🚀 DevSecOps intro elective — 10 hands-on labs + 2 bonus hardening OWASP Juice Shop: threat modeling (STRIDE/Threagile), signed commits & secret scanning, SBOM/SCA, SAST + DAST, IaC security (Checkov/KICS), container & supply-chain hardening (Trivy, Cosign), runtime detection with Falco, and DefectDojo vuln management.

A hands-on lab toolkit for container security, from CIS-benchmark fundamentals to architectural trust governance. 12 production-grade labs covering image hardening, signing, supply chain attestation, admission control, and runtime debugging. Built from real Fortune 500 cluster experience.

This GitHub Action use kaniko and Amazon Linux container with nitro-cli to build a reproducible AWS Nitro Enclaves EIF file and its information.

AWS CLI v2 + kubectl on Ubuntu 24.04. Multi-arch, cosign-signed, SBOM + SLSA attested. Non-root by default. 725K+ pulls.

Convert any DevOps Pipeline into 8-gate DevSecOps Pipeline with just 10 lines of YAML code - secrets, SAST, SBOM, signing. 100% OSS, free.

A simple CircleCI orb used to install Cosign and sign container images

Cosign CircleCI orb. To learn more about cosign visit the GitHub repo

End-to-end secure software supply chain reference implementation: hadolint + gitleaks lint, Trivy CVE scan + SARIF, CycloneDX SBOM, Cosign keyless signing + SBOM attestation, gated before GHCR push, runtime enforcement via Kyverno admission control. Self-proving on every push.

Reference workflows, scripts, and templates for hardening CI/CD pipelines with Sigstore, SLSA, and SBOMs.

Reusable GitHub Actions workflow for signed AI commit attestations with cosign keyless signing.

SZL local build environment: kind + Istio ambient mesh + OpenTelemetry Collector + 5-organ stack with cosign verification gate. <10 min quickstart for SZL engineers.

Snapshot releases of dhi-debian-dev docker images for reproducible build environments.

Auto-rotating SSL/TLS certificate client for game server hosts. Pulls renewed wildcard certs from the auto-certs server, verifies signatures, atomically installs, and runs a CP-supplied reload hook. POSIX sh; CentOS 6+ / Ubuntu 16+; zero external runtime dependencies.

Reference DevSecOps supply-chain pipeline: gosec + govulncheck + Trivy, cosign keyless signing, syft SBOM attestation, Kyverno admission verification

Official Brik runner images for fast, signed, scanned, multi-platform CI jobs.

Production ready WordPress Docker image, Bedrock + FrankenPHP + Acorn, rootless and lightweight. Multi-arch (amd64/arm64), Trivy-scanned, Cosign-signed, with SBOM attestation.

Native arm64 (aarch64) rebuilds of BioContainers — unofficial community project by Playground Logic

DevSecOps reference — scripts, how-to guides, and templates for security scanning, CI/CD, Kubernetes, Terraform, and observability.

Production-like DevSecOps platform on local Kubernetes (k3d, 3 clusters): GitOps, progressive delivery, policy-as-code, secure supply chain, Vault/ESO secrets, Step-CA PKI, and SLO-driven observability.

☕ Streamline JVM workloads with hardened OCI images preinstalled with Temurin JDK 25 and JDK 26, ensuring security and performance for your applications.