nadeemkhan9876/devops-gatekeeper-lab
GitHub: nadeemkhan9876/devops-gatekeeper-lab
基于 GitHub Actions 与 Trivy 的自动化 DevSecOps 流水线,在容器镜像部署到 Azure Container Registry 前强制执行漏洞扫描门禁。
Stars: 0 | Forks: 0
# 自动化容器安全流水线 (DevSecOps Gatekeeper)
一条自动化、云原生的 CI/CD 安全流水线,旨在在容器镜像部署到云环境之前强制执行漏洞门禁。该项目通过在自动化测试阶段拦截不安全的配置,防止镜像仓库污染,展示了**“安全左移”**的实际应用。
## 🚀 架构与工作流
该流水线利用一个自动化检查清单,在全新的云端托管 runner 上针对每次代码提交按顺序执行:
```
[Code Push] ──> [Build Local Docker Image] ──> [Trivy Security Scan]
│
┌───────────────┴───────────────┐
(Passes Scan) (Fails Scan)
│ │
▼ ▼
[Push to Azure Registry] [Pipeline Terminated]
(Registry Protected!)
Code Checkout: GitHub Actions provisions an isolated Ubuntu runner and checks out the source code repository.
ACR Authentication: Securely authenticates with the cloud environment using encrypted repository secrets (ACR_LOGIN_SERVER, ACR_USERNAME, ACR_PASSWORD).
Local Compilation: Builds the container image locally on the runner's ephemeral drive using the Dockerfile configuration.
Automated Security Gate (Trivy): Evaluates the filesystem and dependencies of the built container image against current CVE databases.
Conditional Deployment: Uses a logical gating condition (if: success()). If the image contains zero severe security bugs, it ships to storage. If a threat is detected, the workflow returns a non-zero exit code (exit-code: 1), breaking the build instantly.
🛠️ Technical Stack & Frameworks
CI/CD Orchestration: GitHub Actions
Static Application Security Testing (SAST) / Container Scanning: Aqua Security Trivy (v0.36.0)
Containerization Engine: Docker Core
Cloud Infrastructure Environment: Azure Container Registry (ACR)
🧪 Validation & Test Scenarios
To verify the enforcement capabilities of the security gatekeeper, the workflow was rigorously tested across two distinct operational scenarios:
🟢 Scenario A: Compliant Production Path (main branch)
Base Configuration: FROM python:3.11-slim
Vulnerability Assessment: Retrospectively clean image layer baseline.
Scan Result: 0 CRITICAL vulnerabilities found.
Pipeline Status: PASSED (Green). Image successfully authenticated and pushed to Azure Container Registry.
🔴 Scenario B: Non-Compliant/Legacy Path (vulnerable branch)
Base Configuration: FROM python:3.6
Vulnerability Assessment: Inherited multiple unpatched high-severity CVE dependencies due to an outdated runtime environment.
Scan Result: Multiple CRITICAL vulnerabilities identified.
Pipeline Status: FAILED (Red). The gatekeeper successfully aborted the process, isolating the threat and blocking transmission to Azure.
```
标签:DevSecOps, GitHub Actions, Web截图, 上游代理, 容器安全, 自动化流水线, 自动笔记, 请求拦截