CI/CD Security
OIDC Authentication
- No long-lived AWS credentials are stored in GitHub secrets
- The workflow requests a short-lived OIDC token from GitHub and exchanges it for temporary AWS credentials via `sts:AssumeRoleWithWebIdentity`
- Each workflow assumes its own least-privilege role; the role's trust policy must pin the token's `sub` claim to the repository and branch (or environment) as well as the `aud` claim, otherwise any GitHub Actions workflow could assume it
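The trust-policy point above is easy to get wrong, so here is an added example (not the project's own code) that builds a correctly scoped IAM trust policy for GitHub's OIDC provider, builds the common weak variant that checks only `aud`, and evaluates both against constructed token claims the way IAM evaluates `StringEquals`/`StringLike` conditions. The account ID, repository name and branch are hypothetical; the claim names, the `sub` formats and the `sts.amazonaws.com` audience are what GitHub actually issues.

```python
import fnmatch

# GitHub's OIDC issuer host; IAM condition keys for its claims are prefixed with it.
GITHUB_OIDC = "token.actions.githubusercontent.com"

# Hypothetical values for this example (not taken from the page).
ACCOUNT_ID = "123456789012"
REPO = "example-org/example-repo"


def trust_policy(account_id: str, repo: str, ref: str = "refs/heads/main") -> dict:
    """Trust policy that lets only one repository's deploy ref assume the role.

    `aud` is pinned with StringEquals; `sub` is pinned with StringLike so a
    wildcard such as "refs/heads/release/*" can be used when needed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                    "StringLike": {f"{GITHUB_OIDC}:sub": f"repo:{repo}:ref:{ref}"},
                },
            }
        ],
    }


def weak_trust_policy(account_id: str) -> dict:
    """The common misconfiguration: aud is checked but sub is not.

    Every Actions token minted for AWS carries aud=sts.amazonaws.com, so with
    this policy any repository on GitHub could assume the role.
    """
    policy = trust_policy(account_id, repo="unused")
    del policy["Statement"][0]["Condition"]["StringLike"]
    return policy


def condition_allows(policy: dict, claims: dict) -> bool:
    """Evaluate the StringEquals/StringLike conditions of each Allow statement.

    Mirrors IAM semantics for these operators: every key in the Condition block
    must match for the statement to apply. IAM StringLike only knows `*` and
    `?`; the sample values contain no `[`, so fnmatch behaves the same here.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        matched = True
        for key, expected in cond.get("StringEquals", {}).items():
            claim = key.split(":", 1)[1]  # "<issuer>:aud" -> "aud"
            if claims.get(claim) != expected:
                matched = False
        for key, pattern in cond.get("StringLike", {}).items():
            claim = key.split(":", 1)[1]
            if not fnmatch.fnmatchcase(claims.get(claim, ""), pattern):
                matched = False
        if matched:
            return True
    return False


# Constructed sample tokens (only the claims the trust policy inspects).
# The sub formats are the ones GitHub issues for push and pull_request jobs.
SAMPLE_CLAIMS = {
    "main push, own repo": {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:ref:refs/heads/main"},
    "feature push, own repo": {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:ref:refs/heads/feature-x"},
    "pull_request, own repo": {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:pull_request"},
    "main push, other repo": {"aud": "sts.amazonaws.com", "sub": "repo:someone-else/their-repo:ref:refs/heads/main"},
    "wrong audience": {"aud": "https://github.com/example-org", "sub": f"repo:{REPO}:ref:refs/heads/main"},
}


def evaluate(policy: dict) -> dict:
    """Return {token label: allowed?} for every sample token under `policy`."""
    return {label: condition_allows(policy, claims) for label, claims in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    strict = evaluate(trust_policy(ACCOUNT_ID, REPO))
    weak = evaluate(weak_trust_policy(ACCOUNT_ID))
    for label in SAMPLE_CLAIMS:
        print(f"{label:24} strict={strict[label]!s:5} weak={weak[label]!s:5}")
```

Running it shows that the strict policy admits only the `main` push from the named repository, while the weak policy admits the feature branch, the pull_request job and a completely unrelated repository, rejecting only the token with the wrong audience. If deployments run from a GitHub environment instead of a branch, pin `sub` to `repo:ORG/REPO:environment:NAME` the same way.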
Security Scanning
| Scan | Tool | Fails the job on |
|---|---|---|
| Dependency audit | npm audit | HIGH and above (`npm audit --audit-level=high`) |
| Code scanning | ESLint security rules | Any finding |
| Filesystem scan | Trivy | CRITICAL, HIGH (`--severity CRITICAL,HIGH --exit-code 1`) |
| Docker image scan | Trivy | CRITICAL, HIGH (same flags, run against the built image) |
| Secret detection | Gitleaks | Any finding; a leaked secret must also be rotated, not only removed from the commit |
| IaC scan | tfsec, Checkov | Configurable severity threshold (tfsec `--minimum-severity`, Checkov `--hard-fail-on`) |
Approval Gates
Infrastructure changes require manual approval before `terraform apply` runs; the apply step stays blocked until a reviewer approves it.