Skill UI

This comprehensive guide details how to design and implement an end-to-end DevSecOps pipeline leveraging GitLab CI/CD. It integrates crucial automated security checks—such as SAST, DAST, container scanning, dependency scanning, and secret detection—directly into the development workflow. By adopting this approach, teams can effectively 'shift left' security, identifying and mitigating vulnerabilities early in the development lifecycle to ensure compliance and robust application security.

A comprehensive solution for identifying and preventing the accidental commitment of exposed AWS credentials, API keys, and session tokens within source code, configuration files, and git history. It integrates TruffleHog and git-secrets into CI/CD pipelines and pre-commit hooks, providing critical protection against credential theft and unauthorized cloud access in a DevSecOps environment. Essential for security auditing and compliance.

This guide details how to implement comprehensive API security testing using the 42Crunch platform. It performs static audits of OpenAPI specifications (API Audit) and dynamic vulnerability scanning (Conformance Scan) against live APIs. Supports integration into CI/CD pipelines to proactively discover OWASP API Top 10 vulnerabilities, enabling a Shift-Left security approach.

Learn how to implement robust container security by integrating the open-source Trivy scanner (from Aqua Security) into your CI/CD pipelines. This guide covers scanning container images, Kubernetes manifests, IaC files, and code repositories to detect critical vulnerabilities, misconfigurations, secrets, and generating Software Bill of Materials (SBOM) for comprehensive supply chain security.

A comprehensive guide for integrating DevSecOps practices into CI/CD pipelines. It automates security testing by incorporating Static Application Security Testing (SAST), Dependency/IaC Scanning (SCA), Secrets Detection, and Dynamic Application Security Testing (DAST). Use this workflow to shift security left, enforce compliance, and establish security gates that block vulnerable deployments.

This skill guides the implementation of automated security scanning for Infrastructure as Code (IaC) templates using industry-leading tools like Checkov and tfsec. It focuses on integrating security checks into CI/CD pipelines to detect misconfigurations (e.g., public buckets, open ports) in Terraform, CloudFormation, and Kubernetes manifests before they reach production, thereby enforcing policy-based governance and securing the development lifecycle.

This skill covers implementing Open Policy Agent (OPA) and Gatekeeper for robust policy-as-code enforcement. Learn to write complex Rego policies, deploy OPA Gatekeeper as a Kubernetes admission controller, and integrate policy evaluation into CI/CD pipelines to enforce security and compliance across clusters.

This skill guides the integration of gitleaks and trufflehog into CI/CD pipelines. It automates the detection of hardcoded secrets, such as API keys, passwords, and tokens, preventing their accidental deployment. By integrating scans as a mandatory pre-deployment gate, organizations enforce strong security policies and maintain compliance.

In-toto is a CNCF standard project used to verify the integrity of software supply chains. It generates cryptographically signed attestations (link metadata) at every stage of the CI/CD pipeline, proving exactly what artifacts were produced and who authorized the process. This is crucial for securing container builds and ensuring compliance against tampering.

This skill guides the integration of OWASP ZAP for Dynamic Application Security Testing (DAST) directly into CI/CD pipelines. Learn how to perform baseline, full, and API scans against running applications, interpret complex security findings, tune scan policies, and establish automated security quality gates in modern CI/CD platforms like GitHub Actions and GitLab CI. Essential for DevSecOps practices.

This skill guides developers through integrating Static Application Security Testing (SAST) tools like CodeQL and Semgrep into GitHub Actions CI/CD pipelines. It covers automating code scanning on pull requests and pushes, tuning rules to reduce false positives, uploading SARIF results, and establishing quality gates to prevent vulnerable code from merging into production.

Automates the static security analysis of Android APK/AAB files using the Mobile Security Framework (MobSF). This skill identifies critical vulnerabilities such as hardcoded secrets, insecure permissions, weak cryptography, and structural flaws (mapping to OWASP Mobile Top 10) without requiring application execution. It is essential for integrating security gates into CI/CD pipelines, performing pre-release quality assurance, and enhancing penetration testing coverage.