VisionOra/devsecops-security-framework
DevSecOps Security Framework (Generic & Reusable)

🛡️ Purpose

This repository acts as a centralized security hub for all of your projects. Instead of copying security scripts and workflows into every repository, you manage them here and call them remotely as reusable workflows. Every project in your organization then follows the same security standards and automatically picks up rule changes made here.

🚀 Key Features (Phase 1)

This framework implements the "Big Four" of early-stage DevSecOps:

  1. SAST (Static Analysis): Uses Semgrep with custom rules to find bugs and vulnerabilities in your code. Results are uploaded to the GitHub Security Tab.
  2. SCA (Software Composition Analysis): Scans third-party libraries for known vulnerabilities based on the language you specify.
  3. Secrets Detection: Uses Gitleaks to prevent API keys, tokens, and passwords from being committed to your history.
  4. Container Security: Uses Trivy to scan Docker images (if a Dockerfile exists) or the repository filesystem for misconfigurations.

🛠️ How to Use This in Your Project

You don't need to copy code. Just create a small workflow file in your project repository.

1. Create the workflow file

In your project repo, create .github/workflows/security-scan.yml.

2. Add the following content:

Replace {OWNER} with your GitHub username or organization name.

name: Security Pipeline

on:
  push:
    branches: [ main, master ]
  pull_request:
    branches: [ main, master ]

jobs:
  security-center:
    # Calling the remote framework
    uses: {OWNER}/devsecops-security-framework/.github/workflows/security.yml@main
    with:
      language: 'python' # Specify your language: javascript, python, go, java, etc.

🏗️ Technical Architecture

  • security.yml: The master orchestrator. It expects a language input and triggers all sub-scans.
  • sast.yml: Configured with SARIF output for native GitHub Security integration.
  • dependency.yml: Dynamically installs required tools (safety, govulncheck, etc.) before scanning.
  • container.yml: Smart logic that builds Docker images if a Dockerfile is found, otherwise scans the FS.
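As an added illustration (not the repository's own file), this is the shape the orchestrator security.yml can take: a reusable workflow exposing the language input, declaring the two permissions listed under Prerequisites, and fanning out to the sub-workflows named above. The {OWNER} placeholder, the sub-workflow filenames and the job names are assumptions; the secrets-detection job is omitted because the page does not name its workflow file.

```yaml
# Hypothetical sketch of security.yml (added example, not the repository's file).
# Callers reference it with `uses:` and pass `language`; it never runs on push itself.
name: Security Center

on:
  workflow_call:
    inputs:
      language:
        description: "Project language, e.g. python, javascript, go, java"
        required: true
        type: string

# Least privilege: only what the scanners need. The caller's GITHUB_TOKEN must
# grant at least these, since a called workflow cannot exceed the caller's grants.
permissions:
  contents: read
  security-events: write

jobs:
  sast:
    # Semgrep with SARIF upload to the Security tab (sast.yml)
    uses: {OWNER}/devsecops-security-framework/.github/workflows/sast.yml@main
    with:
      language: ${{ inputs.language }}

  dependencies:
    # Language-specific SCA tooling is installed inside dependency.yml
    uses: {OWNER}/devsecops-security-framework/.github/workflows/dependency.yml@main
    with:
      language: ${{ inputs.language }}

  container:
    # Trivy: builds and scans the image if a Dockerfile exists, else scans the filesystem
    uses: {OWNER}/devsecops-security-framework/.github/workflows/container.yml@main
```

Pinning the sub-workflows to a tag or commit SHA instead of @main gives consumers a reproducible scan configuration; @main is kept here to match the caller snippet above.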

⚙️ Prerequisites

For Private Repositories

If the framework or the calling project lives in a private repository:

  1. Go to the DevSecOps Framework Repository Settings.
  2. Navigate to Actions > General.
  3. Scroll down to Workflow permissions.
  4. Enable "Accessible from repositories in the same organization" or similar cross-repo access settings.

Permissions

The framework automatically requests the following permissions to work:

  • contents: read (to scan code)
  • security-events: write (to post results to the Security Tab)

About

This repository holds the initial Phase 1 DevSecOps implementation: a set of scanning workflows that other projects call to perform SAST, dependency scanning, secrets scanning and image scanning.
