Full DevSecOps Pipeline
🔥 Vibe Prompt
"Design a complete DevSecOps pipeline with security gates at every stage."
DevSecOps Pipeline

```text
[Code]  →  [Build]  →  [Test]  →  [Deploy]  →  [Monitor]
   |          |          |           |            |
 SAST       Image      DAST        Sign        Runtime
 Secrets    Scan       IaC         K8s         RASP
 Lint       SBOM       Policy      Audit       Anomaly
```
Detailed Pipeline

```yaml
# .github/workflows/devsecops.yml
name: DevSecOps Pipeline
on: push
jobs:
  # Stage 1: Code Security
  code-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }                  # full history so Gitleaks can scan past commits
      - uses: gitleaks/gitleaks-action@v2          # Secrets
      - uses: semgrep/semgrep-action@v1            # SAST
        with: { config: p/owasp-top-ten }
  # Stage 2: Build Security
  build-scan:
    needs: code-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master     # Image scan
        with:
          image-ref: myapp:latest
          severity: CRITICAL                       # gate table: block on any CRITICAL CVE
          exit-code: "1"                           # non-zero exit fails the job
      - uses: anchore/sbom-action@v0               # SBOM
  # Stage 3: Deploy Security
  deploy:
    needs: build-scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                              # keyless cosign signing uses the GitHub OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: bridgecrewio/checkov-action@v12      # IaC scan
      - run: cosign sign myapp:latest              # Sign image
      - run: kubectl apply -f k8s/
  # Stage 4: Runtime Security
  post-deploy:
    needs: deploy
    runs-on: ubuntu-latest
    steps:
      - uses: zaproxy/action-baseline@v0           # DAST
        with: { target: "https://staging.myapp.com" }
```
Security Gates

```text
┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐
│  Code   │ → │  Build  │ → │ Deploy  │ → │ Runtime │
│ SAST ❌ │   │ SBOM    │   │ IaC ❌  │   │ DAST    │
│ Sec ❌  │   │ Trivy ❌│   │ Sign ✅ │   │ RASP    │
└─────────┘   └─────────┘   └─────────┘   └─────────┘
     ↓             ↓             ↓             ↓
  Block PR     Block push    Block dep    Alert on-call
```
Compliance Gates

| Gate | Tool | Block If |
|------|------|----------|
| SAST | Semgrep | Any ERROR finding |
| Secrets | GitLeaks | Any secret detected |
| Image | Trivy | Any CRITICAL CVE |
| SBOM | Grype | Any CRITICAL dependency CVE |
| IaC | Checkov | Any FAIL (custom policies) |
| DAST | ZAP | Any HIGH finding |
| Sign | Cosign | No signature |
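The gate table only works if some step turns scanner output into a pass/fail decision. The script below is an added example, not part of the original page or of any of the tools it names: it reads the JSON reports of three of the gates (Semgrep, Trivy, Gitleaks), applies the table's thresholds through one shared severity scale, and exits non-zero so the CI job fails. The report shapes (`results[].extra.severity` for Semgrep, `Results[].Vulnerabilities[]` for Trivy, a plain list of leaks for Gitleaks) are my reading of those tools' JSON formats and are assumptions; the sample reports and the `CVE-0000-000x` identifiers are constructed placeholders.

```python
"""Added example: a merge gate that applies the compliance-gate thresholds
to scanner reports. Report shapes are assumed from Semgrep (--json),
Trivy (--format json) and Gitleaks (--report-format json); samples are constructed."""
import json
from dataclasses import dataclass
from typing import Callable

# One severity scale for all tools: Semgrep reports INFO/WARNING/ERROR, Trivy
# reports LOW..CRITICAL. Ranking both lets a single comparison serve every gate.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "WARNING": 2, "MEDIUM": 2,
                 "HIGH": 3, "ERROR": 4, "CRITICAL": 4}


@dataclass
class Finding:
    gate: str
    ident: str
    severity: str
    fix: str = ""          # fix hint surfaced to the developer when the tool provides one


@dataclass
class Gate:
    name: str
    tool: str
    block_at: str          # lowest severity that blocks, taken from the gate table
    extract: Callable[[object], list]


def semgrep_findings(report: dict) -> list:
    # Assumed Semgrep JSON shape: results[].check_id, results[].extra.severity
    return [Finding("SAST", r["check_id"], r["extra"]["severity"],
                    r["extra"].get("message", ""))
            for r in report.get("results", [])]


def trivy_findings(report: dict) -> list:
    # Assumed Trivy JSON shape: Results[].Vulnerabilities[] with VulnerabilityID/Severity/FixedVersion
    out = []
    for res in report.get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            fix = (f"upgrade {v['PkgName']} to {v['FixedVersion']}"
                   if v.get("FixedVersion") else "no fixed version published yet")
            out.append(Finding("Image", v["VulnerabilityID"], v["Severity"], fix))
    return out


def gitleaks_findings(report: list) -> list:
    # Assumed Gitleaks JSON shape: a list of leaks; every leak is ranked CRITICAL so it always blocks
    return [Finding("Secrets", f"{leak['RuleID']} in {leak['File']}:{leak['StartLine']}", "CRITICAL",
                    "rotate the credential, then remove it from history")
            for leak in report]


GATES = [
    Gate("SAST", "Semgrep", "ERROR", semgrep_findings),
    Gate("Image", "Trivy", "CRITICAL", trivy_findings),
    Gate("Secrets", "Gitleaks", "LOW", gitleaks_findings),   # LOW threshold: any leak at all blocks
]


def blocking_findings(gate: Gate, report) -> list:
    """Findings at or above the gate's threshold; anything returned blocks the stage."""
    threshold = SEVERITY_RANK[gate.block_at]
    return [f for f in gate.extract(report)
            if SEVERITY_RANK.get(f.severity.upper(), 0) >= threshold]


def run_gates(reports: dict) -> tuple:
    """Evaluate every gate whose report is present. Returns (passed, blocking findings)."""
    blocked = []
    for gate in GATES:
        if gate.name in reports:
            blocked.extend(blocking_findings(gate, reports[gate.name]))
    return (not blocked, blocked)


def load_report(path: str):
    """Load one scanner report written by an earlier pipeline step."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample reports (not real scanner output; CVE ids are placeholders).
SAMPLE_REPORTS = {
    "SAST": {"results": [
        {"check_id": "python.lang.security.audit.exec-detected",
         "extra": {"severity": "ERROR", "message": "avoid exec() on untrusted input"}},
        {"check_id": "python.lang.best-practice.open-never-closed",
         "extra": {"severity": "WARNING", "message": "use a context manager"}},
    ]},
    "Image": {"Results": [{"Target": "myapp:latest", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL", "FixedVersion": "1.2.4"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "HIGH"},
    ]}]},
    "Secrets": [],   # Gitleaks found nothing
}

if __name__ == "__main__":
    passed, blocked = run_gates(SAMPLE_REPORTS)
    for f in blocked:
        print(f"[{f.gate}] {f.ident} ({f.severity}): {f.fix}")
    raise SystemExit(0 if passed else 1)   # non-zero exit fails the CI step
```

Each blocking finding carries a fix hint, which is the practical form of culture point 4 below (give developers a remedy, not just a red cross); the HIGH Trivy finding is reported by the scanner but does not block, exactly as the table specifies.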
DevSecOps Culture
1. Security is everyone's responsibility
2. Automate security (don't rely on manual review)
3. Fail fast, fail safely (block problematic code early)
4. Provide developers with fix suggestions (not just errors)
5. Measure security posture over time (dashboard)
6. Celebrate security wins (not just blame)
7. Continuously update (new threats, new tools)
DevSecOps Course Complete! 🎉
- ✅ CI/CD Security
- ✅ SAST & DAST
- ✅ IaC Security
- ✅ Runtime Security
- ✅ Full Pipeline
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials
DevSecOps Pipeline: Security Built Into Every Stage
DevSecOps is not a tool; it is a culture. Security checks are embedded into every stage of the development process, rather than running a security audit only just before release.
The Complete DevSecOps Pipeline

```text
Development stage
├─ SAST (SonarQube) → static code analysis
└─ Secret Scanning → check whether an API key was committed by mistake
Build stage
├─ SCA (Snyk / OWASP Dependency Check) → dependency vulnerability scan
├─ Container Scan (Trivy) → Docker image vulnerability scan
└─ Sign artifacts → ensure build outputs have not been tampered with
Deploy stage
├─ IaC Scan (Checkov) → Terraform/K8s YAML security checks
├─ DAST (OWASP ZAP) → dynamic application security testing
└─ Key rotation → refresh credentials immediately after deployment
Operations stage
├─ Real-time monitoring (SIEM) → anomalous behaviour detection
└─ Regular penetration testing → manual verification of what automated scans miss
```
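The Secret Scanning step in the development stage is the one check that is cheap to run on every commit, because it only needs the staged diff. The script below is an added example of the mechanics, not the page's code and not Gitleaks' rule set: it walks the added lines of a unified diff, matches a few constructed patterns, applies an entropy filter so low-entropy placeholder values in test fixtures do not trip the generic rule, and redacts the matched value before reporting so the secret is not copied into CI logs. The rule list, the entropy threshold of 3.5 bits and the sample diff are all constructed; the AWS access key in the sample is the documented AWS example value, not a live credential.

```python
"""Added example: a minimal pre-commit secret check over a unified diff.
Patterns, threshold and the sample diff are constructed; a real deployment
uses a maintained rule set such as Gitleaks'. This shows only the mechanics."""
import math
import re
from collections import Counter

# Constructed rules; real scanners ship hundreds of these.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # Generic `name = "value"` assignment; group 2 is the candidate secret, checked for entropy below
    ("generic-assignment", re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
ENTROPY_THRESHOLD = 3.5   # bits per character; constructed cut-off for the generic rule


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; random keys score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(line: str, match: re.Match) -> str:
    """Keep the first four characters of the matched value so the finding is recognisable without leaking it."""
    secret = match.group(match.lastindex or 0)
    return line.replace(secret, secret[:4] + "...[redacted]")


def scan_added_lines(diff_text: str) -> list:
    """Scan only '+' lines of a unified diff, tracking new-file line numbers from the @@ headers.
    Returns (rule, line number, redacted line) tuples."""
    findings = []
    lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)            # new-file start line from @@ -a,b +c,d @@
            lineno = int(m.group(1)) - 1 if m else 0
            continue
        if raw.startswith("+++") or raw.startswith("---"):
            continue                                   # file headers, not content
        if raw.startswith("-"):
            continue                                   # removed lines do not advance new-file numbering
        lineno += 1
        if not raw.startswith("+"):
            continue                                   # unchanged context
        line = raw[1:]
        for name, pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            if name == "generic-assignment" and shannon_entropy(m.group(2)) < ENTROPY_THRESHOLD:
                continue                               # looks like a placeholder, not a real secret
            findings.append((name, lineno, redact(line, m)))
    return findings


# Constructed staged diff; the AKIA... value is the AWS documentation example key.
SAMPLE_DIFF = """--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "changeme"
+api_key = "x9Fq2LmZ8aT4vW6yB1nC3dE5"
 DEBUG = False
"""

if __name__ == "__main__":
    results = scan_added_lines(SAMPLE_DIFF)
    for rule, lineno, shown in results:
        print(f"config.py:{lineno}: {rule}: {shown}")
    raise SystemExit(1 if results else 0)   # any finding blocks the commit
```

Run as a pre-commit hook it reads `git diff --cached` on stdin; in the pipeline the same logic runs over the push range, which is why the workflow above checks out full history for the secrets stage. Exit status, not printed text, is what the gate consumes.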
Why automate?
If security checks depend on people, something will be missed. Automated security scanning ensures that:
- security checks run automatically on every commit
- deployment is blocked automatically when a high-risk vulnerability is found
- security reports are generated automatically, which makes audits easier
Course Summary
This DevSecOps course took you from CI/CD security, SAST and SCA through to a complete pipeline; you now know how to build security into the development process instead of patching it up just before release.