farhanashrafdev
diff --git a/‎.config/.markdown-lint.yml‎
Lines changed: 30 additions & 0 deletions b/‎.config/.markdown-lint.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/master.yml‎
Lines changed: 43 additions & 0 deletions b/‎.github/workflows/master.yml‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 1 deletion b/‎.gitignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 77 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 77 additions & 0 deletions
diff --git a/‎LICENSE.md‎
Lines changed: 4 additions & 4 deletions b/‎LICENSE.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 55 additions & 42 deletions b/‎README.md‎
Lines changed: 55 additions & 42 deletions
@@ -0,0 +1,30 @@
+---
+default: true
+MD004:
+  style: dash
+MD007:
+  indent: 2
+  start_indented: false
+MD013:
+  code_block_line_length: 80
+  heading_line_length: 99
+  line_length: 1600
+  code_blocks: false
+  headings: true
+  stern: false
+  strict: false
+  tables: false
+MD025:
+  level: 1
+  front_matter_title: ""
+MD033:
+  allowed_elements: [a, br, p, img]
+MD041:
+  level: 1
+  front_matter_title: ""
+MD044:
+  code_blocks: false
+MD046:
+  style: fenced
+MD048:
+  style: backtick
@@ -0,0 +1,43 @@
+---
+name: CI - Master
+
+on: # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+
+  pre-commit:
+    name: Run pre-commit
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: '3.13'
+
+      - name: Set python environment variable
+        run: |
+          echo "PY=$(python -VV | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
+
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit | ${{ env.PY }} | ${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Run pre-commit
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
@@ -2,4 +2,4 @@
 .DS_Store
 ._.DS_Store
 **/.DS_Store
-**/._.DS_Store
+**/._.DS_Store
@@ -0,0 +1,77 @@
+---
+# pre-commit install --allow-missing-config &&  pre-commit autoupdate && pre-commit run --all-files --color auto
+exclude: |
+  (?x)^(
+    old-versions/.*
+  )
+fail_fast: true
+default_stages:
+  - pre-commit
+default_language_version:
+  python: python3.13
+default_install_hook_types:
+  - commit-msg
+  - pre-commit
+ci:
+  autoupdate_schedule: monthly
+repos:
+  - repo: meta
+    hooks:
+      - id: identity
+        name: "meta | pre-commit hooks"
+        stages:
+          - manual
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-added-large-files
+        name: "git | block large files"
+        args: [--maxkb=2048]
+      - id: check-json
+        name: "general | check JSON files"
+      - id: check-toml
+        name: "general | check TOML files"
+      - id: check-xml
+        name: "general | check XML files"
+      - id: check-yaml
+        name: "general | check YAML files"
+      - id: end-of-file-fixer
+        name: "general | fix end of file"
+      - id: forbid-new-submodules
+        name: "git | forbid new submodules"
+      - id: forbid-submodules
+        name: "git | forbid submodules usage"
+      - id: mixed-line-ending
+        name: "general | fix line ending"
+        args:
+          - --fix=auto
+      - id: pretty-format-json
+        name: "general | prettify JSON files"
+        args:
+          - --autofix
+          - --no-ensure-ascii
+      - id: trailing-whitespace
+        name: "general | remove trailing whitespace"
+  - repo: local
+    hooks:
+      - id: pin-github-action
+        name: "gh-action | lint: pinned sha"
+        files: ^\.github/workflows/[^/]+\.ya?ml$
+        entry: "pin-github-action ."
+        language: node
+        additional_dependencies:
+          - pin-github-action@3.4.0
+        stages:
+          - manual
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.45.0
+    hooks:
+      - id: markdownlint
+        name: "md | lint: run markdownlint-cli"
+        args:
+          - --config
+          - .config/.markdown-lint.yml
+        exclude: |
+          (?x)^(
+            doc-utilities/scripts/toc.md
+          )
@@ -2,12 +2,12 @@
 
 This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
 
-## You are free to:
+## You are free to
 
 - **Share** — copy and redistribute the material in any medium or format
 - **Adapt** — remix, transform, and build upon the material for any purpose, even commercially.
 
-## Under the following terms:
+## Under the following terms
 
 - **Attribution** — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
 
@@ -17,10 +17,10 @@ This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 Intern
 
 - You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
 
-## Notices:
+## Notices
 
 You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.
 
 No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may need to be obtained before you use the material.
 
-For more details, see the [full text](https://creativecommons.org/licenses/by-sa/4.0/legalcode) of the license.
+For more details, see the [full text](https://creativecommons.org/licenses/by-sa/4.0/legalcode) of the license.
@@ -1,33 +1,37 @@
 # OWASP DevSecOps Guideline
-The OWASP DevSecOps Guideline explains how we can implement a secure pipeline and use best practices and introduce tools that we can use in this matter. Also, the project is trying to help us promote the shift-left security culture in our development process.  
+
+The OWASP DevSecOps Guideline explains how we can implement a secure pipeline and use best practices and introduce tools that we can use in this matter. Also, the project is trying to help us promote the shift-left security culture in our development process.
 This project helps any companies of each size that have a development pipeline or, in other words, have a DevOps pipeline.
-We try to draw a perspective of a secure DevOps pipeline during this project and then improve it based on our customized requirements.  
+We try to draw a perspective of a secure DevOps pipeline during this project and then improve it based on our customized requirements.
 
 The Ideal goal is **"detect security issues (by design or application vulnerability) as early as possible."**
 
 ## Initial steps
+
 DevSecOps is all about putting security into DevOps. But to keep up with the pace of CI/CD, security has to be injected early into software writing and testing.
 
 ![DevSecOps cycle](/assets/images/DevSecOps-cycle.png)
 
-[OWASP Proactive Controls](https://owasp.org/www-project-proactive-controls/) lists the top 10 security controls every developer has to implement while coding any application. Consider this set as the starting point when you have to design, write or test code in the DevSecOps cycle. 
+[OWASP Proactive Controls](https://owasp.org/www-project-proactive-controls/) lists the top 10 security controls every developer has to implement while coding any application. Consider this set as the starting point when you have to design, write or test code in the DevSecOps cycle.
 
 You can also follow the [OWASP Software Assurance Maturity Model (SAMM)](https://owaspsamm.org/model/) to establish what to consider for security requirements (and more) according to your maturity level.
 
 ## What to add in a pipeline
+
 ![DevSecOps pipeline](/assets/images/DevSecOps-pipeline.png)
 At first, we consider implementing the following steps in a basic pipeline:
-* Scan git repositories for finding potential credentials leakage. 
-* SCA (Software Composition Analysis)
-* SAST (Static Application Security Test)
-* IaC Scanning (Scanning Terraform, HelmChart code to find misconfiguration)
-* IAST (Interactive Application Security Testing)
-* API Security
-* DAST (Dynamic Application Security Test)
-* CNAPP (Cloud Native Application Protection)
-* Infrastructure scanning
-* Continuous Scanning from other tools
-* Compliance check
+
+- Scan git repositories for finding potential credentials leakage.
+- SCA (Software Composition Analysis)
+- SAST (Static Application Security Test)
+- IaC Scanning (Scanning Terraform, HelmChart code to find misconfiguration)
+- IAST (Interactive Application Security Testing)
+- API Security
+- DAST (Dynamic Application Security Test)
+- CNAPP (Cloud Native Application Protection)
+- Infrastructure scanning
+- Continuous Scanning from other tools
+- Compliance check
 
 We can customize the steps of our pipeline according to our Software Development Life Cycle (SDLC) or software architecture and add automation progressively if we are starting.
 For instance, we can switch from SAST/DAST to a regular test suite with built-in security controls or add an audit script checking for known vulnerable dependencies.
@@ -36,7 +40,9 @@ CI/CD is an advantage for SecOps, a privileged entry point for security measures
 However, when using CI/CD tools to provide automation, keep in mind that the tools themselves often expand your attack surface, so put security controls on building, deployment, and automation software.
 
 ---
-## Table of Contents:
+
+## Table of Contents
+
 - [0-Intro](current-version/0-Intro)
   - [0-1-Intro](current-version/0-Intro/0-1-Intro.md)
   - [0-2-Overview](current-version/0-Intro/0-2-Overview.md)
@@ -49,32 +55,39 @@ However, when using CI/CD tools to provide automation, keep in mind that the too
 - [2-Process](current-version/2-Process)
   - [2-1-Design](current-version/2-Process/2-1-Design)
     - [2-1-1-Threat-modeling](current-version/2-Process/2-1-Design/2-1-1-Threat-modeling.md)
-  - [2-2-Code](current-version/2-Process/2-2-Code)
-    - [2-2-3-Interactive-Application-Security-Testing](current-version/2-Process/2-2-Code/2-2-3-Interactive-Application-Security-Testing.md)
-    - [2-2-1-Pre-commit](current-version/2-Process/2-2-Code/2-2-1-Pre-commit)
-      - [2-2-1-1-Pre-commit](current-version/2-Process/2-2-Code/2-2-1-Pre-commit/2-2-1-1-Pre-commit.md)
-      - [2-2-1-2-Secrets-Management](current-version/2-Process/2-2-Code/2-2-1-Pre-commit/2-2-1-2-Secrets-Management.md)
-      - [2-2-1-3-Linting-code](current-version/2-Process/2-2-Code/2-2-1-Pre-commit/2-2-1-3-Linting-code.md)
-      - [2-2-1-4-Repository-Hardening](current-version/2-Process/2-2-Code/2-2-1-Pre-commit/2-2-1-4-Repository-Hardening.md)
-    - [2-2-2-Static-Analysis](current-version/2-Process/2-2-Code/2-2-2-Static-Analysis)
-      - [2-2-2-1-Static-Application-Security-Testing](current-version/2-Process/2-2-Code/2-2-2-Static-Analysis/2-2-2-1-Static-Application-Security-Testing.md)
-      - [2-2-2-2-Software-Composition-Analysis](current-version/2-Process/2-2-Code/2-2-2-Static-Analysis/2-2-2-2-Software-Composition-Analysis.md)
-      - [2-2-2-3-Infastructure-as-Code-Scanning](current-version/2-Process/2-2-Code/2-2-2-Static-Analysis/2-2-2-3-Infastructure-as-Code-Scanning.md)
-      - [2-2-2-4-Container-Security](current-version/2-Process/2-2-Code/2-2-2-Static-Analysis/2-2-2-4-Container-Security)
-        - [2-2-2-4-1-Container-Scanning](current-version/2-Process/2-2-Code/2-2-2-Static-Analysis/2-2-2-4-Container-Security/2-2-2-4-1-Container-Scanning.md)
-        - [2-2-2-4-2-Container-Hardening](current-version/2-Process/2-2-Code/2-2-2-Static-Analysis/2-2-2-4-Container-Security/2-2-2-4-2-Container-Hardening.md)
+  - [2-2-Develop](current-version/2-Process/2-2-Develop)
+    - [2-2-1-Pre-commit](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit)
+      - [2-2-1-1-Pre-commit](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit/2-2-1-1-Pre-commit.md)
+      - [2-2-1-2-Secrets-Management](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit/2-2-1-2-Secrets-Management.md)
+      - [2-2-1-3-Linting-code](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit/2-2-1-3-Linting-code.md)
+      - [2-2-1-4-Repository-Hardening](current-version/2-Process/2-2-Develop/2-2-1-Pre-commit/2-2-1-4-Repository-Hardening.md)
   - [2-3-Build](current-version/2-Process/2-3-Build)
-    - [2-3-1-Dynamic-Application-Security-Testing](current-version/2-Process/2-3-Build/2-3-1-Dynamic-Application-Security-Testing.md)
-    - [2-3-2-Mobile-Application-Security-Test](current-version/2-Process/2-3-Build/2-3-2-Mobile-Application-Security-Test.md)
-    - [2-3-3-API-Security](current-version/2-Process/2-3-Build/2-3-3-API-Security.md)
-    - [2-3-4-Miss-Configuration-Check](current-version/2-Process/2-3-Build/2-3-4-Miss-Configuration-Check.md)
-  - [2-4-Operation](current-version/2-Process/2-4-Operation)
-    - [2-4-1-Cloud-Native-Security](current-version/2-Process/2-4-Operation/2-4-1-Cloud-Native-Security.md)
-    - [2-4-2-Logging-and-Monitoring](current-version/2-Process/2-4-Operation/2-4-2-Logging-and-Monitoring.md)
-    - [2-4-3-Pentest](current-version/2-Process/2-4-Operation/2-4-3-Pentest.md)
-    - [2-4-4-Vulnerability-Management](current-version/2-Process/2-4-Operation/2-4-4-Vulnerability-Management.md)
-    - [2-4-5-VDP|Bug-bounty](current-version/2-Process/2-4-Operation/2-4-5-VDP|Bug-bounty.md)
-    - [2-4-6-Breach-and-attack-simulation](current-version/2-Process/2-4-Operation/2-4-6-Breach-and-attack-simulation.md)
+    - [2-3-5-Security-Gates](current-version/2-Process/2-3-Build/2-3-5-Security-Gates.md)
+    - [2-3-1-Static-Analysis](current-version/2-Process/2-3-Build/2-3-1-Static-Analysis)
+      - [2-3-1-1-Static-Application-Security-Testing](current-version/2-Process/2-3-Build/2-3-1-Static-Analysis/2-3-1-1-Static-Application-Security-Testing.md)
+    - [2-3-2-Software Composition Analysis](current-version/2-Process/2-3-Build/2-3-2-Software Composition Analysis)
+      - [2-3-2-1-Software-Composition-Analysis](current-version/2-Process/2-3-Build/2-3-2-Software Composition Analysis/2-3-2-1-Software-Composition-Analysis.md)
+    - [2-3-3-Container-Security](current-version/2-Process/2-3-Build/2-3-3-Container-Security)
+      - [2-3-3-1-Container-Scanning](current-version/2-Process/2-3-Build/2-3-3-Container-Security/2-3-3-1-Container-Scanning.md)
+      - [2-3-3-2-Container-Hardening](current-version/2-Process/2-3-Build/2-3-3-Container-Security/2-3-3-2-Container-Hardening.md)
+    - [2-3-4-Infrastructure as Code Security](current-version/2-Process/2-3-Build/2-3-4-Infrastructure as Code Security)
+      - [2-3-1-3-Infastructure-as-Code-Scanning](current-version/2-Process/2-3-Build/2-3-4-Infrastructure as Code Security/2-3-1-3-Infastructure-as-Code-Scanning.md)
+  - [2-4-Test](current-version/2-Process/2-4-Test)
+    - [2-4-1-Interactive-Application-Security-Testing](current-version/2-Process/2-4-Test/2-4-1-Interactive-Application-Security-Testing.md)
+    - [2-4-2-Dynamic-Application-Security-Testing](current-version/2-Process/2-4-Test/2-4-2-Dynamic-Application-Security-Testing.md)
+    - [2-4-3-Mobile-Application-Security-Test](current-version/2-Process/2-4-Test/2-4-3-Mobile-Application-Security-Test.md)
+    - [2-4-4-API-Security](current-version/2-Process/2-4-Test/2-4-4-API-Security.md)
+    - [2-4-5-Misconfiguration-Check](current-version/2-Process/2-4-Test/2-4-5-Misconfiguration-Check.md)
+  - [2-5-Release](current-version/2-Process/2-5-Release)
+    - [2-5-1-Release](current-version/2-Process/2-5-Release/2-5-1-Release.md)
+  - [2-6-Deploy](current-version/2-Process/2-6-Deploy)
+    - [2-6-1-Deploy](current-version/2-Process/2-6-Deploy/2-6-1-Deploy.md)
+  - [2-7-Operate](current-version/2-Process/2-7-Operate)
+    - [2-7-1-Cloud-Native-Security](current-version/2-Process/2-7-Operate/2-7-1-Cloud-Native-Security.md)
+    - [2-7-2-Logging-and-Monitoring](current-version/2-Process/2-7-Operate/2-7-2-Logging-and-Monitoring.md)
+    - [2-7-3-Pentest](current-version/2-Process/2-7-Operate/2-7-3-Pentest.md)
+    - [2-7-4-Vulnerability-Management](current-version/2-Process/2-7-Operate/2-7-4-Vulnerability-Management.md)
+    - [2-7-6-Breach-and-attack-simulation](current-version/2-Process/2-7-Operate/2-7-6-Breach-and-attack-simulation.md)
 - [3-Governance](current-version/3-Governance)
   - [3-2-Data-protection](current-version/3-Governance/3-2-Data-protection.md)
   - [3-1-Compliance-Auditing](current-version/3-Governance/3-1-Compliance-Auditing)
@@ -85,6 +98,6 @@ However, when using CI/CD tools to provide automation, keep in mind that the too
     - [3-3-1-Tracking-maturities](current-version/3-Governance/3-3-Reporting/3-3-1-Tracking-maturities.md)
     - [3-3-2-Central-vulnerability-management-dashboard](current-version/3-Governance/3-3-Reporting/3-3-2-Central-vulnerability-management-dashboard.md)
 
-
 ---
-The project page on the OWASP website is [here](https://owasp.org/www-project-devsecops-guideline/)
+
+The project page on the OWASP website is available at [OWASP DevSecOps Guideline Project](https://owasp.org/www-project-devsecops-guideline/)