Self-Hosted DevSecOps for Kubernetes — Scan Every Push. Block Misconfigurations Before They Reach Production.
A self-hosted DevSecOps platform that scans every Git push and blocks security misconfigurations, hardcoded secrets, and infrastructure vulnerabilities before they reach production.
🚀 Quick Start · 📖 Documentation · 🛡️ SecTL Engine · 🗺️ Roadmap · 🤝 Contributing
Real-time overview of connected repositories, scan history, and security posture at a glance.
Add, remove, and monitor repositories — each automatically webhook-connected to the scan pipeline.
Per-repository scan summary with status indicators and quick-action controls.
Scan history list with PASS/FAIL status, timestamps, and scan type breakdown.
Detailed findings view — rule ID, severity, file path, description, and remediation guidance per violation.
High-level scan result summary grouped by severity (CRITICAL → LOW) with finding counts.
Manually trigger a scan from the dashboard, or let the GitHub webhook fire it automatically on every push.
ZeroTrustOps scans every Git push, detects misconfigurations and secrets, and blocks insecure infrastructure before it reaches production.
Powered by a custom enforcement engine (SecTL), along with Gitleaks for secrets detection, it provides an end-to-end DevSecOps pipeline with automated scanning, CI/CD enforcement, and a real-time dashboard — all running locally with a single command.
Every push is treated as a security checkpoint. If it fails, it never deploys.
git push
└── GitHub webhook triggers the scan pipeline
└── Repository is cloned into an isolated scan environment
│
├── 🔍 Static Analysis (SecTL)
│ ├── Scans IaC: Kubernetes, Terraform, Helm
│ ├── Detects misconfigurations (RBAC, networking, privilege escalation)
│ ├── Applies 70+ security rules
│ └── Assigns severity levels (CRITICAL → LOW)
│
├── 🔑 Secrets Detection (Gitleaks)
│ └── Identifies API keys, tokens, passwords, and exposed credentials
│
├── 🧠 Findings Processing
│ ├── Normalizes results (rule_id, severity, file path)
│ ├── Deduplicates issues
│ └── Attaches precise remediation guidance
│
├── 🚦 Enforcement Engine (CI/CD Gate)
│ ├── Evaluates findings against severity thresholds
│ └── Returns binary decision → PASS / FAIL
│
├── 🗄️ Persistence Layer
│ └── Stores scan results, history, and findings in PostgreSQL
│
└── 📊 Real-time Feedback Loop
├── Updates dashboard instantly
├── Displays repo status (PASS / FAIL)
├── Shows severity breakdown
└── Provides actionable fixes per finding
- 🚫 Blocks insecure Kubernetes deployments before they ever reach your cluster
- 🔑 Prevents secrets from leaving your repo by detecting hardcoded credentials on every push
- 🚦 Fails CI instantly on critical issues with a clear PASS/FAIL security gate
- 🛡️ Enforces security policies at deployment time using admission control (Kyverno)
- 🔍 Detects misconfigurations across IaC and containers (Kubernetes, Terraform, Helm, images)
- 📊 Gives actionable insights, not just logs — every finding includes exact fixes and context
| Component | Technology | Role |
|---|---|---|
| SecTL CLI | Go 1.21+ | Custom static analysis engine — 70+ built-in rules |
| Platform API | Python / FastAPI | Webhook receiver, scan orchestrator, REST API |
| Dashboard | React + Vite | Real-time scan results and repository management |
| Database | PostgreSQL 16 | Persistent storage for repos, scans, and findings |
| Secrets Scanner | Gitleaks | Detects hardcoded secrets and credentials |
All services run in Docker Compose and communicate over an internal bridge network.
┌────────────────────────────────────────────────────────────┐
│ Docker Compose Network │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌─────────────┐ │
│ │ React │ │ FastAPI │ │ PostgreSQL │ │
│ │ Dashboard │◄──►│ Backend │◄──►│ 16 │ │
│ │ :3000 │ │ :8000 │ │ :5432 │ │
│ └──────────────┘ └──────┬───────┘ └─────────────┘ │
│ │ │
│ ┌────────▼────────┐ │
│ │ SecTL CLI │ │
│ │ + Gitleaks │ │
│ └─────────────────┘ │
└────────────────────────────────────────────────────────────┘
▲
│ GitHub Webhook (ngrok tunnel)
│
┌─────┴──────┐
│ GitHub │
│ Repos │
└────────────┘
SecTL is a purpose-built CLI tool written in Go. It scans Infrastructure-as-Code files for security misconfigurations and produces a binary PASS/FAIL exit code suitable for use as a CI/CD gate.
| Type | Target | Coverage |
|---|---|---|
k8s |
Kubernetes manifests | Pods, Deployments, RBAC, Ingress, ConfigMaps, ServiceAccounts |
terraform |
Infrastructure as Code | AWS, GCP, Azure — S3, IAM, Security Groups, RDS, EKS, CloudTrail |
helm |
Helm charts | Chart.yaml, values.yaml, rendered templates |
posture |
Live AWS account | IAM root keys, MFA enforcement, password policy, S3 bucket posture |
supply-chain |
Container images | Digest pinning, :latest tag detection, EOL base images |
| Rule ID | Severity | Description |
|---|---|---|
| K8S-001 | 🔴 CRITICAL | hostPID enabled — container sees all host processes |
| K8S-004 | 🔴 CRITICAL | Privileged container — full host device access |
| K8S-020 | 🔴 CRITICAL | RBAC wildcard apiGroups (*) |
| K8S-024 | 🔴 CRITICAL | Binding to cluster-admin role |
| K8S-025 | 🔴 CRITICAL | Binding to unauthenticated/anonymous subject |
| K8S-031 | 🟠 HIGH | Hardcoded secret in environment variable |
| K8S-005 | 🟠 HIGH | allowPrivilegeEscalation not set to false |
| Rule ID | Severity | Description |
|---|---|---|
| TF-S3-010 | 🔴 CRITICAL | S3 bucket ACL set to public |
| TF-IAM-001 | 🔴 CRITICAL | IAM policy allows Action: * (all actions) |
| TF-SG-001 | 🔴 CRITICAL | Security group: sensitive port open to internet |
| TF-RDS-002 | 🔴 CRITICAL | RDS instance publicly accessible |
| TF-EKS-002 | 🟠 HIGH | EKS API server publicly accessible |
📋 Full rule list:
sectl rules— filter with--source k8s,--source terraform,--severity critical
# Scan Kubernetes manifests
sectl scan ./manifests --type k8s
# Scan Terraform — fail CI on HIGH or above
sectl scan ./infra --type terraform --severity high --fail-on-findings
# Scan Helm chart
sectl scan ./charts/myapp --type helm
# Verify container images (digest, EOL, latest tag)
sectl verify nginx:latest myapp:1.0.0
# Audit live AWS account posture
sectl audit --provider aws --region us-east-1
# JSON output for programmatic use
sectl scan ./manifests --type k8s --output json
# SARIF output for GitHub Security tab
sectl scan ./manifests --type k8s --output sarif| Dependency | Minimum Version | Notes |
|---|---|---|
| Docker | 24+ | With Docker Compose plugin |
| Docker Compose | 2.x | Bundled with Docker Desktop |
| Go | 1.21+ | For compiling SecTL |
| Git | Any | For cloning and webhook use |
# 1. Clone the repository
git clone https://github.com/Debasish-87/ZeroTrustOps-Platform.git
cd ZeroTrustOps-Platform
# 2. Run the one-command installer
bash setup.shThe setup.sh script will automatically:
- ✅ Verify all prerequisites are installed
- ⚙️ Compile the SecTL binary from source
- 🐳 Build and start all Docker containers
- 🩺 Wait for all services to pass health checks
| Service | URL | Description |
|---|---|---|
| 📊 Dashboard | http://localhost:3000 | React UI — main interface |
| ⚡ API | http://localhost:8000 | FastAPI backend |
| 📖 API Reference | http://localhost:8000/docs | Swagger / OpenAPI docs |
# Step 1: Expose the local platform publicly via ngrok
ngrok http 8000In your GitHub repository → Settings > Webhooks > Add webhook:
| Field | Value |
|---|---|
| Payload URL | https://<your-ngrok-url>/webhook/github |
| Content type | application/json |
| Events | ✅ Push events |
Every subsequent git push will automatically trigger a full scan.
bash uninstall.shRemoves all containers, volumes, images, networks, and the
sectlbinary. Source code is not affected.
| Method | Endpoint | Description | Auth |
|---|---|---|---|
GET |
/health |
Health check — all services | — |
GET |
/api/stats |
Dashboard overview counts | — |
GET |
/api/repos |
List all connected repositories | — |
POST |
/api/repos |
Add a new repository | — |
DELETE |
/api/repos/:id |
Remove a repository | — |
GET |
/api/scans |
List recent scans | — |
GET |
/api/scans/:id |
Scan detail with all findings | — |
POST |
/api/scans/trigger |
Manually trigger a scan | — |
POST |
/webhook/github |
GitHub push webhook receiver | HMAC |
curl -X POST http://localhost:8000/api/scans/trigger \
-H "Content-Type: application/json" \
-d '{"repo_id": 1}'curl http://localhost:8000/api/scans/42 | jq '.findings[] | select(.severity == "CRITICAL")'ZeroTrustOps-Platform/
├── setup.sh # One-command installer
├── uninstall.sh # Complete cleanup script
├── docker-compose.yml # Service orchestration
│
├── sectl/ # Security CLI (Go)
│ ├── main.go
│ ├── cmd/ # scan, audit, verify, rules commands
│ │ ├── audit.go
│ │ ├── helpers.go
│ │ ├── root.go
│ │ ├── rules.go
│ │ ├── scan.go
│ │ └── verify.go
│ └── internal/
│ ├── scanner/ # K8s, Terraform, Helm analyzers + unit tests
│ │ ├── finding.go
│ │ ├── helm.go
│ │ ├── k8s.go
│ │ ├── k8s_test.go
│ │ ├── terraform.go
│ │ └── terraform_test.go
│ ├── posture/ # Live AWS account audit
│ │ └── aws.go
│ ├── supply/ # Container image supply chain checks
│ │ └── chain.go
│ └── report/ # Table, JSON, SARIF output renderers
│ └── render.go
│
├── platform/
│ ├── api/ # FastAPI backend
│ │ ├── main.py # Webhook handler, scan engine, REST API
│ │ ├── requirements.txt
│ │ └── Dockerfile
│ ├── web/ # React dashboard
│ │ ├── src/
│ │ │ ├── pages/ # Dashboard, Repositories, Scans, Setup
│ │ │ │ ├── Dashboard.jsx
│ │ │ │ ├── Repositories.jsx
│ │ │ │ ├── ScanDetail.jsx
│ │ │ │ ├── Scans.jsx
│ │ │ │ └── Setup.jsx
│ │ │ ├── components/
│ │ │ │ └── Layout.jsx
│ │ │ ├── App.jsx
│ │ │ └── main.jsx
│ │ └── Dockerfile
│ └── db/
│ └── init.sql # PostgreSQL schema
│
└── manifests/
├── dev/ # Hardened Kubernetes deployment example
│ ├── deployment.yaml
│ └── service.yaml
└── kyverno-policies/ # Admission control enforcement policies
├── disallow-latest-tag.yaml
├── disallow-privileged.yaml
└── require-resource-limits.yaml
Three cluster-wide admission control policies are included. All run in Enforce mode — they actively block non-compliant resources from entering the cluster.
| Policy | Mode | Enforcement |
|---|---|---|
disallow-latest-tag |
Enforce | Blocks containers using :latest or untagged images |
disallow-privileged |
Enforce | Blocks privileged containers, privilege escalation, host namespaces |
require-resource-limits |
Enforce | Requires CPU and memory requests and limits on all containers |
# Apply all Kyverno policies to your cluster
kubectl apply -f manifests/kyverno-policies/
# Verify policies are active
kubectl get clusterpolicyorganizations
└── repositories
└── scans
└── findings
Each finding record stores:
| Field | Type | Description |
|---|---|---|
tool |
text | sectl or gitleaks |
rule_id |
text | e.g. K8S-001, TF-IAM-001 |
severity |
text | CRITICAL, HIGH, MEDIUM, LOW |
category |
text | e.g. rbac, network, secrets |
title |
text | Short rule description |
description |
text | Full violation explanation |
file_path |
text | Relative path to the affected file |
remediation |
text | How to fix the violation |
# Unit tests for SecTL scanners
cd sectl
go test ./internal/scanner/... -v
# Run with race condition detection
go test -race ./internal/...
# Test against sample manifests
sectl scan ./sectl/testdata/k8s --type k8s
sectl scan ./sectl/testdata/terraform --type terraformTest data included:
| File | Purpose |
|---|---|
testdata/k8s/bad-deployment.yaml |
Triggers K8S rules |
testdata/k8s/good-deployment.yaml |
Should produce zero findings |
testdata/terraform/bad-infra.tf |
Triggers TF rules |
testdata/terraform/good-infra.tf |
Should produce zero findings |
Create a .env file in the project root (copied from .env.example):
# Database
POSTGRES_USER=zerotrust
POSTGRES_PASSWORD=changeme
POSTGRES_DB=zerotrust
# GitHub Webhook
GITHUB_WEBHOOK_SECRET=your-secret-here
# API
API_HOST=0.0.0.0
API_PORT=8000| Service | Internal Port | External Port | Configurable |
|---|---|---|---|
| Dashboard | 3000 | 3000 | ✅ |
| API | 8000 | 8000 | ✅ |
| PostgreSQL | 5432 | 5432 | ✅ |
- GitHub commit status API — report PASS/FAIL directly on pull requests
- Slack and Microsoft Teams webhook notifications
- Trivy container image vulnerability scanning
- Falco runtime threat detection
- SARIF upload to GitHub Advanced Security via API
- Multi-organization support
- Prometheus metrics endpoint (
/metrics) - Role-based access control (RBAC) for multi-team environments
- GitLab webhook support
Contributions are welcome! Here's how to get started:
# Fork and clone
git clone https://github.com/<your-handle>/ZeroTrustOps-Platform.git
cd ZeroTrustOps-Platform
# Create a feature branch
git checkout -b feature/my-new-rule
# Add your rule in sectl/internal/scanner/
# Add a test in the corresponding _test.go file
# Add test data in sectl/testdata/
# Run tests
go test ./...
# Submit a pull requestAdding a new SecTL rule: See sectl/internal/scanner/k8s.go or terraform.go for patterns. Each rule requires a RuleID, Severity, Title, Description, and Remediation.
A developer pushes a Kubernetes manifest with:
- privileged container enabled
- latest image tag
→ Scan triggers automatically
→ Critical issues detected
→ CI fails
→ Deployment is BLOCKED
Nothing insecure reaches production.
Most security tools only detect issues.
ZeroTrustOps enforces them.
If it's insecure, it doesn't deploy. Period.
Distributed under the Apache 2.0 License.
Debasish Mohanty
"Trust nothing. Scan everything. Deploy with confidence."
⭐ Star this repo if it helps secure your infrastructure! ⭐