---
id: wiki-2026-0508-ci-cd-ide-security
title: CI/CD Pipeline & IDE Security Integration
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [DevSecOps, shift-left security, SAST in CI, IDE security plugin, quality gate, security gating]
duplicate_of: none
source_trust_level: A
confidence_score: 0.93
verification_status: applied
tags: [devsecops, ci-cd, sast, sca, secret-scan, shift-left, security-gating, sonarqube, snyk, github-actions]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: any
  framework: GitHub Actions / GitLab CI / Jenkins / SonarQube / Snyk
---

# CI/CD Pipeline & IDE Security Integration

## 📌 One-line insight

> **"Shift left: the fastest feedback wins."** Instant feedback in the IDE as you type, a hard block at the PR, and every catch happens before the code reaches production. Automate all of SAST + SCA + secret + IaC scanning. This is the standard for modern DevSecOps.

## 📖 Core

### The 4 layers

#### 1. IDE (real-time, while coding)

- **SonarLint / SonarQube for IDE**: inline SAST.
- **Snyk Code IDE plugin**.
- **GitHub Copilot vulnerability filter**.
- **Semgrep VS Code extension**.
- ✅ Fastest feedback (seconds).

#### 2. Pre-commit (local, before commit)

- **Husky + lint-staged**.
- **pre-commit framework** (Python).
- **gitleaks** (secret scan).
- **detect-secrets**.

#### 3. PR (CI gate)

- **SAST**: Semgrep, CodeQL, SonarQube, Checkmarx.
- **SCA**: Snyk, Dependabot, Trivy, OWASP Dependency-Check.
- **Secrets**: gitleaks, TruffleHog.
- **IaC**: Checkov, tfsec, KICS.
- **License**: FOSSA, Black Duck.
- Any failure blocks the merge.

#### 4. Pre-deploy (image / runtime)

- **Container scan**: Trivy, Grype.
- **Image signing**: Cosign, Notary.
- **Policy**: OPA, Kyverno.
- **Runtime**: Falco, Sysdig.

### Standards

#### OWASP Top 10

- The most critical web application risks.

#### CWE Top 25

- Weakness categories.

#### CIS Benchmarks

- OS / cloud configuration.

#### NIST 800-53 / 800-218 (SSDF)

- Government compliance.

#### PCI-DSS / HIPAA / SOC 2

- Industry-specific.
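For the PR layer above, where any failing scan blocks the merge, here is an added example of the gate logic itself (it is not code from any tool on this page): scanner findings, normalised to a small record, are checked against a severity threshold and an allowlist whose entries expire, so a stale exception cannot silently keep a finding out of the block. Rule ids, paths, fingerprints and dates are all constructed.

```python
# Added example (not from any tool on this page): a minimal PR-layer gate that turns
# normalised scanner findings into a block / pass decision. All inputs are constructed.
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    rule_id: str       # scanner rule name (constructed)
    severity: str
    path: str
    fingerprint: str   # stable per-finding id emitted by the scanner

@dataclass(frozen=True)
class AllowlistEntry:
    fingerprint: str
    expires: date      # every exception carries an owner-set expiry
    reason: str

def gate(findings, allowlist, block_at="high", today=None):
    """Return (blocked, blocking, stale): block when a finding at or above
    `block_at` has no unexpired allowlist entry covering its fingerprint."""
    today = today or date.today()
    active = {e.fingerprint for e in allowlist if e.expires >= today}
    stale = [e for e in allowlist if e.expires < today]   # reported, never honoured
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f.severity.lower(), 0) >= SEVERITY_RANK[block_at]
                and f.fingerprint not in active]
    return bool(blocking), blocking, stale

# Constructed sample input, shaped like post-normalisation scanner output.
SAMPLE_FINDINGS = [
    Finding("exec-detected", "high", "app/tasks.py", "fp-001"),
    Finding("aws-key-in-file", "critical", "config/dev.env", "fp-002"),
    Finding("sleep-in-loop", "low", "app/worker.py", "fp-003"),
]
SAMPLE_ALLOWLIST = [
    AllowlistEntry("fp-001", date(2026, 12, 31), "exec() over a vetted template"),
    AllowlistEntry("fp-002", date(2026, 1, 31), "test key, since rotated"),  # expired
]

if __name__ == "__main__":
    blocked, blocking, stale = gate(SAMPLE_FINDINGS, SAMPLE_ALLOWLIST)
    for f in blocking:
        print(f"BLOCK {f.severity.upper()} {f.rule_id} {f.path} ({f.fingerprint})")
    for e in stale:
        print(f"WARN allowlist entry {e.fingerprint} expired {e.expires}: {e.reason}")
    raise SystemExit(1 if blocked else 0)  # non-zero exit fails the job and blocks merge
```

Run it as the last step of the CI job; the expired exception for the committed key is what turns the result into a block.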
### Quality gate (SonarQube style)

- Metrics: bugs, vulnerabilities, code smells, coverage, duplication.
- Thresholds, e.g.: 0 vulnerabilities, < 5% duplication, > 80% coverage.
- Any failure blocks the merge.

### Modern best practices

1. **Shift left + shift right**: cover everything from dev through runtime.
2. **Fail fast**: stop at the PR.
3. **Auto-fix where possible**: Dependabot PRs.
4. **Risk-based prioritization**: not every issue; critical first.
5. **Allowlist (SBOM-based)**.
6. **Signed commits / build attestation** (SLSA).
7. **Automate secret rotation**.

### SLSA (Supply-chain Levels for Software Artifacts)

- Build provenance.
- Source-to-binary trust.
- 4 levels.

### Modern AI-augmented tooling

- **CodeRabbit / Greptile**: AI review (security focus).
- **GitHub Code Scanning + Copilot Autofix**: fix suggestions.
- **Snyk DeepCode**: ML-based.

## 💻 Patterns

### GitHub Actions (full DevSecOps)

```yaml
# .github/workflows/security.yml
name: Security
on: [pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep SAST
        uses: returntocorp/semgrep-action@v1
        with:
          config: 'p/security-audit p/owasp-top-ten'
      - name: CodeQL
        uses: github/codeql-action/init@v3
        with: { languages: 'javascript, python' }   # one comma-separated string
      - uses: github/codeql-action/analyze@v3
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Snyk SCA
        uses: snyk/actions/node@master
        env: { SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} }
        with: { args: --severity-threshold=high }
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history so gitleaks can scan every commit
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkov
        uses: bridgecrewio/checkov-action@master
        with: { directory: terraform/ }
  container-scan:
    needs: [sast, sca]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp .
      - name: Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp
          severity: 'CRITICAL,HIGH'
          exit-code: 1   # fail the PR
```

### Pre-commit hook (husky)

```bash
#!/bin/sh
# .husky/pre-commit
npx lint-staged
npx gitleaks protect --staged
```

```json
// package.json
{
  "lint-staged": {
    "*.{js,ts,jsx,tsx}": ["eslint --fix", "prettier --write"],
    "*.{yaml,yml}": ["prettier --write"]
  }
}
```

### pre-commit framework (Python)

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks: [{ id: gitleaks }]
  - repo: https://github.com/returntocorp/semgrep
    rev: v1.50.0
    hooks: [{ id: semgrep, args: ['--config=p/python', '--error'] }]
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks: [{ id: detect-secrets, args: ['--baseline', '.secrets.baseline'] }]
```

### SonarQube quality gate

```properties
# sonar-project.properties
sonar.projectKey=myproject
sonar.sources=src
sonar.tests=tests
sonar.coverage.exclusions=**/*.test.ts,**/test/**

# Custom quality gate (defined in SonarQube UI):
# - Coverage on New Code > 80%
# - Duplicated Lines on New Code < 3%
# - 0 New Bugs (severity HIGH/CRITICAL)
# - 0 New Vulnerabilities
# - Security Hotspots Reviewed = 100%
```

### CodeQL custom query

```ql
// Detect POST routes without visible CSRF protection.
// Sketch: predicate names depend on the CodeQL JavaScript library version in use.
import javascript

from Routing::RouteSetup setup, MethodCallExpr handler
where
  setup.getMethodName() = "post" and
  setup.getHandler() = handler and
  not handler.getReceiver().toString().matches("%csrf%")
select setup, "POST route may be missing CSRF protection."
```

### Container signing (Cosign)

```bash
# build + sign
docker build -t myrepo/myapp:v1.0 .
docker push myrepo/myapp:v1.0
cosign sign myrepo/myapp:v1.0

# verify in deployment
cosign verify --certificate-identity=https://github.com/myorg/myrepo \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  myrepo/myapp:v1.0
```

### SBOM generation

```bash
# generate the SBOM with Syft
syft myrepo/myapp:v1.0 -o spdx-json > sbom.json

# attach it to the release
gh release upload v1.0 sbom.json

# vulnerability scan against the SBOM
grype sbom:sbom.json --fail-on high
```

### Auto-fix PR (Dependabot)

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: { interval: "weekly" }
    groups:
      production-deps:
        patterns: ["*"]
        update-types: ["patch", "minor"]
```

### Risk-based prioritization

```python
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str                    # 'critical' | 'high' | 'medium' | 'low'
    has_known_exploit: bool          # e.g. listed in a public exploit feed
    in_call_graph_from_entry: bool   # reachable from an application entry point


def prioritize_findings(findings):
    """Score = severity x exploitability x reachability; highest first."""
    scored = []
    for f in findings:
        sev = {'critical': 4, 'high': 3, 'medium': 2, 'low': 1}[f.severity]
        exploit = 1.5 if f.has_known_exploit else 1.0
        reachable = 2.0 if f.in_call_graph_from_entry else 0.5
        scored.append((f, sev * exploit * reachable))
    # Developers work the top 10.
    return sorted(scored, key=lambda x: -x[1])
```

## 🤔 Decision criteria

| Layer | Tool |
|---|---|
| IDE SAST | SonarLint / Snyk Code |
| Pre-commit secrets | gitleaks |
| CI SAST | Semgrep / CodeQL |
| CI SCA | Snyk / Dependabot |
| CI IaC | Checkov / tfsec |
| Container | Trivy / Grype |
| Image sign | Cosign + Sigstore |
| Runtime | Falco / Sysdig |
| Compliance | InSpec / Chef Compliance |

**Default**: all 4 layers + quality gate + SLSA Level 2+.

## 🔗 Graph

- Parent: [[CI/CD Pipeline & IDE Security Integration|DevSecOps]] · [[CI CD]]
- Variants: [[Shift-Left-Security]] · [[Quality-Gate]] · [[SLSA]] · [[SBOM]]
- Applications: [[SonarQube]] · [[Semgrep]] · [[CodeQL]] · [[Trivy]] · [[Cosign]]
- Adjacent: [[AI 코드 리뷰 및 보안 취약점 점검(DevSecOps)]] · [[OWASP Top 10]] · [[Git Branching Strategies]] · [[Quality_Code_Review_Modern]]

## 🤖 LLM usage

**When**: DevSecOps pipeline design, security policy, compliance audit, vulnerability triage.

**When not**: a single developer's toy project (over-engineering).

## ❌ Anti-patterns

- **Scanning only in pre-prod**: too late.
- **Blocking on every issue (no prioritization)**: developer fatigue.
- **Stale allowlist**: false sense of security.
- **Committed secrets**: must be rotated.
- **No SBOM**: blind to the supply chain.
- **Unsigned images**: no trust.
- **Compliance only (no real security)**: a checkbox exercise.

## 🧪 Verification / duplicates

- Verified (NIST SSDF, OWASP, SLSA spec).
- Trust level A.
- Related: [[AI 코드 리뷰 및 보안 취약점 점검(DevSecOps)]] · [[Software-Supply-Chain-Security]] · [[OWASP Top 10]] · [[Git Branching Strategies]].

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-04-19 | Auto-mapped |
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: 4 layers + standards + GitHub Actions / pre-commit / SLSA / Cosign code |