# Pipeline Rules (R01-R45)

45 rules for GitLab CI and GitHub Actions YAML files. Each rule that fires deducts its listed points (Pts) from the Security Score.
## SEC — Secret Management (R01-R07)

| ID | Sev | Pts | Description | Fix |
|----|-----|-----|-------------|-----|
| R01 | CRIT | 3 | No secret scanning stage | Add gitleaks scanning stage |
| R02 | HIGH | 2 | Secret scanning allows failure | Set allow_failure: false on secret scanning job |
| R03 | CRIT | 5 | Hardcoded secret or credential in pipeline | Move to CI/CD variables with masked + protected flags |
| R04 | MED | 2 | No pre-commit hook for secrets | Add pre-commit hook with gitleaks |
| R05 | HIGH | 2 | No Vault or external secret manager integration | Integrate HashiCorp Vault for secret management |
| R06 | MED | 1 | Secrets not masked in CI/CD variables | Enable masked + protected flags on CI/CD variables |
| R07 | LOW | 1 | No secret rotation policy mentioned | Implement secret rotation with Vault dynamic secrets |
## SAS — Static Analysis / SAST (R08-R14)

| ID | Sev | Pts | Description | Fix |
|----|-----|-----|-------------|-----|
| R08 | CRIT | 3 | No SAST scanning stage | Add Semgrep SAST scanning stage |
| R09 | HIGH | 2 | SAST scanning allows failure | Set allow_failure: false on SAST job |
| R10 | MED | 2 | No custom SAST rules or configuration | Add custom Semgrep rules for your tech stack |
| R11 | MED | 2 | No SAST output in machine-readable format | Add --sarif or --json flag to SAST command |
| R12 | HIGH | 2 | No linting stage | Add linting stage with appropriate linter |
| R13 | MED | 2 | No quality gate or threshold for SAST | Add quality gate: fail on critical/high severity |
| R14 | LOW | 2 | No IaC scanning for Terraform/CloudFormation | Add Checkov or tfsec for IaC scanning |
## SCA — Supply Chain Security (R15-R23)

| ID | Sev | Pts | Description | Fix |
|----|-----|-----|-------------|-----|
| R15 | CRIT | 3 | No dependency vulnerability scanning | Add dependency scanning with Trivy or Snyk |
| R16 | HIGH | 2 | Dependency scanning allows failure | Set allow_failure: false on dependency scanning |
| R17 | HIGH | 2 | No container image scanning | Add Trivy container image scanning stage |
| R18 | MED | 2 | No SBOM generation | Add SBOM generation with Syft in CycloneDX format |
| R19 | MED | 2 | No image signing or verification | Sign images with Cosign and verify in deployment |
| R20 | HIGH | 2 | Using npm install instead of npm ci | Replace npm install with npm ci |
| R21 | MED | 2 | No private registry for container images | Use private registry (Harbor, ECR, GCR) |
| R22 | MED | 2 | No license compliance scanning | Add license scanning with FOSSA or license-finder |
| R23 | HIGH | 3 | No lockfile integrity check | Use npm ci / yarn --frozen-lockfile / pip --require-hashes |
## DST — Dynamic Testing / DAST (R24-R27)

| ID | Sev | Pts | Description | Fix |
|----|-----|-----|-------------|-----|
| R24 | HIGH | 3 | No DAST scanning stage | Add OWASP ZAP baseline scan in staging |
| R25 | MED | 2 | DAST not running against staging environment | Target DAST at staging/preview environment URL |
| R26 | MED | 3 | No API security testing | Add API security testing with ZAP API scan |
| R27 | LOW | 2 | No fuzz testing | Add fuzz testing for critical input parsers |
## DEP — Deployment Security (R28-R36)

| ID | Sev | Pts | Description | Fix |
|----|-----|-----|-------------|-----|
| R28 | CRIT | 3 | No manual approval for production deployment | Add when: manual gate before production deploy |
| R29 | HIGH | 2 | No rollback strategy defined | Add rollback job or use ArgoCD for auto rollback |
| R30 | HIGH | 2 | No smoke tests after deployment | Add post-deploy smoke test: curl health endpoint |
| R31 | MED | 2 | No GitOps deployment approach | Adopt ArgoCD or Flux for declarative GitOps |
| R32 | HIGH | 2 | Deployment uses kubectl with hardcoded credentials | Use service accounts or OIDC for kubectl auth |
| R33 | MED | 2 | No environment separation in pipeline | Define separate environment stages: dev, staging, prod |
| R34 | MED | 2 | No deployment notifications | Add Slack/Teams notification on deploy status |
| R35 | MED | 2 | No progressive delivery strategy | Use canary or blue-green with Argo Rollouts |
| R36 | HIGH | 3 | Deploying unscanned images | Add image scanning stage before deployment |
## GOV — Governance & Compliance (R37-R45)

| ID | Sev | Pts | Description | Fix |
|----|-----|-----|-------------|-----|
| R37 | HIGH | 3 | No security results aggregation platform | Integrate DefectDojo for centralized vuln management |
| R38 | MED | 2 | No test coverage reporting | Add coverage reporting with codecov |
| R39 | MED | 2 | No merge request / PR pipeline trigger | Add merge_request / pull_request trigger |
| R40 | MED | 2 | No pipeline timeout configured | Add global timeout: 60 minutes |
| R41 | MED | 2 | No artifact archiving for audit trail | Archive scan reports as pipeline artifacts |
| R42 | HIGH | 2 | Security scans not in dedicated stage | Create dedicated security stage in pipeline |
| R43 | LOW | 2 | No compliance as code framework | Add OPA/Conftest policy checks in pipeline |
| R44 | MED | 2 | No branch protection enforcement in pipeline | Restrict deployment to protected branches only |
| R45 | MED | 3 | No unit/integration test stage | Add test stage with appropriate test framework |
Total: 45 rules across 6 categories. Maximum deduction: 100 points (Security Score).
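To show how rules of this kind translate into checks and into a score deduction, here is an added example that implements five of them (R01, R02, R28, R40 and R42) against the deserialized form of a GitLab CI file. It is illustrative code written for this page, not the scanner's own source, and it takes the dict a YAML parser would return for the file so that it needs no third-party library. The keyword matching (gitleaks, semgrep, trivy and so on), the `default: timeout:` check and the two sample pipelines are assumptions constructed for the example; the severities and points are copied from the tables above.

```python
# Added example: toy checker for rules R01, R02, R28, R40 and R42 from the
# tables above. Illustrative code for this page, not the scanner's own source.
# Input is the dict a YAML parser would return for a .gitlab-ci.yml file.

# (severity, points, description) copied from the rule tables above
RULES = {
    "R01": ("CRIT", 3, "No secret scanning stage"),
    "R02": ("HIGH", 2, "Secret scanning allows failure"),
    "R28": ("CRIT", 3, "No manual approval for production deployment"),
    "R40": ("MED", 2, "No pipeline timeout configured"),
    "R42": ("HIGH", 2, "Security scans not in dedicated stage"),
}

# Top-level GitLab CI keywords that are not job definitions.
GLOBAL_KEYS = {"stages", "default", "variables", "include", "workflow",
               "image", "services", "cache", "before_script", "after_script"}

# Assumed heuristic: a job is a scan if one of these tool names appears in
# its script or image. A real scanner would match far more patterns.
SECRET_TOOLS = ("gitleaks",)
SECURITY_TOOLS = ("gitleaks", "semgrep", "trivy", "snyk", "checkov", "tfsec")


def jobs(ci):
    """Return {name: job} for every concrete (non-hidden) job in the pipeline."""
    return {k: v for k, v in ci.items()
            if k not in GLOBAL_KEYS and not k.startswith(".") and isinstance(v, dict)}


def job_text(job):
    """Flatten a job's script lines and image name into one lowercase string."""
    script = job.get("script") or []
    if isinstance(script, str):
        script = [script]
    image = job.get("image")
    if isinstance(image, dict):
        image = image.get("name", "")
    return "\n".join([*(str(s) for s in script), str(image or "")]).lower()


def uses_tool(job, tools):
    text = job_text(job)
    return any(t in text for t in tools)


def is_prod_deploy(job):
    """environment: may be a plain name or a mapping with a name key."""
    env = job.get("environment")
    name = env.get("name") if isinstance(env, dict) else env
    return isinstance(name, str) and name.lower().startswith("prod")


def check(ci):
    """Return the IDs of the rules the pipeline violates, in rule order."""
    findings = []
    js = jobs(ci)

    # R01 / R02: a secret scanning job must exist and must not allow failure.
    secret_jobs = [j for j in js.values() if uses_tool(j, SECRET_TOOLS)]
    if not secret_jobs:
        findings.append("R01")
    elif any(j.get("allow_failure") is True for j in secret_jobs):
        findings.append("R02")

    # R28: every job deploying to a production environment needs when: manual.
    if any(is_prod_deploy(j) and j.get("when") != "manual" for j in js.values()):
        findings.append("R28")

    # R40 (assumed reading): a timeout set under default:, or on every job.
    has_default = "timeout" in (ci.get("default") or {})
    if not has_default and not all("timeout" in j for j in js.values()):
        findings.append("R40")

    # R42: all security scans share one stage, and that stage holds nothing else.
    sec_names = {n for n, j in js.items() if uses_tool(j, SECURITY_TOOLS)}
    if sec_names:
        stages = {js[n].get("stage") for n in sec_names}
        shared = [n for n, j in js.items()
                  if n not in sec_names and j.get("stage") in stages]
        if len(stages) != 1 or shared:
            findings.append("R42")
    return findings


def deduction(findings):
    """Points taken off the Security Score for these findings."""
    return sum(RULES[r][1] for r in findings)


# Constructed sample: scans lumped into "test", scan allowed to fail, no gate.
WEAK = {
    "stages": ["build", "test", "deploy"],
    "secret_scan": {"stage": "test", "allow_failure": True,
                    "script": ["gitleaks detect --source . --no-git"]},
    "unit": {"stage": "test", "script": ["npm ci", "npm test"]},
    "deploy_prod": {"stage": "deploy", "script": ["./deploy.sh"],
                    "environment": {"name": "production"}},
}

# Same pipeline with the Fix column applied for R02, R28, R40 and R42.
FIXED = {
    "stages": ["build", "security", "test", "deploy"],
    "default": {"timeout": "60 minutes"},
    "secret_scan": {"stage": "security", "allow_failure": False,
                    "script": ["gitleaks detect --source . --no-git"]},
    "unit": {"stage": "test", "script": ["npm ci", "npm test"]},
    "deploy_prod": {"stage": "deploy", "script": ["./deploy.sh"],
                    "environment": {"name": "production"}, "when": "manual"},
}

if __name__ == "__main__":
    for label, ci in (("weak", WEAK), ("fixed", FIXED)):
        found = check(ci)
        print(f"{label}: -{deduction(found)} pts",
              [f"{r} {RULES[r][2]}" for r in found])
```

Running it reports the weak pipeline at -9 points (R02, R28, R40, R42) and the fixed one at 0. Dropping the secret_scan job from the weak pipeline swaps R02 for R01 and, because no scan job remains, R42 no longer applies: the point is that R01 and R02 are exclusive, while R42 only judges placement once a scan exists.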