{"product_id":"compliance-as-code-opa-sentinel","title":"Compliance as Code OPA + Sentinel","description":"\u003ch3\u003eCompliance as Code OPA + Sentinel\u003c\/h3\u003e\n\u003cp\u003eSecurity scanning bolted onto the end of a pipeline is theater. I learned this at Lockheed Martin, where a scan running after deployment means vulnerabilities are already in production by the time the report appears in someone's inbox three days later. At Cigna, a dependency vulnerability in a healthcare data pipeline went unpatched for 4 months because the security scan was an optional, non-blocking step that developers skipped when they were behind on sprint deadlines. This template makes security a blocking gate at every stage — not a post-mortem checkbox.\u003c\/p\u003e\n\n\u003cp\u003eThis GitHub Actions workflow implements a full DevSecOps pipeline with security scanning at five distinct points: code commit, dependency resolution, container build, infrastructure template, and runtime configuration.\u003c\/p\u003e\n\n\u003ch3\u003ePipeline Stages\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cstrong\u003esecret-detection\u003c\/strong\u003e — \u003ccode\u003etrufflesecurity\/trufflehog@v3.63.0\u003c\/code\u003e scans the full git history (not just the diff) for API keys, database passwords, JWT secrets, and cloud credentials. Runs first because leaked secrets invalidate everything else.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003esast\u003c\/strong\u003e — \u003ccode\u003egithub\/codeql-action\/analyze@v3\u003c\/code\u003e for CodeQL analysis across JavaScript, Python, Go, Java, and C#. Custom query packs add rules for OWASP Top 10: SQL injection, XSS, SSRF, path traversal, insecure deserialization.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003edependency-scan\u003c\/strong\u003e — \u003ccode\u003eactions\/dependency-review-action@v4\u003c\/code\u003e checks new dependencies added in PRs against the GitHub Advisory Database. Blocks PRs that introduce known-vulnerable packages. \u003ccode\u003eossf\/scorecard-action@v2.3.1\u003c\/code\u003e evaluates dependency health.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eiac-scan\u003c\/strong\u003e — \u003ccode\u003ebridgecrewio\/checkov-action@v12\u003c\/code\u003e scans Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles. Over 1,000 built-in policies covering AWS, Azure, and GCP misconfigurations.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003econtainer-scan\u003c\/strong\u003e — \u003ccode\u003eaquasecurity\/trivy-action@0.24.0\u003c\/code\u003e scans built images for OS and application vulnerabilities. Severity gate blocks on CRITICAL and HIGH. SARIF output feeds GitHub Security tab.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003elicense-compliance\u003c\/strong\u003e — \u003ccode\u003efossas\/fossa-action@v1\u003c\/code\u003e checks dependency licenses against an approved list. Blocks copyleft licenses (GPL, AGPL) in commercial projects. Generates attribution document for legal.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003edast\u003c\/strong\u003e — \u003ccode\u003ezaproxy\/action-full-scan@v0.10.0\u003c\/code\u003e runs OWASP ZAP against the deployed staging environment. Finds XSS, CSRF, insecure headers, and authentication bypasses that static analysis cannot detect.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003ereport-aggregate\u003c\/strong\u003e — Consolidates all scan results into a single GitHub issue with severity counts, affected files, and remediation links. Tags the security team for CRITICAL findings.\u003c\/li\u003e\n\u003c\/ul\u003e\n\n\u003ch3\u003eWhat Each Gate Catches\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cstrong\u003eTruffleHog\u003c\/strong\u003e — AWS access keys, GCP service account JSON, Stripe API keys, database connection strings, SSH private keys, Slack webhooks.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eCodeQL\u003c\/strong\u003e — SQL injection via string concatenation, XSS via unsanitized output, SSRF via user-controlled URLs, path traversal via unsanitized file paths.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eCheckov\u003c\/strong\u003e — Public S3 buckets, security groups with 0.0.0.0\/0 ingress, unencrypted EBS volumes, IAM policies with \u003ccode\u003e*\u003c\/code\u003e resources, missing CloudTrail logging.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eTrivy\u003c\/strong\u003e — CVE-2024-class vulnerabilities in base image OS packages, outdated npm\/pip dependencies with known exploits, embedded credentials in image layers.\u003c\/li\u003e\n\u003c\/ul\u003e\n\n\u003ch3\u003eEnvironment Matrix\u003c\/h3\u003e\n\u003cp\u003eEvery scan runs on every PR — no exceptions, no skip labels. SAST and secret detection run in parallel to minimize pipeline duration. Container scanning runs after build. DAST runs against staging after deployment. Production deployment is gated on zero CRITICAL findings across all scanners.\u003c\/p\u003e\n\n\u003ch3\u003eCommon Failures\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cstrong\u003eCodeQL timeout on large repositories\u003c\/strong\u003e — Repositories with 500K+ lines of code exceed the 2-hour CodeQL analysis limit. Fix: configure \u003ccode\u003epaths\u003c\/code\u003e and \u003ccode\u003epaths-ignore\u003c\/code\u003e in the CodeQL config to exclude generated code, vendor directories, and test fixtures.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eTrivy false positives on distroless images\u003c\/strong\u003e — Distroless base images report vulnerabilities in packages that are not actually installed (only metadata remains). Fix: use \u003ccode\u003e--ignore-unfixed\u003c\/code\u003e flag and maintain a \u003ccode\u003e.trivyignore\u003c\/code\u003e file reviewed monthly.\u003c\/li\u003e\n\u003cli\u003e\n\u003cstrong\u003eZAP scan hitting rate limits\u003c\/strong\u003e — The DAST scan sends thousands of requests that trigger WAF rate limiting, causing false positive connection errors. Fix: configure ZAP's request-per-second limit and whitelist the scanner's IP in the WAF rules for the staging environment only.\u003c\/li\u003e\n\u003c\/ul\u003e","brand":"Citadel Cloud Management","offers":[{"title":"Default Title","offer_id":54890412802339,"sku":"CCM-DEV-038","price":49.0,"currency_code":"USD","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0979\/8539\/7027\/files\/citadel-devops-product_ddae0a43-0b24-4d87-a568-76809b6da689.jpg?v=1775137937","url":"https:\/\/www.citadelcloudmanagement.com\/products\/compliance-as-code-opa-sentinel","provider":"Citadel Cloud Management","version":"1.0","type":"link"}