Zion Boggan
repos/security-portfolio/secure-cicd-pipeline/index.html
zionboggan.com ↗
Code Commits Tags
296 lines · html
History for this file →
1
<!doctype html>
2
<html lang="en">
3
<head>
4
<meta charset="utf-8">
5
<meta name="viewport" content="width=device-width, initial-scale=1.0">
6
<title>Secure CI/CD Pipeline | Zion Boggan</title>
7
<meta name="description" content="A GitHub Actions pipeline that gates every merge on four security checks, SAST, secret scanning, dependency audit, and tests, with custom Semgrep rules and findings routed back to the SOC.">
8
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
9
<style>
10
  :root{
11
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
12
    --line:#222936; --line2:#2c3543;
13
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
14
    --accent:#6cc7b8; --accent-dim:#274b47;
15
    --maxw:1020px;
16
  }
17
  *{box-sizing:border-box;}
18
  html{scroll-behavior:smooth;}
19
  body{margin:0;background:var(--bg);color:var(--ink);
20
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
21
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
22
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
23
  a{color:var(--accent);text-decoration:none;}
24
  a:hover{color:#8fe0d2;}
25
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
26
27
  /* nav */
28
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
29
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
30
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
31
  nav .brand{font-weight:600;letter-spacing:.2px;}
32
  nav .brand .dot{color:var(--accent);}
33
  nav .links{display:flex;gap:26px;font-size:13.5px;}
34
  nav .links a{color:var(--muted);}
35
  nav .links a:hover{color:var(--ink);}
36
  @media(max-width:680px){nav .links{display:none;}}
37
38
  /* hero */
39
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
40
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
41
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
42
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
43
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
44
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
45
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
46
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
47
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
48
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
49
  .hero .lede b{color:var(--ink);font-weight:600;}
50
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
51
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
52
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
53
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
54
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
55
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
56
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
57
  .meta .mono{color:var(--faint);}
58
59
  /* sections */
60
  section{padding:64px 0;border-bottom:1px solid var(--line);}
61
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
62
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
63
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
64
  .shead .rule{flex:1;height:1px;background:var(--line);}
65
66
  /* flagship */
67
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
68
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
69
  .flag .top{padding:30px 32px 8px;}
70
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
71
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
72
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
73
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
74
  .flag p{color:var(--soft);margin:0 0 16px;}
75
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
76
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
77
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
78
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
79
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
80
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
81
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
82
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
83
  .spec li:first-child{border-top:none;}
84
  .spec li span{color:var(--muted);}
85
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
86
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
87
88
  /* lab cards */
89
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
90
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
91
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
92
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
93
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
94
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
95
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
96
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
97
  .card h3{margin:0 0 9px;font-size:17px;}
98
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
99
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
100
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
101
    border-radius:5px;padding:3px 8px;}
102
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
103
  .card .lnk::after{content:" โ†’";}
104
105
  /* research */
106
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
107
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
108
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
109
    padding:18px 22px;border-top:1px solid var(--line);}
110
  .ritem:first-child{border-top:none;}
111
  .ritem:hover{background:var(--panel);}
112
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
113
  .ritem h3{margin:0 0 3px;font-size:16px;}
114
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
115
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
116
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
117
  .progs{margin-top:22px;}
118
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
119
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
120
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
121
    border-radius:6px;padding:4px 10px;}
122
123
  /* credentials */
124
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
125
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
126
  .cred p{color:var(--soft);margin:0 0 14px;}
127
  .cred .role{font-size:14px;color:var(--muted);}
128
  .cred .role b{color:var(--ink);font-weight:600;}
129
  .certs{list-style:none;margin:0;padding:0;}
130
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
131
    display:flex;gap:10px;align-items:baseline;}
132
  .certs li:first-child{border-top:none;}
133
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
134
135
  footer{padding:46px 0 64px;}
136
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
137
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
138
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
139
140
  /* detail pages */
141
  .detail-hero{padding:40px 0 28px;}
142
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:22px;font-family:ui-monospace,Menlo,monospace;}
143
  .back:hover{color:var(--ink);}
144
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
145
  .detail-hero h1{font-size:clamp(28px,5vw,42px);margin:0 0 12px;letter-spacing:-.6px;}
146
  .detail-hero .tagline{font-size:clamp(16px,2.2vw,19px);color:var(--soft);max-width:780px;margin:0 0 18px;}
147
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(148px,1fr));gap:12px;margin-top:24px;}
148
  figure{margin:0;}
149
  .shot{border:1px solid var(--line2);border-radius:12px;overflow:hidden;background:#fff;margin:30px 0 6px;}
150
  .shot img,.shot video{display:block;width:100%;height:auto;}
151
  figcaption{font-size:13px;color:var(--muted);margin:11px 2px 0;}
152
  .content{padding:6px 0 0;}
153
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:44px 0 16px;font-weight:600;border-top:1px solid var(--line);padding-top:30px;}
154
  .content h2.first{border-top:none;padding-top:6px;margin-top:18px;}
155
  .content p{color:var(--soft);margin:0 0 16px;}
156
  .content ul,.content ol{color:var(--soft);margin:0 0 16px;padding-left:22px;}
157
  .content li{margin:6px 0;}
158
  .content strong{color:var(--ink);font-weight:600;}
159
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:13px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
160
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
161
  .content pre code{background:none;border:none;padding:0;font-size:12.5px;color:var(--soft);line-height:1.62;}
162
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.5px;}
163
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
164
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
165
  .content td code{font-size:12px;}
166
  .gallery{margin-top:8px;}
167
  .repo-line{margin:42px 0 0;color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace;}
168
</style>
169
<link rel="canonical" href="https://zionboggan.com/secure-cicd-pipeline/">
170
<meta name="author" content="Zion Boggan">
171
<meta name="robots" content="index, follow, max-image-preview:large">
172
<meta property="og:type" content="article">
173
<meta property="og:site_name" content="Zion Boggan">
174
<meta property="og:title" content="Secure CI/CD Pipeline | Zion Boggan">
175
<meta property="og:description" content="A GitHub Actions pipeline that gates every merge on four security checks, SAST, secret scanning, dependency audit, and tests, with custom Semgrep rules and findings routed back to the SOC.">
176
<meta property="og:url" content="https://zionboggan.com/secure-cicd-pipeline/">
177
<meta property="og:image" content="https://zionboggan.com/assets/secure-cicd-pipeline/01-semgrep-sast.png">
178
<meta name="twitter:card" content="summary_large_image">
179
<meta name="twitter:title" content="Secure CI/CD Pipeline | Zion Boggan">
180
<meta name="twitter:description" content="A GitHub Actions pipeline that gates every merge on four security checks, SAST, secret scanning, dependency audit, and tests, with custom Semgrep rules and findings routed back to the SOC.">
181
<meta name="twitter:image" content="https://zionboggan.com/assets/secure-cicd-pipeline/01-semgrep-sast.png">
182
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Secure CI/CD Pipeline","description":"A GitHub Actions pipeline that gates every merge on four security checks, SAST, secret scanning, dependency audit, and tests, with custom Semgrep rules and findings routed back to the SOC.","url":"https://zionboggan.com/secure-cicd-pipeline/","image":"https://zionboggan.com/assets/secure-cicd-pipeline/01-semgrep-sast.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
183
</head>
184
<body>
185
<nav><div class="wrap">
186
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
187
  <span class="links">
188
    <a href="/#oversight">Oversight</a>
189
    <a href="/#labs">Labs</a>
190
    <a href="/#research">Research</a>
191
    <a href="/#background">Background</a>
192
    <a href="/">Home</a>
193
  </span>
194
</div></nav>
195
<header class="hero detail-hero"><div class="wrap">
196
  <a class="back" href="/#labs">&larr; All work</a>
197
  <div class="kicker">SECURE CI/CD</div>
198
  <h1>Secure CI/CD Pipeline</h1>
199
  <p class="tagline">A GitHub Actions pipeline that gates every merge on four security checks, SAST, secret scanning, dependency audit, and tests, with custom Semgrep rules and findings routed back to the SOC.</p>
200
  <div class="tags"><span>GitHub Actions</span><span>Semgrep</span><span>gitleaks</span><span>pip-audit</span><span>ruff</span><span>pytest</span><span>SARIF</span><span>Flask</span><span>Python</span><span>Shuffle SOAR</span></div>
201
  <div class="facts"><div class="stat"><div class="n">4</div><div class="k">Pre-merge security gates</div></div><div class="stat"><div class="n">4</div><div class="k">Custom Semgrep rules</div></div><div class="stat"><div class="n">5</div><div class="k">Passing pytest tests</div></div><div class="stat"><div class="n">3</div><div class="k">Upstream Semgrep packs (default, python, flask)</div></div><div class="stat"><div class="n">2</div><div class="k">Least-privilege workflow permissions</div></div></div>
202
  <div class="cta" style="margin-top:24px"></div>
203
</div></header>
204
<section><div class="wrap">
205
  <figure class="shot"><img loading="lazy" src="/assets/secure-cicd-pipeline/01-semgrep-sast.png" alt="The four custom Semgrep rules firing on a deliberately vulnerable file - every finding is blocking, so the SAST gate fails the pipeline before merge."></figure><figcaption>The four custom Semgrep rules firing on a deliberately vulnerable file, every finding is blocking, so the SAST gate fails the pipeline before merge.</figcaption>
206
  <div class="content">
207
  <h2>The four gates</h2>
208
<p>A cheap <code>ruff</code> lint runs first as fail-fast. The three security scans then fan out in parallel via <code>needs: lint</code>, the test job waits on all three, and the SOC notification runs last with <code>if: always()</code> so failures are reported too, not just green runs. The workflow holds only <code>contents: read</code> and <code>security-events: write</code>.</p><pre><code>jobs:
209
  lint:
210
    runs-on: ubuntu-latest
211
    steps:
212
      - uses: actions/checkout@v4
213
      - uses: actions/setup-python@v5
214
        with:
215
          python-version: "3.11"
216
      - run: pip install ruff==0.6.9
217
      - run: ruff check .
218
219
  sast:
220
    runs-on: ubuntu-latest
221
    needs: lint
222
    steps:
223
      - uses: actions/checkout@v4
224
      - uses: returntocorp/semgrep-action@v1
225
        with:
226
          config: >-
227
            p/default
228
            p/python
229
            p/flask
230
            .semgrep/rules.yml
231
          generateSarif: "1"</code></pre><table><thead><tr><th>Job</th><th>Tool</th><th>What it stops</th></tr></thead><tbody><tr><td><code>lint</code></td><td>ruff</td><td>Style plus the <code>S</code> security rule set</td></tr><tr><td><code>sast</code></td><td>Semgrep</td><td>OWASP/Flask packs plus four custom rules</td></tr><tr><td><code>secrets</code></td><td>gitleaks</td><td>Committed credentials, full history on PRs</td></tr><tr><td><code>dependencies</code></td><td>pip-audit</td><td>Pinned packages with known advisories</td></tr><tr><td><code>test</code></td><td>pytest</td><td>Regressions, with coverage reported</td></tr></tbody></table>
232
<h2>Custom Semgrep rules</h2>
233
<p>The upstream packs (<code>p/default</code>, <code>p/python</code>, <code>p/flask</code>) catch the common cases; <code>.semgrep/rules.yml</code> adds four rules for patterns that kept slipping through. Three are <code>ERROR</code> severity and block the merge; the <code>0.0.0.0</code> bind is a <code>WARNING</code> nudge to confirm intent.</p><pre><code>rules:
234
  - id: flask-debug-true
235
    languages: [python]
236
    severity: ERROR
237
    message: Running Flask with debug=True exposes the Werkzeug debugger and allows remote code execution.
238
    patterns:
239
      - pattern: $APP.run(..., debug=True, ...)
240
241
  - id: subprocess-shell-true
242
    languages: [python]
243
    severity: ERROR
244
    message: subprocess call with shell=True and a non-literal argument is a command injection risk.
245
    patterns:
246
      - pattern: subprocess.$FN(..., shell=True, ...)
247
      - pattern-not: subprocess.$FN("...", shell=True, ...)</code></pre><p>The <code>subprocess</code> rule uses a <code>pattern-not</code> to exempt fully-literal command strings, so it only fires when an attacker-controllable argument reaches the shell. The fourth rule, <code>jwt-decode-without-verification</code>, matches both <code>verify=False</code> and an <code>options</code> dict that disables <code>verify_signature</code>, the two ways a forged token gets accepted.</p>
248
<h2>Secret + dependency scanning</h2>
249
<p>The <code>secrets</code> job checks out with <code>fetch-depth: 0</code> so gitleaks scans the full history on a pull request, not just the tip commit, and runs against a project config that extends the defaults with a generic API-key rule plus an allowlist for test fixtures and documented placeholders:</p><pre><code>[[rules]]
250
id = "generic-api-key"
251
description = "Generic API key assignment"
252
regex = '''(?i)(api[_-]?key|secret|token)["'\s:=]{1,4}[a-z0-9]{24,}'''
253
keywords = ["api_key", "apikey", "secret", "token"]</code></pre><p>The dependency gate runs <code>pip-audit -r requirements.txt --strict --desc</code> against the pinned manifest. <code>--strict</code> fails the build on any package carrying a known advisory and <code>--desc</code> prints the advisory text into the log, so the diff between a passing and failing run is a single pinned version.</p>
254
<h2>SARIF and the Security tab</h2>
255
<p>Semgrep is invoked with <code>generateSarif: "1"</code> and the SARIF file is uploaded through <code>github/codeql-action/upload-sarif@v3</code> with <code>if: always()</code>, so findings surface under the repository's Security tab and as inline pull-request annotations rather than living only in the job log. Uploading on <code>always()</code> means a failing SAST run still publishes its findings instead of swallowing them when the step exits non-zero.</p>
256
<h2>SOC notifier</h2>
257
<p>The final <code>notify-soc</code> job posts the run outcome, repository, commit, actor, status, and a link back to the run, to a Shuffle webhook, passing <code>PIPELINE_STATUS: ${{ needs.test.result }}</code> so the payload reflects whether the gates actually passed. The notifier in <code>scripts/notify_soc.py</code> uses only the Python standard library, validates the webhook is an http(s) URL, and degrades gracefully: if <code>SHUFFLE_WEBHOOK_URL</code> is unset the job no-ops instead of failing the build.</p><pre><code>def main():
258
    hook = os.environ.get("SHUFFLE_WEBHOOK_URL")
259
    if not hook:
260
        print("SHUFFLE_WEBHOOK_URL not set, skipping SOC notification")
261
        return 0
262
    if not hook.lower().startswith(("https://", "http://")):
263
        print("SHUFFLE_WEBHOOK_URL must be an http(s) URL", file=sys.stderr)
264
        return 1
265
    event = build_event()
266
    body = json.dumps(event).encode("utf-8")
267
    req = request.Request(
268
        hook, data=body, headers={"Content-Type": "application/json"}, method="POST"
269
    )</code></pre><p>A network failure reaching the webhook returns <code>0</code> on purpose, the SOC being unreachable should not flip an otherwise-green build red. In the homelab this webhook feeds a SOC automation lab, so a failed security gate opens a TheHive case the same way a Wazuh alert does.</p>
270
<h2>The sample app + tests</h2>
271
<p>The target is a minimal Flask task API, health, list, create, fetch, and delete endpoints backed by a lock-guarded in-memory store. Five <code>pytest</code> tests cover the happy path plus the edge cases that matter for an API: missing required fields return <code>400</code>, unknown task IDs return <code>404</code>, and deletes return <code>204</code>. The store is reset between tests so each runs against a clean fixture.</p><pre><code>def test_delete(client):
272
    created = client.post("/tasks", json={"title": "temp"}).get_json()["task"]
273
    assert client.delete(f"/tasks/{created['id']}").status_code == 204
274
    assert client.get(f"/tasks/{created['id']}").status_code == 404
275
276
277
def test_missing_task(client):
278
    assert client.get("/tasks/999").status_code == 404</code></pre><p>The app itself binds to <code>127.0.0.1</code> and never sets <code>debug=True</code>, so it passes its own custom Semgrep rules, the rules are written against the mistakes the app deliberately avoids.</p>
279
<h2>What fails the build</h2>
280
<p>Each gate fails the run for a concrete, reproducible reason, and because every gate is its own job the red check names the cause directly:</p><ul><li><code>lint</code>, ruff finds a style violation or an <code>S</code> security-rule hit</li><li><code>sast</code>, any <code>ERROR</code>-severity Semgrep finding, custom or upstream (<code>debug=True</code>, <code>shell=True</code> on non-literal input, <code>jwt.decode</code> without verification)</li><li><code>secrets</code>, gitleaks matches a credential anywhere in PR history that is not allowlisted</li><li><code>dependencies</code>, <code>pip-audit --strict</code> hits a pinned package with a known advisory</li><li><code>test</code>, any of the five pytest tests regresses</li></ul><p>Running <code>make all</code> executes the same chain locally, <code>lint sast secrets deps test</code>, given <code>semgrep</code> and <code>gitleaks</code> on the PATH and the rest pip-installed by <code>make install</code>, so a developer sees the same failure before pushing that the pipeline would surface after.</p>
281
  </div>
282
  <div class="gallery"><figure class="shot"><img loading="lazy" src="/assets/secure-cicd-pipeline/02-pip-audit-deps.png" alt="pip-audit failing the dependency gate on a pinned package with a known advisory."></figure><figcaption>pip-audit failing the dependency gate on a pinned package with a known advisory.</figcaption></div>
283
  <p class="repo-line">Repository &middot; github.com/zionboggan/secure-cicd-pipeline</p>
284
</div></section>
285
<footer><div class="wrap row">
286
  <div class="links">
287
    <a href="/">Portfolio</a>
288
    <a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a>
289
    <a href="https://oversightprotocol.dev/">Oversight</a>
290
    <a href="mailto:zionboggan0@gmail.com">Email</a>
291
  </div>
292
  <div class="note">Built and deployed on a self-hosted Proxmox homelab. This page mirrors the
293
  project's documentation and results so the work is fully viewable here.</div>
294
</div></footer>
295
</body>
296
</html>