Skip to content

v1.0.0 — Tested open-source GitHub Actions security pipeline

Latest

Choose a tag to compare

@rezmoss rezmoss released this 17 Jul 01:13
v1.0.0
66303a5

This first tested release turns Awesome Security Pipeline from a tool catalog into a runnable security-pipeline reference with reproducible evidence.

Added

  • A copyable GitHub Actions baseline using Gitleaks, Semgrep, OSV-Scanner, Trivy, Syft, and keyless Cosign.
  • Parallel secrets, SAST, dependency, and configuration gates followed by one immutable image build, package analysis, and trusted-event signing.
  • Per-job least-privilege permissions, pinned action revisions, checksum-verified tool downloads where upstream checksums are available, and native report retention.
  • Safe synthetic fixtures for reproducing secret, SAST, dependency, container, and Kubernetes findings without shipping the fixtures in the demo image.
  • A 10-minute quick start, project-type selection matrix, reference-stack rationale, and detailed implementation article.
  • Open-source GitHub Actions security-tool and SBOM-generator comparisons with explicit methodology and limitations.
  • A weekly SBOM compatibility benchmark with normalized monthly history, raw evidence retention, and regression checks.
  • Weekly repository-maintenance classification with public active, stale, unmaintained, and archived definitions.

Verified release evidence

  • The v1.0.0 tag run passed all seven jobs: Gitleaks, Semgrep, OSV-Scanner, Trivy configuration, immutable image build, SBOM/image analysis, and keyless Cosign signing.
  • Cosign verified the attached image against the GitHub Actions OIDC issuer and the exact certificate identity security-baseline.yml@refs/tags/v1.0.0.
  • The attached release evidence includes the exported image, immutable digest, CycloneDX SBOM, Trivy image SARIF, and Sigstore bundle. GitHub's recorded SHA-256 digests match the tag-run artifacts.
  • The Sigstore bundle contains one transparency-log entry and SHA-256 signature material.
  • The SBOM compatibility report preserves exact tool versions, tested fixtures, normalized results, and interpretation limits.

Start here

Important limits

A passing pipeline is not proof that an application is secure or compliant. The demo is not a detection-rate benchmark, and an SBOM component count is not a completeness or quality score. Fork permissions, organization policy, application languages, artifact formats, vulnerability thresholds, and evidence-retention requirements must be evaluated before adapting the baseline to production.