A working engineer's DevSecOps reference — scripts, how-to guides, runbooks, and templates for infrastructure automation, security scanning, CI/CD, and observability.
A curated collection of production-ready shell scripts, how-to guides, runbooks, snippets, and templates covering the tools and practices a practising DevSecOps engineer reaches for daily. Every entry is version-specific, scenario-grounded, and designed to be adapted for real infrastructure work.
The kit spans Kubernetes, Terraform, CI/CD pipelines, observability stacks, Linux system administration, container registries, and security scanning (Trivy, Semgrep, Checkov, TruffleHog, Syft, Grype, CodeQL, ZAP, Falco, Cosign) with CVE-specific remediation guidance.
| Tool | Scripts | Docs | Snippets | Templates | More |
|---|---|---|---|---|---|
| Linux | 50 | 39 | 2 | 14 | — |
| Kubernetes | 17 | 13 | 1 | 3 | — |
| Kafka | 17 | 3 | 2 | — | — |
| Terraform | 15 | 17 | 1 | 12 | modules:7, environments:12 |
| Jenkins | 4 | 13 | 4 | 1 | — |
| Ansible | 11 | 7 | 1 | — | — |
| CI/CD | 17 | 11 | 1 | — | ArgoCD, Flux |
| Observability | 14 | 3 | 1 | — | — |
| OCI / Container Registries | 11 | 7 | 1 | — | — |
| Docker | 7 | 5 | 1 | — | — |
| Vault | 7 | 6 | 1 | — | notes:3 |
| Git | 8 | 24 | 1 | — | — |
| Helm | 3 | 2 | — | — | — |
| Checkov | 6 | 2 | 4 | 5 | notes:4, configs:2, policies, notebooks |
| Semgrep | 4 | 3 | 2 | — | notes:3, configs, notebooks, Dockerfiles |
| Trivy | 7 | 2 | 1 | 6 | notes:3, configs:2, notebooks, Dockerfiles |
| TruffleHog | 5 | 1 | 2 | 6 | notes:3, configs:2 |
| Syft | 3 | 1 | 1 | — | notes:4, configs |
| Grype | 4 | — | 2 | — | notes:4 |
| CodeQL | 2 | — | 2 | — | notes:2, configs |
| ZAP | 3 | 1 | 3 | — | notes:4 |
| Falco | — | — | — | — | notes:2, configs:2 |
| Cosign | 1 | — | — | — | notes:2 |
| OPA | 1 | — | 2 | — | notes:2 |
| GitGuardian | 2 | — | 2 | — | notes:3, configs |
| Snyk | 1 | — | 1 | — | notes:3 |
- Cosign — sign and verify container images — Install Cosign, sign an image, and verify signatures
- Falco — runtime security primer — First-day primer on Falco runtime security
- ZAP — spider scan against a test app — Run a ZAP spider scan against a test application
- GitGuardian — ggshield quickstart trip-ups — Quickstart walkthrough and common pitfalls
- ZAP — authenticated scan with context — Authenticated scanning using ZAP context
- 00_index/ — Navigation: topic index, quick links, glossary
- .github/ — PR template, CODEOWNERS, workflow README
- checkov/, semgrep/, trivy/, trufflehog/, syft/ — Security scanner notes, scripts, configs
- grype/, codeql/, zap/, snyk/, gitguardian/, falco/, cosign/ — Vulnerability scanner and security tool content
- opa/ — OPA/Gatekeeper policies and snippets
- vault/ — HashiCorp Vault primers and notes
- docs/ — How-to guides, concepts, reference, runbooks, security docs, troubleshooting, setup guides
- environments/ — Terraform environment configs (dev / staging / prod)
- lab/ — Mini-projects and sandboxes
- scripts/ — Shell scripts organized by tool (bash toolkit directories)
- snippets/ — Copy-paste ready one-liners and cheatsheets
- templates/ — Starter configs for Kubernetes, Terraform, Docker, Linux automation, Jenkins, Logstash, syslog-ng
- terraform/ — Terraform modules (EventBridge Lambda, networking)
Actively maintained with weekly additions. Current focus areas: OWASP ZAP DAST scanning primers, Cosign container image signing, Falco runtime security rules, Kubernetes security CVEs, Terraform provisioning patterns, and CI/CD pipeline integration scripts.
Last updated: 2026-06-13