19-gate security pipeline across 6 layers. Designed for production deployment on AWS EKS.
- Gitleaks / TruffleHog — secret scanning. BLOCKS on any finding.
- Hadolint — Dockerfile lint. BLOCKS on errors.
- Checkov — IaC + K8s manifest scan. BLOCKS on HIGH/CRITICAL.
- TerraSecure — ML-powered Terraform scan (custom tool). BLOCKS on HIGH risk.
- Bandit — SAST for Python. BLOCKS on HIGH severity.
- ESLint security plugin — SAST for TypeScript.
- SonarQube — quality gate. BLOCKS if gate fails.
- Snyk — dependency CVE scan. BLOCKS on HIGH/CRITICAL.
- Syft — SBOM generation in CycloneDX format. Stored as pipeline artifact.
- Docker build
- Trivy — image scan. BLOCKS on HIGH/CRITICAL CVEs.
- Push to AWS ECR.
- ArgoCD sync → EKS staging environment
- OWASP ZAP — DAST against staging. BLOCKS on HIGH alerts.
- OPA — admission control policy check. BLOCKS non-compliant workloads.
- Prometheus smoke test — response time + error rate health check.
- Manual approval gate (or auto-promote if all gates pass)
- ArgoCD promote → EKS production
- Slack/email deployment alert with security summary
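The list above states a threshold per gate but leaves the gate logic itself implicit. The following is an added example, not code from this pipeline or from any of the tools listed: a small evaluator that reads each scanner's JSON report in its documented layout (Trivy `Results[].Vulnerabilities[]`, ZAP `site[].alerts[]`, the Gitleaks findings list) and applies the page's thresholds uniformly. It assumes, as an assumption not stated on the page, that each scanner writes its report to a known path and that this script runs as the blocking step right after it. The sample reports embedded at the bottom are constructed to match the report shapes; the CVE ids in them are placeholders, not real vulnerabilities. Two points it makes that the list does not: an unreadable or missing report blocks rather than passes, and whether unfixed CVEs count is an explicit policy choice.

```python
"""Unified block/pass decision over scanner JSON reports.

Added example for this page, not the pipeline's own code. Assumption (not from
the page): each scanner writes a JSON report to a known path and this script
runs as the gate step right after it, exiting non-zero to block the pipeline.
The sample reports at the bottom are constructed to match each tool's report
shape; the CVE ids in them are placeholders, not real vulnerabilities.
"""
import json
import sys
from pathlib import Path

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# ZAP JSON reports carry risk as a numeric string: 0 info, 1 low, 2 medium, 3 high.
ZAP_RISK = {"0": "UNKNOWN", "1": "LOW", "2": "MEDIUM", "3": "HIGH"}


def trivy_findings(report, ignore_unfixed=False):
    """Yield (severity, label) from Trivy's Results[].Vulnerabilities[] layout."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no upstream fix yet; skipped only when policy says so
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            yield sev, f"{vuln.get('VulnerabilityID', '?')} in {vuln.get('PkgName', '?')}"


def zap_findings(report):
    """Yield (severity, label) from a ZAP JSON report's site[].alerts[] layout."""
    for site in report.get("site") or []:
        for alert in site.get("alerts") or []:
            yield ZAP_RISK.get(str(alert.get("riskcode")), "UNKNOWN"), alert.get("alert", "?")


def gitleaks_findings(report):
    """Gitleaks writes a JSON list; every finding is ranked CRITICAL because the
    gate blocks on any secret and a severity scale is meaningless for leaks."""
    for f in report or []:
        yield "CRITICAL", f"{f.get('RuleID', '?')} at {f.get('File', '?')}:{f.get('StartLine', '?')}"


def evaluate(findings, threshold):
    """Return (blocked, blocking_labels): blocked if any finding is at or above threshold."""
    floor = SEVERITY_RANK[threshold.upper()]
    blocking = [label for sev, label in findings if SEVERITY_RANK.get(sev, 0) >= floor]
    return bool(blocking), blocking


# Thresholds taken from the page: Trivy HIGH/CRITICAL, ZAP HIGH, Gitleaks any finding.
GATES = {
    "trivy": (trivy_findings, "HIGH"),
    "zap": (zap_findings, "HIGH"),
    "gitleaks": (gitleaks_findings, "CRITICAL"),
}


def run_gate(tool, report_path):
    """Load a report and decide. A missing or unparsable report blocks (fail closed):
    a scanner that crashed or was skipped must never look like a clean scan."""
    extract, threshold = GATES[tool]
    try:
        report = json.loads(Path(report_path).read_text())
    except (OSError, ValueError) as exc:
        return True, [f"report unreadable: {exc}"]
    return evaluate(extract(report), threshold)


# Constructed samples (shape only, not real scan output; CVE ids are placeholders).
SAMPLE_TRIVY = {"Results": [{"Target": "app:1.0 (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libone", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libtwo", "Severity": "HIGH", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthree", "Severity": "MEDIUM", "FixedVersion": "2.0"},
]}]}
SAMPLE_ZAP = {"site": [{"@name": "https://staging.example", "alerts": [
    {"alert": "Missing Anti-clickjacking Header", "riskcode": "2"},
    {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
]}]}
SAMPLE_GITLEAKS = [{"RuleID": "aws-access-key-id", "File": "config/settings.py", "StartLine": 12}]

if __name__ == "__main__":
    samples = {"trivy": SAMPLE_TRIVY, "zap": SAMPLE_ZAP, "gitleaks": SAMPLE_GITLEAKS}
    exit_code = 0
    for tool, (extract, threshold) in GATES.items():
        blocked, labels = evaluate(extract(samples[tool]), threshold)
        print(f"{tool:9} threshold={threshold:8} {'BLOCK' if blocked else 'PASS '} {labels}")
        exit_code |= int(blocked)
    sys.exit(exit_code)
```

Run stand-alone it evaluates the three constructed samples and exits 1, since each one contains a blocking finding; in a real job the `SAMPLE_*` dicts are replaced by `run_gate(tool, path)` on the report the previous step wrote. Keeping `ignore_unfixed` off by default matches the "BLOCKS on HIGH/CRITICAL" wording above; turning it on is a deliberate exception that should be visible in the pipeline definition, not a silent default.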
| Tool | Reason |
|---|---|
| TerraSecure | Own ML model — catches Terraform misconfigs others miss |
| Syft SBOM | Compliance requirement: the CycloneDX inventory records every component in the built image, so what actually shipped can be matched against CVEs published after the scan ran |
| OWASP ZAP | Only security gate that exercises the running application in staging; every earlier scanner works on source, config or image contents |
| OPA | Policy as code — security rules enforced at Kubernetes level |
| Gitleaks | Blocks any merge that carries a secret. Caveat: a CI scan sees commits that already exist, so a finding means the credential is rotated, not just deleted; only a pre-commit hook keeps secrets out of history entirely |