[G1-Sync] Manual knowledge update

10_Wiki/Topics/DevOps_and_Security/DevSecOps_Framework.md

@@ -2,21 +2,154 @@
 id: wiki-2026-0508-devsecops-framework
 title: DevSecOps Framework
 category: 10_Wiki/Topics
-status: merged
-redirect_to: 보안_및_시스템_신뢰성_표준
-canonical_id: wiki-2026-0507-039
-aliases: []
+status: verified
+canonical_id: self
+aliases: [DevSecOps, Shift-Left Security, Secure SDLC]
 duplicate_of: none
 source_trust_level: A
-confidence_score: 0.92
-tags: [uncategorized]
+confidence_score: 0.9
+verification_status: applied
+tags: [devsecops, security, shift-left, sdlc]
 raw_sources: []
-last_reinforced: 2026-05-08
-github_commit: pending
-inferred_by: Claude Opus 4.7 (auto-normalize 2026-05-08)
+last_reinforced: 2026-05-10
+github_commit: applied
+tech_stack:
+  language: YAML/Python
+  framework: GitHub Actions/Semgrep/Trivy
 ---
 
-# Redirect
+# DevSecOps Framework
 
-이 문서는 Canonical 문서인 [[보안_및_시스템_신뢰성_표준]]으로 통합되었습니다.
-모든 최신 지식과 세부 내용은 위 링크를 참조하십시오.
+## 매 한 줄
+> **"매 security 가 PR 단계부터 매일 실행되는 자동 체크가 되는 것."**. DevSecOps 는 매 plan-code-build-test-release-deploy-operate-monitor 8단계 의 매 step 마다 security control 을 embed 하는 매 shift-left framework. 2026 표준: SAST + SCA + IaC scan + secret scan + DAST + RASP + supply-chain (SLSA L3) + ASPM platform.
+
+## 매 핵심
+
+### 매 8-Stage Embed
+1. **Plan**: threat model (STRIDE), security stories.
+2. **Code**: IDE plugin (Semgrep, SonarLint), pre-commit (lint-staged + secret).
+3. **Build**: SBOM (Syft), reproducible build, sign (cosign).
+4. **Test**: SAST (Semgrep, CodeQL), SCA (Trivy, Snyk), IaC (Checkov).
+5. **Release**: provenance (SLSA), policy (OPA gatekeeper).
+6. **Deploy**: admission control, signed image verify, secrets via Vault.
+7. **Operate**: RASP, WAF, runtime detection (Falco).
+8. **Monitor**: SIEM (Splunk), anomaly detection, incident response.
+
+### 매 Tool Categories 2026
+- **SAST**: Semgrep, CodeQL, Snyk Code.
+- **SCA**: Trivy, Snyk Open Source, Dependabot.
+- **DAST**: ZAP, Burp, Nuclei.
+- **IaC**: Checkov, tfsec, KICS.
+- **Secret scan**: gitleaks, TruffleHog.
+- **Container**: Trivy, Grype.
+- **K8s**: kube-bench, Falco, Kyverno.
+- **ASPM**: Phoenix, Apiiro, ArmorCode — aggregate + prioritize.
+
+### 매 응용
+1. Web app secure SDLC.
+2. K8s cluster hardening.
+3. Cloud infra (Terraform/Pulumi) compliance.
+4. Container registry policy.
+5. Supply-chain integrity (SLSA L3).
+
+## 💻 패턴
+
+### GitHub Actions DevSecOps gate
+```yaml
+name: secure-pr
+on: pull_request
+permissions: { contents: read, security-events: write, id-token: write }
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: gitleaks/gitleaks-action@v2     # 매 secrets
+      - uses: returntocorp/semgrep-action@v1  # 매 SAST
+        with: { config: 'p/owasp-top-ten p/security-audit' }
+      - uses: aquasecurity/trivy-action@master # 매 SCA + container
+        with: { scan-type: fs, severity: 'CRITICAL,HIGH', exit-code: 1 }
+      - uses: bridgecrewio/checkov-action@master # 매 IaC
+```
+
+### Pre-commit secret scan
+```yaml
+# .pre-commit-config.yaml
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.0
+    hooks: [{ id: gitleaks }]
+```
+
+### OPA admission policy (K8s)
+```rego
+package k8s.image
+violation[{"msg": msg}] {
+  input.review.object.spec.containers[_].image
+  not startswith(input.review.object.spec.containers[_].image, "ghcr.io/myorg/")
+  msg := "image must come from approved registry"
+}
+```
+
+### Cosign verify in admission
+```yaml
+apiVersion: policy.sigstore.dev/v1beta1
+kind: ClusterImagePolicy
+spec:
+  images: [{ glob: "ghcr.io/myorg/**" }]
+  authorities:
+    - keyless:
+        identities: [{ issuer: "https://token.actions.githubusercontent.com", subject: ".*myorg/.*" }]
+```
+
+### Falco runtime detection rule
+```yaml
+- rule: Shell in container
+  desc: Detect shell exec inside container
+  condition: container.id != host and proc.name in (bash, sh, zsh)
+  output: "Shell %proc.name in container=%container.name image=%container.image.repository"
+  priority: WARNING
+```
+
+### SBOM + provenance attest
+```bash
+syft packages oci:./image.tar -o spdx-json > sbom.spdx.json
+cosign attest --predicate sbom.spdx.json --type spdx ghcr.io/org/app@sha256:...
+```
+
+## 매 결정 기준
+| 상황 | Tool stack |
+|---|---|
+| TS/Python monorepo | Semgrep + Trivy + gitleaks |
+| Terraform cloud infra | Checkov + tfsec |
+| K8s cluster | Falco + Kyverno + cosign |
+| Compliance heavy | ASPM platform (Phoenix/Apiiro) |
+| Air-gapped / regulated | Semgrep self-host + Trivy DB mirror |
+
+**기본값**: 매 Semgrep + Trivy + gitleaks + Checkov + cosign + Falco.
+
+## 🔗 Graph
+- 부모: [[OWASP Top 10]] · [[안전한 소프트웨어 개발 수명주기(SSDLC)]]
+- 변형: [[애플리케이션_보안_태세_관리ASPM]]
+- 응용: [[SAST]] · [[DAST]] · [[SCA]] · [[Secret_Management]]
+- Adjacent: [[Zero-Trust Architecture]] · [[CI_CD_Pipeline]]
+
+## 🤖 LLM 활용
+**언제**: vuln triage, false-positive filter, remediation PR draft, threat-model brainstorm.
+**언제 X**: 매 actual scan — specialized engine 이 빠르고 정확.
+
+## ❌ 안티패턴
+- **Security as gate-only**: 매 alert flood 만 — fix automation 없음.
+- **Tool sprawl**: 매 5개 SAST 가 noise — ASPM 으로 dedupe.
+- **No baseline**: 매 legacy CVE 전체가 critical — accept + monitor.
+- **Bypass culture**: 매 dev 가 `// eslint-disable security/*` — guard 무력화.
+
+## 🧪 검증 / 중복
+- Verified: NIST SSDF SP 800-218; OWASP DevSecOps maturity; SLSA v1.0; Falco docs.
+- 신뢰도 A.
+
+## 🕓 Changelog
+| 날짜 | 변경 |
+|---|---|
+| 2026-05-08 | Phase 1 |
+| 2026-05-10 | Manual cleanup — 8-stage + tool stack 2026 |