Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,48 @@
# Standards and Compliance Reference
## OWASP DevSecOps Pipeline Maturity Model
| Level | SAST | DAST | SCA | Container | Secrets | License |
|-------|------|------|-----|-----------|---------|---------|
| Level 1 (Basic) | Manual runs | None | Manual dependency check | None | Pre-commit hooks | None |
| Level 2 (Integrated) | CI-triggered on MR | Scheduled scans | CI-triggered | Image scan on build | CI scan on commits | CI-triggered |
| Level 3 (Enforced) | Required for merge | Gate before deploy | Block on critical CVE | Block vulnerable images | Push protection | Policy enforcement |
| Level 4 (Optimized) | Custom rules, tuned FP | Authenticated full scan | Auto-remediation PRs | Signed images only | Auto-rotation | SBOM generation |
## NIST SP 800-218 (SSDF) Mapping
| SSDF Practice | GitLab Feature | Pipeline Stage |
|---------------|----------------|----------------|
| PO.1 Define security requirements | Security policies | Policy configuration |
| PW.1 Design software securely | Threat modeling integration | Pre-build |
| PW.4 Reuse well-secured software | Dependency scanning | Security stage |
| PW.5 Create source code securely | SAST, secret detection | Security stage |
| PW.7 Review and test code | MR security widget | Merge request |
| PW.8 Test executable code | DAST | Post-deploy staging |
| PW.9 Configure software securely | Container scanning | Security stage |
| RV.1 Identify vulnerabilities | Vulnerability report | Dashboard |
| RV.2 Assess and prioritize | Severity classification | Triage workflow |
| RV.3 Remediate vulnerabilities | Issue tracking integration | Sprint planning |
## CIS Software Supply Chain Security
- **SCS-1**: Secure source code management with protected branches and signed commits
- **SCS-2**: Secure build pipelines with pinned template versions and runner isolation
- **SCS-3**: Verified dependencies through dependency scanning and license compliance
- **SCS-4**: Secure artifacts with container scanning and signed images
- **SCS-5**: Deployment security with manual gates and environment approvals
## GitLab Scanner Coverage Matrix
| Vulnerability Type | Primary Scanner | Secondary Scanner |
|--------------------|-----------------|-------------------|
| SQL Injection | SAST (Semgrep) | DAST |
| XSS | SAST | DAST |
| SSRF | SAST | DAST |
| Command Injection | SAST | DAST |
| Insecure Deserialization | SAST | N/A |
| Known CVE in dependency | Dependency Scanning | Container Scanning |
| Hardcoded credentials | Secret Detection | SAST |
| License violation | License Scanning | N/A |
| OS-level CVE in image | Container Scanning | N/A |
| Authentication flaws | DAST | SAST |
@@ -0,0 +1,84 @@
# GitLab DevSecOps Pipeline Workflows
## Workflow 1: Merge Request Security Review
```
Developer creates merge request
|
Pipeline triggers security scanners in parallel:
[SAST] [Secret Detection] [Dependency Scanning] [License Scanning]
|
MR Security Widget displays results:
- New vulnerabilities introduced
- Existing vulnerabilities fixed
- Comparison with target branch
|
[No Critical/High] --> Reviewers can approve and merge
[Critical/High found] --> MR blocked by approval policy
|
Security team reviews findings
|
[Confirmed] --> Developer remediates and re-pushes
[False Positive] --> Dismissed with documented reason
|
All findings resolved --> MR eligible for merge
```
## Workflow 2: Container Image Security Gate
```
Docker image built in CI
|
Container scanning (Trivy) analyzes image layers
|
Findings categorized by severity
|
[Below threshold] --> Image pushed to registry with metadata
[Above threshold] --> Pipeline fails, image not pushed
|
Registry stores scan results as artifact
|
Deployment pulls only scanned/approved images
```
## Workflow 3: DAST Against Staging Environment
```
Application deployed to staging
|
DAST browser scan initiated against staging URL
|
Authenticated scan crawls application pages
|
Active testing for XSS, SQLi, CSRF, etc.
|
Results added to vulnerability report
|
[Pass] --> Manual deploy-to-production gate enabled
[Fail on critical] --> Staging deployment rolled back
|
Production deploy requires manual approval
```
## Workflow 4: Vulnerability Lifecycle Management
```
Scanner detects vulnerability
|
Status: "Detected" in vulnerability report
|
Security analyst triages finding
|
[Confirmed vulnerability] [False positive]
| |
Status: "Confirmed" Status: "Dismissed"
Issue created automatically Reason documented
|
Developer assigned fix
|
Fix merged, scanner re-runs
|
Vulnerability no longer detected
|
Status: "Resolved"
```