DevSecOps: Trivy + Checkov + Hardening
Shift security left — scan, harden, and clean up.
Overview
The top rung of the MVP. The pipeline now scans the Docker image for CVEs with Trivy and the Terraform for misconfigurations with Checkov, fails the build on real problems, hardens GitHub Actions permissions, and ships with a security checklist, runbook, and cleanup guide. This is the difference between 'it deploys' and 'it deploys safely'.
Architecture
The build pipeline gains two gates: Trivy scans the built image and Checkov scans the Terraform. Findings above a threshold fail the run before anything reaches ECR or the instance. Results are uploaded as SARIF for the Security tab.
1. Checkov scans Terraform for misconfigurations.
2. The image is built and scanned by Trivy for CVEs.
3. If either gate fails (HIGH/CRITICAL), the run stops here.
4. Only clean builds push to ECR and deploy.
A GitHub Actions pipeline builds an image, runs Trivy on it and Checkov on the Terraform; if scans pass it pushes to ECR and deploys, otherwise the build fails.
What you'll understand
- Add automated security scanning to the pipeline (image + IaC).
- Fail builds on real vulnerabilities and misconfigurations — gate, don't just report.
- Apply least-privilege hardening to GitHub Actions and IAM.
- Adopt the operational discipline of checklists, runbooks, and cleanup.
Prerequisites
- Completed Level 4 (ECR + Compose)
- A working build/push pipeline to extend
- Comfort reading scanner output and triaging findings
Generated files
The files this template produces. Copy any of them straight into your project.
Runs Checkov and Trivy as gating jobs and uploads SARIF results.

```yaml
name: Security Gates
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read
  security-events: write # to upload SARIF to the Security tab
jobs:
  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkov (Terraform)
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: infra/
          framework: terraform
          soft_fail: false # fail the build on findings
          output_format: sarif
          output_file_path: checkov.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: checkov.sarif
  image-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t web:scan .
      - name: Trivy (image CVEs)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: web:scan
          severity: HIGH,CRITICAL
          exit-code: "1" # fail on HIGH/CRITICAL
          format: sarif
          output: trivy.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy.sarif
```

Step-by-step guide
1. Add the IaC scan (Checkov)
Point Checkov at your infra/ directory. Start in soft-fail to see findings, then flip to hard-fail so misconfigurations block the build.

```shell
checkov -d infra/ --framework terraform
```

Run it locally first to triage before enforcing in CI.

2. Add the image scan (Trivy)
Scan the built image for known CVEs. Gate on HIGH and CRITICAL so vulnerable images never reach the registry.

```shell
trivy image --severity HIGH,CRITICAL --exit-code 1 web:scan
```

Exit code 1 fails the pipeline when serious CVEs are present.

3. Harden the pipeline
Set minimal `permissions:` on every workflow, keep OIDC (no static keys), and remove any wildcard IAM actions. Least privilege everywhere.
A pipeline that can do anything is a pipeline an attacker can do anything with.

4. Wire results into the Security tab
Upload SARIF from both scanners so findings show up in GitHub's Security tab and on PRs — visible, not buried in logs.

5. Adopt the checklist and runbook
Commit SECURITY_CHECKLIST.md and RUNBOOK.md. The real upgrade at this level is operational discipline, not just tools.
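Two of the step 3 checks in code, as an added example that is not the template's own: flag wildcard IAM actions in the deploy role's policy, and confirm the OIDC role's trust policy pins the GitHub token's `sub` claim to one repository. The policy documents, account id, region, repository name and ECR repository are constructed placeholders.

```python
"""Added example, not the template's own code: two least-privilege checks
from step 3, run over constructed IAM documents (not the template's)."""
import json

OIDC_SUB = "token.actions.githubusercontent.com:sub"

def _as_list(v):  # IAM accepts a string or a list in these fields
    return v if isinstance(v, list) else [v]

def wildcard_actions(policy_json: str) -> list[str]:
    """Wildcard Actions ('*' or 'service:*') in Allow statements. Resource '*'
    alone is not flagged: ecr:GetAuthorizationToken legitimately needs it."""
    found = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") == "Allow":
            found += [a for a in _as_list(stmt.get("Action", []))
                      if a == "*" or a.endswith(":*")]
    return found

def oidc_trust_is_scoped(trust_json: str, repo: str) -> bool:
    """True only if every AssumeRoleWithWebIdentity statement pins the token's
    'sub' claim to this repo, so another repo's workflow cannot assume the role."""
    for stmt in json.loads(trust_json)["Statement"]:
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        subs = [s for op in ("StringEquals", "StringLike")
                for s in _as_list(cond.get(op, {}).get(OIDC_SUB, []))]
        if not subs or not all(s.startswith(f"repo:{repo}:") for s in subs):
            return False
    return True

# Constructed: a deploy policy with a wildcard, and its scoped replacement.
WEAK_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/web",
     "Action": ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"]},
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]})

# Constructed: the OIDC role's trust policy without and with a 'sub' condition.
AUD = {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}
UNSCOPED_TRUST = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringEquals": AUD}}]})
SCOPED_TRUST = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringEquals": AUD,
                   "StringLike": {OIDC_SUB: "repo:example-org/web:ref:refs/heads/main"}}}]})
```

Run both checks over the real role and trust documents before Checkov does, so a wildcard or an unscoped trust never reaches `terraform apply`.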
What these gates are doing
The pipeline gains two checkpoints before anything ships: Checkov scans the Terraform for misconfigurations and Trivy scans the built image for CVEs. If either finds something serious, the run stops — vulnerable code never reaches ECR or the instance.
- Checkov → infrastructure misconfigurations.
- Trivy → image vulnerabilities (CVEs).
- Results upload as SARIF to the Security tab.
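The gate decision above, applied to a SARIF file (the format step 4 uploads), as an added example that is neither the template's nor the scanners' code: each result is bucketed by its rule's `security-severity` the way GitHub's Security tab buckets it, and the run fails on HIGH/CRITICAL, matching the workflow's `exit-code: "1"`. The SARIF document and its rule ids are constructed placeholders, and the logic is general SARIF handling rather than Trivy-specific.

```python
"""Added example, not the template's own code: the HIGH/CRITICAL gate applied
to a SARIF file, read the way GitHub's Security tab reads it. The SARIF below
is a constructed, trimmed sample in Trivy's shape, not real scanner output."""
import json

# GitHub buckets a rule's 'security-severity' (a CVSS-style score) as:
# 9.0+ critical, 7.0-8.9 high, 4.0-6.9 medium, 0.1-3.9 low.
def severity_bucket(score: float) -> str:
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

def gate(sarif_text: str, fail_on=("HIGH", "CRITICAL")):
    """Return (passes, counts_by_severity) over every run in the SARIF file.
    A rule with no 'security-severity' falls back on the result's SARIF level:
    'error' counts as HIGH so an unscored finding cannot slip past the gate."""
    counts: dict[str, int] = {}
    for run in json.loads(sarif_text)["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            props = rules.get(res["ruleId"], {}).get("properties", {})
            score = props.get("security-severity")
            if score is not None:
                sev = severity_bucket(float(score))
            else:
                sev = "HIGH" if res.get("level") == "error" else "LOW"
            counts[sev] = counts.get(sev, 0) + 1
    passes = not any(counts.get(s, 0) for s in fail_on)
    return passes, counts

# Constructed sample with placeholder rule ids (not real CVEs): one CRITICAL
# (9.8), one MEDIUM (5.3) and one unscored result at level 'error'.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [
        {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8"}},
        {"id": "CVE-0000-0002", "properties": {"security-severity": "5.3"}},
        {"id": "RULE-PLACEHOLDER", "properties": {}}]}},
    "results": [
        {"ruleId": "CVE-0000-0001", "level": "error", "message": {"text": "placeholder"}},
        {"ruleId": "CVE-0000-0002", "level": "warning", "message": {"text": "placeholder"}},
        {"ruleId": "RULE-PLACEHOLDER", "level": "error", "message": {"text": "placeholder"}}]}]})

if __name__ == "__main__":
    ok, counts = gate(SAMPLE_SARIF)
    print("gate:", "pass" if ok else "FAIL", counts)
```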
Security notes
Vulnerable images are blocked (Info)
Trivy fails the build on HIGH/CRITICAL CVEs, so they never reach ECR or production.
Misconfigured infra is blocked (Info)
Checkov catches insecure Terraform (open SGs, unencrypted volumes) before apply.
Least-privilege pipeline + IAM (Info)
Scoped workflow permissions and OIDC roles shrink the blast radius of a leak.
Scanning is continuous, not one-time (Low)
New CVEs appear daily; a clean scan today can fail tomorrow. Run scheduled scans and keep base images current.
Cost notes
Trivy & Checkov
Both are free and open source; they only spend CI minutes.
Extra CI minutes
Scanning adds 1–3 minutes per run — negligible, but it counts against your Actions quota.
ECR + EC2
Same footprint as Level 4; remember the registry storage and running instance.
Cleanup guide
Tear it down when you're done — the fastest way to avoid a surprise bill.
1. (Billing) `terraform destroy` the environment when you're done demoing.
2. Expire old ECR images via the lifecycle policy.
3. (Billing) Revoke the OIDC role trust and any deploy keys.
4. Confirm the Billing dashboard shows nothing running.
Where to go next
You've reached the top of the MVP ladder.
Observability, Kubernetes, and GitOps are next on the roadmap.