Skip to content

obsTR/cicd-cloud-security-checklist

BranchesTags

Repository files navigation

CI/CD Cloud Security Checklist

License: MIT Security: Hardened DevSecOps

Comprehensive security design review checklist for Jenkins, GitHub Actions, AWS, and Azure pipelines. This repository helps teams audit software supply chain controls and cloud hardening posture before production releases.

Table of Contents

What it does

This repository offers a structured checklist to audit CI/CD pipeline security and cloud security configuration. It standardizes design reviews with explicit control IDs, priorities, and expected evidence.

Who it is for

  • DevOps Engineers hardening build servers and deployment paths.
  • Cloud Security Architects conducting design and threat reviews.
  • Release Managers validating deployment gates and risk acceptance.

Repository Structure

cicd-cloud-security-checklist/
|-- .github/
|   |-- ISSUE_TEMPLATE/
|   |   |-- security_gap_report.md
|-- docs/
|   |-- scoring-model.md
|-- examples/
|   |-- aws_s3_bucket_policy.json
|   |-- github_actions_secrets.yaml
|-- templates/
|   |-- assessment-template.yaml
|-- checklist.yaml
|-- CHANGELOG.md
|-- CONTRIBUTING.md
|-- LICENSE
|-- README.md
|-- SECURITY.md

Install

Clone the repository to integrate the checklist into your review process.

git clone https://github.com/obsTR/cicd-cloud-security-checklist.git

Quick Start

  1. Use checklist.yaml as the control baseline.
  2. Copy templates/assessment-template.yaml for each pipeline/system under review.
  3. Mark each control as PASS, FAIL, or WAIVED with evidence links.
  4. Calculate score using docs/scoring-model.md.
  5. Track unresolved gaps as issues using .github/ISSUE_TEMPLATE/security_gap_report.md.

Scoring Model

The default weighted model is documented in docs/scoring-model.md and aligned with control priority (Critical, High, Medium, Low).

Examples

  • AWS S3 verification: explicit deny controls and TLS enforcement (examples/aws_s3_bucket_policy.json).
  • GitHub Actions hardening: least-privilege permissions and OIDC usage (examples/github_actions_secrets.yaml).

Limitations

  • This is a design-review and governance tool.
  • It does not replace automated SAST, DAST, IaC scanning, or runtime detection tooling.

Roadmap

  • Automate checklist validation with OPA (Open Policy Agent).
  • Add GCP (Google Cloud Platform) specific controls and examples.
  • Publish a CLI for automated control scoring and trend tracking.

Security

Please report vulnerabilities via SECURITY.md.

License

Distributed under the MIT License.

About

A comprehensive security design review checklist for hardening Jenkins, GitHub Actions, AWS, and Azure pipelines. Audit your software supply chain before production.

Topics

aws-security cloud-security supply-chain-security cicd-security devops-checklist

Resources

Readme

License

MIT license

Contributing

Contributing

Security policy

Security policy
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors