A drop-in DevSecOps toolkit that bakes security into a repository from the first commit. It bundles
pre-commit hooks, secret scanning, container scanning, and Infrastructure-as-Code scanning, all
wired into a single GitHub Actions pipeline so problems are caught before they reach main.
Copy these files into any project to get a baseline security posture in minutes.
| Tool | Catches | Runs |
|---|---|---|
| pre-commit | Formatting, trailing whitespace, large files, bad merges | Locally on commit + in CI |
| gitleaks | Committed secrets (keys, tokens, passwords) | pre-commit + CI |
| Trivy | Vulns in container images, filesystems, dependencies | CI |
| tfsec | Insecure Terraform (open SGs, unencrypted storage) | pre-commit + CI |
| checkov | IaC misconfig across Terraform/CloudFormation/K8s | CI |
| hadolint | Dockerfile anti-patterns | pre-commit + CI |
```bash
# 1. Copy the configs into your repo
cp .pre-commit-config.yaml .gitleaks.toml .checkov.yaml .hadolint.yaml /path/to/your/repo/
mkdir -p /path/to/your/repo/.github/workflows
cp .github/workflows/devsecops.yml /path/to/your/repo/.github/workflows/

# 2. Install and enable pre-commit
pip install pre-commit
pre-commit install

# 3. Run against all files once
pre-commit run --all-files
```

From then on, the hooks run automatically on every commit, and the `devsecops.yml` workflow runs the
full scan suite on every push and pull request.
```text
pre-commit (local) ──► push / PR ──► ┌─ gitleaks (secrets)
                                     ├─ tfsec + checkov (IaC)
                                     ├─ hadolint (Dockerfiles)
                                     └─ trivy (fs + image vulns)
```
Any finding fails the build, so insecure code can't be merged silently.
```text
.
├── .pre-commit-config.yaml   # Hook definitions
├── .gitleaks.toml            # Secret-scanning rules/allowlist
├── .checkov.yaml             # Checkov config (skips, framework selection)
├── .hadolint.yaml            # Dockerfile lint rules
└── .github/workflows/
    └── devsecops.yml         # Full CI security suite
```
- Add false-positive secret patterns to the allowlist in `.gitleaks.toml`.
- Suppress specific checks via `skip-check` in `.checkov.yaml` or inline `#tfsec:ignore:` comments.
- Pin tool versions in CI for reproducible results.
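For reference, here is an added example of the hook definitions a `.pre-commit-config.yaml` for this setup can hold; it is illustrative and not the toolkit's own file. Every `rev:` is a placeholder to be pinned to a verified release tag (the local counterpart of pinning tool versions in CI), and the large-file threshold is an assumed value.

```yaml
# Added example of .pre-commit-config.yaml for the local half of the pipeline
# (not the toolkit's own file). Each rev: is a placeholder; pin it to a release
# tag you have verified so local and CI runs use the same tool versions.
repos:
  # Hygiene hooks: whitespace, EOF newline, leftover merge markers, big blobs
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: vX.Y.Z  # placeholder
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-merge-conflict
      - id: check-added-large-files
        args: ["--maxkb=500"]  # assumed threshold: reject blobs over 500 KB

  # Secret scanning of staged changes; gitleaks reads .gitleaks.toml from the
  # repo root, so allowlist entries added there apply here and in CI alike
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z  # placeholder
    hooks:
      - id: gitleaks

  # Terraform static analysis; needs the tfsec binary on PATH and honours
  # inline #tfsec:ignore: comments
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: vX.Y.Z  # placeholder
    hooks:
      - id: terraform_tfsec

  # Dockerfile linting; hadolint picks up .hadolint.yaml automatically.
  # The `hadolint` id expects the binary on PATH; `hadolint-docker` runs it
  # in a container instead if you prefer not to install it locally.
  - repo: https://github.com/hadolint/hadolint
    rev: vX.Y.Z  # placeholder
    hooks:
      - id: hadolint
```

After editing the file, `pre-commit autoupdate` will replace the placeholder revisions with the latest tags, which you should then review and commit.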
MIT