- Solo founder or Founding Developers who needs guardrails without slowing down.
- Fractional/vCISO who wants a drop-in security baseline for new clients.
- Executive or board member who needs proof of good security hygiene, not just promises.
Outcome:
Fewer breaches from avoidable mistakes, faster compliance mapping, and provable hygiene for your repos — all with one git clone and a few commands.
This starter makes any repo secure-by-default in under 5 minutes:
- Pre-commit guardrails prevent secrets from ever leaving laptops.
CISO’s Take: Secrets are like toothpaste — once they’re out, you can’t put them back.
- CI security scanning (Trivy) blocks merges on HIGH/CRITICAL risks.
CISO’s Take: If you can’t ship clean, don’t ship at all.
- SBOM (SPDX) is produced on every run for asset inventory and vendor due diligence.
CISO’s Take: You can’t protect what you don’t know you have.
- OpenSSF Scorecard reports secure engineering hygiene to stakeholders.
CISO’s Take: External validation beats self-assessment every time.
- Examples show “good vs bad” configurations with a permanent failing demo tag (main stays green).
CISO’s Take: Learn by contrast — green is the goal, red is the warning.
| Control Theme | This Repo Provides | Maps to |
|---|---|---|
| Secrets handling | Pre-commit Gitleaks; blocks tokens pre-push | SOC2 CC6.1/CC6.6, ISO 27001:8.2 |
| Vulnerability mgmt | Trivy CI + fail on HIGH/CRIT | SOC2 CC7.1, ISO 27001:12.6 |
| Asset transparency | SBOM (SPDX) artifact per build | SOC2 CC8.1, ISO 27001:8.1 |
| IaC hygiene | Trivy IaC misconfig scan | SOC2 CC7.2, ISO 27001:14.2 |
- Code scanning alerts: Security → Code scanning alerts
- SBOM downloads: Actions → latest run → Artifacts →
sbom-spdx - Scorecard report: View on OpenSSF
-
Pre-commit secrets scanning using Gitleaks Blocks commits that contain API keys, tokens, passwords, or other sensitive strings. Runs locally for instant feedback before code leaves any machine.
-
CI vulnerability and misconfiguration scanning using Trivy Scans both dependencies and Infrastructure-as-Code files. Fails the build for HIGH/CRITICAL issues. Uploads SARIF results to GitHub's code scanning interface.
-
SBOM generation (SPDX JSON) via Trivy Automatically produced for every build. Downloadable as a workflow artifact.
-
Local parity via Makefile Run the same CI scans locally in Docker, no extra installs needed.
-
Automated dependency updates via Dependabot Weekly PRs for GitHub Actions and Docker base images, labeled
dependencies. -
OpenSSF Scorecard for trust & compliance signals Evaluates branch protection, code review, pinned dependencies, token permissions, and more.
We recommend pipx for isolated installs:
brew install pipx
pipx install pre-commitIf you've never used pipx before, ensure its bin directory is in your PATH (example for zsh):
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.zshrc
source ~/.zshrcpre-commit install
pre-commit autoupdatemkdir -p examples
echo 'ghp_abcdefghijklmnopqrstuvwxyz0123456789' > examples/bad_secret.txt
echo 'AIzaSyD4x5H7K9M1P3R5T7V9X1Z3B5D7F9H1J3' >> examples/bad_secret.txt
git add examples/bad_secret.txt
git commit -m "test: add fake token (should fail)"Expected: the commit fails with a Gitleaks findings report.
Make sure to remove bad example files using
rm examples/bad_secret.txt
-
Vulnerabilities & IaC Findings: Found under Security → Code scanning alerts in the GitHub UI. All pushes are scanned in CI/CD:
-
SBOM (Software Bill of Materials): Downloadable artifact (
sbom-spdx) from the workflow run. Each build publishes an SPDX SBOM Artifact:
-
Executive Summary:
security-summary.mdartifact includes counts of HIGH/CRITICAL issues and SBOM status.
Run the same checks locally (requires Docker):
make hook # Check Pre-commit hooks
make scan # Vulnerability + IaC scan
make sbom # SBOM generation (SPDX JSON)
examples/Dockerfile.good— UID10001, unprivileged port (8080), pinned base image.examples/pod-secure.yaml— drop all caps, read-only root FS, no privilege escalation, CPU/memory limits, non-root UID 10001.examples/terraform/main.good.tf- locked down SGs, no public egress by default unless configured
| Practice | Where | Why it matters |
|---|---|---|
| Run as non-root (UID 10001) | Dockerfile + Pod | Avoids kernel-level privileges; aligns with minimal images. |
| Unprivileged port (8080) | Dockerfile + Pod | Removes need for NET_BIND_SERVICE; simpler RBAC. |
| Drop ALL capabilities | Pod securityContext |
Shrinks kernel attack surface; principle of least privilege. |
| Disable privilege escalation | Pod securityContext |
Blocks setuid/setgid elevation attacks. |
| Read-only root filesystem | Pod securityContext |
Prevents persistence, tampering, and runtime injection. |
| Resource requests/limits | Pod resources |
Prevents noisy-neighbor and DoS from runaway containers. |
| Pinned base image & digest | Dockerfile | Prevents “CVE drift” from :latest; ensures reproducible builds. |
| Pre-commit secret scanning | .pre-commit-config.yaml (Gitleaks) |
Blocks hardcoded secrets before they leave the laptop. |
| CI/CD vulnerability scans | GitHub Actions (Trivy) | Automatic check for CVEs and IaC misconfigs every build. |
| SBOM generation (CycloneDX) | GitHub Actions (Trivy SBOM) | Creates auditable dependency inventory; critical for compliance & trust. |
| Compliance breadcrumbs | README.md, trust/ docs |
Maps controls to SOC2 / ISO 27001, gives early-stage startups proof. |
| Secure IaC examples | examples/terraform/*.good.tf |
Models least-privilege SGs, tagged resources; contrast with insecure defaults. |
| Secure coding examples | examples/* |
Learn “by contrast”: every secure example pairs with a failing demo. |
For executive stakeholders and security reviewers, we maintain a concise Security & Trust Overview page with:
- Latest CI security scan status
- Where to download the most recent SBOM
- Guardrails currently active in the repo
- Policy exception workflow
- Security contact information
Compliance mapping: see docs/compliance-mapping.md Architecture overview: see docs/architecture.md
Completed (v1 baseline): Scaffold, Gitleaks pre-commit, Trivy CI + SBOM, Makefile, Basic secure/insecure examples, OpenSSF Scorecard, compliance mapping & trust artifacts, initial screenshots.
Planned Enhancements:
- Automate Trust Badge updates (CI → shields.io)
- Add IAM/Multicloud examples (secure vs insecure)
- Expand pre-commit hooks (IaC lint, markdownlint)
- Exec-friendly “Trust” page polish (auto-fill scan date)
- More real-world IaC examples (Kubernetes, Terraform modules)
- Demo video / GIF for Quickstart