Full DevSecOps Pipeline

🔥 Vibe Prompt

"Design a complete DevSecOps pipeline with security gates at every stage."

DevSecOps Pipeline

[Code] → [Build] → [Test] → [Deploy] → [Monitor]
   |         |         |         |          |
   SAST     Image    DAST      Sign      Runtime
   Secrets   Scan     IaC       K8s       RASP
   Lint      SBOM     Policy    Audit     Anomaly

Detailed Pipeline

```yaml
# .github/workflows/devsecops.yml
name: DevSecOps Pipeline
on: push

jobs:
  # Stage 1: Code Security
  code-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }           # full history so gitleaks sees every commit
      - uses: gitleaks/gitleaks-action@v2  # Secrets
        env: { GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" }
      - uses: semgrep/semgrep-action@v1    # SAST
        with: { config: p/owasp-top-ten }

  # Stage 2: Build Security
  build-scan:
    needs: code-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp:latest .     # build the image the scanners inspect
      - uses: aquasecurity/trivy-action@master  # Image scan; fail the job on CRITICAL
        with: { image-ref: myapp:latest, severity: CRITICAL, exit-code: "1" }
      - uses: anchore/sbom-action@v0  # SBOM
        with: { image: myapp:latest }

  # Stage 3: Deploy Security
  deploy:
    needs: build-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: bridgecrewio/checkov-action@v12  # IaC scan
        with: { directory: k8s/ }
      - uses: sigstore/cosign-installer@v3
      - run: cosign sign myapp:latest  # Sign image (requires registry login and a key or keyless OIDC identity)
      - run: kubectl apply -f k8s/

  # Stage 4: Runtime Security
  post-deploy:
    needs: deploy
    runs-on: ubuntu-latest
    steps:
      - uses: zaproxy/action-baseline@v0  # DAST
        with: { target: "https://staging.myapp.com" }
```

Security Gates

┌─────────┐    ┌─────────┐    ┌─────────┐    ┌─────────┐
│  Code   │ →  │  Build  │ →  │  Deploy │ →  │ Runtime │
│ SAST ❌ │    │  SBOM   │    │ IaC ❌  │    │  DAST   │
│ Sec ❌  │    │ Trivy ❌│    │ Sign ✅ │    │  RASP   │
└─────────┘    └─────────┘    └─────────┘    └─────────┘
     ↓              ↓              ↓              ↓
   Block PR      Block push     Block dep     Alert on-call

Compliance Gates

| Gate | Tool | Block If |
|------|------|----------|
| SAST | Semgrep | Any ERROR finding |
| Secrets | GitLeaks | Any secret detected |
| Image | Trivy | Any CRITICAL CVE |
| SBOM | Grype | Any CRITICAL dependency CVE |
| IaC | Checkov | Any FAIL (custom policies) |
| DAST | ZAP | Any HIGH finding |
| Sign | Cosign | No signature |
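The table above states the thresholds but not how a pipeline actually enforces them. The following is an added example, not code from the course or from any of the tools named: a small policy-gate script that reads the JSON reports the scanners leave behind and decides whether the pipeline must block. The report field names (`Results`/`Vulnerabilities`/`Severity` for Trivy, `results`/`extra.severity` for Semgrep, a top-level array with `RuleID` for Gitleaks, `matches`/`vulnerability.severity` for Grype) are an assumption based on those tools' JSON output; the sample reports and every CVE/GHSA identifier in them are constructed placeholders.

```python
"""Policy gate that turns scanner reports into a single block/allow decision.

Added example, not part of the original course page. Thresholds mirror the
Compliance Gates table: SAST blocks on ERROR, secrets on any finding, image
and SBOM scans on CRITICAL. Report shapes are an assumption modelled on the
JSON that Trivy, Semgrep, Gitleaks and Grype emit; the sample reports are
constructed and the identifiers in them are placeholders.
"""
import json
import sys

# Normalise the severity words the four tools use onto one ordinal scale.
SEVERITY_RANK = {
    "INFO": 0, "LOW": 1, "WARNING": 2, "MEDIUM": 2,
    "HIGH": 3, "ERROR": 4, "CRITICAL": 4,
}


def trivy_findings(report):
    """Yield (id, severity) for every vulnerability in a Trivy JSON report."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln.get("VulnerabilityID", "?"), str(vuln.get("Severity", "")).upper()


def semgrep_findings(report):
    """Yield (rule id, severity) from Semgrep's --json output."""
    for hit in report.get("results") or []:
        yield hit.get("check_id", "?"), str(hit.get("extra", {}).get("severity", "INFO")).upper()


def gitleaks_findings(report):
    """Gitleaks writes a JSON array of leaks; every entry is treated as CRITICAL."""
    for leak in report or []:
        yield leak.get("RuleID", "?"), "CRITICAL"


def grype_findings(report):
    """Yield (vuln id, severity) from a Grype JSON report."""
    for match in report.get("matches") or []:
        vuln = match.get("vulnerability", {})
        yield vuln.get("id", "?"), str(vuln.get("severity", "")).upper()


# gate name -> (extractor, lowest severity that blocks the pipeline)
GATES = {
    "sast": (semgrep_findings, "ERROR"),
    "secrets": (gitleaks_findings, "CRITICAL"),
    "image": (trivy_findings, "CRITICAL"),
    "sbom": (grype_findings, "CRITICAL"),
}


def evaluate(gate, report):
    """Return the findings in `report` that meet or exceed the gate's threshold."""
    extractor, threshold = GATES[gate]
    limit = SEVERITY_RANK[threshold]
    return [
        (fid, sev) for fid, sev in extractor(report)
        if SEVERITY_RANK.get(sev, 0) >= limit  # unknown severities do not block here
    ]


def run_gates(reports):
    """reports: {gate: parsed JSON}. Returns {gate: [blocking findings]}."""
    return {gate: evaluate(gate, report) for gate, report in reports.items()}


def pipeline_should_block(reports):
    """True if any gate produced at least one blocking finding."""
    return any(run_gates(reports).values())


# Constructed sample reports (placeholder identifiers, not real advisories).
SAMPLE_REPORTS = {
    "sast": {"results": [
        {"check_id": "example.sqli", "extra": {"severity": "ERROR"}},
        {"check_id": "example.style", "extra": {"severity": "WARNING"}},
    ]},
    "secrets": [],
    "image": {"Results": [{"Target": "myapp:latest", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH"},
    ]}]},
    "sbom": {"matches": [
        {"vulnerability": {"id": "GHSA-placeholder", "severity": "High"}},
    ]},
}


def main(argv):
    """Usage: gate.py sast=semgrep.json image=trivy.json ...; no args runs the sample."""
    reports = SAMPLE_REPORTS
    if argv:
        reports = {}
        for arg in argv:
            gate, path = arg.split("=", 1)
            with open(path, encoding="utf-8") as fh:
                reports[gate] = json.load(fh)
    for gate, findings in run_gates(reports).items():
        print(f"{gate:8s} {'BLOCK' if findings else 'pass'}  {findings}")
    return 1 if pipeline_should_block(reports) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as a single `run:` step after the scanners have written their JSON files and the non-zero exit code becomes the gate. Two design points worth deciding deliberately: severities the script does not recognise are ranked 0 and pass, which is fail-open, so a stricter pipeline would map unknown severities to the blocking rank instead; and the thresholds live in one table (`GATES`) rather than in each scanner's own CLI flags, so the policy is reviewable in a single place.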

DevSecOps Culture

1. Security is everyone's responsibility
2. Automate security (don't rely on manual review)
3. Fail fast, fail safely (block problematic code early)
4. Provide developers with fix suggestions (not just errors)
5. Measure security posture over time (dashboard)
6. Celebrate security wins (not just blame)
7. Continuously update (new threats, new tools)

DevSecOps Course Complete! 🎉

  • ✅ CI/CD Security
  • ✅ SAST & DAST
  • ✅ IaC Security
  • ✅ Runtime Security
  • ✅ Full Pipeline

Key Points

  • Understand the core concepts thoroughly
  • Practice with hands-on code examples
  • Apply knowledge to real-world problems
  • Review and reinforce through exercises

Further Learning

  • Official documentation
  • Open source projects on GitHub
  • Community forums and discussions
  • Related courses and tutorials


DevSecOps Pipeline: Security Built into Every Stage

DevSecOps is not a tool; it is a culture: security checks are embedded into every stage of the development process instead of being left for a security audit just before go-live.

The Complete DevSecOps Pipeline

Development stage
  ├─ SAST (SonarQube) → static code analysis
  └─ Secret scanning → check whether an API key was committed by mistake

Build stage
  ├─ SCA (Snyk / OWASP Dependency Check) → dependency vulnerability scanning
  ├─ Container scan (Trivy) → Docker image vulnerability scanning
  └─ Sign artifacts → ensure build outputs have not been tampered with

Deployment stage
  ├─ IaC scan (Checkov) → Terraform/K8s YAML security checks
  ├─ DAST (OWASP ZAP) → dynamic application security testing
  └─ Key rotation → update credentials immediately after deployment

Operations stage
  ├─ Real-time monitoring (SIEM) → anomalous behaviour detection
  └─ Periodic penetration testing → manually verify the vulnerabilities automated scans cannot find

Why Automate?

Manual security checks will always miss something. Automated security scanning ensures that:

  1. Security checks run automatically on every commit
  2. Deployment is blocked automatically when a high-risk vulnerability is found
  3. Security reports are generated automatically, which simplifies audits

Course Summary

This DevSecOps course took you from CI/CD security, SAST and SCA through to a complete pipeline. You now know how to build security into the development process instead of patching it in just before go-live.

Unlock the Full Tutorial

This chapter is paid content. Join the project to unlock more than 5,000 words of in-depth analysis, including over 10 top-tier prompts and real source-code examples!