Home > CI/CD Security > Lab

πŸ§ͺ CI/CD Security Lab

Practice end‑to‑end pipeline security: detect secrets, federate identity with OIDC, automate security testing, and generate attestations.

Advanced

Lab Objectives

Prerequisites

Part 1: Secret Scanning

  1. Enable GitHub Secret Scanning and Dependabot alerts
  2. Run local scans:
# TruffleHog
trufflehog git file://.

# Gitleaks
gitleaks detect -v

Part 2: OIDC Federation

  1. Create a cloud role for GitHub OIDC with restricted policies
  2. Add a workflow using OIDC, scoped to the repo/ref:
# .github/workflows/oidc-deploy.yml
name: OIDC Deploy

on: workflow_dispatch

permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GHAOIDCRole
          aws-region: us-east-1
      - run: aws sts get-caller-identity

Part 3: Security Gates

  1. Add SAST with Semgrep/CodeQL, fail on critical
# Semgrep example
semgrep --config p/owasp-top-ten --error
  1. Container scan with Trivy
trivy image --exit-code 1 --severity CRITICAL,HIGH myapp:latest
  1. IaC checks with Checkov
checkov -d . --soft-fail-exit-code 0 --hard-fail-on HIGH,CRITICAL

Part 4: SBOM & Provenance

  1. Generate SBOM with Syft and sign artifacts with Sigstore
syft packages dir:./ -o cyclonedx-json > sbom.json
cosign generate-key-pair
cosign sign-blob --key cosign.key dist/app.tar.gz > app.sig
  1. Create build provenance attestation in CI
- uses: actions/attest-build-provenance@v1
  with:
    subject-path: 'dist/*.tar.gz'

Part 5: Monitoring & IR Drill

  1. Forward GitHub audit logs to SIEM and configure alerts
  2. Simulate a token leak and validate rotation playbook
  3. Document timelines and corrective actions

Related

πŸ”„ CI/CD Security

Pipeline hardening and supply chain defense.

πŸ”§ GitHub Actions Security

Workflow permissions and OIDC.

πŸ”’ DevSecOps

Shift‑left security at scale.
CI/CD Security Lab - Hands-On Exercises - RFS Cyber Roadmap
Home > Roadmap > CI/CD Security > Hands-On Lab Exercises

πŸ§ͺ CI/CD Security Lab

Comprehensive hands-on exercises for securing CI/CD pipelines and implementing DevSecOps practices

Advanced Level 10-14 hours 7 Comprehensive Exercises Built-in Validation

πŸ“š Lab Overview

This comprehensive lab environment provides hands-on experience with CI/CD pipeline security, secrets management, container security, and DevSecOps implementation. You'll work through real-world scenarios that DevSecOps engineers encounter in modern software development environments.

7

Hands-on Exercises

20+

Security Tools

15+

Attack Scenarios

25+

Defense Strategies

🎯 Learning Objectives

By completing this lab, you will be able to:

πŸ”§ Lab Environment Requirements

πŸ’» System Requirements

Minimum Specifications:
  • RAM: 16GB (32GB recommended)
  • Storage: 100GB free space
  • CPU: 8 cores (16 cores recommended)
  • Network: Stable internet connection
  • OS: Linux (Ubuntu 22.04 recommended) or macOS

πŸ”§ Software Requirements

Required Software:
  • Container Runtime: Docker Desktop or Podman
  • Kubernetes: k3s, minikube, or kind
  • CI/CD Platform: Jenkins or GitLab CE
  • Version Control: Git
  • Cloud CLI: AWS CLI, Azure CLI, or gcloud (optional)

πŸ› οΈ Required Tools

Security Tools:
  • Secrets Scanning: TruffleHog, Gitleaks
  • Container Scanning: Trivy, Grype
  • SAST: SonarQube, Semgrep
  • IaC Scanning: Checkov, tfsec
  • Secrets Management: HashiCorp Vault

πŸ§ͺ Lab Exercises

πŸ” Exercise 1: Pipeline Security Audit

90 minutes Intermediate

Objective:

Audit a vulnerable CI/CD pipeline and identify security weaknesses in configuration, permissions, and workflows.

Tasks:
  • Analyze Jenkinsfile/workflow configurations
  • Identify excessive permissions and access controls
  • Review secret handling practices
  • Detect hardcoded credentials
  • Audit third-party integrations
  • Document security findings
Tools Used:
  • TruffleHog for secret scanning
  • Gitleaks for credential detection
  • Manual code review
  • Pipeline configuration analysis
Deliverables:
  • Security audit report
  • Vulnerability classification matrix
  • Remediation recommendations
Start Exercise

πŸ”‘ Exercise 2: Secrets Management Implementation

120 minutes Advanced

Objective:

Implement HashiCorp Vault for secrets management and migrate hardcoded credentials to secure storage.

Tasks:
  • Deploy HashiCorp Vault in dev mode
  • Configure Vault authentication methods
  • Create secret engines (KV v2, database, AWS)
  • Integrate Vault with CI/CD pipeline
  • Implement dynamic secret generation
  • Set up secrets rotation policies
Tools Used:
  • HashiCorp Vault
  • Vault CLI and API
  • Jenkins Vault plugin
  • GitHub Actions Vault action
Deliverables:
  • Vault deployment configuration
  • Secrets migration documentation
  • Pipeline integration code
  • Rotation policy documentation
Start Exercise

🐳 Exercise 3: Container Security Scanning

105 minutes Advanced

Objective:

Implement comprehensive container security scanning and image hardening in the CI/CD pipeline.

Tasks:
  • Scan container images with Trivy
  • Implement multi-stage builds
  • Create distroless container images
  • Configure image signing with Cosign
  • Implement runtime security policies
  • Set up vulnerability quality gates
Tools Used:
  • Trivy for vulnerability scanning
  • Cosign for image signing
  • Docker/Podman for builds
  • Harbor or Quay for registry
Deliverables:
  • Hardened Dockerfile examples
  • Image scanning integration
  • Signing and verification workflow
  • Security policy documentation
Start Exercise

πŸ§ͺ Exercise 4: Security Testing Integration

135 minutes Advanced

Objective:

Integrate SAST, DAST, and SCA security testing into the CI/CD pipeline with automated quality gates.

Tasks:
  • Configure SonarQube for SAST
  • Integrate Semgrep for pattern-based scanning
  • Set up OWASP Dependency-Check
  • Implement OWASP ZAP for DAST
  • Configure security quality gates
  • Create security dashboard
Tools Used:
  • SonarQube for code quality
  • Semgrep for static analysis
  • OWASP Dependency-Check
  • OWASP ZAP for dynamic testing
Deliverables:
  • Security testing pipeline
  • Quality gate configuration
  • Security dashboard setup
  • Automated remediation workflows
Start Exercise

πŸ“œ Exercise 5: Infrastructure as Code Security

120 minutes Advanced

Objective:

Secure Infrastructure as Code with automated scanning, policy enforcement, and compliance validation.

Tasks:
  • Scan Terraform code with Checkov
  • Implement tfsec for Terraform security
  • Configure Open Policy Agent policies
  • Set up IaC security quality gates
  • Implement compliance scanning (CIS benchmarks)
  • Create automated remediation workflows
Tools Used:
  • Checkov for IaC scanning
  • tfsec for Terraform security
  • Open Policy Agent for policy
  • Terraform/CloudFormation
Deliverables:
  • IaC security scanning integration
  • Policy as Code implementation
  • Compliance validation workflow
  • Remediation documentation
Start Exercise

πŸ”— Exercise 6: Supply Chain Security

150 minutes Expert

Objective:

Implement comprehensive supply chain security including SBOM generation, artifact attestation, and provenance verification.

Tasks:
  • Generate SBOM with Syft
  • Implement Sigstore signing with Cosign
  • Configure SLSA provenance generation
  • Set up in-toto attestation
  • Implement dependency pinning
  • Create artifact verification workflows
Tools Used:
  • Syft for SBOM generation
  • Cosign for artifact signing
  • Sigstore for keyless signing
  • in-toto for attestation
Deliverables:
  • SBOM generation pipeline
  • Artifact signing workflow
  • Provenance attestation
  • Verification procedures
Start Exercise

πŸ“Š Exercise 7: Monitoring & Incident Response

120 minutes Advanced

Objective:

Implement comprehensive monitoring, detection, and incident response for CI/CD security events.

Tasks:
  • Configure centralized logging (ELK Stack)
  • Set up real-time alerting
  • Implement anomaly detection
  • Create security dashboards
  • Develop incident response playbooks
  • Test rollback and recovery procedures
Tools Used:
  • Elasticsearch, Logstash, Kibana
  • Prometheus and Grafana
  • Falco for runtime security
  • Custom alerting scripts
Deliverables:
  • Monitoring infrastructure setup
  • Security alerting configuration
  • Incident response procedures
  • Recovery runbooks
Start Exercise

πŸ” Validation Framework

Built-in Assessment System

Each exercise includes comprehensive validation mechanisms to ensure proper understanding and skill development.

βœ… Technical Validation

Automated Checks:
  • Pipeline configuration verification
  • Security tool integration testing
  • Secret scanning validation
  • Container image hardening verification

πŸ“Š Skill Assessment

Competency Evaluation:
  • DevSecOps proficiency measurement
  • Tool mastery assessment
  • Security configuration validation
  • Best practices compliance check

🎯 Progress Tracking

Learning Analytics:
  • Exercise completion tracking
  • Time-to-completion analysis
  • Error pattern identification
  • Skill development monitoring

πŸ† Certification Path

Achievement Recognition:
  • Exercise completion certificates
  • DevSecOps skill badges
  • Progress milestone recognition
  • Expertise level advancement

πŸ› οΈ Essential Tools & Resources

πŸ” Secrets Management

πŸ” Security Scanning

  • Trivy - Comprehensive vulnerability scanner
  • Grype - Vulnerability scanner
  • SonarQube - Code quality and security
  • Semgrep - Static analysis
  • Snyk - Developer security platform

πŸ“œ IaC Security

πŸ”— Supply Chain

  • Sigstore - Artifact signing
  • Syft - SBOM generation
  • in-toto - Supply chain integrity
  • SLSA - Supply chain framework

πŸ“§ Stay Updated with CI/CD Security Labs

Get notified when we add new hands-on exercises and advanced techniques!

← Back to CI/CD Security Roadmap GitHub Actions Security β†’