Currently, the main branch of devops-projects is the only supported version.
| Version | Supported |
|---|---|
| main | ✅ |
If you discover a security vulnerability within this repository, please do not disclose it publicly.
Instead, please send an email to the repository owner or open a private security advisory via GitHub. We will address the issue as promptly as possible.
This repository serves as a learning resource and implements modern DevSecOps practices. We heavily feature the following free security tools that students can use in their own projects:
- TruffleHog: Scans for exposed secrets, passwords, and API keys.
- Trivy: A comprehensive and versatile security scanner for containers, Infrastructure as Code (IaC), and software dependencies.
- SonarQube Community: Used for static application security testing (SAST) and code quality analysis.
- Checkov: Static code analysis tool for infrastructure-as-code.
- Super-Linter: GitHub's versatile linting framework.
Use the repo-local gate for fast checks that do not require cloud accounts:

```bash
python3 -m pip install -r tools/requirements.txt
python3 -m tools.quality_gate .
```

The gate flags tracked ignored files, common credential patterns, YAML/shell/Python syntax issues, and practical Node lockfile problems. Secret scanner fixtures and templated training files are excluded deliberately so real findings stay visible.
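To illustrate the credential-pattern check and the deliberate fixture exclusion described above, here is a minimal, added example; it is not the project's `tools.quality_gate`, and the pattern list, excluded directory names and sample file contents are assumptions constructed for the demonstration.

```python
import re
from pathlib import PurePosixPath

# Hypothetical subset of credential shapes; the real gate's list may differ.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)password\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# Directories skipped on purpose so scanner fixtures and templated training
# files do not drown out real findings (assumed names).
EXCLUDED_DIR_PARTS = {"fixtures", "templates"}


def is_excluded(path):
    """True when any directory component of the path is a deliberate exclusion."""
    return any(part in EXCLUDED_DIR_PARTS for part in PurePosixPath(path).parts)


def scan_text(path, text):
    """Return (path, line_no, pattern_name) for each credential-shaped line."""
    if is_excluded(path):
        return []
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings


def run_gate(files):
    """Scan a mapping of repo-relative path -> file text; return all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents (not real files from the project).
# The fixture and template entries carry the same shapes but must be skipped.
SAMPLE_FILES = {
    "deploy/app.env": "DB_HOST=db.internal\nDB_PASSWORD='correct-horse-battery'\n",
    "scripts/upload.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "tests/fixtures/secrets.txt": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "docs/templates/config.env.tmpl": "DB_PASSWORD='{{ db_password }}'\n",
}

if __name__ == "__main__":
    for path, line_no, name in run_gate(SAMPLE_FILES):
        print(f"{path}:{line_no}: {name}")
```

The two fixture/template entries carry the same shapes as the real hits but produce no findings, which is the behaviour the exclusion is meant to give.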
Before changing infrastructure, containers, pipelines, or secret-handling examples, use the reusable checklists in docs/security-baselines/: