FortressCI is a secure-by-default DevSecOps platform blueprint designed to implement "Shift Left" security, automated pipelines, and infrastructure protection. It integrates best-in-class open source security tools to ensure your code and infrastructure are secure from day one.
Catch issues before they are committed.
- Secrets Detection: TruffleHog scans for hardcoded credentials.
- Code Quality: Standard hooks for trailing whitespace and file integrity.
- IaC Scanning: Checkov runs locally to catch Terraform/CloudFormation issues.
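The local stage above is wired up through `.pre-commit-config.yaml`. The configuration below is an added example of what that file can look like; it is not the repository's own file. It assumes `trufflehog` is already on `PATH` (a prerequisite listed later), and the `rev` tags are assumed versions that you should replace with releases you have vetted and pinned.

```yaml
# .pre-commit-config.yaml (added example, not the repository's own file)
repos:
  # Code quality: standard hygiene hooks for whitespace and file integrity
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.6.0          # assumed tag; pin to a release you have reviewed
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files

  # Secrets detection: runs the locally installed trufflehog binary against the
  # changes since HEAD (what is about to be committed) and fails the commit
  # when a verified live credential is found.
  - repo: local
    hooks:
      - id: trufflehog
        name: TruffleHog (verified secrets)
        entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
        language: system
        pass_filenames: false
        stages: [pre-commit]

  # IaC scanning: Checkov's own hook, triggered when Terraform/CloudFormation
  # files are part of the commit; --quiet prints only failed checks.
  - repo: https://github.com/bridgecrewio/checkov
    rev: 3.2.0           # assumed tag; pin to a release you have reviewed
    hooks:
      - id: checkov
        args: ["--quiet"]
```

The TruffleHog hook is declared as a `local` hook with `language: system` so that pre-commit does not try to build the scanner itself; the trade-off is that every developer must have the same binary installed, which is why it appears in the prerequisites.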
Automated checks on every push and pull request via GitHub Actions.
- Secret Scanning: TruffleHog deep scan on git history.
- SAST (Static Application Security Testing): Semgrep scans source code for vulnerabilities (OWASP Top 10).
- SCA (Software Composition Analysis): Snyk checks dependencies for known CVEs.
Secure your infrastructure and containers.
- IaC Scanning: Checkov scans Terraform, CloudFormation, and Kubernetes manifests.
- Container Security: Trivy scans Docker images for OS and library vulnerabilities.
- pre-commit installed.
- trufflehog installed locally.
- GitHub Repository with Actions enabled.
- Clone the repository:

  ```bash
  git clone https://github.com/your-org/FortressCI.git
  cd FortressCI
  ```

- Install Git Hooks:

  ```bash
  pre-commit install
  ```

- Test Locally: Try committing a dummy secret (e.g., `AWS_ACCESS_KEY_ID=AKIA...`) and watch TruffleHog block it.
- Secrets Configuration: Go to your GitHub Repository > Settings > Secrets and variables > Actions. Add the following secrets:
  - `SNYK_TOKEN`: Your Snyk API token (get it from snyk.io).
- Run the Pipeline: Push code to the `main` branch or open a Pull Request. The DevSecOps Pipeline workflow will automatically run.
```text
.
├── .github/workflows/
│   └── devsecops.yml           # Main CI/CD Pipeline definition
├── terraform/
│   └── main.tf                 # Sample Terraform file (for testing Checkov)
├── Dockerfile                  # Sample Dockerfile (for testing Trivy)
├── .pre-commit-config.yaml     # Local hook configuration
└── README.md                   # This documentation
```
| Tool | Type | Configuration Context |
|---|---|---|
| TruffleHog | Secrets | .pre-commit-config.yaml / devsecops.yml |
| Semgrep | SAST | devsecops.yml (auto-config) |
| Snyk | SCA | devsecops.yml (Node/Python/etc.) |
| Checkov | IaC | .pre-commit-config.yaml / devsecops.yml |
| Trivy | Containers | devsecops.yml |
To maximize the effectiveness of this platform, we recommend the following operational configurations:
Enable Branch Protection Rules on `main`:
- Require status checks to pass before merging: Select `Secret Scan`, `SAST`, `SCA`, `IaC Scan`, and `Container Scan`.
- Require pull request reviews before merging.
- Do not allow bypassing the above settings.
The pipeline is configured to run a Baseline Secret Scan weekly (Sundays at 00:00 UTC). This catches new vulnerability types or historical secrets that match rules added to the scanner rulesets since the last scan.
- Findings: All findings are output as SARIF and will appear in the GitHub Security > Code Scanning tab (if GitHub Advanced Security is enabled) or as downloadable Artifacts.
- Waivers: If a finding is a false positive, verify it locally, then add an entry to .security/waivers.yml with a justification and expiry date, and submit it for review.
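The workflow below is an added example of a `devsecops.yml` that implements the CI and infrastructure stages described earlier (TruffleHog, Semgrep, Snyk, Checkov, Trivy), the weekly baseline schedule, the five check names used in the branch protection rules, and SARIF upload to Code Scanning. It is not the repository's own workflow. Assumptions: the action references (`@main`, `@master`, `@v3`, `@v4`) are left floating only for readability and should be pinned; the application is a Node project (hence `snyk/actions/node`); the image is built from the sample `Dockerfile` under the constructed tag `fortressci-app:ci`.

```yaml
# .github/workflows/devsecops.yml (added example, not the repository's own workflow)
name: DevSecOps Pipeline

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 0 * * 0"     # weekly baseline scan: Sundays 00:00 UTC

permissions:
  contents: read
  security-events: write    # required to upload SARIF to Security > Code Scanning

jobs:
  secret-scan:
    name: Secret Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so TruffleHog can walk every commit
      - name: TruffleHog (git history)
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified

  sast:
    name: SAST
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep   # official image, semgrep on PATH
    steps:
      - uses: actions/checkout@v4
      - run: semgrep scan --config auto --sarif --output semgrep.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: semgrep.sarif

  sca:
    name: SCA
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Snyk dependency scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()          # upload findings even when the scan step failed the job
        with:
          sarif_file: snyk.sarif

  iac-scan:
    name: IaC Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkov (Terraform, CloudFormation, Kubernetes)
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          output_format: cli,sarif
          output_file_path: console,results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: results.sarif

  container-scan:
    name: Container Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t fortressci-app:ci .   # constructed tag for the sample image
      - name: Trivy image scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: fortressci-app:ci
          format: sarif
          output: trivy.sarif
          severity: CRITICAL,HIGH
          exit-code: "1"    # fail the check on critical/high findings
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy.sarif
```

Each scanner step is allowed to fail the job (so the branch protection check goes red), while the SARIF upload that follows it runs under `if: always()` so the findings still reach the Code Scanning tab. If GitHub Advanced Security is not available, replace the upload steps with `actions/upload-artifact` to expose the same SARIF files as downloadable artifacts.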
We use Cosign to sign container images, proving they were built by this trusted pipeline.
Setup:
- Run the helper script locally to generate keys:

  ```bash
  ./scripts/generate_keys.sh
  ```

- Add the generated `cosign.key` to GitHub Secrets as `COSIGN_PRIVATE_KEY`.
- (Optional) Add `COSIGN_PASSWORD` if you used a passphrase.
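The job below is an added example of how the signing step can be expressed in `devsecops.yml`; it is not the repository's own code. It assumes the helper script wraps `cosign generate-key-pair` (so `cosign.pub` is committed alongside the private key held in secrets), that images are pushed to GHCR under the placeholder name `ghcr.io/your-org/fortressci`, that the container scan job is called `container-scan`, and that the action references are pinned by you.

```yaml
# Added example job for devsecops.yml (not the repository's own code)
  sign-image:
    name: Sign Image
    runs-on: ubuntu-latest
    needs: [container-scan]        # assumed job id; only sign images that passed the scan
    permissions:
      contents: read
      packages: write              # push to ghcr.io with GITHUB_TOKEN
    env:
      IMAGE: ghcr.io/your-org/fortressci   # placeholder image name
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
      - uses: sigstore/cosign-installer@v3
      - name: Sign by digest (tags are mutable, digests are not)
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}   # empty if no passphrase
        run: |
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY \
            "${IMAGE}@${{ steps.build.outputs.digest }}"
      - name: Verify with the committed public key
        run: |
          cosign verify --key cosign.pub \
            "${IMAGE}@${{ steps.build.outputs.digest }}"
```

Signing the digest rather than the tag matters: a tag can be re-pointed at a different image after signing, a digest cannot. The verify step is the same command a deployment admission controller or a consumer would run, so it doubles as a check that the key pair in secrets matches the `cosign.pub` in the repository.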
A DAST scan attempts to attack the running application in the CI environment.
- Job: `dast-scan`
- Tools: OWASP ZAP Baseline Scan.
- Artifacts: HTML Report attached to the workflow run.
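An added example of the `dast-scan` job, not the repository's own code. It assumes the sample `Dockerfile` produces an application listening on port 8080 (a constructed value), that the ZAP action can reach `localhost` on the runner, and that the action version is pinned by you. The ZAP baseline action uploads its HTML, Markdown and JSON reports as a workflow artifact on its own.

```yaml
# Added example job for devsecops.yml (not the repository's own code)
  dast-scan:
    name: DAST Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and start the application on the runner
        run: |
          docker build -t fortressci-app:dast .          # constructed tag
          docker run -d --rm -p 8080:8080 --name app fortressci-app:dast
          # Wait until the app answers before pointing the scanner at it
          for i in $(seq 1 30); do
            curl -fsS http://localhost:8080/ >/dev/null && break
            sleep 2
          done
          curl -fsS http://localhost:8080/ >/dev/null   # fail fast if it never came up
      - name: OWASP ZAP baseline (passive) scan
        uses: zaproxy/action-baseline@v0.12.0           # assumed version; pin it
        with:
          target: http://localhost:8080
          allow_issue_writing: false    # keep findings in the report, not in GitHub issues
      - name: Stop the application
        if: always()
        run: docker stop app
```

The baseline scan only spiders and passively inspects responses, which is why it is safe to run on every pipeline execution; an active scan would need a dedicated environment and a separate job.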
This is a blueprint repository. Fork it and adapt the devsecops.yml to fit your specific build requirements (e.g., usually you would build your application before running the container scan).