Skip to content

bharathadigopula/devsecops-supply-chain-lab

Repository files navigation

DevSecOps Supply Chain Lab

Public, forkable secure delivery lab for showing container hardening, SBOM generation, vulnerability scanning, secret scanning, policy guardrails, and release evidence.

This repo is designed to demonstrate how a platform or DevOps engineer can make security checks part of the delivery workflow without requiring a cloud account or external SaaS product.

What This Shows

  • Hardened Node.js container image
  • Non-root runtime user
  • Digest-pinned base image
  • Dockerfile linting with Hadolint
  • Secret scanning with Gitleaks
  • SBOM generation with Syft
  • Vulnerability scanning with Grype
  • Policy-as-code checks with Conftest
  • GitHub Actions workflow validation with Actionlint
  • Release evidence template for secure delivery review
  • Local validation with checksum-verified tool downloads
  • GitHub Actions validation with SHA-pinned actions

Repository Structure

Path Purpose
app Small HTTP service and hardened Dockerfile
policies/conftest OPA policies for supply-chain evidence checks
security/evidence Machine-readable policy input for validation
security/reports Security review and release evidence templates
scripts Local validation automation

Local Validation

Run:

./scripts/validate-local.sh

The validation script checks:

  • Node.js syntax
  • Docker Compose configuration
  • Dockerfile linting
  • Secret scanning
  • Docker image build
  • SBOM generation
  • Vulnerability scanning
  • Policy-as-code guardrails
  • GitHub Actions workflow syntax

Release Evidence

Each successful validation produces local evidence under .artifacts.

The expected evidence includes:

  • sbom.cdx.json
  • grype.json
  • gitleaks.json
  • policy.json

These files are generated locally and ignored by git.

Production Notes

Before using this pattern for a real production release:

  1. Sign container images with keyless signing.
  2. Publish SBOMs as release artifacts.
  3. Store provenance with the release.
  4. Require branch protection and status checks.
  5. Review vulnerability exceptions through a time-bound process.
  6. Keep release evidence attached to the change record.

About

Production-style DevSecOps supply chain security lab using SBOMs, vulnerability scanning, secret scanning, policy-as-code, and secure container validation.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Contributors