Initial commit

skills/software-security/rules/codeguard-0-devops-ci-cd-containers.md

@@ -0,0 +1,64 @@
+---
+description: DevOps, CI/CD, and containers (pipeline hardening, artifacts, Docker/K8s images, virtual patching, toolchain)
+languages:
+- docker
+- javascript
+- powershell
+- shell
+- xml
+- yaml
+alwaysApply: false
+---
+
+rule_id: codeguard-0-devops-ci-cd-containers
+
+## DevOps, CI/CD, and Containers
+
+Secure the build, packaging, and deployment supply chain: protect pipelines and artifacts, harden containers, and use virtual patching and toolchain flags when necessary.
+
+### CI/CD Pipeline Security
+- Repos: protected branches; mandatory reviews; signed commits.
+- Secrets: never hardcode; fetch at runtime from vault/KMS; mask in logs.
+- Least privilege: ephemeral, isolated runners with minimal permissions.
+- Security gates in CI: SAST, SCA, DAST, IaC scanning; block on criticals.
+- Dependencies: pin via lockfiles; verify integrity; use private registries.
+- Sign everything: commits and artifacts (containers/jars) and verify prior to deploy; adopt SLSA provenance.
+
+### Docker and Container Hardening
+- User: run as non‑root; set `USER` in Dockerfile
+- Use `--security-opt=no-new-privileges` to prevent privilege escalation.
+- Capabilities: `--cap-drop all` and add only what you need; never `--privileged`.
+- Daemon socket: never mount `/var/run/docker.sock`
+- DO NOT enable TCP Docker daemon socket (`-H tcp://0.0.0.0:XXX`) without TLS.
+- Avoid `- "/var/run/docker.sock:/var/run/docker.sock"` in docker-compose files.
+- Filesystems: read‑only root, tmpfs for temp write; resource limits (CPU/mem).
+- Networks: avoid host network; define custom networks; limit exposed ports.
+- Images: minimal base (distroless/alpine), pin tags and digests; remove package managers and tools from final image; add `HEALTHCHECK`.
+- Secrets: Docker/Kubernetes secrets; never in layers/env; mount via runtime secrets.
+- Scanning: scan images on build and admission; block high‑severity vulns.
+
+### Node.js in Containers
+- Deterministic builds: `npm ci --omit=dev`; pin base image with digest.
+- Production env: `ENV NODE_ENV=production`.
+- Non‑root: copy with correct ownership and drop to `USER node`.
+- Signals: use an init (e.g., `dumb-init`) and implement graceful shutdown handlers.
+- Multi‑stage builds: separate build and runtime; mount secrets via BuildKit; use `.dockerignore`.
+
+### Virtual Patching (Temporary Mitigation)
+- Use WAF/IPS/ModSecurity for immediate protection when code fixes are not yet possible.
+- Prefer positive security rules (allow‑list) for accuracy; avoid exploit‑specific signatures.
+- Process: prepare tooling in advance; analyze CVEs; implement patches in log‑only first, then enforce; track and retire after code fix.
+
+### C/C++ Toolchain Hardening (when applicable)
+- Compiler: `-Wall -Wextra -Wconversion`, `-fstack-protector-all`, PIE (`-fPIE`/`-pie`), `_FORTIFY_SOURCE=2`, CFI (`-fsanitize=cfi` with LTO).
+- Linker: RELRO/now, noexecstack, NX/DEP and ASLR.
+- Debug vs Release: enable sanitizers in debug; enable hardening flags in release; assert in debug only.
+- CI checks: verify flags (`checksec`) and fail builds if protections missing.
+
+### Implementation Checklist
+- Pipeline: secrets in vault; ephemeral runners; security scans; signed artifacts with provenance.
+- Containers: non‑root, least privilege, read‑only FS, resource limits; no daemon socket mounts.
+- Images: minimal, pinned, scanned; healthchecks; `.dockerignore` maintained.
+- Node images: `npm ci`, `NODE_ENV=production`, proper init and shutdown.
+- Virtual patching: defined process; accurate rules; logs; retirement after fix.
+- Native builds: hardening flags enabled and verified in CI.