Stage: security
The security stage is where vulnerabilities and policy violations
surface — and, just as important, where the pipeline generates the evidence
(SARIF reports, SBOMs) that the attest stage
turns into immutable compliance records in the Evidence Vault / Fides. GitLab-managed scanners run in the
test stage; SARC’s own scanners run in security; all are allow_failure: true
so findings are recorded without blocking the demo flow.
Part of the Full pipeline action map. Use the Fullscreen button on the diagram to view it edge-to-edge.
flowchart TD
IMG["Built images + source"]
subgraph APPSCAN["App + dependency"]
direction TB
SAST["semgrep-sast — code SAST (SARIF)"]
SEC["secret_detection — gitleaks (SARIF)"]
DEP["gemnasium — dependency CVEs (SARIF)"]
end
subgraph CONT["Container scans (dual DB)"]
direction TB
TRIVY["container_scanning — Trivy<br/>portal + podtato x6"]
GRYPE["security:grype — Grype<br/>portal + podtato x6"]
end
subgraph IAC["IaC + manifests"]
direction TB
KICS["kics-iac-sast — tfsec/kubesec (SARIF)"]
CKV["security:checkov:infra — aws/azure/gcp (SARIF)"]
KCF["security:kubeconform — k8s schema"]
end
subgraph SBOMG["SBOM — CycloneDX (Syft)"]
direction TB
SBI["images: portal + podtato x6"]
SBC["charts: portal + podtato"]
end
IMG --> APPSCAN
IMG --> CONT
IMG --> IAC
IMG --> SBOMG
class SAST,SEC,DEP,TRIVY,GRYPE,KICS,CKV,KCF scan
class SBI,SBC sbom
class IMG io
classDef scan fill:#cf222e,stroke:#82071e,color:#ffffff
classDef sbom fill:#2da44e,stroke:#116329,color:#ffffff
classDef io fill:#57606a,stroke:#32383f,color:#ffffff
Jobs in this stage
Section titled “Jobs in this stage”| Job | Tool / output | Why |
|---|---|---|
semgrep-sast | Semgrep SAST → SARIF | Injection, unsafe patterns, hardcoded secrets in source. |
secret_detection | gitleaks → SARIF | Prevents committed credentials (AWS keys, PATs); excludes test fixtures. |
gemnasium-dependency_scanning | Gemnasium → SARIF | Known-vulnerable npm/yarn dependencies (supply chain). |
container_scanning (+ :podtato:* ×6) | Trivy → JSON | Base-image and layer CVEs, by immutable digest. |
security:grype (+ :podtato ×6) | Grype → SARIF + JSON | Second vulnerability DB — cross-validates Trivy’s findings. |
kics-iac-sast | KICS → SARIF | Misconfigured IAM, ingress, RBAC, unencrypted storage in Terraform + k8s. |
security:checkov:infra (aws/azure/gcp) | Checkov → SARIF | Cloud-specific policy violations; broader rule library than KICS, per cloud. |
security:kubeconform | Kubeconform → text | Rendered Helm manifests validated against k8s schemas (catches deprecated APIs). |
sbom:portal:image, sbom:podtato:image ×6 | Syft → CycloneDX | Per-image bill of materials for attestation + license/vuln correlation. |
sbom:karc-portal:chart, sbom:podtato:chart | Syft → CycloneDX | Chart-level dependency attestation (subchart versions). |
Container, SBOM, and Grype jobs fan out per artifact — the portal plus the six podtato-head microservices each scanned independently. Checkov fans out per cloud.
Why this stage exists
Section titled “Why this stage exists”Two reasons at once. First, defence in depth: source, dependencies, containers (scanned by two engines), IaC, and manifests are all checked. Second, and uniquely to SARC, the scan outputs are not discarded — every SARIF report and CycloneDX SBOM becomes an attestation on the evidence trail in the next stage, which is what makes “prove this build was scanned” a query rather than a manual hunt.
Stages: build → security → attest · all stages