Hands-on: The Complete Secure Pipeline

Vibe Prompt

"Build me a complete secure CI/CD pipeline: code push → SAST → build → container scan → deploy to staging → DAST → deploy to production."

The Complete Pipeline

name: Secure CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege by default: the workflow token is read-only unless a job asks for more.
permissions:
  contents: read

jobs:
  security-checks:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # CodeQL uploads SARIF results to code scanning
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0         # SonarCloud needs full history for new-code detection

      # Third-party actions below are referenced as in the original (@master). In a
      # real pipeline pin each one to a release tag or a full commit SHA: a mutable
      # branch reference is itself a supply-chain risk.

      # 1. SAST - SonarCloud
      - name: SonarQube Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # for pull request decoration
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

      # 2. SAST - CodeQL
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # "javascript-typescript" covers both; "typescript" is not a separate CodeQL language id
          languages: javascript-typescript
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

      # 3. SCA - Snyk (needs a lockfile or installed node_modules to resolve the dependency tree)
      - name: Snyk Scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      # 4. IaC - Checkov
      - name: Checkov Scan
        uses: bridgecrewio/checkov-action@master
        with:
          directory: k8s/
          framework: kubernetes

  build-and-scan:
    needs: security-checks
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    env:
      # ghcr.io requires a lowercase repository path; lowercase the image name if the repo is not
      IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker Image
        run: docker build -t "$IMAGE" .

      # 5. Container Scan - Trivy, before the push, so a failing image never reaches the registry
      - name: Trivy Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}
          exit-code: '1'
          severity: 'HIGH,CRITICAL'

      # The original omitted registry authentication; without it `docker push` fails.
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push Image
        run: docker push "$IMAGE"

  deploy-staging:
    needs: build-and-scan
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
    steps:
      # Cluster credentials (kubeconfig or a cloud provider's auth action) must be set up in a
      # preceding step; the page does not show how because it is deployment-specific.
      - name: Deploy to Staging
        run: |
          kubectl set image deployment/myapp-staging app="$IMAGE"
          # Wait for the rollout to finish; otherwise ZAP would scan the previous release.
          kubectl rollout status deployment/myapp-staging --timeout=5m

      # 6. DAST - ZAP (post-deployment scan)
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: https://staging.myapp.com
          fail_action: true

  deploy-production:
    needs: deploy-staging
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # A GitHub environment with required reviewers turns this job into a manual approval gate.
    environment: production
    env:
      IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
    steps:
      - name: Deploy to Production
        run: |
          kubectl set image deployment/myapp-prod app="$IMAGE"
          kubectl rollout status deployment/myapp-prod --timeout=5m
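The Trivy step above is a binary gate: any HIGH or CRITICAL finding fails the build, including findings with no upstream fix yet. Teams usually end up wanting a policy instead: block CRITICAL always, block HIGH only when a fix exists, and honour a time-limited allowlist of accepted risks. The script below is an added example (not code from the original page or from Trivy) that implements such a gate over a Trivy JSON report. It assumes the Trivy step was configured with `format: 'json'` and `output: 'trivy.json'` (both are trivy-action inputs) and that a follow-up step runs `python gate.py trivy.json`; the policy values, the allowlist entry and the embedded sample report are constructed for illustration and follow Trivy's `Results` / `Vulnerabilities` JSON shape.

```python
"""Policy gate over a Trivy JSON report (added example; not part of the original page).

Assumed usage in a workflow step:  python gate.py trivy.json
Exit code 1 blocks the job, exactly like trivy-action's `exit-code: '1'`,
but with a policy instead of a flat severity cut-off.
"""
import json
import sys
from datetime import date
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Severities that block unconditionally.
BLOCKING = {"CRITICAL"}
# Severities that block only when the package already ships a fixed version.
BLOCKING_IF_FIXABLE = {"HIGH"}

# Constructed allowlist of accepted risks. Every entry carries an owner and an
# expiry date so that exceptions cannot live forever. Keys are Trivy VulnerabilityIDs.
ALLOWLIST: Dict[str, Dict[str, str]] = {
    "CVE-0000-0001": {"owner": "platform-team", "expires": "2099-01-01"},
}


def iter_vulnerabilities(report: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (target, vulnerability) for every finding across all scan targets."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def is_allowlisted(vuln_id: str, today: date) -> bool:
    """True only if the ID is allowlisted and the exception has not expired."""
    entry = ALLOWLIST.get(vuln_id)
    if entry is None:
        return False
    return date.fromisoformat(entry["expires"]) >= today


def evaluate(report: Dict[str, Any], today: Optional[str] = None) -> List[str]:
    """Return the findings that violate policy; an empty list means the gate passes."""
    as_of = date.fromisoformat(today) if today else date.today()
    violations: List[str] = []
    for target, v in iter_vulnerabilities(report):
        sev = str(v.get("Severity", "UNKNOWN")).upper()
        vid = v.get("VulnerabilityID", "?")
        fixable = bool(v.get("FixedVersion"))
        if is_allowlisted(vid, as_of):
            continue
        if sev in BLOCKING or (sev in BLOCKING_IF_FIXABLE and fixable):
            fix = f" (fix: {v['FixedVersion']})" if fixable else " (no fix yet)"
            violations.append(f"{target}: {vid} {sev} {v.get('PkgName')}@{v.get('InstalledVersion')}{fix}")
    return violations


# Constructed sample in Trivy's JSON shape; not the output of a real scan.
SAMPLE_REPORT: Dict[str, Any] = {
    "Results": [
        {
            "Target": "ghcr.io/example/myapp:abc123 (debian 12.5)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "3.0", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "MEDIUM"},
            ],
        }
    ]
}


def main(path: Optional[str] = None) -> int:
    """Load the report (or the embedded sample), print violations, return the exit code."""
    if path is None:
        report = SAMPLE_REPORT
    else:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    violations = evaluate(report)
    for line in violations:
        print("BLOCK", line)
    print(f"{len(violations)} policy violation(s)")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

On the sample report the gate blocks only the CRITICAL finding: the fixable HIGH is covered by the (unexpired) allowlist entry, the unfixable HIGH is reported but not blocked, and MEDIUM is ignored. Once the allowlist entry expires the fixable HIGH blocks too, which is the point of dating exceptions.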

Shifting Security Left

Move security checks as early in the pipeline as possible. The labels under each stage give the relative cost of fixing a vulnerability that is first discovered there:

Commit → SAST → Build → Container Scan → Test → DAST → Deploy
   ↑       ↑                  ↑            ↑       ↑
cheapest  medium            medium      costlier  costliest

The earlier a vulnerability is found, the cheaper it is to fix.

Course Summary

DevSecOps course complete!

  • ✅ SAST / CodeQL
  • ✅ DAST / ZAP
  • ✅ SCA / Snyk / Dependabot
  • ✅ Secure pipeline
  • ✅ End-to-end secure CI/CD
