nadeemkhan9876/devops-gatekeeper-lab

GitHub: nadeemkhan9876/devops-gatekeeper-lab

基于 GitHub Actions 与 Trivy 的自动化 DevSecOps 流水线,在容器镜像部署到 Azure Container Registry 前强制执行漏洞扫描门禁。

Stars: 0 | Forks: 0

# 自动化容器安全流水线 (DevSecOps Gatekeeper) 一条自动化、云原生的 CI/CD 安全流水线,旨在在容器镜像部署到云环境之前强制执行漏洞门禁。该项目通过在自动化测试阶段拦截不安全的配置,防止镜像仓库污染,展示了**“安全左移”**的实际应用。 ## 🚀 架构与工作流 该流水线利用一个自动化检查清单,在全新的云端托管 runner 上针对每次代码提交按顺序执行: ``` [Code Push] ──> [Build Local Docker Image] ──> [Trivy Security Scan] │ ┌───────────────┴───────────────┐ (Passes Scan) (Fails Scan) │ │ ▼ ▼ [Push to Azure Registry] [Pipeline Terminated] (Registry Protected!) Code Checkout: GitHub Actions provisions an isolated Ubuntu runner and checks out the source code repository. ACR Authentication: Securely authenticates with the cloud environment using encrypted repository secrets (ACR_LOGIN_SERVER, ACR_USERNAME, ACR_PASSWORD). Local Compilation: Builds the container image locally on the runner's ephemeral drive using the Dockerfile configuration. Automated Security Gate (Trivy): Evaluates the filesystem and dependencies of the built container image against current CVE databases. Conditional Deployment: Uses a logical gating condition (if: success()). If the image contains zero severe security bugs, it ships to storage. If a threat is detected, the workflow returns a non-zero exit code (exit-code: 1), breaking the build instantly. 🛠️ Technical Stack & Frameworks CI/CD Orchestration: GitHub Actions Static Application Security Testing (SAST) / Container Scanning: Aqua Security Trivy (v0.36.0) Containerization Engine: Docker Core Cloud Infrastructure Environment: Azure Container Registry (ACR) 🧪 Validation & Test Scenarios To verify the enforcement capabilities of the security gatekeeper, the workflow was rigorously tested across two distinct operational scenarios: 🟢 Scenario A: Compliant Production Path (main branch) Base Configuration: FROM python:3.11-slim Vulnerability Assessment: Retrospectively clean image layer baseline. Scan Result: 0 CRITICAL vulnerabilities found. Pipeline Status: PASSED (Green). Image successfully authenticated and pushed to Azure Container Registry. 🔴 Scenario B: Non-Compliant/Legacy Path (vulnerable branch) Base Configuration: FROM python:3.6 Vulnerability Assessment: Inherited multiple unpatched high-severity CVE dependencies due to an outdated runtime environment. Scan Result: Multiple CRITICAL vulnerabilities identified. Pipeline Status: FAILED (Red). The gatekeeper successfully aborted the process, isolating the threat and blocking transmission to Azure. ```
标签:DevSecOps, GitHub Actions, Web截图, 上游代理, 容器安全, 自动化流水线, 自动笔记, 请求拦截