"Not a Pentest" note: This guide is about securing your own CI/CD pipelines. It is not an attack tool.
CI/CD Security Pipeline: GitLab DevSecOps Setup
Complete DevSecOps pipeline with automated security tests, secrets management and compliance checks, run on every commit.
Pipeline Security Fundamentals
Security Stages
- Pre-Commit Hooks und lokale Validierung
- Static Application Security Testing (SAST)
- Dependency Scanning und Schwachstellen-Checks
- Container-Image Security Scanning
- Dynamic Application Security Testing (DAST)
- Infrastructure-as-Code Security Testing
GitLab CI/CD Security Configuration
# .gitlab-ci.yml - Complete Security Pipeline
# The sast, dependency-scanning, container-scanning and secret-detection jobs
# below only override GitLab's managed scanner templates. Without these includes
# the jobs have no script and the pipeline configuration is rejected.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml   # used by the dast job in the extended pipeline

stages:
  - pre-build
  - build
  - test
  - security
  - deploy

variables:
  SECURE_LOG_LEVEL: "info"
  SAST_ANALYZER_IMAGE_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
  DAST_ANALYZER_IMAGE_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"

# Pre-build security checks
pre-commit-security:
  stage: pre-build
  # The image must also provide git-secrets (awslabs); pre-commit is installed here.
  image: python:3.11
  before_script:
    - pip install pre-commit
  script:
    - echo "Running pre-commit security checks"
    - git secrets --scan
    - pre-commit run --all-files
  rules:
    - if: '$CI_PIPELINE_SOURCE == "push"'

# SAST - Static Application Security Testing
sast:
  stage: security
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

# Dependency Scanning
dependency-scanning:
  stage: security
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

# Container Scanning (scans the image pushed by the build stage, so no checkout is needed)
container-scanning:
  stage: security
  variables:
    GIT_STRATEGY: none
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      exists:
        - Dockerfile

# Secret Detection
secret-detection:
  stage: security
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

Extended Security Pipeline
# Advanced security scanning with custom tools
advanced-security:
  stage: security
  image: python:3.11
  before_script:
    # checkov is its own PyPI package; a "tfsec-checkov" package does not exist
    - pip install bandit semgrep safety checkov
  script:
    # Python security scanning
    - bandit -r . -f json -o bandit-report.json
    - semgrep --config=auto --json --output=semgrep-report.json .
    - safety check --json > safety-report.json
    # Infrastructure security scanning (checkov takes the directory via -d and writes JSON to stdout)
    - checkov -d . --framework terraform -o json > checkov-report.json
  artifacts:
    when: always   # keep the reports even when a scanner exits non-zero on findings
    paths:
      # bandit's native JSON does not follow GitLab's security report schema, so it is
      # kept as a plain artifact rather than declared under reports: sast
      - bandit-report.json
      - semgrep-report.json
      - safety-report.json
      - checkov-report.json
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

# Container security scanning with trivy. docker build needs a Docker-capable runner,
# which python:3.11 does not provide, so this runs as its own job with a dind service.
container-scanning-trivy:
  stage: security
  image: docker:24
  services:
    - docker:24-dind
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
  before_script:
    - apk add --no-cache curl
    # pin a release tag at the end of the command in production instead of tracking main
    - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
  script:
    - docker build -t temp-image .
    - trivy image --format json --output trivy-report.json temp-image
  artifacts:
    when: always
    paths:
      - trivy-report.json
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      exists:
        - Dockerfile

# DAST - Dynamic Application Security Testing (requires the Security/DAST.gitlab-ci.yml template)
dast:
  stage: security
  variables:
    # CI_ENVIRONMENT_URL already contains the scheme and is only set when the job
    # declares an environment:, so do not prefix it with https://
    DAST_WEBSITE: "$CI_ENVIRONMENT_URL"
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_BROWSER_SCAN: "true"
  artifacts:
    reports:
      dast: gl-dast-report.json
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      when: manual

Security Policy Configuration
# .gitlab/security-policy.yml
# Security policy for vulnerability management
security_policy:
  vulnerability_management:
    enabled: true
    cadence: "monthly"
    auto_resolve: false

    # Critical vulnerabilities require immediate action
    critical_vulnerabilities:
      auto_create_issue: true
      due_in: "7 days"

    # High vulnerabilities
    high_vulnerabilities:
      auto_create_issue: true
      due_in: "30 days"

    # Medium vulnerabilities
    medium_vulnerabilities:
      auto_create_issue: false
      due_in: "90 days"

  # Approval policies for security
  approval_policies:
    security_approvals:
      enabled: true
      rules:
        - name: "Security team approval for critical changes"
          conditions:
            - when: "critical_security_change"
          approvals_required: 2
          eligible_approvers: ["security-team"]

Security Best Practices
Secrets Management
Use GitLab CI/CD variables with masked secrets and integrate with HashiCorp Vault.
Fail-Fast Security
Fail the pipeline on critical security issues to prevent deployment.
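An added example (not code from the page or from GitLab): a fail-fast gate that reads the gl-*-report.json artifacts the scanner jobs produce and exits non-zero when Critical or High findings are present, the same severities the policy above turns into issues. It assumes GitLab's security report schema, where findings sit under vulnerabilities[] with a severity field; the sample report and its finding names are constructed.

```python
"""Fail-fast gate over GitLab security report artifacts (gl-*-report.json)."""
import json
import sys
from collections import Counter

# Thresholds mirroring the policy above: Critical and High block the pipeline,
# everything else is reported but does not fail the job.
BLOCKING = frozenset({"Critical", "High"})
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Info", "Unknown")


def count_by_severity(report: dict) -> Counter:
    """Count findings per severity; a finding without a severity counts as Unknown."""
    return Counter(v.get("severity", "Unknown") for v in report.get("vulnerabilities", []))


def should_block(counts: Counter, blocking=BLOCKING) -> bool:
    """True when at least one finding of a blocking severity is present."""
    return any(counts[s] > 0 for s in blocking)


def gate(report_paths, blocking=BLOCKING):
    """Merge several report files and decide; returns (counts, blocked)."""
    total = Counter()
    for path in report_paths:
        with open(path, encoding="utf-8") as fh:
            total.update(count_by_severity(json.load(fh)))
    return total, should_block(total, blocking)


# Constructed sample in the shape of gl-sast-report.json; not real findings.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "s1", "category": "sast", "severity": "High", "name": "Weak hash algorithm",
         "location": {"file": "app.py", "start_line": 12}},
        {"id": "s2", "category": "sast", "severity": "Medium", "name": "Insecure temp file",
         "location": {"file": "app.py", "start_line": 40}},
        {"id": "s3", "category": "sast", "severity": "Low", "name": "Use of assert"},
    ],
}

if __name__ == "__main__":
    # With report paths as arguments it gates real artifacts; without, the sample.
    if sys.argv[1:]:
        counts, blocked = gate(sys.argv[1:])
    else:
        counts = count_by_severity(SAMPLE_REPORT)
        blocked = should_block(counts)
    for sev in SEVERITY_ORDER:
        if counts[sev]:
            print(f"{sev:<8} {counts[sev]}")
    print("BLOCK" if blocked else "PASS")
    sys.exit(1 if blocked else 0)
```

Run it as a job in the deploy stage with needs: on the scanner jobs so their report artifacts are downloaded; its non-zero exit stops the deployment.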
Compliance Integration
Integrate compliance checks for SOC2, ISO27001, and GDPR requirements.
Continuous Monitoring
Monitor pipeline security metrics and maintain audit trails.