-token: write</code> permission is what enables keyless signing in GitHub Actions. The GitHub OIDC token is automatically used by cosign without any manual key management.</p> <h2 id="practical-adoption-roadmap">Practical Adoption Roadmap </h2><p>You do not need to do everything at once. Here is a sensible progression:</p> <p><strong>Week 1-2: Visibility</strong></p> <ul> <li>Start generating SBOMs for your most critical applications using syft.</li> <li>Integrate Grype into your CI pipeline for vulnerability scanning against the SBOM.</li> </ul> <p><strong>Week 3-4: Signing</strong></p> <ul> <li>Set up cosign keyless signing in your CI/CD pipelines.</li> <li>Sign your container images on every build.</li> </ul> <p><strong>Month 2: Verification</strong></p> <ul> <li>Enforce signature verification in your deployment pipelines (e.g., Kubernetes admission controllers like Kyverno or Sigstore policy-controller).</li> <li>Attach SBOMs to images and sign them.</li> </ul> <p><strong>Month 3+: SLSA Provenance</strong></p> <ul> <li>Add SLSA provenance generation using <a class="link" href="https://github.com/slsa-framework/slsa-github-generator" target="_blank" rel="noopener" >slsa-github-generator</a>.</li> <li>Work toward SLSA Level 2, then Level 3.</li> <li>Automate provenance verification in your deployment tooling.</li> </ul> <h2 id="key-takeaways">Key Takeaways </h2><ul> <li><strong>SBOMs give visibility</strong> - You can&rsquo;t secure what you can&rsquo;t see. Generate SBOMs for every artifact.</li> <li><strong>Sigstore removes the excuse</strong> - Keyless signing kills key management overhead. No good reason not to sign.</li> <li><strong>SLSA is a maturity model</strong> - Use it to improve supply chain integrity incrementally, not as all-or-nothing.</li> <li><strong>Automate everything</strong> - These tools are built for CI/CD integration. Manual doesn&rsquo;t scale.</li> </ul> <p>The supply chain security ecosystem is maturing fast. Tools are production-ready, standards are solidifying, and regulatory pressure keeps rising. The best time to start was yesterday. The second-best is now.</p>CI/CD pipeline security: a shift-left approachhttps://adurrr.github.io/en/p/ci/cd-pipeline-security-a-shift-left-approach/Mon, 20 Jun 2022 00:00:00 +0000https://adurrr.github.io/en/p/ci/cd-pipeline-security-a-shift-left-approach/<h2 id="what-is-shift-left-security">What is shift-left security? </h2><p>Shift-left security means moving security practices earlier in the software development lifecycle. Rather than treating security as a final gate (or worse, an afterthought) before production, you embed security checks directly into your CI/CD pipelines. This catches vulnerabilities when they&rsquo;re cheapest to fix: at development time.</p> <p>The traditional &ldquo;build it, then audit it&rdquo; model doesn&rsquo;t scale. Modern applications ship dozens of times a day. If your security review is a manual quarterly process, you&rsquo;re deploying vulnerable code most of the time.</p> <h2 id="threat-vectors-in-cicd-pipelines">Threat vectors in CI/CD pipelines </h2><p>Before hardening your pipeline, understand what you&rsquo;re defending against. CI/CD systems are high-value targets because they have access to production credentials, source code, and build artifacts.</p> <p>Common threat vectors include:</p> <ul> <li><strong>Compromised dependencies</strong>: A malicious package in your dependency tree (supply chain attack).</li> <li><strong>Leaked secrets</strong>: API keys, tokens, or passwords committed to source code or exposed in build logs.</li> <li><strong>Code vulnerabilities</strong>: SQL injection, XSS, insecure deserialization, and other OWASP Top 10 issues introduced in your application code.</li> <li><strong>Insecure pipeline configuration</strong>: Overly permissive runner access, unprotected branch rules, or missing approval gates.</li> <li><strong>Container image vulnerabilities</strong>: Base images with known CVEs that end up in production.</li> <li><strong>Build artifact tampering</strong>: Unsigned or unverified artifacts that attackers can replace.</li> </ul> <h2 id="integrating-sast-into-your-pipeline">Integrating SAST into your pipeline </h2><p><strong>Static Application Security Testing (SAST)</strong> analyzes source code without executing it. It catches vulnerabilities early, before code even runs.</p> <h3 id="recommended-tools">Recommended tools </h3><ul> <li><strong>Semgrep</strong>: Fast, flexible, and supports custom rules. Works across many languages. My top recommendation for most teams.</li> <li><strong>Bandit</strong>: Python-specific. Excellent for Python projects because it understands Python-specific security patterns.</li> <li><strong>SonarQube</strong>: Broader scope (code quality and security combined). Heavier to set up but useful if you want a single dashboard.</li> </ul> <h3 id="running-semgrep-locally">Running Semgrep locally </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install</span> </span></span><span class="line"><span class="cl">pip install semgrep </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run with default rulesets</span> </span></span><span class="line"><span class="cl">semgrep --config auto . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run with OWASP Top 10 rules specifically</span> </span></span><span class="line"><span class="cl">semgrep --config <span class="s2">&#34;p/owasp-top-ten&#34;</span> . </span></span></code></pre></td></tr></table> </div> </div><h3 id="running-bandit-for-python-projects">Running Bandit for Python projects </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">pip install bandit </span></span><span class="line"><span class="cl">bandit -r ./src -f json -o bandit-report.json </span></span></code></pre></td></tr></table> </div> </div><p>The key is to run these tools on every pull request, not just on the main branch. Developers should see findings before code is merged.</p> <h2 id="integrating-dast-into-your-pipeline">Integrating DAST into your pipeline </h2><p><strong>Dynamic Application Security Testing (DAST)</strong> tests the running application from the outside, simulating an attacker. It catches issues that SAST misses (misconfigurations, authentication flaws, and runtime vulnerabilities).</p> <h3 id="owasp-zap">OWASP ZAP </h3><p>OWASP ZAP is the standard open-source DAST tool. You can run it in your pipeline against a staging deployment:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Pull the ZAP Docker image</span> </span></span><span class="line"><span class="cl">docker pull ghcr.io/zaproxy/zaproxy:stable </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Run a baseline scan against a target URL</span> </span></span><span class="line"><span class="cl">docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py <span class="se">\ </span></span></span><span class="line"><span class="cl"> -t https://staging.example.com <span class="se">\ </span></span></span><span class="line"><span class="cl"> -r zap-report.html </span></span></code></pre></td></tr></table> </div> </div><p>DAST is typically slower than SAST. Run it after deployment to a staging environment rather than on every commit. A nightly or per-release cadence works well for most teams.</p> <h2 id="secret-scanning">Secret scanning </h2><p>Leaked secrets are one of the most common and damaging security failures. Once a secret makes it into Git history, consider it compromised, even if you remove it in a later commit.</p> <h3 id="tools">Tools </h3><ul> <li><strong>gitleaks</strong>: Scans Git repositories for secrets using regex and entropy-based detection.</li> <li><strong>trufflehog</strong>: Searches through Git history for high-entropy strings and known secret patterns.</li> </ul> <h3 id="running-gitleaks">Running gitleaks </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Install</span> </span></span><span class="line"><span class="cl">brew install gitleaks <span class="c1"># or download binary from GitHub releases</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan the current repo</span> </span></span><span class="line"><span class="cl">gitleaks detect --source . --report-path gitleaks-report.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan in CI (detect only new leaks in the PR)</span> </span></span><span class="line"><span class="cl">gitleaks detect --source . --log-opts<span class="o">=</span><span class="s2">&#34;origin/main..HEAD&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="pre-commit-hook">Pre-commit hook </h3><p>Block secrets before they even reach the remote:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># .pre-commit-config.yaml</span> </span></span><span class="line"><span class="cl">repos: </span></span><span class="line"><span class="cl"> - repo: https://github.com/gitleaks/gitleaks </span></span><span class="line"><span class="cl"> rev: v8.16.1 </span></span><span class="line"><span class="cl"> hooks: </span></span><span class="line"><span class="cl"> - id: gitleaks </span></span></code></pre></td></tr></table> </div> </div><h2 id="dependency-scanning">Dependency scanning </h2><p>Your application is only as secure as its weakest dependency. Supply chain attacks are increasing, so you need to scan your dependency tree regularly.</p> <h3 id="tools-1">Tools </h3><ul> <li><strong>Trivy</strong>: Scans container images, filesystems, and Git repos for vulnerabilities. Fast and comprehensive.</li> <li><strong>Snyk</strong>: Commercial option with a generous free tier. Good developer experience.</li> <li><strong>OWASP Dependency-Check</strong>: Mature, open-source, supports multiple ecosystems.</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Scan a container image with Trivy</span> </span></span><span class="line"><span class="cl">trivy image my-app:latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan the filesystem for vulnerable dependencies</span> </span></span><span class="line"><span class="cl">trivy fs --severity HIGH,CRITICAL . </span></span></code></pre></td></tr></table> </div> </div><h2 id="github-actions-workflow-with-security-stages">GitHub Actions workflow with security stages </h2><p>Here is a practical GitHub Actions workflow that integrates all the security stages discussed above:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Secure CI/CD Pipeline</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pull_request</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">main]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">branches</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">main]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">secret-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Secret Scanning</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fetch-depth</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run gitleaks</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">gitleaks/gitleaks-action@v2</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GITHUB_TOKEN</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.GITHUB_TOKEN }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">sast</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Static Analysis</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Semgrep</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">returntocorp/semgrep-action@v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">config</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;-</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> p/security-audit </span></span></span><span class="line"><span class="cl"><span class="sd"> p/owasp-top-ten</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Bandit (Python)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> pip install bandit </span></span></span><span class="line"><span class="cl"><span class="sd"> bandit -r ./src -f json -o bandit-report.json || true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Upload SAST reports</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/upload-artifact@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">sast-reports</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;*.json&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dependency-scan</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Dependency Scanning</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Trivy filesystem scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scan-type</span><span class="p">:</span><span class="w"> </span><span class="l">fs</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">HIGH,CRITICAL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exit-code</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build-and-scan-image</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build &amp; Scan Image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">secret-scan, sast, dependency-scan]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build Docker image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">docker build -t my-app:${{ github.sha }} .</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Scan image with Trivy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image-ref</span><span class="p">:</span><span class="w"> </span><span class="l">my-app:${{ github.sha }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="l">HIGH,CRITICAL</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exit-code</span><span class="p">:</span><span class="w"> </span><span class="m">1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">deploy-staging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy to Staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">build-and-scan-image]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span><span class="l">staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy to staging</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="l">echo &#34;Deploy to staging environment&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">dast</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Dynamic Analysis</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">deploy-staging]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">OWASP ZAP Baseline Scan</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">zaproxy/action-baseline@v0.9.0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">target</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;https://staging.example.com&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Notice the deliberate ordering: secret scanning, SAST, and dependency scanning run in parallel (fast feedback). Image scanning runs after build. DAST runs after staging deployment.</p> <h2 id="best-practices-checklist">Best practices checklist </h2><p>Here is a checklist to assess the security maturity of your CI/CD pipeline:</p> <ul> <li><input disabled="" type="checkbox"> <strong>Secret scanning</strong> runs on every PR and blocks merge on findings.</li> <li><input disabled="" type="checkbox"> <strong>Pre-commit hooks</strong> prevent secrets from being committed locally.</li> <li><input disabled="" type="checkbox"> <strong>SAST</strong> runs on every PR with rules covering OWASP Top 10.</li> <li><input disabled="" type="checkbox"> <strong>Dependency scanning</strong> runs on every PR and flags HIGH/CRITICAL CVEs.</li> <li><input disabled="" type="checkbox"> <strong>Container image scanning</strong> runs before pushing images to a registry.</li> <li><input disabled="" type="checkbox"> <strong>DAST</strong> runs against staging on every release (or nightly at minimum).</li> <li><input disabled="" type="checkbox"> <strong>Branch protection</strong> requires passing security checks before merge.</li> <li><input disabled="" type="checkbox"> <strong>Least privilege</strong> is enforced on CI runner permissions and secrets access.</li> <li><input disabled="" type="checkbox"> <strong>Signed commits</strong> and <strong>signed artifacts</strong> are enforced for production releases.</li> <li><input disabled="" type="checkbox"> <strong>Build logs</strong> are reviewed to ensure secrets are not leaked in output.</li> <li><input disabled="" type="checkbox"> <strong>Dependency pinning</strong> is used (exact versions, not ranges) to prevent supply chain attacks.</li> <li><input disabled="" type="checkbox"> <strong>Regular rotation</strong> of all CI/CD secrets and service account keys.</li> </ul> <h2 id="final-thoughts">Final thoughts </h2><p>Shift-left security isn&rsquo;t about buying a tool, it&rsquo;s about changing the culture. Security checks in CI/CD should be fast, automated, and non-negotiable. Start with secret scanning (highest ROI), add SAST, then layer in dependency scanning and DAST.</p> <p>The goal isn&rsquo;t to catch everything in the pipeline. The goal is to raise the bar high enough that obvious issues never reach production, freeing your security team to focus on the subtle, high-impact threats that require human judgment.</p>