CI/CD Hardening

You can use Spectral to harden your CI/CD (continuous integration and continuous delivery/deployment) pipeline. A robust pipeline delivers your software to users in a timely, consistent way and gives developers fast feedback on every change. Hardening that pipeline with Spectral reduces the risk of a breach through the build system itself and improves the overall quality of your software, while keeping scans fast enough not to slow the pipeline down.

Spectral's CI/CD Hardening feature includes:

  • Fast scans (keeping your pipeline fast)

  • Full coverage of CI/CD steps, security rules, and guidelines. For example: pinning an action in GitHub Actions to a specific version, and other SLSA (Supply-chain Levels for Software Artifacts) based practices.

  • Zero trust / fully airgapped scan: no additional permission requested and no data is sent out of your CI/CD pipeline

When you run Spectral in CI/CD hardening mode, it fetches your GitHub pipeline settings and security posture to the computer running the scan, merges that data with the local GitHub pipeline definitions, and scans the result for issues. The analysis runs entirely on that computer; no scan data leaves it.

Running Spectral in CI/CD Hardening Mode

To run Spectral in CI/CD hardening mode on a repository:

$HOME/.spectral/spectral discover github -k repo [YOUR_REPO]

To run Spectral in CI/CD hardening mode for a user:

$HOME/.spectral/spectral discover github -k user [YOUR_USER]

To run Spectral in CI/CD hardening mode for an organization:

$HOME/.spectral/spectral discover github -k org [YOUR_ORGANIZATION]

To run a Spectral CI/CD scan in your CI (continuous integration) or in the current project:

$HOME/.spectral/spectral discover github --kind repo .
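As an added example of the kind of rule this mode enforces (it is not Spectral's own code and does not reproduce its rule set), the script below implements the "pin an action to a specific version" check from the feature list in portable shell: every `uses:` reference in a GitHub Actions workflow that is not locked to a full 40-character commit SHA is reported, since a tag or branch can be moved by whoever controls the action repository. The workflow file, action names, and SHA it scans are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Spectral's own code: flag GitHub Actions `uses:`
# references that are not pinned to a full commit SHA.

# Write a constructed workflow to a temp file and print its path.
# The action names and the SHA below are illustrative placeholders.
write_sample_workflow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - uses: "example-org/deploy-action@main"
      - uses: docker://alpine:3.19
      - run: echo build
EOF
    echo "$f"
}

# Print each unpinned reference as "line:owner/repo@ref", one per line.
# Returns 1 if any were found, 0 otherwise. Local (./) and docker://
# references are skipped: they are not fetched from a movable git ref.
find_unpinned_actions() {
    workflow=$1
    found=0
    # Extract "lineno:reference" for every `uses:` step, dropping quotes
    # and trailing comments; `|| true` keeps an empty workflow from failing.
    refs=$(grep -n -E '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]' "$workflow" \
        | sed -E 's/^([0-9]+):[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^"[:space:]#]+)"?.*$/\1:\2/' \
        | grep -v -E '^[0-9]+:(\./|docker://)' || true)
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        ref=${entry##*@}
        case "$ref" in
            *[!0-9a-fA-F]*|"$entry") ;;              # tag, branch, or no @ at all
            *) [ "${#ref}" -eq 40 ] && continue ;;   # full commit SHA: pinned
        esac
        echo "$entry"
        found=1
    done <<EOF
$refs
EOF
    return "$found"
}

# Usage in CI: fail the job on unpinned actions before running the scan.
# find_unpinned_actions .github/workflows/ci.yml || exit 1
# "$HOME/.spectral/spectral" discover github --kind repo .
```

Short or abbreviated SHAs are reported as well, because only the full digest identifies a single commit; a 7-character prefix can be brute-forced to collide with another commit in the same repository.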