Skip to content

Stage: security

The security stage is where vulnerabilities and policy violations surface — and, just as important, where the pipeline generates the evidence (SARIF reports, SBOMs) that the attest stage turns into immutable compliance records in the Evidence Vault / Fides. GitLab-managed scanners run in the test stage; SARC’s own scanners run in security; all are allow_failure: true so findings are recorded without blocking the demo flow.

Part of the Full pipeline action map. Use the Fullscreen button on the diagram to view it edge-to-edge.

flowchart TD
  IMG["Built images + source"]

  subgraph APPSCAN["App + dependency"]
    direction TB
    SAST["semgrep-sast — code SAST (SARIF)"]
    SEC["secret_detection — gitleaks (SARIF)"]
    DEP["gemnasium — dependency CVEs (SARIF)"]
  end

  subgraph CONT["Container scans (dual DB)"]
    direction TB
    TRIVY["container_scanning — Trivy<br/>portal + podtato x6"]
    GRYPE["security:grype — Grype<br/>portal + podtato x6"]
  end

  subgraph IAC["IaC + manifests"]
    direction TB
    KICS["kics-iac-sast — tfsec/kubesec (SARIF)"]
    CKV["security:checkov:infra — aws/azure/gcp (SARIF)"]
    KCF["security:kubeconform — k8s schema"]
  end

  subgraph SBOMG["SBOM — CycloneDX (Syft)"]
    direction TB
    SBI["images: portal + podtato x6"]
    SBC["charts: portal + podtato"]
  end

  IMG --> APPSCAN
  IMG --> CONT
  IMG --> IAC
  IMG --> SBOMG

  class SAST,SEC,DEP,TRIVY,GRYPE,KICS,CKV,KCF scan
  class SBI,SBC sbom
  class IMG io
  classDef scan fill:#cf222e,stroke:#82071e,color:#ffffff
  classDef sbom fill:#2da44e,stroke:#116329,color:#ffffff
  classDef io fill:#57606a,stroke:#32383f,color:#ffffff
JobTool / outputWhy
semgrep-sastSemgrep SAST → SARIFInjection, unsafe patterns, hardcoded secrets in source.
secret_detectiongitleaks → SARIFPrevents committed credentials (AWS keys, PATs); excludes test fixtures.
gemnasium-dependency_scanningGemnasium → SARIFKnown-vulnerable npm/yarn dependencies (supply chain).
container_scanning (+ :podtato:* ×6)Trivy → JSONBase-image and layer CVEs, by immutable digest.
security:grype (+ :podtato ×6)Grype → SARIF + JSONSecond vulnerability DB — cross-validates Trivy’s findings.
kics-iac-sastKICS → SARIFMisconfigured IAM, ingress, RBAC, unencrypted storage in Terraform + k8s.
security:checkov:infra (aws/azure/gcp)Checkov → SARIFCloud-specific policy violations; broader rule library than KICS, per cloud.
security:kubeconformKubeconform → textRendered Helm manifests validated against k8s schemas (catches deprecated APIs).
sbom:portal:image, sbom:podtato:image ×6Syft → CycloneDXPer-image bill of materials for attestation + license/vuln correlation.
sbom:karc-portal:chart, sbom:podtato:chartSyft → CycloneDXChart-level dependency attestation (subchart versions).

Container, SBOM, and Grype jobs fan out per artifact — the portal plus the six podtato-head microservices each scanned independently. Checkov fans out per cloud.

Two reasons at once. First, defence in depth: source, dependencies, containers (scanned by two engines), IaC, and manifests are all checked. Second, and uniquely to SARC, the scan outputs are not discarded — every SARIF report and CycloneDX SBOM becomes an attestation on the evidence trail in the next stage, which is what makes “prove this build was scanned” a query rather than a manual hunt.


Stages: buildsecurityattest · all stages