2nd/10_Wiki/Topics/AI_and_ML/CI_CD 파이프라인 및 IDE 통합 보안.md
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization
Large-scale cleanup of 10_Wiki/Topics:
- Removed 227 error-capture / unfinished stub documents
- Merged 43 cross-folder duplicate clusters (63 files → redirect)
- Link-name normalization: fixed broken links, pointed redirects directly, mapped concepts, ~2,400 items
- Created 6 new category MOCs
- Removed 10,058 unresolved related-keyword links from Graph sections

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00


---
id: wiki-2026-0508-ci-cd-ide-security
title: "CI/CD Pipeline & IDE Security Integration"
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases:
  - DevSecOps
  - shift-left security
  - SAST in CI
  - IDE security plugin
  - quality gate
  - security gating
duplicate_of: none
source_trust_level: A
confidence_score: 0.93
verification_status: applied
tags:
  - devsecops
  - ci-cd
  - sast
  - sca
  - secret-scan
  - shift-left
  - security-gating
  - sonarqube
  - snyk
  - github-actions
raw_sources:
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: any
  framework: GitHub Actions / GitLab CI / Jenkins / SonarQube / Snyk
---

# CI/CD Pipeline & IDE Security Integration

## 📌 One-line insight

"Shift-left is the fastest feedback." Catch issues in the IDE as you type, block them at the PR, and catch them before they reach production. Automate all of SAST, SCA, secret and IaC scanning. This is the standard for modern DevSecOps.

## 📖 Core

### The 4 layers

1. IDE (real-time, while coding)

  - SonarLint / SonarQube for IDE: inline SAST.
  - Snyk Code IDE plugin.
  - GitHub Copilot Vulnerability Filter.
  - Semgrep VS Code extension.
  - Fastest feedback (seconds).

2. Pre-commit (local, before commit)

  - Husky + lint-staged.
  - pre-commit framework (Python).
  - gitleaks (secret scan).
  - detect-secrets.

3. PR (CI gate)

  - SAST: Semgrep, CodeQL, SonarQube, Checkmarx.
  - SCA: Snyk, Dependabot, Trivy, OWASP Dependency-Check.
  - Secrets: gitleaks, TruffleHog.
  - IaC: Checkov, tfsec, KICS.
  - License: FOSSA, Black Duck.
  - Any failure blocks the merge.

4. Pre-deploy (image / runtime)

  - Container scan: Trivy, Grype.
  - Image signing: Cosign, Notary.
  - Policy: OPA, Kyverno.
  - Runtime: Falco, Sysdig.
### Standards

OWASP Top 10

  - The most critical web-application risks.

CWE Top 25

  - Weakness categories.

CIS Benchmarks

  - OS / cloud configuration.

NIST 800-53 / 800-218 (SSDF)

  - Government compliance.

PCI-DSS / HIPAA / SOC 2

  - Industry-specific.

### Quality gate (SonarQube-style)

  - Metrics: bugs, vulnerabilities, code smells, coverage, duplication.
  - Thresholds, e.g. 0 vulnerabilities, < 5% duplication, > 80% coverage.
  - Any failure blocks the merge.
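The gate described above, written out as an added example (not code from the original page and not SonarQube's own logic): thresholds are data rather than code, a metric the scanner did not report fails closed, and the result is the list of failing conditions, which is what a PR comment or job log should show. The metric names are constructed for the example, not SonarQube's API keys.

```python
import operator
from dataclasses import dataclass

# Comparison operators a gate condition may use.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq}


@dataclass(frozen=True)
class Condition:
    metric: str       # metric name as it appears in the analysis report (constructed names)
    op: str           # one of OPS
    threshold: float  # value the metric must satisfy


# Gate modelled on the thresholds in the text: 0 vulnerabilities, < 5 % duplication,
# > 80 % coverage, plus every security hotspot reviewed. All conditions are on new code.
DEFAULT_GATE = (
    Condition("new_vulnerabilities", "=", 0),
    Condition("new_duplicated_lines_density", "<", 5.0),
    Condition("new_coverage", ">", 80.0),
    Condition("security_hotspots_reviewed", "=", 100.0),
)


def evaluate_gate(metrics, gate=DEFAULT_GATE):
    """Return failing conditions as (metric, actual, required) tuples.

    A metric missing from the report counts as a failure: a scanner that did not
    run, or a report that was truncated, must not let a PR through.
    """
    failures = []
    for cond in gate:
        actual = metrics.get(cond.metric)
        if actual is None or not OPS[cond.op](actual, cond.threshold):
            failures.append((cond.metric, actual, f"{cond.op} {cond.threshold}"))
    return failures


def gate_passed(metrics, gate=DEFAULT_GATE):
    """True when no condition fails; this is the merge-blocking decision."""
    return not evaluate_gate(metrics, gate)


# Constructed analysis report for one PR (not real SonarQube output).
SAMPLE_REPORT = {
    "new_vulnerabilities": 0,
    "new_duplicated_lines_density": 2.1,
    "new_coverage": 76.4,
    "security_hotspots_reviewed": 100.0,
}

if __name__ == "__main__":
    for metric, actual, required in evaluate_gate(SAMPLE_REPORT):
        print(f"FAIL {metric}: got {actual}, required {required}")
    raise SystemExit(0 if gate_passed(SAMPLE_REPORT) else 1)
```

Treating an absent metric as a failure is the important design choice: most gate bypasses in practice come from a scanner step that silently did not run rather than from a threshold that was too loose.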

### Modern best practices

  1. Shift-left + shift-right: cover everything from development to runtime.
  2. Fail fast: stop at the PR.
  3. Auto-fix where possible: Dependabot PRs.
  4. Risk-based prioritization: not every issue, critical first.
  5. Allowlist (SBOM-based).
  6. Signed commits / build attestation (SLSA).
  7. Automate secret rotation.

### SLSA (Supply-chain Levels for Software Artifacts)

  - Build provenance.
  - Source-to-binary trust.
  - 4 levels.

### Modern AI-augmented tooling

  - CodeRabbit / Greptile: AI review (security focus).
  - GitHub Code Scanning + Copilot Autofix: fix suggestions.
  - Snyk DeepCode: ML-based.

## 💻 Patterns

### GitHub Actions (full DevSecOps)

```yaml
# .github/workflows/security.yml
name: Security
on: [pull_request]

jobs:
  sast:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # CodeQL uploads its SARIF results to code scanning
    steps:
      - uses: actions/checkout@v4
      - name: Semgrep SAST
        uses: returntocorp/semgrep-action@v1
        with:
          config: 'p/security-audit p/owasp-top-ten'

      - name: CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: 'javascript,python'   # one comma-separated string, not two mapping keys
      - uses: github/codeql-action/analyze@v3

  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Snyk SCA
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # block style: ${{ }} is not valid inside a YAML flow mapping
        with:
          args: --severity-threshold=high

  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history, so secrets leaked in earlier commits are found too
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2

  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkov
        uses: bridgecrewio/checkov-action@master
        with: { directory: terraform/ }

  container-scan:
    needs: [sast, sca]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp .
      - name: Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myapp
          severity: 'CRITICAL,HIGH'
          exit-code: 1  # non-zero exit fails the PR check
```
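Added example (not from the original page, and not any scanner's own code): the severity gate that `--severity-threshold=high` and `exit-code: 1` perform, applied by hand to a SARIF 2.1.0 document, the format both Semgrep and CodeQL emit and the one GitHub code scanning ingests. The score-to-severity buckets follow the mapping GitHub documents for the `security-severity` rule property; the SARIF document, tool name and rule IDs are constructed.

```python
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def score_to_severity(score):
    """Map a CVSS-like 0-10 'security-severity' score to GitHub's buckets."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def sarif_findings(sarif):
    """Flatten a SARIF 2.1.0 document into (tool, rule, severity, file, line) tuples."""
    out = []
    for run in sarif.get("runs", []):
        driver = run["tool"]["driver"]
        # Rule metadata is stored once per driver; results reference it by ruleId.
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            props = rule.get("properties", {})
            if "security-severity" in props:
                sev = score_to_severity(float(props["security-severity"]))
            else:
                # Tools without a score only give a SARIF level; treat "error" as high.
                sev = {"error": "high", "warning": "medium"}.get(res.get("level"), "low")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((
                driver["name"],
                res.get("ruleId"),
                sev,
                loc.get("artifactLocation", {}).get("uri"),
                loc.get("region", {}).get("startLine"),
            ))
    return out


def blocking_findings(sarif, threshold="high"):
    """Findings at or above the threshold; a non-empty list means the PR is blocked."""
    min_rank = SEVERITY_RANK[threshold]
    return [f for f in sarif_findings(sarif) if SEVERITY_RANK[f[2]] >= min_rank]


# Constructed SARIF document standing in for real Semgrep/CodeQL output.
SAMPLE_SARIF = json.loads("""
{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
      {"id": "sqli", "properties": {"security-severity": "8.8"}},
      {"id": "weak-hash", "properties": {"security-severity": "5.3"}},
      {"id": "unused-var"}
    ]}},
    "results": [
      {"ruleId": "sqli", "level": "error",
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"},
                                           "region": {"startLine": 42}}}]},
      {"ruleId": "weak-hash", "level": "warning",
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"},
                                           "region": {"startLine": 7}}}]},
      {"ruleId": "unused-var", "level": "note",
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.py"},
                                           "region": {"startLine": 3}}}]}
    ]
  }]
}
""")

if __name__ == "__main__":
    blockers = blocking_findings(SAMPLE_SARIF)
    for tool, rule, sev, path, line in blockers:
        print(f"[{sev.upper()}] {tool}/{rule} at {path}:{line}")
    raise SystemExit(1 if blockers else 0)  # the non-zero exit is what fails the CI job
```

Lowering the threshold to `medium` in the same pipeline turns the `weak-hash` result into a blocker as well, which is the trade-off between item 2 (fail fast) and item 4 (risk-based prioritization) in the best-practice list.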

### Pre-commit hook (husky)

```sh
#!/bin/sh
# .husky/pre-commit
npx lint-staged
npx gitleaks protect --staged   # scan only the staged changes for secrets
```

`package.json` (lint-staged configuration; JSON allows no comments, so the path is given here instead):

```json
{
  "lint-staged": {
    "*.{js,ts,jsx,tsx}": ["eslint --fix", "prettier --write"],
    "*.{yaml,yml}": ["prettier --write"]
  }
}
```

### pre-commit framework (Python)

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks: [{ id: gitleaks }]

  - repo: https://github.com/returntocorp/semgrep
    rev: v1.50.0
    hooks: [{ id: semgrep, args: ['--config=p/python', '--error'] }]

  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks: [{ id: detect-secrets, args: ['--baseline', '.secrets.baseline'] }]
```

### SonarQube quality gate

```properties
# sonar-project.properties
sonar.projectKey=myproject
sonar.sources=src
sonar.tests=tests
sonar.coverage.exclusions=**/*.test.ts,**/test/**

# Custom quality gate (defined in the SonarQube UI):
# - Coverage on New Code > 80%
# - Duplicated Lines on New Code < 3%
# - 0 New Bugs (severity HIGH/CRITICAL)
# - 0 New Vulnerabilities
# - Security Hotspots Reviewed = 100%
```

### CodeQL custom query

```ql
// Detect POST routes that may be missing CSRF protection
import javascript

from Routing::RouteSetup setup, MethodCallExpr handler
where setup.getMethodName() = "post"
  and setup.getHandler() = handler
  and not handler.getReceiver().toString().matches("%csrf%")
select setup, "POST route may be missing CSRF protection."
```

### Container signing (Cosign)

```sh
# Build + sign (keyless: the signing certificate is bound to the CI job's OIDC identity).
# In CI, prefer signing by digest; tags are mutable.
docker build -t myrepo/myapp:v1.0 .
docker push myrepo/myapp:v1.0
cosign sign myrepo/myapp:v1.0

# Verify at deployment. For GitHub Actions the certificate identity (SAN) is the
# workflow file path plus ref, not the bare repository URL, so match it with a regexp.
cosign verify --certificate-identity-regexp='^https://github.com/myorg/myrepo/' \
              --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
              myrepo/myapp:v1.0
```

### SBOM generation

```sh
# Generate an SBOM with Syft
syft myrepo/myapp:v1.0 -o spdx-json > sbom.json

# Attach it to the release
gh release upload v1.0 sbom.json

# Vulnerability scan of the SBOM; exit non-zero on high or above
grype sbom:sbom.json --fail-on high
```
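Added example (not part of the page, and not grype's implementation): the SBOM-driven scan and `--fail-on high` decision above, reduced to their core. It reads package URLs (purls) from an SPDX JSON SBOM, matches them against an advisory list by ecosystem, name and version range, and fails when any hit meets the threshold. The SBOM fragment, advisory IDs and version ranges are constructed placeholders, not real CVEs or GHSA entries.

```python
import json

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(v):
    """Split a dotted version into an integer tuple so '1.2.10' > '1.2.9' compares correctly."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def spdx_packages(sbom):
    """Yield (ecosystem, name, version) for each entry in the SPDX 'packages' list.

    The purl (pkg:npm/lodash@4.17.20) is the reliable join key between an SBOM and an
    advisory feed; name/versionInfo are only a fallback for packages without one.
    Scoped npm names (@scope/name) would need namespace handling, omitted here.
    """
    for pkg in sbom.get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        if purl and purl.startswith("pkg:"):
            eco, _, rest = purl[4:].partition("/")
            name, _, version = rest.rpartition("@")
            yield eco, name, version
        else:
            yield "unknown", pkg.get("name"), pkg.get("versionInfo", "")


def match_vulnerabilities(sbom, advisories):
    """Return (advisory_id, ecosystem/name@version, severity) for every vulnerable package."""
    hits = []
    for eco, name, version in spdx_packages(sbom):
        for adv in advisories:
            if adv["ecosystem"] != eco or adv["package"] != name:
                continue
            v = parse_version(version)
            # Vulnerable when at/above the introduced version and below the fixed version.
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((adv["id"], f"{eco}/{name}@{version}", adv["severity"]))
    return hits


def fail_on(hits, threshold="high"):
    """Mirror `grype --fail-on high`: True when any hit is at or above the threshold."""
    return any(SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold] for _, _, sev in hits)


# Constructed SPDX 2.3 fragment (shape of `syft -o spdx-json`, values made up).
SAMPLE_SBOM = json.loads("""
{"spdxVersion": "SPDX-2.3", "name": "myapp", "packages": [
  {"name": "lodash", "versionInfo": "4.17.20",
   "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                     "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
  {"name": "express", "versionInfo": "4.19.2",
   "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                     "referenceLocator": "pkg:npm/express@4.19.2"}]},
  {"name": "internal-lib", "versionInfo": "0.3.0", "externalRefs": []}
]}
""")
# Constructed advisories; IDs are placeholders, not real identifiers.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "npm", "package": "lodash",
     "introduced": "0", "fixed": "4.17.21", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "npm", "package": "express",
     "introduced": "4.0.0", "fixed": "4.19.0", "severity": "medium"},
]

if __name__ == "__main__":
    hits = match_vulnerabilities(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for adv_id, pkg, sev in hits:
        print(f"{sev.upper():8} {adv_id} {pkg}")
    raise SystemExit(1 if fail_on(hits) else 0)
```

The `internal-lib` entry without a purl illustrates the "supply chain blind" anti-pattern from the other side: a package the SBOM cannot identify precisely can never be matched to an advisory, so the SBOM generator's coverage matters as much as the scanner's database.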

### Auto-fix PR (Dependabot)

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: { interval: "weekly" }
    groups:
      production-deps:
        patterns: ["*"]
        update-types: ["patch", "minor"]
```

### Risk-based prioritization

```python
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    severity: str                   # critical / high / medium / low
    has_known_exploit: bool         # a public exploit exists for the weakness
    in_call_graph_from_entry: bool  # reachable from an application entry point


def prioritize_findings(findings):
    """Score = severity × exploitability × reachability; highest score first."""
    scored = []
    for f in findings:
        sev = {'critical': 4, 'high': 3, 'medium': 2, 'low': 1}[f.severity]
        exploit = 1.5 if f.has_known_exploit else 1.0
        reachable = 2.0 if f.in_call_graph_from_entry else 0.5
        scored.append((f, sev * exploit * reachable))
    return sorted(scored, key=lambda x: -x[1])

# Developers focus on the top 10.
```

## 🤔 Decision criteria

| Layer | Tool |
|---|---|
| IDE SAST | SonarLint / Snyk Code |
| Pre-commit secrets | gitleaks |
| CI SAST | Semgrep / CodeQL |
| CI SCA | Snyk / Dependabot |
| CI IaC | Checkov / tfsec |
| Container | Trivy / Grype |
| Image signing | Cosign + Sigstore |
| Runtime | Falco / Sysdig |
| Compliance | InSpec / Chef Compliance |

Default: all 4 layers + quality gate + SLSA Level 2+.

## 🔗 Graph

## 🤖 LLM usage

When: DevSecOps pipeline design, security policy, compliance audits, vulnerability triage. When not: a single developer's toy project (over-engineering).

### Anti-patterns

  - Scanning only in pre-prod: too late.
  - Blocking on every issue (no prioritization): developer fatigue.
  - Stale allowlist: a false sense of security.
  - Committed secrets: must be rotated.
  - No SBOM: blind to the supply chain.
  - Unsigned images: no basis for trust.
  - Compliance only (no real security): a checkbox exercise.

## 🧪 Verification / duplicates

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-04-19 | Auto-mapped |
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: 4 layers + standards + GitHub Actions / pre-commit / SLSA / Cosign code |