DevSecOps Supply Chain Security | Lisandro Fernández Rocha

DevSecOps Supply Chain Security

Published: December 20, 2024
devsecopssupply-chain-securitykubernetesterraformsbom

DevSecOps Supply Chain Security

Four open-source projects demonstrating practical supply chain security across AWS Lambda, Terraform modules, local development, and Kubernetes.

The problem

Modern infrastructure relies on:

  • Third-party dependencies (pip, npm, helm charts)
  • Pre-built container images
  • Infrastructure-as-Code modules
  • Serverless artifacts

Each represents a trust boundary. Without verification:

  • You don’t know what’s actually running
  • You can’t prove what was deployed
  • No audit trail for compliance
  • Tampering goes undetected

Solution: Verifiable infrastructure

Signed artifacts, generated SBOMs, automated vulnerability scanning, reproducible builds.

Project 1: Lambda Secure Project

Repository: gitlab.com/lf3/lambda-secure-project

Automates secure build and deployment of AWS Lambda functions.

What terraform apply does:

  1. Discovers Lambda source directories
  2. Builds each function in isolated venv
  3. Produces deterministic ZIP
  4. Generates SBOM for dependencies
  5. Computes SHA256 checksums
  6. Signs artifacts with OpenSSL
  7. Verifies signatures before deployment
  8. Runs vulnerability scans (Safety + Grype)
  9. Generates coverage/metrics reports
  10. Deploys to AWS Lambda

Tech stack

  • Terraform for orchestration
  • Bash scripts for build/sign/scan pipeline
  • OpenSSL for cryptographic operations
  • Syft/CycloneDX for SBOM generation
  • Safety and Grype for vulnerability scanning
  • LocalStack for local AWS emulation

Project 2: Terraform AWS Lambdas Guard

Repository: gitlab.com/lf3/terraform-aws-lambdas-guard

Reusable Terraform module wrapping the Lambda security pipeline.

Usage

module "lambdas_guard" {
  source       = "git::https://gitlab.com/lf3/terraform-aws-lambdas-guard.git"
  bucket_name  = "my-secure-artifacts"
  lambda_dirs  = ["function1", "function2"]
  kms_key_id   = "alias/lambda-signing-key"
}

Scripts (all defensive with set -euo pipefail)

  • build_lambda.sh - deterministic ZIP packaging
  • sbom.sh - SBOM generation
  • sign.sh - OpenSSL artifact signing
  • verify.sh - signature verification (blocks deployment on failure)
  • deps_scan.sh - vulnerability scanning
  • deps_coverage.sh - enforce coverage thresholds
  • test_local.sh - run Lambdas locally in Docker

Project 3: IAC InfoSec DevEnv

Repository: gitlab.com/lf3/iac-infosec-devenv

Local IaC development environment for security validation. Entirely offline using LocalStack.

What it provides

  • IAM roles, policies, delegation flows
  • S3 encryption and access control
  • Secrets Manager integration
  • KMS key management
  • gRPC-based access control microservices

Use cases

  • Prototype security configs before cloud deployment
  • Train engineers on AWS security without risk
  • Validate IaC meets compliance requirements (GDPR, HIPAA)
  • Develop access control microservices with gRPC
  • Test integration with dummy credentials

Testing flow

./scripts/start.sh       # Start LocalStack + Terraform apply
./checks/check_s3.sh     # Verify S3 access controls
./checks/check_iam.sh    # Verify IAM policies
python grpc/client.py    # Test gRPC access validation
./scripts/clean.sh       # Tear down

Project 4: Helm Auditor

Repository: gitlab.com/lf3/helm-auditor

Kubernetes-native Helm supply chain auditor. Generates SBOM, vulnerability reports, and provenance data.

What it does

  1. Pulls and renders Helm charts
  2. Scans rendered manifests for misconfigurations (Trivy)
  3. Extracts container images from manifests
  4. Runs per-image Kubernetes Jobs for vulnerability scanning, SBOM generation, provenance verification
  5. Aggregates results into policy-aware audit reports

Pipeline stages

Init containers: helm pull, helm template, Trivy config scan
Auditor container: Parse templates, extract images, dispatch K8s Jobs
Analysis stage: Aggregate SBOM/vulnerability/provenance data, enforce policy rules

Running locally

./make.sh  # Builds image, loads to Minikube, deploys auditor

Requires Minikube. Chart config via ConfigMap.

Common themes

Shift-left security: Sign before deploy, scan before push, generate SBOM automatically
Verifiable artifacts: Every artifact has signature, SBOM, hash, scan results
Reproducible builds: Same source → same artifact
Local-first development: LocalStack for AWS, Minikube for Kubernetes
Infrastructure as Code: Version-controlled, declarative, testable, reproducible

Technical decisions

OpenSSL for signing: Ubiquitous, simple RSA signing, verifiable in CI/CD
Syft + Grype: Open source, fast (Go), accurate vulnerability database, CycloneDX support
LocalStack: Offline development, no cloud costs, realistic AWS API emulation
Kubernetes Jobs: Parallel scanning, isolation per Pod, native K8s primitives

Connection to other work

  • COP: Each tool is a focused routine with explicit interfaces
  • UNIX Philosophy: Small, single-purpose scripts composing into pipelines
  • yml2mid: Text-based representation, version-controlled, reproducible outputs