Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
Large-scale cleanup of 10_Wiki/Topics:
- Removed 227 error-capture / unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link-name normalization: broken-link fixes, direct redirects, concept mapping, ~2,400 cases
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00


---
id: wiki-2026-0508-devsecops-framework
title: DevSecOps Framework
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [DevSecOps, Shift-Left Security, Secure SDLC]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [devsecops, security, shift-left, sdlc]
raw_sources:
last_reinforced: 2026-05-10
github_commit: applied
tech_stack:
  language: YAML/Python
  framework: GitHub Actions/Semgrep/Trivy
---

# DevSecOps Framework

## One line

"Security becomes an automated check that runs on every change, starting at the PR stage." DevSecOps is a shift-left framework that embeds a security control in every step of the 8-stage plan-code-build-test-release-deploy-operate-monitor lifecycle. 2026 standard: SAST + SCA + IaC scan + secret scan + DAST + RASP + supply-chain (SLSA L3) + ASPM platform.

## Core

### 8-Stage Embed

  1. Plan: threat model (STRIDE), security stories.
  2. Code: IDE plugin (Semgrep, SonarLint), pre-commit (lint-staged + secret).
  3. Build: SBOM (Syft), reproducible build, sign (cosign).
  4. Test: SAST (Semgrep, CodeQL), SCA (Trivy, Snyk), IaC (Checkov).
  5. Release: provenance (SLSA), policy (OPA gatekeeper).
  6. Deploy: admission control, signed image verify, secrets via Vault.
  7. Operate: RASP, WAF, runtime detection (Falco).
  8. Monitor: SIEM (Splunk), anomaly detection, incident response.

### Tool Categories 2026

- SAST: Semgrep, CodeQL, Snyk Code.
- SCA: Trivy, Snyk Open Source, Dependabot.
- DAST: ZAP, Burp, Nuclei.
- IaC: Checkov, tfsec, KICS.
- Secret scan: gitleaks, TruffleHog.
- Container: Trivy, Grype.
- K8s: kube-bench, Falco, Kyverno.
- ASPM: Phoenix, Apiiro, ArmorCode — aggregate + prioritize.

## Applications

  1. Web app secure SDLC.
  2. K8s cluster hardening.
  3. Cloud infra (Terraform/Pulumi) compliance.
  4. Container registry policy.
  5. Supply-chain integrity (SLSA L3).

## 💻 Patterns

### GitHub Actions DevSecOps gate

```yaml
name: secure-pr
on: pull_request
permissions: { contents: read, security-events: write, id-token: write }
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }               # full history so gitleaks can scan every PR commit
      - uses: gitleaks/gitleaks-action@v2      # secrets
      - uses: returntocorp/semgrep-action@v1   # SAST
        with: { config: 'p/owasp-top-ten p/security-audit' }
      - uses: aquasecurity/trivy-action@master # SCA + container (pin to a release tag in production)
        with: { scan-type: fs, severity: 'CRITICAL,HIGH', exit-code: 1 }
      - uses: bridgecrewio/checkov-action@master # IaC (pin to a release tag in production)
```

### Pre-commit secret scan

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks: [{ id: gitleaks }]
```

### OPA admission policy (K8s)

```rego
package k8s.image

# Gatekeeper-style violation rule: bind each container once so the same
# element is tested, instead of two independent `_` iterators.
violation[{"msg": msg}] {
  container := input.review.object.spec.containers[_]
  not startswith(container.image, "ghcr.io/myorg/")
  msg := sprintf("image %v must come from approved registry", [container.image])
}
```

### Cosign verify in admission

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: myorg-signed-images   # any name; a cluster-scoped object needs one
spec:
  images: [{ glob: "ghcr.io/myorg/**" }]
  authorities:
    - keyless:
        # `subject` is an exact match; a pattern needs subjectRegExp
        identities: [{ issuer: "https://token.actions.githubusercontent.com", subjectRegExp: ".*myorg/.*" }]
```

### Falco runtime detection rule

```yaml
- rule: Shell in container
  desc: Detect shell exec inside container
  # restrict to process spawn events; without evt.type the rule fires on every syscall of the shell
  condition: evt.type in (execve, execveat) and evt.dir = < and container.id != host and proc.name in (bash, sh, zsh)
  output: "Shell %proc.name in container=%container.name image=%container.image.repository"
  priority: WARNING
```

### SBOM + provenance attest

```bash
# syft source scheme for an OCI image tarball is oci-archive:
syft packages oci-archive:./image.tar -o spdx-json > sbom.spdx.json
cosign attest --predicate sbom.spdx.json --type spdx ghcr.io/org/app@sha256:...
```

## Decision criteria

| Situation | Tool stack |
|---|---|
| TS/Python monorepo | Semgrep + Trivy + gitleaks |
| Terraform cloud infra | Checkov + tfsec |
| K8s cluster | Falco + Kyverno + cosign |
| Compliance heavy | ASPM platform (Phoenix/Apiiro) |
| Air-gapped / regulated | Semgrep self-host + Trivy DB mirror |

Default: Semgrep + Trivy + gitleaks + Checkov + cosign + Falco.

## 🔗 Graph

## 🤖 LLM usage

When: vuln triage, false-positive filtering, remediation PR drafts, threat-model brainstorming. When not: the actual scan, where a specialized engine is faster and more accurate.

## Anti-patterns

- Security as gate-only: an alert flood with no fix automation.
- Tool sprawl: five SAST tools produce noise; dedupe through ASPM.
- No baseline: every legacy CVE is treated as critical; accept + monitor instead.
- Bypass culture: devs add `// eslint-disable security/*`, neutralizing the guard.
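The three anti-patterns above (gate-only, tool sprawl, no baseline) and the ASPM "aggregate + prioritize" bullet come down to one piece of glue: merge the scanner reports, drop duplicates, and fail only on findings that are new and severe. The script below is an added example, not code from this wiki or from any of the tools; the report shapes for Trivy, Semgrep and gitleaks follow their JSON output as I know it, and the reports, CVE ids and baseline are constructed sample data.

```python
import json

# Constructed sample reports shaped like each tool's JSON output (assumption).
TRIVY = {"Results": [{"Target": "package-lock.json", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "lodash", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "old-lib", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "dev-tool", "Severity": "LOW"},
]}]}
SEMGREP = {"results": [
    {"check_id": "javascript.express.security.injection.tainted-sql", "path": "src/db.ts",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL injection"}},
    {"check_id": "javascript.express.security.injection.tainted-sql", "path": "src/db.ts",
     "start": {"line": 42}, "extra": {"severity": "ERROR", "message": "SQL injection"}},
]}  # second entry is an exact repeat, as a second ruleset run would produce
GITLEAKS = [{"RuleID": "generic-api-key", "File": "config/dev.env", "StartLine": 3}]

# Baseline of accepted findings: the "accept + monitor" path for legacy CVEs.
BASELINE = {"trivy:CVE-0000-0001:lodash"}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def normalize(trivy, semgrep, gitleaks):
    """Flatten three reports into {finding_key: severity}; identical keys collapse."""
    findings = {}
    for res in trivy.get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            findings[f"trivy:{v['VulnerabilityID']}:{v['PkgName']}"] = v["Severity"]
    for r in semgrep.get("results", []):
        sev = {"ERROR": "HIGH", "WARNING": "MEDIUM"}.get(r["extra"]["severity"], "LOW")
        findings[f"semgrep:{r['check_id']}:{r['path']}:{r['start']['line']}"] = sev
    for s in gitleaks:  # a leaked credential is always blocking
        findings[f"gitleaks:{s['RuleID']}:{s['File']}:{s['StartLine']}"] = "CRITICAL"
    return findings


def gate(findings, baseline, fail_at="HIGH"):
    """Return (blocking, accepted), most severe first: new findings at or above
    fail_at block the PR; baselined ones are reported but do not fail the build."""
    threshold = SEVERITY_RANK[fail_at]
    blocking, accepted = [], []
    for key, sev in sorted(findings.items(), key=lambda kv: -SEVERITY_RANK[kv[1]]):
        if SEVERITY_RANK[sev] < threshold:
            continue
        (accepted if key in baseline else blocking).append(key)
    return blocking, accepted


if __name__ == "__main__":
    block, acc = gate(normalize(TRIVY, SEMGREP, GITLEAKS), BASELINE)
    print(json.dumps({"blocking": block, "accepted": acc}, indent=2))
    raise SystemExit(1 if block else 0)  # non-zero exit is what fails the CI job
```

In a real pipeline the three dicts would be `json.load`ed from each scanner's report file and the baseline committed next to the repo so that accepting a finding is a reviewed change.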

## 🧪 Verification / Duplicates

- Verified: NIST SSDF SP 800-218; OWASP DevSecOps maturity; SLSA v1.0; Falco docs.
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: 8-stage + tool stack 2026 |