Security-hardened CI/CD pipeline implementing shift-left security with SAST, DAST, container scanning, secret detection, HashiCorp Vault integration, and CIS benchmark compliance automation.
| Stage | Tool | Purpose |
|---|---|---|
| Secret Detection | gitleaks | Prevent credentials from entering the codebase |
| SAST | Semgrep | Static analysis with OWASP Top 10 rules |
| Container Scan | Trivy | Scan images for HIGH/CRITICAL CVEs |
| DAST | OWASP ZAP | Dynamic application security testing |
| Secrets Management | HashiCorp Vault | Runtime secret injection, zero hard-coded creds |
| Compliance | Ansible | CIS Level 1 benchmark hardening automation |
| Reporting | Python | Auto-generated compliance reports per pipeline run |
```bash
# Run the full pipeline locally with GitLab Runner
gitlab-runner exec docker security-scan

# Or test individual security tools:
semgrep scan --config=p/owasp-top-ten app/
gitleaks detect --source=. --config=security-tools/gitleaks/.gitleaks.toml
trivy image myapp:latest --severity HIGH,CRITICAL
```

| Metric | Result |
|---|---|
| Security gate pass rate | 100% of deploys pass all gates |
| Hard-coded credentials | Zero — all secrets via Vault |
| CIS compliance | Level 1 on all managed hosts |
| Compliance reporting | Auto-generated per pipeline run |
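As an added example (not part of this project's code), a small Python gate evaluator in the spirit of the reporting stage: it parses a Trivy image-scan JSON report and a gitleaks JSON report, enforces the HIGH/CRITICAL and zero-hard-coded-credentials gates from the tables above, and emits a summary that a report generator could consume. The JSON shapes follow the tools' own output formats; the sample reports, file paths and CVE IDs are constructed placeholders.

```python
"""Security-gate evaluator: parse Trivy and gitleaks JSON reports and decide
whether the pipeline stage passes. Sample reports below are constructed for
illustration; the JSON shapes follow the tools' own output formats."""
import json

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}  # matches `--severity HIGH,CRITICAL`

def trivy_findings(report: dict) -> list[dict]:
    """Flatten a Trivy image report into the findings at blocking severity."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # null when clean
            if vuln.get("Severity", "").upper() in BLOCKING_SEVERITIES:
                findings.append({"target": result.get("Target"),
                                 "id": vuln.get("VulnerabilityID"),
                                 "pkg": vuln.get("PkgName"),
                                 "severity": vuln["Severity"]})
    return findings

def gitleaks_findings(report: list) -> list[dict]:
    """Every gitleaks finding blocks: the gate allows zero hard-coded creds.
    The secret value itself is deliberately not copied into the report."""
    return [{"rule": f.get("RuleID"), "file": f.get("File"),
             "line": f.get("StartLine")} for f in report]

def evaluate_gate(trivy_json: str, gitleaks_json: str) -> dict:
    """Return a compliance summary; 'passed' is False if any finding blocks."""
    vulns = trivy_findings(json.loads(trivy_json))
    leaks = gitleaks_findings(json.loads(gitleaks_json))
    return {"passed": not vulns and not leaks,
            "container_findings": vulns, "secret_findings": leaks}

# Constructed sample output (not from a real scan); CVE IDs are placeholders.
TRIVY_SAMPLE = json.dumps({"Results": [{"Target": "myapp:latest (alpine)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
         "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
         "Severity": "LOW"}]}]})
GITLEAKS_SAMPLE = json.dumps([{"RuleID": "generic-api-key", "File": "app/config.py",
                               "StartLine": 12, "Secret": "REDACTED-PLACEHOLDER"}])

if __name__ == "__main__":
    print(json.dumps(evaluate_gate(TRIVY_SAMPLE, GITLEAKS_SAMPLE), indent=2))
```

Wiring this into the pipeline means running it after `trivy image ... --format json` and `gitleaks detect ... --report-format json` and failing the job when `passed` is false.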
```
├── .gitlab-ci/                   # Pipeline definition
├── ansible/roles/cis-hardening/  # CIS Level 1 automation
├── docs/                         # Compliance report generator
├── security-tools/
│   ├── gitleaks/                 # Secret detection config
│   ├── semgrep/                  # Custom SAST rules
│   ├── trivy/                    # Container scan policy
│   └── zap/                      # DAST configuration
└── vault/policies/               # Vault ACL policies
```
This project is for portfolio/demonstration purposes.
