This first tested release turns Awesome Security Pipeline from a tool catalog into a runnable security-pipeline reference with reproducible evidence.
Added
- A copyable GitHub Actions baseline using Gitleaks, Semgrep, OSV-Scanner, Trivy, Syft, and keyless Cosign.
- Parallel secrets, SAST, dependency, and configuration gates followed by one immutable image build, package analysis, and trusted-event signing.
- Per-job least-privilege permissions, pinned action revisions, checksum-verified tool downloads where upstream checksums are available, and native report retention.
- Safe synthetic fixtures for reproducing secret, SAST, dependency, container, and Kubernetes findings without shipping the fixtures in the demo image.
- A 10-minute quick start, project-type selection matrix, reference-stack rationale, and detailed implementation article.
- Open-source GitHub Actions security-tool and SBOM-generator comparisons with explicit methodology and limitations.
- A weekly SBOM compatibility benchmark with normalized monthly history, raw evidence retention, and regression checks.
- Weekly repository-maintenance classification with public active, stale, unmaintained, and archived definitions.
Verified release evidence
- The
v1.0.0tag run passed all seven jobs: Gitleaks, Semgrep, OSV-Scanner, Trivy configuration, immutable image build, SBOM/image analysis, and keyless Cosign signing. - Cosign verified the attached image against the GitHub Actions OIDC issuer and the exact certificate identity
security-baseline.yml@refs/tags/v1.0.0. - The attached release evidence includes the exported image, immutable digest, CycloneDX SBOM, Trivy image SARIF, and Sigstore bundle. GitHub's recorded SHA-256 digests match the tag-run artifacts.
- The Sigstore bundle contains one transparency-log entry and SHA-256 signature material.
- The SBOM compatibility report preserves exact tool versions, tested fixtures, normalized results, and interpretation limits.
Start here
- Run the 10-minute quick start
- Read the measured implementation
- Inspect the GitHub Actions tool comparison
- Inspect the SBOM tool comparison
Important limits
A passing pipeline is not proof that an application is secure or compliant. The demo is not a detection-rate benchmark, and an SBOM component count is not a completeness or quality score. Fork permissions, organization policy, application languages, artifact formats, vulnerability thresholds, and evidence-retention requirements must be evaluated before adapting the baseline to production.