d8a80f6272
Replace [[wikilinks]] that differ only in name (notation variants) with the target document's canonical title, reconnecting 1,200 broken links. Only title/filename normalization matching is applied; alias matching is excluded because of over-merge risk (ambiguity guard). Originals are backed up in _link_reconcile_backup/. Tool: Datacollect/scripts/link_reconcile_apply.mjs Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
8.9 KiB
| id | title | category | status | canonical_id | aliases | duplicate_of | source_trust_level | confidence_score | verification_status | tags | raw_sources | last_reinforced | github_commit | tech_stack |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| wiki-2026-0508-ci-cd-ide-security | CI/CD Pipeline & IDE Security Integration | 10_Wiki/Topics | verified | self | | none | A | 0.93 | applied | | | 2026-05-10 | pending | |
CI/CD Pipeline & IDE Security Integration
📌 One-line insight
"Fastest feedback for shift-left." Immediate while typing in the IDE, blocking at the PR. Catch it before it reaches production. Automate all of SAST + SCA + secret + IaC scanning. The standard in modern DevSecOps.
📖 Core
The 4 layers
1. IDE (real-time, while-coding)
- SonarLint / SonarQube for IDE: SAST inline.
- Snyk Code IDE plugin.
- GitHub Copilot Vulnerability Filter.
- Semgrep VS Code extension.
- ✅ Fastest feedback (seconds).
2. Pre-commit (local, before commit)
- Husky + lint-staged.
- pre-commit framework (Python).
- gitleaks (secret scan).
- detect-secrets.
3. PR (CI gate)
- SAST: Semgrep, CodeQL, SonarQube, Checkmarx.
- SCA: Snyk, Dependabot, Trivy, OWASP Dep-Check.
- Secret: gitleaks, TruffleHog.
- IaC: Checkov, tfsec, KICS.
- License: FOSSA, Black Duck.
- Any failure → block the merge.
4. Pre-deploy (image / runtime)
- Container scan: Trivy, Grype.
- Image signing: Cosign, Notary.
- Policy: OPA, Kyverno.
- Runtime: Falco, Sysdig.
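The pre-commit layer above relies on tools like gitleaks scanning only the staged hunks before a commit is created. The following is an added example, not code from the page or from gitleaks, showing the core of that check in Python: it walks a `git diff --staged` style text, tracks new-file line numbers from the hunk headers, and runs a few fixed patterns plus a Shannon-entropy heuristic over added lines only. The diff text, the AWS key id (the AWS documentation placeholder), the token value and the entropy threshold are all constructed for the example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample of `git diff --staged` output (not from the page).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "x9Kq2Lm8Vz4Rt7Wp1Nb6Hc3Jd5Fg0Sy"
 DEBUG = False
+# -----BEGIN RSA PRIVATE KEY----- pasted here by mistake
"""


@dataclass
class Finding:
    file: str
    line: int      # line number in the new version of the file
    rule: str
    snippet: str


# Fixed-pattern rules: AWS access key id shape and PEM private key headers.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Heuristic rule: long base64-ish tokens with high per-character entropy.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{24,}")
ENTROPY_THRESHOLD = 4.5  # bits/char; assumption, tune per repository
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(text: str) -> list[str]:
    """Return the names of every rule that fires on one added line."""
    rules = [name for name, rx in PATTERN_RULES if rx.search(text)]
    if any(shannon_entropy(t) >= ENTROPY_THRESHOLD for t in TOKEN_RE.findall(text)):
        rules.append("high-entropy-string")
    return rules


def scan_staged_diff(diff_text: str) -> list[Finding]:
    """Scan only '+' lines of a unified diff, reporting new-file line numbers."""
    findings = []
    current_file, new_line, in_hunk = "", 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
        elif raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            new_line, in_hunk = int(m.group(1)), True
        elif in_hunk and raw.startswith("+"):
            text = raw[1:]
            for rule in scan_line(text):
                findings.append(Finding(current_file, new_line, rule, text.strip()))
            new_line += 1
        elif in_hunk and raw.startswith(" "):
            new_line += 1
        # removed ('-') lines do not advance the new-file line counter
    return findings


if __name__ == "__main__":
    for f in scan_staged_diff(SAMPLE_DIFF):
        print(f"{f.file}:{f.line} [{f.rule}] {f.snippet}")
```

In a hook, a non-empty result is the signal to exit non-zero and refuse the commit; the entropy rule is the one that needs a baseline or allowlist in practice, because long hashes and fixture data trip it.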
Standards
OWASP Top 10
- The most critical web application risks.
CWE Top 25
- The most dangerous weakness categories.
CIS Benchmark
- OS / cloud configuration hardening.
NIST 800-53 / 800-218 (SSDF)
- Government compliance.
PCI-DSS / HIPAA / SOC 2
- Industry-specific compliance.
Quality Gate (SonarQube style)
- Metrics: bugs, vulnerabilities, code smells, coverage, duplication.
- Thresholds: e.g., 0 vulnerabilities, < 5% duplication, > 80% coverage.
- Any failure → block the merge.
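A quality gate is just a set of comparisons over new-code metrics whose failure becomes a non-zero CI exit status. This added example (not SonarQube's implementation, and not from the page) encodes the thresholds listed above, plus the "0 new bugs" and "100% hotspots reviewed" conditions that appear in the SonarQube gate later on this page, as explicit operator checks so that the boundary cases (exactly 80% coverage, exactly 5% duplication) are unambiguous. The metric values in the usage block are constructed.

```python
import operator
from dataclasses import dataclass, field


@dataclass
class NewCodeMetrics:
    """Metrics measured on new code only, the way SonarQube-style gates work."""
    bugs: int
    vulnerabilities: int
    coverage_pct: float
    duplication_pct: float
    hotspots_reviewed_pct: float


@dataclass
class GateResult:
    passed: bool
    failures: list[str] = field(default_factory=list)


OPS = {"<": operator.lt, ">": operator.gt, "==": operator.eq}

# (metric, operator, limit): the metric must satisfy `metric op limit` to pass.
CONDITIONS = [
    ("vulnerabilities", "==", 0),
    ("bugs", "==", 0),
    ("coverage_pct", ">", 80.0),       # strictly greater: 80.0 fails
    ("duplication_pct", "<", 5.0),     # strictly less: 5.0 fails
    ("hotspots_reviewed_pct", "==", 100.0),
]


def evaluate_gate(m: NewCodeMetrics, conditions=CONDITIONS) -> GateResult:
    """Evaluate every condition; report all violations, not just the first."""
    failures = []
    for metric, op, limit in conditions:
        value = getattr(m, metric)
        if not OPS[op](value, limit):
            failures.append(f"{metric}={value} violates '{metric} {op} {limit}'")
    return GateResult(passed=not failures, failures=failures)


def ci_exit_code(result: GateResult) -> int:
    """Map the gate result to a process exit status so CI blocks the merge."""
    return 0 if result.passed else 1


if __name__ == "__main__":
    # Constructed metrics for a hypothetical PR.
    pr = NewCodeMetrics(bugs=0, vulnerabilities=1, coverage_pct=80.0,
                        duplication_pct=6.0, hotspots_reviewed_pct=100.0)
    result = evaluate_gate(pr)
    for line in result.failures:
        print("GATE FAIL:", line)
    raise SystemExit(ci_exit_code(result))
```

Reporting every violation at once matters for developer experience: a gate that stops at the first failure forces several round trips to discover the full list.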
Modern best practices
- Shift-left + shift-right: cover everything from dev to runtime.
- Fail fast: stop at the PR.
- Auto-fix where possible: Dependabot PRs.
- Risk-based prioritization: do not block on every issue; critical first.
- Allowlist (SBOM-based).
- Signed commits / build attestation (SLSA).
- Automate secret rotation.
SLSA (Supply-chain Levels for Software Artifacts)
- Build provenance.
- Source-to-binary trust.
- 4 levels.
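Build provenance only establishes source-to-binary trust if the consumer actually checks it against policy. The following added example (not the page's code and not the slsa-verifier or cosign implementation) constructs an in-toto Statement carrying a SLSA v1 provenance predicate for a constructed artifact and then applies the policy checks a deploy step would run after the envelope signature has been verified (by `cosign verify-attestation` or slsa-verifier, which this example does not replace): statement and predicate types, subject digest versus the artifact on disk, builder id against an allowlist, and the resolved source repository. The builder id, build type, commit digest and the `myorg/myrepo` source are placeholders; the allowlist is an assumption.

```python
import hashlib
import json

# Assumed policy values (placeholders, not from the page).
DEFAULT_BUILDER = "https://github.com/actions/runner/github-hosted"
TRUSTED_BUILDERS = {DEFAULT_BUILDER}
EXPECTED_SOURCE = "git+https://github.com/myorg/myrepo"

# Constructed artifact standing in for a real release tarball.
ARTIFACT_NAME = "myapp-v1.0.tar.gz"
ARTIFACT_BYTES = b"constructed release tarball bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(name, data, builder_id=DEFAULT_BUILDER,
                    source_uri=EXPECTED_SOURCE + "@refs/tags/v1.0"):
    """Build an (unsigned) in-toto Statement with a SLSA v1 provenance predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/build-types/release/v1",  # placeholder
                "resolvedDependencies": [
                    {"uri": source_uri, "digest": {"gitCommit": "0" * 40}}      # placeholder commit
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def same_source(uri: str, expected: str) -> bool:
    """Exact repo match; an '@<ref>' suffix is allowed, 'myrepo-fork' is not."""
    return uri == expected or uri.startswith(expected + "@")


def verify_provenance(statement, name, data,
                      trusted=TRUSTED_BUILDERS, expected_source=EXPECTED_SOURCE) -> list[str]:
    """Policy checks on a statement whose signature was already verified.
    Returns the list of problems; an empty list means the artifact may be deployed."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("predicate is not SLSA provenance v1")
    subjects = [s for s in statement.get("subject", []) if s.get("name") == name]
    if not subjects:
        problems.append(f"no subject named {name}")
    elif subjects[0].get("digest", {}).get("sha256") != sha256_hex(data):
        problems.append("subject digest does not match the artifact on disk")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted:
        problems.append(f"untrusted builder id: {builder}")
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(same_source(d.get("uri", ""), expected_source) for d in deps):
        problems.append("provenance does not reference the expected source repo")
    return problems


if __name__ == "__main__":
    stmt = make_provenance(ARTIFACT_NAME, ARTIFACT_BYTES)
    print(json.dumps(stmt, indent=2))
    print("problems:", verify_provenance(stmt, ARTIFACT_NAME, ARTIFACT_BYTES))
```

The digest comparison is what ties the attestation to the bytes being deployed; the builder allowlist is what separates a hosted, hardened builder from an arbitrary self-hosted runner that could emit any provenance it likes.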
Modern AI-augmented
- CodeRabbit / Greptile: AI review (security focus).
- GitHub Code Scanning + Copilot Autofix: fix suggestions.
- Snyk DeepCode: ML-based.
💻 Patterns
GitHub Actions (full DevSecOps)
```yaml
# .github/workflows/security.yml
# Note: pin third-party actions to a release tag or commit SHA rather than @master.
name: Security
on: [pull_request]
permissions:
  contents: read
  security-events: write   # CodeQL needs this to upload its results
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep SAST
        uses: returntocorp/semgrep-action@v1
        with:
          config: 'p/security-audit p/owasp-top-ten'
      - name: CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: 'javascript, python'
      - uses: github/codeql-action/analyze@v3
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Snyk SCA
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so every commit in the PR range is scanned
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: terraform/
  container-scan:
    needs: [sast, sca]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp .
      - name: Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp
          severity: 'CRITICAL,HIGH'
          exit-code: 1   # fail the PR on findings
```
Pre-commit hook (husky)
```sh
#!/bin/sh
# .husky/pre-commit
npx lint-staged
npx gitleaks protect --staged
```
```jsonc
// package.json
{
  "lint-staged": {
    "*.{js,ts,jsx,tsx}": ["eslint --fix", "prettier --write"],
    "*.{yaml,yml}": ["prettier --write"]
  }
}
```
pre-commit framework (Python)
```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks: [{ id: gitleaks }]
  - repo: https://github.com/returntocorp/semgrep
    rev: v1.50.0
    hooks: [{ id: semgrep, args: ['--config=p/python', '--error'] }]
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks: [{ id: detect-secrets, args: ['--baseline', '.secrets.baseline'] }]
```
SonarQube quality gate
```properties
# sonar-project.properties
sonar.projectKey=myproject
sonar.sources=src
sonar.tests=tests
sonar.coverage.exclusions=**/*.test.ts,**/test/**
# Custom quality gate (defined in the SonarQube UI):
# - Coverage on New Code > 80%
# - Duplicated Lines on New Code < 3%
# - 0 New Bugs (severity HIGH/CRITICAL)
# - 0 New Vulnerabilities
# - Security Hotspots Reviewed = 100%
```
CodeQL custom query
```ql
// Detect POST routes that may be missing CSRF protection
import javascript

from Routing::RouteSetup setup, MethodCallExpr handler
where
  setup.getMethodName() = "post" and
  setup.getHandler() = handler and
  not handler.getReceiver().toString().matches("%csrf%")
select setup, "POST route may be missing CSRF protection."
```
Container signing (Cosign)
```sh
# build + sign
docker build -t myrepo/myapp:v1.0 .
docker push myrepo/myapp:v1.0
# Tags are mutable: in a real pipeline sign and verify the immutable digest
# (myrepo/myapp@sha256:<digest>) rather than the tag.
cosign sign myrepo/myapp:v1.0
# verify in deployment
# For keyless GitHub Actions signatures the certificate identity is the workflow URL
# (https://github.com/<org>/<repo>/.github/workflows/<file>@<ref>); use
# --certificate-identity-regexp when the exact identity is not fixed in advance.
cosign verify --certificate-identity=https://github.com/myorg/myrepo \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  myrepo/myapp:v1.0
```
SBOM generation
```sh
# SBOM with Syft
syft myrepo/myapp:v1.0 -o spdx-json > sbom.json
# attach to the release
gh release upload v1.0 sbom.json
# vulnerability scan of the SBOM
grype sbom:sbom.json --fail-on high
```
Auto-fix PR (Dependabot)
```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: { interval: "weekly" }
    groups:
      production-deps:
        patterns: ["*"]
        update-types: ["patch", "minor"]
```
Risk-based prioritization
```python
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    severity: str                   # 'critical' | 'high' | 'medium' | 'low'
    has_known_exploit: bool         # public exploit / known-exploited status
    in_call_graph_from_entry: bool  # reachable from an application entry point


def prioritize_findings(findings):
    """Score each finding as severity × exploitability × reachability, highest first."""
    scored = []
    for f in findings:
        sev = {'critical': 4, 'high': 3, 'medium': 2, 'low': 1}[f.severity]
        exploit = 1.5 if f.has_known_exploit else 1.0
        reachable = 2.0 if f.in_call_graph_from_entry else 0.5
        scored.append((f, sev * exploit * reachable))
    return sorted(scored, key=lambda x: -x[1])
# Devs focus on the top 10.
```
🤔 Decision criteria
| Layer | Tool |
|---|---|
| IDE SAST | SonarLint / Snyk Code |
| Pre-commit secrets | gitleaks |
| CI SAST | Semgrep / CodeQL |
| CI SCA | Snyk / Dependabot |
| CI IaC | Checkov / tfsec |
| Container | Trivy / Grype |
| Image sign | Cosign + Sigstore |
| Runtime | Falco / Sysdig |
| Compliance | InSpec / Chef Compliance |
Default: all 4 layers + quality gate + SLSA Level 2+.
🔗 Graph
- Parent: CI/CD Pipeline & IDE Security Integration · CI CD
- Variants: Shift-Left-Security · Quality-Gate · SLSA · SBOM
- Applications: SonarQube · Semgrep · CodeQL · Trivy · Cosign
- Adjacent: AI 코드 리뷰 및 보안 취약점 점검(DevSecOps) · OWASP Top 10 · Git Branching Strategies · Quality_Code_Review_Modern
🤖 LLM usage
When: DevSecOps pipeline design, security policy, compliance audit, vulnerability triage. When not: a single developer's toy project (over-engineering).
❌ Anti-patterns
- Scanning only in pre-prod: too late.
- Blocking on every issue (no priority): developer fatigue.
- Stale allowlist: false sense of security.
- Committed secret: rotation required.
- No SBOM: blind to the supply chain.
- Unsigned image: no trust.
- Compliance only (no real security): a checkbox exercise.
🧪 Verification / duplicates
- Verified (NIST SSDF, OWASP, SLSA spec).
- Trust level A.
- Related: AI 코드 리뷰 및 보안 취약점 점검(DevSecOps) · Software-Supply-Chain-Security · OWASP Top 10 · Git Branching Strategies.
🕓 Changelog
| Date | Change |
|---|---|
| 2026-04-19 | Auto-mapped |
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: 4 layers + standards + GitHub Actions / pre-commit / SLSA / Cosign code |