Practical: A Complete Security Pipeline
Vibe Prompt
「Help me build a complete secure CI/CD pipeline: code push → SAST → build → container scan → deploy to staging → DAST → deploy to production.」
Complete Pipeline
name: Secure CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least-privilege default for the GITHUB_TOKEN; jobs that need more raise it explicitly.
permissions:
  contents: read

jobs:
  security-checks:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # CodeQL uploads its SARIF results to code scanning
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0         # SonarCloud needs full history; shallow clones degrade the analysis

      # 1. SAST - SonarQube (SonarCloud)
      # The @master references below mirror the vendors' own README examples;
      # for a production pipeline pin each third-party action to a release tag or commit SHA.
      - name: SonarQube Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # needed for PR decoration
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

      # 2. SAST - CodeQL
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript   # one CodeQL language covers both JS and TS
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

      # 3. SCA - Snyk
      - name: Snyk Scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      # 4. IaC - Checkov
      - name: Checkov Scan
        uses: bridgecrewio/checkov-action@master
        with:
          directory: k8s/
          framework: kubernetes

  build-and-scan:
    needs: security-checks
    runs-on: ubuntu-latest
    permissions:
      contents: read    # once a permissions block is declared, checkout needs this explicitly
      packages: write   # push to GHCR
    steps:
      - uses: actions/checkout@v4

      # GHCR image names must be lowercase; lowercase the repository name first if the owner or repo has capitals.
      - name: Build Docker Image
        run: docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .

      # 5. Container Scan - Trivy (runs before the push, so a failing image never reaches the registry)
      - name: Trivy Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
          exit-code: '1'
          severity: 'HIGH,CRITICAL'

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push Image
        run: docker push ghcr.io/${{ github.repository }}:${{ github.sha }}

  deploy-staging:
    needs: build-and-scan
    runs-on: ubuntu-latest
    # Note: with the triggers above this job also runs for pull requests; restrict it
    # (for example with if: github.event_name == 'push') if PRs must not touch staging.
    steps:
      # Assumes staging cluster credentials (kubeconfig) are configured in a preceding step, which this lesson does not show.
      - name: Deploy to Staging
        run: |
          kubectl set image deployment/myapp-staging app=ghcr.io/${{ github.repository }}:${{ github.sha }}
          kubectl rollout status deployment/myapp-staging --timeout=5m   # wait, so DAST scans the new build rather than the old pods

      # 6. DAST - ZAP (post-deployment scan)
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: https://staging.myapp.com
          fail_action: true

  deploy-production:
    needs: deploy-staging
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # a GitHub environment can require reviewer approval before this job runs
    steps:
      - name: Deploy to Production
        run: |
          kubectl set image deployment/myapp-prod app=ghcr.io/${{ github.repository }}:${{ github.sha }}
          kubectl rollout status deployment/myapp-prod --timeout=5m
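Each scanner in the pipeline fails its own step through its own exit code and its own severity vocabulary. Several of them can also write SARIF 2.1.0 (Trivy via its `format: 'sarif'` and `output:` inputs; CodeQL produces SARIF for code scanning), so one gate step can apply a single threshold to every tool's findings and skip results that were suppressed in source. The script below is an added example written for this page, not code from the lesson, from CodeQL, from Trivy or from any other project; the file name sarif_gate.py, the SAMPLE_SARIF document and the rule IDs and paths inside it are placeholders constructed for the example.

```python
"""Added example (not from the lesson or any scanner's own code): a severity
gate over SARIF 2.1.0 output, usable as one step after the scanners above.
SAMPLE_SARIF is constructed for this example; rule IDs are placeholders."""
import json
import sys
from typing import Iterable, List, Optional, Tuple

# SARIF result levels, least to most severe; a missing level means "warning".
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def is_suppressed(result: dict) -> bool:
    """Suppressed if any suppression has status 'accepted' (the SARIF default)."""
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))


def result_level(result: dict, rules_by_id: dict) -> str:
    """result.level, else the rule's defaultConfiguration.level, else 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId", ""), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def first_location(result: dict) -> str:
    """Render the first physical location as 'uri:line', with '?' where absent."""
    locs = result.get("locations", [])
    phys = locs[0].get("physicalLocation", {}) if locs else {}
    uri = phys.get("artifactLocation", {}).get("uri", "?")
    line = phys.get("region", {}).get("startLine", "?")
    return f"{uri}:{line}"


def findings_at_or_above(sarif: dict, threshold: str) -> List[Tuple[str, str, str]]:
    """(ruleId, level, location) for every unsuppressed result at or above threshold."""
    min_rank = LEVEL_RANK[threshold]
    hits = []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results", []):
            if is_suppressed(result):
                continue
            level = result_level(result, rules_by_id)
            if LEVEL_RANK.get(level, 0) >= min_rank:
                hits.append((result.get("ruleId", "?"), level, first_location(result)))
    return hits


def gate(docs: Iterable[dict], threshold: str = "error") -> int:
    """Print blocking findings; return 0 if none reach the threshold, else 1."""
    hits = [h for doc in docs for h in findings_at_or_above(doc, threshold)]
    for rule_id, level, loc in hits:
        print(f"{level.upper():<8} {rule_id:<28} {loc}")
    return 1 if hits else 0


def _loc(uri: str, line: Optional[int] = None) -> list:
    """Build a SARIF locations list for the constructed sample below."""
    phys = {"artifactLocation": {"uri": uri}}
    if line is not None:
        phys["region"] = {"startLine": line}
    return [{"physicalLocation": phys}]


# Constructed sample: a CodeQL-style run (level inherited from the rule, one
# result suppressed in-source) and a Trivy-style run (level set per result).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "js/sql-injection", "defaultConfiguration": {"level": "error"}},
            {"id": "js/unused-local-variable", "defaultConfiguration": {"level": "note"}},
        ]}},
         "results": [
            {"ruleId": "js/sql-injection", "locations": _loc("src/db.js", 42)},
            {"ruleId": "js/unused-local-variable", "locations": _loc("src/util.js", 7)},
            {"ruleId": "js/sql-injection", "suppressions": [{"kind": "inSource"}],
             "locations": _loc("src/legacy.js", 3)},
        ]},
        {"tool": {"driver": {"name": "Trivy", "rules": []}},
         "results": [
            {"ruleId": "CVE-0000-0001", "level": "warning", "locations": _loc("usr/lib/libexample.so")},
            {"ruleId": "CVE-0000-0002", "level": "error",
             "locations": _loc("node_modules/example-pkg/package.json", 1)},
        ]},
    ],
}

if __name__ == "__main__":
    # In CI: python sarif_gate.py trivy-results.sarif [more.sarif ...]
    paths = sys.argv[1:]
    docs = [json.load(open(p)) for p in paths] if paths else [SAMPLE_SARIF]
    sys.exit(gate(docs, threshold="error"))
```

Run with no arguments it gates the constructed sample and exits 1, because two unsuppressed findings are at level error while the suppressed one and the note are ignored. The threshold is deliberately a SARIF level rather than a CVSS score, since that is the one field every SARIF producer is required to make resolvable (explicitly or via the rule's defaultConfiguration); keep the scanner-native thresholds in the pipeline (Trivy's severity, Snyk's --severity-threshold) as the first line and use this gate to enforce one policy over the combined output.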
Shift Left
Move security checks as early in the pipeline as possible. In the pipeline above, SAST, SCA and IaC scanning run before an image is even built, and the container scan runs before the image is pushed, so most findings stop the job before any artifact leaves CI.
Commit → SAST → Build → Container Scan → Test → DAST → Deploy
          ↑       ↑           ↑                   ↑       ↑
      cheapest  medium     medium          costlier costliest
The earlier in the pipeline a vulnerability is found, the lower the cost of fixing it.
Course Summary
DevSecOps course complete!
- ✅ SAST / CodeQL
- ✅ DAST / ZAP
- ✅ SCA / Snyk / Dependabot
- ✅ Secure pipeline
- ✅ Complete secure CI/CD