Basic DevSecOps with GitHub Actions
DevOps
COURSE OVERVIEW
This 3-day intensive course, DevSecOps with GitHub Actions, is designed to help professionals integrate security seamlessly into the automated software development lifecycle.
The program focuses on the "shift-left" security philosophy, moving security practices earlier in the development process to create a secure software supply chain. Participants will learn to navigate the GitHub platform and leverage GitHub Actions for CI/CD and workflow automation. The curriculum covers building secure pipelines that incorporate automated Static Application Security Testing (SAST), dependency scanning, and container image scanning. Through hands-on exercises, learners will manage secrets securely and enforce compliance policies before concluding with a Capstone Project that builds a complete, end-to-end DevSecOps pipeline.
Learning Objectives
By the end of this course, participants will be able to:
· Apply DevSecOps Principles: Understand the core tenets of DevOps and how to integrate security into every stage of the lifecycle.
· Master GitHub Actions Architecture: Configure workflows, events, jobs, and runners to automate complex CI/CD processes.
· Implement Automated Security Scanning: Utilize tools like CodeQL and Trivy to perform static analysis, dependency checks, and container scanning.
· Manage Secrets Securely: Effectively use GitHub Secrets and integrate external managers like HashiCorp Vault to prevent credential leaks.
· Enforce Compliance as Code: Establish branch protection rules, mandatory reviews, and automated policy checks to maintain governance.
· Orchestrate Secure Deployments: Build automated deployment pipelines to cloud platforms like AWS and Azure and secure Kubernetes environments.
· Monitor and Respond: Set up security logs and alerts for continuous monitoring and automated incident remediation.
Target Audience
This course is specifically designed for:
· DevOps Engineers who want to specialize in security automation and secure pipeline design.
· Security Professionals looking to integrate their testing protocols into modern CI/CD workflows.
· Software Developers aiming to build more secure applications by mastering "shift-left" techniques.
· Technical Leads and Architects responsible for overseeing the security of an organization's software supply chain.
Prerequisite
Participants should have a good understanding of DevOps before enrolling in this course.
COURSE OUTLINE
1. Introduction to DevSecOps
1.1 What is DevOps
· DevOps principles
· DevOps lifecycle
· Continuous Integration
· Continuous Delivery
1.2 What is DevSecOps
· Security in DevOps
· Shift-left security
· Secure software supply chain
1.3 DevSecOps Benefits
· Faster secure releases
· Automated security testing
· Continuous compliance
2. Introduction to GitHub Platform
2.1 Overview of GitHub
· What is GitHub
· GitHub architecture
· GitHub workflow
2.2 GitHub Repositories
· Creating repositories
· Repository structure
· Repository permissions
2.3 Branching and Collaboration
· Branching strategies
· Pull requests
· Code reviews
· Branch protection rules
3. Introduction to GitHub Actions
3.1 What is GitHub Actions
· CI/CD automation with GitHub Actions
· Workflow automation
· GitHub Actions architecture
3.2 Components of GitHub Actions
· Workflows
· Events
· Jobs
· Steps
· Actions
· Runners
3.3 GitHub Workflow Files
Location: .github/workflows/
Example workflow:
name: CI Pipeline
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Hello DevOps"
4. Creating CI Pipelines with GitHub Actions
4.1 Triggering Workflows
Events:
· push
· pull_request
· schedule
· workflow_dispatch
4.2 Workflow Execution
· Job execution
· Step execution
· Parallel jobs
· Job dependencies
4.3 Pipeline Visualization
· Workflow dashboard
· Job logs
· Debugging workflows
5. Build Automation
5.1 Build Pipelines
· Compile code
· Build artifacts
· Package applications
5.2 Artifact Management
· Upload artifacts
· Download artifacts
Example: actions/upload-artifact
6. Automated Testing in CI
6.1 Unit Testing
· Running test frameworks
· Test reports
6.2 Integration Testing
· Service testing
· API testing
6.3 Code Coverage
7. Security Fundamentals for DevSecOps
7.1 Secure Development Lifecycle
· Secure coding practices
· Vulnerability management
7.2 Threat Modeling
· Identifying attack surfaces
· Risk assessment
7.3 DevSecOps Pipeline Architecture
8. Static Application Security Testing (SAST)
8.1 What is SAST
· Source code vulnerability scanning
· Early security detection
8.2 SAST Tools in GitHub
Using:
· CodeQL
· SonarQube
8.3 Implementing SAST in GitHub Actions
Example workflow:
· Scan code automatically
· Generate vulnerability reports
9. Dependency Security Scanning
9.1 Open Source Security Risks
· Dependency vulnerabilities
· Supply chain attacks
9.2 GitHub Dependency Scanning
Using:
· Dependabot
9.3 Automated Dependency Updates
· Security alerts
· Automated pull requests
10. Container Security
10.1 Container Security Fundamentals
· Image vulnerabilities
· Secure container builds
10.2 Container Image Scanning
Using:
· Trivy
10.3 Secure Docker Pipelines
Working with:
· Docker
11. Infrastructure Security
11.1 Infrastructure as Code Security
· IaC vulnerabilities
· Configuration scanning
11.2 IaC Security Tools
Using:
· Checkov
· Terraform
12. Secrets Management
12.1 Managing Secrets in Pipelines
· Storing secrets securely
· Avoiding credential leaks
12.2 GitHub Secrets
Using:
· GitHub Secrets
12.3 Integrating External Secret Managers
Example:
· HashiCorp Vault
13. Compliance and Policy Enforcement
13.1 Security Policies
· Branch protection rules
· Mandatory reviews
13.2 Policy as Code
· Automated compliance checks
13.3 Audit and Compliance Reporting
14. Deployment Pipelines
14.1 Continuous Deployment
· Deployment automation
· Environment promotion
14.2 Cloud Deployment Pipelines
Platforms:
· Amazon Web Services
· Microsoft Azure
15. Kubernetes Security in Pipelines
15.1 Secure Kubernetes Deployments
· Cluster security
· Deployment security
Working with:
· Kubernetes
16. Monitoring and Incident Response
16.1 Security Monitoring
· Security logs
· Alerts
16.2 Incident Response
· Automated remediation
· Security playbooks
17. Advanced GitHub Actions Features
17.1 Reusable Workflows
17.2 Composite Actions
17.3 Workflow Templates
17.4 Matrix Builds
18. DevSecOps Governance
18.1 Security Governance
18.2 DevSecOps Maturity Models
18.3 Secure Pipeline Design
19. DevSecOps Best Practices
· Least privilege access
· Secure pipeline design
· Automated security testing
· Continuous monitoring
20. DevSecOps Capstone Project
Build a complete DevSecOps pipeline.
Pipeline stages:
1. Code commit
2. Build pipeline
3. Unit testing
4. Static security scanning
5. Dependency scanning
6. Container image scanning
7. Infrastructure scanning
8. Deployment to cloud
9. Security monitoring
Using tools:
· GitHub Actions
· CodeQL
· Trivy
· Terraform
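To show how the capstone stages above map onto one GitHub Actions workflow, here is an added example written for this page (it is not course material). It assumes a Makefile with build and test targets, a JavaScript codebase, a Dockerfile at the repository root and Terraform under infra/; dependency review stands in for stage 5 because Dependabot is configured through .github/dependabot.yml rather than as a workflow job, and stage 9 (monitoring) is outside the workflow itself.

```yaml
name: DevSecOps Pipeline
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # CodeQL uploads SARIF results to code scanning
jobs:
  build-test:              # stages 2-3: build and unit tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build && make test   # assumed Makefile targets
  sast:                    # stage 4: static analysis with CodeQL
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript        # assumed project language
      - uses: github/codeql-action/analyze@v3
  dependency-review:       # stage 5: block PRs that add vulnerable packages
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
  container-scan:          # stage 6: scan the built image with Trivy
    needs: build-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:${{ github.sha }} .
      - uses: aquasecurity/trivy-action@master   # pin to a release tag in practice
        with:
          image-ref: app:${{ github.sha }}
          severity: CRITICAL,HIGH
          exit-code: '1'   # non-zero exit fails the job on findings
  iac-scan:                # stage 7: Terraform scanning with Checkov
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: bridgecrewio/checkov-action@v12
        with:
          directory: infra/   # assumed Terraform directory
          framework: terraform
  deploy:                  # stage 8: runs only after every scan job passes
    needs: [sast, container-scan, iac-scan]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - run: echo "cloud deploy goes here"
```

The top-level permissions block grants the workflow token only what the scans need, and the deploy job's needs list is what turns the scans into gates rather than advisory checks.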