Hands-on: A Complete Secure Pipeline
Vibe Prompt
"Help me build a complete secure CI/CD pipeline: code push → SAST → build → Container Scan → deploy to Staging → DAST → deploy to Production."
Full Pipeline
name: Secure CI/CD Pipeline
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
jobs:
  security-checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # 1. SAST - SonarQube
      - name: SonarQube Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      # 2. SAST - CodeQL
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript, typescript
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
      # 3. SCA - Snyk
      - name: Snyk Scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
      # 4. IaC - Checkov
      - name: Checkov Scan
        uses: bridgecrewio/checkov-action@master
        with:
          directory: k8s/
          framework: kubernetes
  build-and-scan:
    needs: security-checks
    runs-on: ubuntu-latest
    permissions:
      contents: read   # declaring a permissions block drops the defaults, so checkout needs this explicitly
      packages: write  # needed to push to GHCR
    steps:
      - uses: actions/checkout@v4
      # docker push to GHCR fails without a registry login; the job's GITHUB_TOKEN is enough
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        run: docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
      # 5. Container Scan - Trivy (fails the job on HIGH/CRITICAL, so a vulnerable image is never pushed)
      - name: Trivy Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
          exit-code: '1'
          severity: 'HIGH,CRITICAL'
      - name: Push Image
        run: |
          docker push ghcr.io/${{ github.repository }}:${{ github.sha }}
  deploy-staging:
    needs: build-and-scan
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to Staging
        run: |
          kubectl set image deployment/myapp-staging app=ghcr.io/${{ github.repository }}:${{ github.sha }}
      # 6. DAST - ZAP (post-deployment scan)
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: https://staging.myapp.com
          fail_action: true
  deploy-production:
    needs: deploy-staging
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to Production
        run: |
          kubectl set image deployment/myapp-prod app=ghcr.io/${{ github.repository }}:${{ github.sha }}
          kubectl rollout status deployment/myapp-prod --timeout=5m
Shift Security Left
Move security checks to the earliest possible stage of the pipeline
Commit → SAST → Build → Container Scan → Test → DAST → Deploy
(cost of fixing a vulnerability found at each stage rises from left to right: cheapest → medium → medium → more expensive → most expensive)
The earlier a vulnerability is found, the lower the cost of fixing it
Course Summary
DevSecOps course complete!
- ✅ SAST / CodeQL
- ✅ DAST / ZAP
- ✅ SCA / Snyk / Dependabot
- ✅ Secure Pipeline
- ✅ Complete Secure CI/CD
Integrating All Security Tools into One Pipeline
In the previous chapters you learned tools such as SAST, SCA, DAST and Container Scan. This chapter integrates all of them into a single GitHub Actions pipeline, so that every push automatically runs every security check.
Pipeline Stages and Gates
Push / PR
    ↓
① SAST (SonarQube)
    ├─ pass → continue
    └─ fail → block the PR
    ↓
② SCA (Snyk / Dependency Check)
    ├─ no high-risk vulnerabilities → continue
    └─ high-risk vulnerabilities found → block
    ↓
③ Container Build + Scan (Trivy)
    ├─ no vulnerabilities → push to the registry
    └─ vulnerabilities found → rebuild
    ↓
④ DAST (OWASP ZAP)
    ├─ deploy to Staging → run the ZAP scan
    └─ high risk → notify + do not deploy to Production
    ↓
⑤ Production Deploy ✅
Key Design Principles of the Pipeline
- Fail fast: SAST and SCA run first and give feedback within seconds
- Gates: every stage has explicit pass criteria
- Notifications: on failure, notify the responsible developers with a link to the report
- Block vs. allow: Critical vulnerabilities block deployment, Low vulnerabilities are only recorded
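As an added example (not part of the course material or of any tool it names), this Python script applies the block-vs-allow rule from the list above to a Trivy JSON report: CRITICAL and HIGH findings close the gate, lower severities are only counted, and the outcome is formatted with a report link for the notification step. The sample report, its vulnerability IDs and the report URL are constructed placeholders.

```python
"""Severity gate over a Trivy JSON report: CRITICAL/HIGH close the gate, the rest is only recorded."""
import json
import sys
from collections import Counter

# Severities that close the gate (same set as the workflow's severity: 'HIGH,CRITICAL').
BLOCKING = {"CRITICAL", "HIGH"}

# Constructed sample in Trivy's JSON layout; the vulnerability IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "app (node)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "InstalledVersion": "4.17.20",
     "FixedVersion": "4.17.21", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "minimist", "InstalledVersion": "1.2.5",
     "FixedVersion": "", "Severity": "LOW"}]},
  {"Target": "ubuntu 22.04"}
]}
""")

def findings(report):
    """Flatten every result into (target, vuln) pairs; Trivy omits the key when a target is clean."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln

def evaluate_gate(report, blocking=BLOCKING):
    """Return (blocked, severity counts, blocking findings); only blocking severities stop the run."""
    counts = Counter(v["Severity"] for _, v in findings(report))
    blockers = [(t, v) for t, v in findings(report) if v["Severity"] in blocking]
    return bool(blockers), counts, blockers

def notification(blocked, counts, blockers, report_url):
    """Message for the 'notify the developer with a report link' step, one line per blocker."""
    status = "BLOCKED" if blocked else "ALLOWED"
    lines = [f"Container scan {status}: " + ", ".join(f"{s}={n}" for s, n in sorted(counts.items()))]
    for target, v in blockers:
        fix = f"fix in {v['FixedVersion']}" if v.get("FixedVersion") else "no fix yet"
        lines.append(f"  {v['Severity']} {v['VulnerabilityID']} {v['PkgName']}@{v['InstalledVersion']}"
                     f" ({target}, {fix})")
    lines.append(f"  report: {report_url}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Usage: python gate.py trivy.json; with no argument the constructed sample is gated.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    blocked, counts, blockers = evaluate_gate(report)
    print(notification(blocked, counts, blockers, "https://example.invalid/scan-report"))  # placeholder URL
    sys.exit(1 if blocked else 0)  # same exit semantics as the Trivy step's exit-code: '1'
```

Run it as a step after `trivy image --format json -o trivy.json ...` to get the same pass/fail behaviour as the Trivy action while keeping a per-severity record of what was allowed through.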
Course Summary
In this DevSecOps course you learned everything from CI/CD security, SAST, SCA and DAST to full pipeline integration. You can now implement a DevSecOps process with security built in on your own projects.