Public, forkable secure delivery lab for showing container hardening, SBOM generation, vulnerability scanning, secret scanning, policy guardrails, and release evidence.
This repo is designed to demonstrate how a platform or DevOps engineer can make security checks part of the delivery workflow without requiring a cloud account or external SaaS product.
- Hardened Node.js container image
- Non-root runtime user
- Digest-pinned base image
- Dockerfile linting with Hadolint
- Secret scanning with Gitleaks
- SBOM generation with Syft
- Vulnerability scanning with Grype
- Policy-as-code checks with Conftest
- GitHub Actions workflow validation with Actionlint
- Release evidence template for secure delivery review
- Local validation with checksum-verified tool downloads
- GitHub Actions validation with SHA-pinned actions
| Path | Purpose |
|---|---|
app |
Small HTTP service and hardened Dockerfile |
policies/conftest |
OPA policies for supply-chain evidence checks |
security/evidence |
Machine-readable policy input for validation |
security/reports |
Security review and release evidence templates |
scripts |
Local validation automation |
Run:
./scripts/validate-local.shThe validation script checks:
- Node.js syntax
- Docker Compose configuration
- Dockerfile linting
- Secret scanning
- Docker image build
- SBOM generation
- Vulnerability scanning
- Policy-as-code guardrails
- GitHub Actions workflow syntax
Each successful validation produces local evidence under .artifacts.
The expected evidence includes:
sbom.cdx.jsongrype.jsongitleaks.jsonpolicy.json
These files are generated locally and ignored by git.
Before using this pattern for a real production release:
- Sign container images with keyless signing.
- Publish SBOMs as release artifacts.
- Store provenance with the release.
- Require branch protection and status checks.
- Review vulnerability exceptions through a time-bound process.
- Keep release evidence attached to the change record.