GitHub SecOps: DevSecOps Pipeline

A robust DevSecOps pipeline in GitHub Actions integrates security at every stage of your CI/CD process. Below is a practical example covering secrets detection, SAST, SCA, container scanning, DAST, and system auditing.

name: DevSecOps Pipeline

on:
  push:
    branches:
      - main

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      # Checkout code
      - name: Checkout code
        uses: actions/checkout@v4

      # Secret scanning (GitGuardian or truffleHog recommended)
      - name: Secret Scan (truffleHog)
        uses: trufflesecurity/trufflehog@v3
        with:
          scan: true

      # Static Application Security Testing (SAST) with SonarCloud
      - name: SAST (SonarCloud)
        uses: SonarSource/sonarcloud-github-action@v2
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          projectKey: ${{ secrets.SONAR_PROJECT_KEY }}

      # Software Composition Analysis (SCA) with OWASP Dependency-Check
      - name: SCA (OWASP Dependency-Check)
        uses: dependency-check/Dependency-Check_Action@v3
        with:
          project: my-app
          format: 'HTML'
          out: 'reports'

      # Container image scanning with Trivy
      - name: Container Scan (Trivy)
        uses: aquasecurity/trivy-action@v0.14.0
        with:
          image-ref: 'myorg/myimage:latest'

      # Dynamic Application Security Testing (DAST) with OWASP ZAP
      - name: DAST (OWASP ZAP)
        uses: zaproxy/action-full-scan@v0.7.0
        with:
          target: 'https://your-app-url.com'

      # System Security Audit (Lynis)
      - name: System Security Audit (Lynis)
        uses: docker://cisagov/lynis
        with:
          args: audit system

      # Optional: Bug tracking integration (e.g., Jira, GitHub Issues)
      # - name: Create Issue on Failure
      #   uses: actions/github-script@v7
      #   if: failure()
      #   with:
      #     script: |
      #       // Create an issue or notify on failure

Pipeline Stages Explained:

Secret Scanning: Detects hardcoded secrets using truffleHog or GitGuardian.
SAST: Analyzes code for vulnerabilities before deployment (SonarCloud).
SCA: Checks dependencies for known vulnerabilities (OWASP Dependency-Check).
Container Scanning: Scans Docker images for vulnerabilities (Trivy).
DAST: Tests running applications for security issues (OWASP ZAP).
System Audit: Runs a system-level security audit (Lynis).
Bug Tracking: Optionally create issues for failed security checks.

Best Practices

Store all tokens and credentials in GitHub Secrets.
Use branch protection rules to enforce security checks before merging.
Regularly update action versions to include the latest security patches.
Review GitHub Advanced Security for built-in secret scanning and code scanning.

References

Tip: Integrate this pipeline with your existing CI/CD workflows for continuous, automated security coverage across your DevOps lifecycle.

PreviousGitHub Actions NextGitLab

Last updated 2 months ago