A production-ready CI/CD pipeline template with integrated security scanning,
infrastructure as code, and policy enforcement.
Quick Start • Architecture • Features • Customization • Contributing
The Secure Pipeline Template provides a hardened, opinionated foundation for deploying containerized services. Security gates are embedded directly into the CI/CD pipeline so that vulnerabilities, misconfigurations, and secrets are caught before they reach production.
Every commit is scanned with six independent security tools. Infrastructure is defined as code and validated against custom OPA policies. Deployments target either a local Docker Compose stack or AWS ECS Fargate with minimal configuration changes.
Supported environments: AWS, on-premise, or local — out of the box.
- Overview
- Architecture
- Features
- Prerequisites
- Quick Start
- Running Security Scans Locally
- Pipeline Stages
- Security Scanning Thresholds
- Repository Structure
- Technology Stack
- Customizing for Your Project
- Contributing
- Security Disclosure
- License
graph LR
A[Developer Push] --> B[Lint & SAST]
B --> C[SCA & Secrets]
C --> D[Build & Image Scan]
D --> E[Policy Check]
E --> F[Deploy Staging]
F --> G[Deploy Production]
subgraph Security Gates
B
C
D
E
end
subgraph Runtime
H[Nginx TLS Proxy]
I[Flask App]
J[(ALB / ECS)]
end
F --> J
G --> J
H --> I
- Nginx handles TLS termination, HTTP-to-HTTPS redirection, rate limiting, and security headers.
- Flask application runs as a non-root user inside a read-only container.
- AWS infrastructure uses private subnets, VPC flow logs, encrypted S3 buckets, and IAM roles with least privilege.
| Layer | Tools | Purpose |
|---|---|---|
| SAST | Semgrep | Static analysis on every push |
| SCA | Trivy | Dependency vulnerability scanning |
| Container | Trivy, Hadolint | Image scanning + Dockerfile linting |
| Secrets | Gitleaks | Pre-commit and CI secret detection |
| IaC | Checkov, Trivy | Terraform misconfiguration scanning |
| Policy | OPA / Conftest | Custom Rego policy enforcement |
| Infrastructure | Terraform | AWS ECS Fargate (optional) |
| Local / On-prem | Docker Compose + Nginx | TLS, rate limiting, hardened containers |
| Monitoring | CloudWatch or stdout logs | Security alerts and audit logging |
- Docker — for local and on-premise deployments
- Terraform >= 1.5 — for AWS deployments
- AWS CLI — for AWS deployments
# 1. Generate self-signed TLS certificates (or bring your own)
./scripts/generate-certs.sh
# 2. Build and start the stack
docker compose up -d --build
# 3. Verify the deployment
curl -k https://localhost/healthzNginx handles TLS termination, HTTP-to-HTTPS redirect, rate limiting, and security headers. The app container runs as non-root with a read-only filesystem.
# 1. Configure Terraform variables
cp terraform/environments/dev/terraform.tfvars.example terraform/environments/dev/terraform.tfvars
# Edit terraform.tfvars with your AWS account details
# 2. Initialize and deploy
cd terraform/environments/dev
terraform init && terraform plan && terraform apply# Install pre-commit hooks (secret detection, linting)
./scripts/setup-hooks.sh
# Run all scans (SAST, SCA, container, IaC, policy)
./scripts/scan.shThe scan script auto-skips tools that are not installed and reports which checks ran.
push → lint → SAST → SCA → build → image-scan → policy-check → deploy-staging → deploy-prod
Every stage acts as a gate — a failure in any security stage blocks deployment.
Configured in .github/workflows/ci.yml:
| Severity | Behavior |
|---|---|
| CRITICAL / HIGH | Pipeline fails; deployment is blocked |
| MEDIUM | Warning; logged to SARIF report |
| LOW / INFO | Logged only; does not block deployment |
├── .github/workflows/ CI/CD pipeline definitions
├── app/ Sample application (Python/Flask)
├── docker/
│ ├── Dockerfile Multi-stage, non-root, read-only
│ └── nginx.conf TLS, rate limiting, security headers
├── docker-compose.yml Local / on-premise deployment
├── terraform/
│ ├── modules/ Reusable infrastructure modules (VPC, ECS, ALB)
│ └── environments/ Per-environment configurations
├── policies/
│ ├── opa/ Rego policies for infrastructure
│ └── conftest/ Dockerfile and container policies
└── scripts/
├── scan.sh Run all security scans locally
├── setup-hooks.sh Install git pre-commit hooks
├── generate-certs.sh Generate self-signed TLS certificates
└── deploy.sh Deploy to local, staging, or production
- Runtime: Python 3, Flask, Gunicorn
- Proxy: Nginx
- Containerization: Docker, Docker Compose
- Cloud: AWS (ECS Fargate, ALB, VPC, S3, CloudWatch)
- IaC: Terraform
- Security: Semgrep, Trivy, Hadolint, Gitleaks, Checkov, Conftest, OPA
- CI/CD: GitHub Actions
- Replace the sample app in
app/with your service. - Update
docker/Dockerfilefor your runtime. - Adjust the Nginx configuration in
docker/nginx.conffor your domain. - Add project-specific policies in
policies/. - Tune Semgrep rules in
.semgrep.ymlfor your stack. - (Optional) Configure
terraform/environments/for AWS.
Contributions are welcome. Please open an issue to discuss significant changes before submitting a pull request.
- Fork the repository.
- Create a short-lived feature branch from
main:git checkout -b feature/my-change main
- Commit your changes.
- Push to your fork.
- Open a pull request against the
mainbranch.
All contributions must pass the security pipeline.
If you discover a security vulnerability in this project, please open a private security advisory via GitHub rather than a public issue. We take security seriously and will respond promptly.
This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0).
Copyright (C) 2026 secure-pipeline-template contributors
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.