List of best practices and standard End-to-End DevSecOps Pipeline
- Build
- Test
- SonarCloud
- Package: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
- Dockerize
- CodeQL (best run on all commits to any branch and on PRs)
- Dependency Review
- OpenSSF Security Scorecard
- StepSecurity for Actions and Harden-Runner: https://app.stepsecurity.io/
- OpenSSF Best Practices: https://www.bestpractices.dev/en
- Pre-commit hooks
- ESLint
- Prettier
- License
- Security insights provided natively by GitHub (CodeQL, Dependabot, etc.)
- RenovateBot
- Security Policies
- Up-to-date documentation
- Protected branches
- GitHub Community Standards (Insights tab)
- Signed releases: https://wiki.debian.org/Creating%20signed%20GitHub%20releases
- SBOM with Syft: https://github.com/anchore/syft