RAPID CYBER AI
WEEK 5 OF 8
0 steps completed
WEEK 5

CI/CD Pipeline Security

Secure every stage from commit to deploy

8-10 hours

Lab 1: Secret Scanning & Pre-Commit

~60 min

Install and run gitleaks

Catches API keys, passwords, and credentials before they reach your repository.

Gitleaks
$ curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz | tar xz
$ sudo mv gitleaks /usr/local/bin/

# Create a test repo with a planted secret
$ mkdir test-repo && cd test-repo && git init
$ echo 'AKIAIOSFODNN7EXAMPLE' > config.txt
$ git add . && git commit -m 'test'

# Scan
$ gitleaks detect -v
# Should find the AWS key pattern

Set up pre-commit hooks

Every commit is scanned automatically. Secrets never reach the repo.

Pre-commit
$ cat > .pre-commit-config.yaml << 'EOF'
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
EOF

$ pre-commit install

# Try to commit a secret — should be blocked:
$ echo 'aws_secret=wJalrXUtnFEMI/K7MDENG' > test.txt
$ git add . && git commit -m 'test'
# Blocked by gitleaks

Lab 2: SAST & Dependency Scanning

~60 min

Run Semgrep SAST

Finds SQL injection, command injection, hardcoded credentials, and insecure functions.

Semgrep
$ pip3 install semgrep --break-system-packages

# Scan with auto-detect rules
$ semgrep --config auto .

# Or target specific vulnerability classes:
$ semgrep --config p/python --config p/owasp-top-ten .

Scan dependencies with Trivy

Checks every dependency against known vulnerability databases.

SCA
# Scan Python dependencies
$ trivy fs --scanners vuln requirements.txt

# Scan Node dependencies
$ trivy fs --scanners vuln package-lock.json

# CI gate:
$ trivy fs --severity HIGH,CRITICAL --exit-code 1 .

Lab 3: Secure GitHub Actions Pipeline

~90 min

Build the complete pipeline

Secret scanning, SAST, and container scanning run in parallel. All must pass.

Full CI/CD workflow
$ cat > .github/workflows/security-pipeline.yml << 'EOF'
name: Security Pipeline
on: [pull_request]
permissions:
  contents: read
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with: { fetch-depth: 0 }
    - uses: gitleaks/gitleaks-action@v2
  sast:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: returntocorp/semgrep-action@v1
  image-scan:
    runs-on: ubuntu-latest
    needs: [secret-scan, sast]
    steps:
    - uses: actions/checkout@v4
    - run: docker build -t myapp:${{ github.sha }} .
    - uses: aquasecurity/trivy-action@master
      with:
        image-ref: myapp:${{ github.sha }}
        severity: HIGH,CRITICAL
        exit-code: 1
EOF

Pin actions to SHA digests

Tags can be overwritten in supply chain attacks. SHA digests are immutable.

Supply chain hardening
# INSECURE — mutable tag:
# uses: actions/checkout@v4

# SECURE — immutable SHA:
# uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

Lab 4: Container Build Pipeline

~60 min

Add container scanning to pipeline

Lint, build, scan, and sign — all automated in the pipeline.

Container CI
# Dockerfile linting
- name: Lint Dockerfile
  uses: hadolint/hadolint-action@v3
  with:
    dockerfile: Dockerfile

# Build, scan, sign
- run: docker build -t $ECR_REPO:${{ github.sha }} .
- run: trivy image --exit-code 1 --severity HIGH,CRITICAL $ECR_REPO:${{ github.sha }}
- run: cosign sign --yes $ECR_REPO:${{ github.sha }}

Lab 5: Pipeline Hardening & Audit

~60 min

Audit your pipeline configuration

Review and harden every aspect of your CI/CD configuration.

Pipeline audit
# Check for common weaknesses:
# 1. Unpinned actions (using @v4 instead of @sha)
# 2. Excessive permissions (contents: write when read suffices)
# 3. Secrets in logs (echo $SECRET)
# 4. Missing branch protection
# 5. No CODEOWNERS for workflow files

# Create CODEOWNERS
$ echo '/.github/ @security-team' > CODEOWNERS
NEXT: WEEK 6 →