We have created a number of modules for running common tasks in CodePipeline.
These modules use scripts from the public container image gdscyber/cyber-security-cd-base-image.
The code for the image is here: https://github.com/alphagov/cyber-security-concourse-base-image
The image installs common requirements such as pyenv and tfenv.
It also has some helper scripts for common tasks such as assuming a role in an AWS account.
The modules let you specify a different container image, but the modules need the dependencies and helper scripts from the base image, so you would have to do a multi-stage container build that copies in the bin directory and installs the same dependencies.
If something like Terraform needs to retrieve a module from a private repository, this lets you set up an SSH config file with a read-only deploy key to use when fetching the module source.
These modules let you query the files changed by a recently merged PR so that you can decide whether tasks in the pipeline need to run.
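As an added example (not code from the alphagov modules or the base image), here is how a pipeline step could turn that changed-file list into a decision about which tasks to run. The task-to-path rules, the sample `git diff --name-status` output and the "run everything" paths are constructed, and diffing the merge commit against its first parent is an assumption about how the changed files are obtained.

```python
"""Decide which pipeline tasks must run from the files a merged PR changed.
Added example, not code from the alphagov modules; the diff sample, task rules
and 'run everything' paths below are constructed for illustration."""
import fnmatch

# Constructed: output of `git diff --name-status <merge>^1 <merge>` for a merge
# commit (first parent = the target branch before the merge).
SAMPLE_NAME_STATUS = """\
M\tlambda/src/requirements.txt
A\tlambda/src/handler.py
R100\tdocs/old-name.md\tdocs/new-name.md
D\tscripts/unused.sh
"""

# Constructed: a task runs only when some changed path matches one of its globs.
TASK_RULES: dict[str, list[str]] = {
    "terraform-plan": ["terraform/**", "*.tf"],
    "lambda-tests": ["lambda/**"],
    "docs-build": ["docs/**"],
}
# Constructed: a change to the pipeline definition itself invalidates every task.
RUN_EVERYTHING: list[str] = ["pipeline/**", "buildspec*.yml"]


def parse_name_status(output: str) -> set[str]:
    """Collect every path the diff touched. Renames (R<score>) and copies
    (C<score>) carry two paths; keep both so rules on either location fire."""
    paths: set[str] = set()
    for line in output.splitlines():
        if not line.strip():
            continue
        status, *names = line.split("\t")
        if status[0] in "RC" and len(names) == 2:
            paths.update(names)
        else:
            paths.add(names[0])
    return paths


def required_tasks(changed: set[str], rules: dict[str, list[str]] = TASK_RULES,
                   run_all: list[str] = RUN_EVERYTHING) -> set[str]:
    """Return the names of the tasks whose path rules match a changed file."""
    def hit(globs: list[str]) -> bool:
        # fnmatchcase's '*' also matches '/', so 'lambda/**' covers nested files.
        return any(fnmatch.fnmatchcase(p, g) for p in changed for g in globs)
    if hit(run_all):
        return set(rules)
    return {task for task, globs in rules.items() if hit(globs)}


if __name__ == "__main__":
    print(sorted(required_tasks(parse_name_status(SAMPLE_NAME_STATUS))))
```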
A role implementing the AWS SecurityAudit managed policy, plus a few additions, that trusts an intermediary role in the organization account.