Research Project: Assessing the effectiveness of open-source DevOps security tools across the entire SDLC by testing their ability to detect/prevent real-world CVEs.

To answer the critical question: Can security tools effectively catch bugs at different SDLC stages before they become CVEs in production?

This project tests 25+ open-source security tools against 30+ real-world CVEs to determine:

- Which tools provide the best CVE prevention coverage
- At which SDLC stage vulnerabilities are most effectively caught
- What's the optimal minimal viable toolset for different organization sizes
- What vulnerability classes still require human review or custom policies
```
devops_rp/
├── tools/                      # Tool organization by SDLC stage
│   ├── development/            # IDE plugins, linters
│   ├── pre-commit/             # Git hooks, fast scanners
│   ├── ci-cd/                  # Pipeline integration
│   ├── pre-deploy/             # Admission control, policies
│   ├── runtime/                # Runtime security
│   └── supporting/             # SBOM, secrets, licenses
│
├── vulnerable-configs/         # Recreated CVE configurations
│   ├── kubernetes/             # K8s CVE configs
│   ├── terraform/              # IaC CVE configs
│   ├── ansible/                # Config management CVEs
│   ├── docker/                 # Container CVEs
│   ├── github-actions/         # CI/CD pipeline CVEs
│   └── source-code/            # Application code CVEs
│
├── policies/                   # Custom OPA/Rego policies
│   ├── kubernetes/             # K8s custom policies
│   ├── terraform/              # Terraform policies
│   ├── ansible/                # Ansible policies
│   └── ci-cd/                  # CI/CD security policies
│
├── scripts/                    # Automated testing scripts
│   ├── run_development_scan.sh # Development stage
│   ├── run_precommit_scan.sh   # Pre-commit stage
│   ├── run_cicd_scan.sh        # CI/CD stage
│   ├── run_predeploy_scan.sh   # Pre-deploy stage
│   ├── run_all_stages.sh       # Master orchestration
│   └── verify_tools.sh         # Tool verification
│
├── results/                    # Scan outputs by stage
│   ├── development/
│   ├── pre-commit/
│   ├── ci-cd/
│   ├── pre-deploy/
│   └── aggregated/
│
├── cve_tracking.csv            # Main prevention tracking matrix
├── tools_catalog.csv           # Tool metadata & feasibility scores
└── README.md                   # This file
```
- Semgrep - SAST for custom patterns & logic flaws
- Bandit - Python security scanning
- gosec - Go security analysis
- ESLint - JavaScript/TypeScript linting
- ShellCheck - Shell script analysis
- ansible-lint - Ansible best practices
- Checkov - IaC security (Terraform, K8s, Docker)
- Trivy - Multi-scanner (containers, IaC, secrets)
- tfsec - Terraform-specific security
- Hadolint - Dockerfile best practices
- Gitleaks - Secret detection
- detect-secrets - Secret baseline scanning
- yamllint - YAML validation
- KICS - Multi-IaC scanning (50+ platforms)
- Terrascan - OPA-based IaC policies
- Grype - Vulnerability scanning
- Syft - SBOM generation
- OSV-Scanner - Open Source Vulnerabilities DB
- TruffleHog - Deep secret scanning
- Kubescape - K8s security posture
- Kubesec - K8s manifest scoring
- Polaris - K8s best practices validation
- OPA/Conftest - Policy-as-code engine
- Datree - K8s policy enforcement
- Kyverno - K8s-native policies
- Falco - Runtime threat detection
- OWASP ZAP - Dynamic application security
- Nuclei - Template-based vulnerability scanning
All 25+ tools pre-packaged in a single container!

```bash
# 1. Build the container (one-time, ~5-10 minutes)
./docker-quickstart.sh
# Choose option 1: Build the container image

# 2. Run interactive scanner shell
./docker-quickstart.sh
# Choose option 2: Run interactive shell

# Inside container, run any scan:
./scripts/run_precommit_scan.sh
./scripts/run_all_stages.sh
```

Or using docker-compose directly:

```bash
# Build the image
docker-compose build

# Run interactive shell
docker-compose run --rm devsecops-scanner

# Run all scans (non-interactive)
docker-compose run --rm devsecops-scanner /workspace/scripts/run_all_stages.sh
```

Benefits:

- Zero manual tool installation
- Consistent environment across all systems
- Reproducible results
- No dependency conflicts
- Easy to share and distribute

Image Details:

- Base: Ubuntu 22.04
- Size: ~2-3GB (includes all tools)
- Tools: 25+ pre-installed and verified
- Mount points: `vulnerable-configs/`, `results/`, `policies/`
If you prefer to install tools directly on your system:

```bash
# Check which tools are installed
./scripts/verify_tools.sh
```

Python-based tools:

```bash
pip install checkov bandit semgrep ansible-lint detect-secrets yamllint
```

Binary tools (macOS/Linux via Homebrew):

```bash
brew install trivy tfsec hadolint gitleaks shellcheck
brew install kubescape terrascan
```

Go tools:

```bash
go install github.com/securego/gosec/v2/cmd/gosec@latest
go install github.com/trufflesecurity/trufflehog/v3@latest
```

Container-based tools:

```bash
# KICS, Kubesec, etc. run via Docker
docker pull checkmarx/kics
```

Additional tools:

```bash
# Grype & Syft
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh

# OSV-Scanner
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
```

Single stage:

```bash
# Development stage (fast, IDE-accessible)
./scripts/run_development_scan.sh

# Pre-commit stage (<30s target)
./scripts/run_precommit_scan.sh

# CI/CD stage (comprehensive, 2-5 min)
./scripts/run_cicd_scan.sh

# Pre-deploy stage (policy enforcement)
./scripts/run_predeploy_scan.sh
```

All stages:

```bash
# Run complete multi-stage analysis
./scripts/run_all_stages.sh
```

Results are organized by SDLC stage in the `results/` directory:

```bash
# View development stage results
ls -lh results/development/

# View CI/CD stage results
ls -lh results/ci-cd/

# Check aggregated findings
cat results/aggregated/summary.txt
```

The project includes real-world vulnerable configurations for CVEs including:
| CVE ID | Tool/Project | Type | SDLC Catch Stage |
|---|---|---|---|
| CVE-2025-1974 | ingress-nginx | K8s Admission Exposure | Pre-Commit, CI/CD, Pre-Deploy |
| CVE-2024-8775 | Ansible | Secret Exposure | Pre-Commit, CI/CD |
| CVE-2025-13357 | Vault TF Provider | LDAP Auth Bypass | Pre-Commit, CI/CD |
| CVE-2025-49013 | GitHub Actions | Script Injection | Pre-Commit, CI/CD |
| CVE-2024-23652 | BuildKit | Path Traversal | Pre-Commit, CI/CD |
| CVE-2024-21626 | runc | Container Escape | CI/CD (scanning), Runtime |
| CVE-2024-6385 | GitLab | Pipeline Execution | Pre-Commit, CI/CD |
Full list: See cve_tracking.csv for 30+ CVEs with metadata.
- Install all 25+ security tools across SDLC stages
- Create comprehensive CVE catalog with vulnerable versions
- Recreate vulnerable configurations for each testable CVE
- Run stage-specific scans (Development → Pre-Commit → CI/CD → Pre-Deploy)
- Document detection results for each tool-CVE combination
- Measure feasibility metrics (scan time, false positives, complexity)
- Calculate CVE prevention effectiveness by stage
- Identify tool coverage gaps
- Create custom policies for undetected CVEs
- Generate ROI-based tool recommendations
- Populate `cve_tracking.csv` with complete prevention data
- Document tool feasibility scores in `tools_catalog.csv`
- Create final feasibility assessment report
- Generate implementation roadmap
- `cve_tracking.csv` - Complete prevention effectiveness matrix
  - CVE detection by tool and SDLC stage
  - Prevention confidence scores
  - Integration complexity ratings
- `tools_catalog.csv` - Tool feasibility assessment
  - Integration complexity (1-5 scale)
  - Scan speed metrics
  - False positive rates
  - Developer friction scores
  - CVE detection coverage percentages
- Custom Policies (`policies/`) - OPA/Rego policies for tool gaps
  - CVE-specific detection rules
  - Best practice enforcement
- Scan Results (`results/`) - Raw tool outputs by SDLC stage
  - Aggregated findings
  - Performance metrics
- Feasibility Report
  - Overall CVE prevention statistics
  - SDLC stage effectiveness analysis
  - Tool ROI rankings
  - Recommended minimal viable toolset
  - Implementation roadmap by organization size
- Q: What percentage of CVEs would be caught by standard tools?
  - Measure: Detection rate across 30+ CVEs
- Q: Which stage catches the most CVEs earliest?
  - Measure: Prevention by stage (Development, Pre-Commit, CI/CD, Pre-Deploy, Runtime)
- Q: Which tools provide best value (coverage vs. complexity)?
  - Measure: Detection coverage / (Integration complexity + False positive rate)
- Q: What vulnerability classes require custom policies?
  - Measure: CVEs undetected by any standard tool
- Q: What's the minimal viable toolset?
  - Measure: Smallest tool combination achieving 80%+ coverage
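Each of these measures is a mechanical computation once `cve_tracking.csv` and `tools_catalog.csv` are populated. The script below is an added worked example, not one of the project's own scripts: it loads a constructed stand-in for both CSV files (the column names `cve_id`, `tool`, `stage`, `integration_complexity` and `false_positive_rate` are assumptions about those files, and the detection rows, the tool ratings and the placeholder `CVE-EXAMPLE-0001` are made-up data, not measured results), then computes the per-stage detection rate, the cumulative fraction of CVEs caught at or before each stage, the coverage / (complexity + false-positive rate) value score, the CVEs no tool caught, and the smallest tool combination reaching 80% coverage by exhaustive search, breaking ties by lowest summed integration complexity.

```python
"""Scoring tools and choosing a minimal viable toolset from a detection matrix.

Added example; not part of the project's scripts. All data below is
CONSTRUCTED for illustration, and the CSV column names are an assumption
about cve_tracking.csv and tools_catalog.csv.
"""
import csv
import io
from itertools import combinations

# SDLC stages in pipeline order; "earliest" means lowest index.
STAGES = ["Development", "Pre-Commit", "CI/CD", "Pre-Deploy", "Runtime"]

# Constructed stand-in for cve_tracking.csv: one row per (CVE, tool, stage)
# detection. CVE-EXAMPLE-0001 is a placeholder for a CVE no tool caught.
TRACKING_CSV = """cve_id,tool,stage
CVE-2025-1974,Checkov,Pre-Commit
CVE-2025-1974,Trivy,CI/CD
CVE-2025-1974,Conftest,Pre-Deploy
CVE-2024-8775,ansible-lint,Pre-Commit
CVE-2024-8775,Conftest,CI/CD
CVE-2025-49013,Semgrep,Development
CVE-2024-23652,Hadolint,Pre-Commit
CVE-2024-21626,Trivy,CI/CD
CVE-2024-21626,Falco,Runtime
CVE-2024-6385,Checkov,CI/CD
CVE-2025-13357,Trivy,CI/CD
CVE-EXAMPLE-0001,,
"""

# Constructed stand-in for tools_catalog.csv (complexity on the 1-5 scale,
# false-positive rate as a fraction of findings). Not measured values.
CATALOG_CSV = """tool,integration_complexity,false_positive_rate
Checkov,2,0.15
Trivy,2,0.10
Semgrep,3,0.10
ansible-lint,1,0.05
Hadolint,1,0.02
Conftest,4,0.00
Falco,5,0.20
"""


def load_tracking(text):
    """Return (cves, detections): detections is a set of (cve, tool, stage)
    triples; a row with an empty tool column records an undetected CVE."""
    cves, detections = set(), set()
    for row in csv.DictReader(io.StringIO(text)):
        cves.add(row["cve_id"])
        if row["tool"]:
            detections.add((row["cve_id"], row["tool"], row["stage"]))
    return cves, detections


def load_catalog(text):
    """Map tool -> (integration_complexity, false_positive_rate)."""
    return {row["tool"]: (int(row["integration_complexity"]),
                          float(row["false_positive_rate"]))
            for row in csv.DictReader(io.StringIO(text))}


def detection_rate_by_stage(cves, detections):
    """Fraction of CVEs caught at each stage (a CVE counts once per stage)."""
    return {stage: len({c for c, _, s in detections if s == stage}) / len(cves)
            for stage in STAGES}


def earliest_stage(detections):
    """Earliest pipeline stage at which each detected CVE is caught."""
    earliest = {}
    for cve, _, stage in detections:
        if cve not in earliest or STAGES.index(stage) < STAGES.index(earliest[cve]):
            earliest[cve] = stage
    return earliest


def cumulative_prevention(cves, detections):
    """Fraction of CVEs caught at or before each stage."""
    first = earliest_stage(detections)
    return {stage: sum(1 for s in first.values() if STAGES.index(s) <= i) / len(cves)
            for i, stage in enumerate(STAGES)}


def undetected(cves, detections):
    """CVEs missed by every tool: candidates for custom policies."""
    return cves - {c for c, _, _ in detections}


def tool_value(cves, detections, catalog):
    """Value score = detection coverage / (integration complexity + FP rate)."""
    scores = {}
    for tool, (complexity, fpr) in catalog.items():
        coverage = len({c for c, t, _ in detections if t == tool}) / len(cves)
        scores[tool] = coverage / (complexity + fpr)
    return scores


def minimal_toolset(cves, detections, catalog, target=0.8):
    """Smallest tool combination reaching `target` coverage (exhaustive search);
    ties broken by lowest summed complexity. None if the target is unreachable."""
    covered_by = {t: {c for c, tt, _ in detections if tt == t} for t in catalog}
    for size in range(1, len(catalog) + 1):
        candidates = []
        for combo in combinations(sorted(catalog), size):
            caught = set().union(*(covered_by[t] for t in combo))
            if len(caught) / len(cves) >= target:
                candidates.append((sum(catalog[t][0] for t in combo), combo))
        if candidates:
            return min(candidates)[1]
    return None


if __name__ == "__main__":
    cves, dets = load_tracking(TRACKING_CSV)
    cat = load_catalog(CATALOG_CSV)
    for stage, rate in cumulative_prevention(cves, dets).items():
        print(f"{stage:<12} caught at or before: {rate:.0%}")
    print("undetected (need custom policy):", sorted(undetected(cves, dets)))
    scores = tool_value(cves, dets, cat)
    print("best value tool:", max(scores, key=scores.get))
    print("minimal toolset for 80% coverage:", minimal_toolset(cves, dets, cat))
```

With the constructed data the search has to keep five tools to reach 80%, because four of the detectable CVEs are caught by exactly one tool each; the same exhaustive search over the real 25+ tools is still cheap because the catalog is small, but a greedy set-cover approximation is the usual fallback if it grows.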
```
$ ./scripts/run_all_stages.sh
=========================================
DevSecOps CVE Prevention Assessment
Multi-Stage Security Scanning
=========================================

┌─────────────────────────────────────────┐
│ Stage 1/4: Development Stage            │
└─────────────────────────────────────────┘
[1/7] Running Semgrep (SAST)...
[2/7] Running Bandit (Python)...
...
✓ Development stage scanning complete

┌─────────────────────────────────────────┐
│ Stage 2/4: Pre-Commit Stage             │
└─────────────────────────────────────────┘
[1/7] Running Checkov...
[2/7] Running Trivy...
...
✓ Pre-commit stage scanning complete
Scan time: 24s

┌─────────────────────────────────────────┐
│ Stage 3/4: CI/CD Build Stage            │
└─────────────────────────────────────────┘
[1/15] Running Checkov...
[2/15] Running Trivy Config Scanner...
...
✓ CI/CD stage scanning complete
Scan time: 3m 42s

┌─────────────────────────────────────────┐
│ Stage 4/4: Pre-Deploy Stage             │
└─────────────────────────────────────────┘
[1/6] Running Conftest (K8s policies)...
...
✓ Pre-deploy stage scanning complete

=========================================
✓ All stages complete!
=========================================
Total scan time: 5m 12s
Results: results/
CSV Tracking: cve_tracking.csv
=========================================
```

```rego
# policies/kubernetes/cve-2025-1974-admission-exposure.rego
package kubernetes.admission.cve_2025_1974

deny[msg] {
    input.kind == "Service"
    contains(lower(input.metadata.name), "admission")
    input.spec.type == "LoadBalancer"
    msg := "CVE-2025-1974: Admission controller must not be LoadBalancer type"
}
```

```rego
# policies/ansible/cve-2024-8775-no-log.rego
package ansible.security.cve_2024_8775

deny[msg] {
    task := input.tasks[_]
    task.include_vars
    not task.no_log == true
    msg := "CVE-2024-8775: include_vars without no_log may expose vault secrets"
}
```

This is a research project. To contribute:

- Add new CVE test cases to `vulnerable-configs/`
- Create corresponding OPA policies in `policies/`
- Update `cve_tracking.csv` with new CVE metadata
- Document findings and update feasibility scores
This project is for research and educational purposes. All CVE data is sourced from public databases (NVD, GitHub Security Advisories, vendor disclosures).
Next steps (container workflow):

- [x] Setup Complete - Project structure ready
- [ ] Build Container - Run `./docker-quickstart.sh` (option 1)
- [ ] Add More CVEs - Expand vulnerable-configs with remaining 25+ CVEs
- [ ] Run Tests - Use `./docker-quickstart.sh` (option 3) or run scans interactively
- [ ] Analyze Results - Populate `cve_tracking.csv` with findings
- [ ] Final Report - Generate feasibility assessment and recommendations

Next steps (manual installation workflow):

- [x] Setup Complete - Project structure and initial tools configured
- [ ] Install Tools - Run `./scripts/verify_tools.sh` and install missing tools
- [ ] Add More CVEs - Expand vulnerable-configs with remaining 25+ CVEs
- [ ] Run Tests - Execute `./scripts/run_all_stages.sh`
- [ ] Analyze Results - Populate `cve_tracking.csv` with findings
- [ ] Final Report - Generate feasibility assessment and recommendations

Project Status: Initial framework complete. Ready for tool installation and CVE expansion.

Last Updated: 2026-01-30