https://powoftech.github.io/secure-container-pipeline-workshop/
A comprehensive hands-on workshop for building secure container pipelines with vulnerability scanning, policy enforcement, and runtime threat detection on AWS.
This workshop teaches you how to implement a complete secure container supply chain using modern DevSecOps practices. You'll learn to secure every stage of the container lifecycle - from build to runtime - using industry-standard tools and AWS services.
- 🏗️ Secure CI/CD Pipeline with automated vulnerability scanning
- 🔒 Policy Enforcement using Kyverno admission controllers
- 👀 Runtime Threat Detection with Falco monitoring
- 📦 Container Registry Security with Amazon ECR enhanced scanning
- ☸️ Kubernetes Security Policies preventing misconfigurations
By completing this workshop, you will:
- ✅ Understand container security risks and mitigation strategies
- ✅ Implement automated vulnerability scanning in CI/CD pipelines
- ✅ Configure policy-as-code for Kubernetes admission control
- ✅ Deploy runtime security monitoring and threat detection
- ✅ Apply security best practices for containerized applications
- ✅ Create secure, scalable deployment workflows
- Application: Simple Node.js web server demonstrating secure containerization practices
- ECR + Inspector: Automated vulnerability scanning and registry security
- Kyverno: Policy engine for Kubernetes admission control and governance
- Falco: Runtime security monitoring and threat detection
- GitHub Actions: Secure CI/CD pipeline with automated security gates
- AWS Account with appropriate permissions for ECR, EKS, and EC2
- kubectl (version 1.27+) - Installation Guide
- AWS CLI (version 2.x) - Installation Guide
- Docker - Installation Guide
- GitHub Account for CI/CD workflow
- Node.js (version 16+) for local development
Your AWS account/IAM user needs permissions for:
- Amazon ECR (create repositories, push/pull images)
- Amazon EKS (create/manage clusters)
- Amazon EC2 (for EKS worker nodes)
- Amazon IAM (for service accounts and roles)
- Amazon Inspector (for enhanced container scanning)
- Basic understanding of containers and Docker
- Familiarity with Kubernetes concepts
- AWS services fundamentals
- Git and GitHub workflow
```bash
git clone https://github.com/your-username/secure-container-pipeline-workshop.git
cd secure-container-pipeline-workshop
```

```bash
# Navigate to the app directory
cd app
# Run the application
node app.js
# Test in another terminal
curl http://localhost:8080
# Expected output: Hello, FCJ-ers!
```

```bash
# Build the Docker image
docker build -t secure-app:latest .
# Run the container
docker run -p 8080:8080 secure-app:latest
# Test the containerized app
curl http://localhost:8080
```

Follow the detailed workshop modules below to set up your complete secure container pipeline environment.
This workshop is structured in progressive modules that build upon each other:
Duration: 30-45 minutes
- Set up Amazon ECR repository
- Provision Amazon EKS cluster
- Configure enhanced vulnerability scanning
- Set up local development environment
Files involved:
- k8s/cluster.yaml - EKS cluster configuration
Duration: 45-60 minutes
- Create secure GitHub Actions workflow
- Implement automated vulnerability scanning
- Configure image signing and attestation
- Set up promotion gates and deployment automation
Files involved:
- .github/workflows/ci.yaml - CI/CD pipeline (to be created)
- app/Dockerfile - Secure container configuration
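An added illustration of the promotion gate this module builds, not the workshop's own ci.yaml: the image is tagged with the commit SHA, pushed to the workshop's ECR repository, and the job fails when the scan reports any CRITICAL or HIGH finding. The OIDC role secret name and the region are assumptions.

```yaml
# Added illustrative pipeline, not the workshop's .github/workflows/ci.yaml.
# Assumptions: OIDC role ARN stored as the AWS_ROLE_ARN secret, region us-east-1.
name: secure-build
on:
  push:
    branches: [main]
permissions:
  id-token: write      # OIDC federation to AWS, no long-lived keys in secrets
  contents: read
env:
  AWS_REGION: us-east-1
  REPOSITORY: secure-container-workshop       # ECR repository from the workshop
  IMAGE_TAG: ${{ github.sha }}                 # immutable tag, never "latest"
jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}
      - id: ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Build and push
        run: |
          IMAGE="${{ steps.ecr.outputs.registry }}/$REPOSITORY:$IMAGE_TAG"
          docker build -t "$IMAGE" app
          docker push "$IMAGE"
      - name: Gate on ECR scan findings
        run: |
          # Enhanced (Inspector) scans may report ACTIVE rather than COMPLETE, so poll here
          for _ in $(seq 1 30); do
            STATUS=$(aws ecr describe-image-scan-findings --repository-name "$REPOSITORY" \
              --image-id imageTag="$IMAGE_TAG" --query imageScanStatus.status \
              --output text 2>/dev/null || echo PENDING)
            case "$STATUS" in COMPLETE|ACTIVE) break ;; esac
            sleep 10
          done
          COUNTS=$(aws ecr describe-image-scan-findings --repository-name "$REPOSITORY" \
            --image-id imageTag="$IMAGE_TAG" \
            --query imageScanFindings.findingSeverityCounts --output json)
          CRIT=$(echo "$COUNTS" | jq '.CRITICAL // 0')
          HIGH=$(echo "$COUNTS" | jq '.HIGH // 0')
          echo "Findings: critical=$CRIT high=$HIGH"
          if [ "$CRIT" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
            echo "Blocking promotion: fix or triage findings before deploying"
            exit 1
          fi
```

The deployment step would run only after this gate succeeds; the thresholds are a policy choice and can be relaxed to MEDIUM or tightened to fail on any finding.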
Duration: 60-75 minutes
- Install and configure Kyverno
- Implement admission control policies
- Test policy enforcement scenarios
- Create custom security policies
Files involved:
- k8s/policy-disallow-latest-tag.yaml - Prevent latest tag usage
- k8s/policy-require-non-root.yaml - Enforce non-root containers
- k8s/test-*.yaml - Policy validation tests
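As an added illustration (not the contents of the repo's k8s/policy-*.yaml files), two Kyverno ClusterPolicies that implement the checks above. The second policy accepts either the pod-level or the container-level form of runAsNonRoot, which is exactly the distinction the test manifests in the testing section exercise.

```yaml
# Added illustrative policies; not the workshop's own k8s/policy-*.yaml files.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce   # Audit would only log, not reject
  background: true                   # also report existing Pods that violate
  rules:
  - name: validate-image-tag
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "Mutable image tag 'latest' is not allowed; pin an explicit tag."
      pattern:
        spec:
          containers:
          # Untagged images also resolve to latest; a second "*:*" rule would catch those
          - image: "!*:latest"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-non-root
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: run-as-non-root
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "runAsNonRoot: true must be set at pod level or on every container."
      anyPattern:
      # Pod-level setting; containers may omit it but must not override it
      - spec:
          securityContext:
            runAsNonRoot: true
          containers:
          - =(securityContext):
              =(runAsNonRoot): true
      # Container-level setting on every container (pod level may be absent)
      - spec:
          containers:
          - securityContext:
              runAsNonRoot: true
```

Apply with kubectl and confirm with `kubectl get cpol`; a Pod that sets neither form of runAsNonRoot is rejected at admission with the message shown.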
Duration: 45-60 minutes
- Deploy Falco for runtime monitoring
- Configure security rules and alerts
- Test threat detection scenarios
- Set up log aggregation and alerting
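An added example of a custom rule set for this module, not from the workshop repo: Helm values for the falcosecurity/falco chart that load two rules matching the events simulated later in the testing section (a write under /tmp and an outbound connection from the app container). The rules file name is an arbitrary assumption.

```yaml
# Added illustrative Helm values for the falcosecurity/falco chart (not from the
# workshop repo). The rules file name below is an arbitrary assumption.
customRules:
  workshop-rules.yaml: |-
    - macro: workshop_container
      condition: container.image.repository endswith "secure-container-workshop"

    - rule: File written under /tmp in workshop container
      desc: >
        A process in the app container created or wrote a file below /tmp,
        which the Node.js server has no reason to do (matches the
        "touch /tmp/suspicious-file" test).
      condition: >
        container and workshop_container
        and evt.type in (open, openat, openat2, creat) and evt.is_open_write=true
        and fd.name startswith /tmp/
      output: >
        Unexpected /tmp write (user=%user.name command=%proc.cmdline file=%fd.name
        pod=%k8s.pod.name ns=%k8s.ns.name image=%container.image.repository)
      priority: WARNING
      tags: [filesystem, container, workshop]

    - rule: Outbound TCP connection from workshop container
      desc: >
        The app only serves inbound HTTP on 8080, so any outbound TCP connect
        (for example the "curl http://suspicious-domain.com" test) is suspect.
        Failed connection attempts are reported too, since the attempt itself matters.
      condition: >
        container and workshop_container
        and evt.type=connect and evt.dir=< and fd.l4proto=tcp
        and (fd.typechar=4 or fd.typechar=6) and fd.net != "127.0.0.0/8"
      output: >
        Unexpected outbound connection (user=%user.name command=%proc.cmdline
        connection=%fd.name pod=%k8s.pod.name ns=%k8s.ns.name)
      priority: NOTICE
      tags: [network, container, workshop]
```

Install with `helm upgrade --install falco falcosecurity/falco -f values.yaml` and watch `kubectl logs daemonset/falco` while running the simulation; tune the image match and any legitimate egress before using these rules outside the workshop.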
Duration: 30-45 minutes
- Deploy the secure application
- Validate all security controls
- Test end-to-end security pipeline
- Monitor and troubleshoot
Files involved:
- k8s/deployment.yaml - Application deployment
- k8s/service.yaml - Service configuration
Duration: 30 minutes
- Set up comprehensive logging
- Configure security dashboards
- Implement alerting strategies
- Review audit trails
- Multi-stage builds with minimal attack surface
- Non-root user execution for reduced privilege
- Distroless/slim base images to minimize vulnerabilities
- Immutable image tags for consistent deployments
- Automated vulnerability scanning with Amazon Inspector
- Enhanced scanning results with CVE details
- Image lifecycle policies for artifact management
- Registry access controls with IAM integration
- Block latest tags - Prevent mutable image references
- Require non-root - Enforce security contexts
- Resource limits - Prevent resource exhaustion
- Security contexts - Enforce pod security standards
- System call monitoring with Falco
- Kubernetes audit logging for cluster events
- Anomaly detection for suspicious activities
- Real-time alerting for security incidents
.
├── app/ # Application source code
│ ├── app.js # Node.js application
│ └── Dockerfile # Secure multi-stage Dockerfile
├── k8s/ # Kubernetes manifests and policies
│ ├── cluster.yaml # EKS cluster configuration
│ ├── deployment.yaml # Application deployment
│ ├── service.yaml # Service configuration
│ ├── policy-disallow-latest-tag.yaml # Kyverno policy
│ ├── policy-require-non-root.yaml # Kyverno policy
│ └── test-*.yaml # Policy validation manifests
├── .github/workflows/ # CI/CD pipeline (to be created)
├── LICENSE # MIT License
└── README.md # This file
- Configure AWS CLI

  ```bash
  aws configure  # Enter your AWS Access Key ID, Secret Access Key, region, and output format
  ```

- Verify Prerequisites

  ```bash
  # Check versions
  docker --version
  kubectl version --client
  aws --version
  node --version
  ```

- Create ECR Repository

  ```bash
  aws ecr create-repository --repository-name secure-container-workshop
  ```

- Set up EKS Cluster

  ```bash
  # Use eksctl or Terraform - detailed instructions in Module 1
  eksctl create cluster --config-file=k8s/cluster.yaml
  ```

- Build Application Image

  ```bash
  cd app
  docker build -t secure-app:v1.0.0 .
  ```

- Push to ECR

  ```bash
  # Get ECR login token
  aws ecr get-login-password --region <your-region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
  # Tag and push
  docker tag secure-app:v1.0.0 <account-id>.dkr.ecr.<region>.amazonaws.com/secure-container-workshop:v1.0.0
  docker push <account-id>.dkr.ecr.<region>.amazonaws.com/secure-container-workshop:v1.0.0
  ```

- Install Kyverno

  ```bash
  kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
  ```

- Apply Security Policies

  ```bash
  kubectl apply -f k8s/policy-disallow-latest-tag.yaml
  kubectl apply -f k8s/policy-require-non-root.yaml
  ```

- Install Falco

  ```bash
  helm repo add falcosecurity https://falcosecurity.github.io/charts
  helm repo update
  helm install falco falcosecurity/falco
  ```
Deploy the application:

```bash
kubectl apply -f k8s/deployment.yaml
kubectl apply -f k8s/service.yaml
```

Test your Kyverno policies with the provided test manifests:

```bash
# This should be REJECTED (uses latest tag)
kubectl apply -f k8s/test-root-pod.yaml
# This should be ACCEPTED (non-root user)
kubectl apply -f k8s/test-non-root-pod-level.yaml
# This should be ACCEPTED (non-root container level)
kubectl apply -f k8s/test-non-root-container-level.yaml
```

Check ECR scan results:

```bash
aws ecr describe-image-scan-findings --repository-name secure-container-workshop --image-id imageTag=v1.0.0
```

Simulate security events to test Falco:

```bash
# Access the application pod
kubectl exec -it <pod-name> -- /bin/sh
# Trigger Falco alerts (inside the pod)
touch /tmp/suspicious-file
curl http://suspicious-domain.com
```

Troubleshooting:

```bash
# Re-authenticate to ECR
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
```

```bash
# Check policy status
kubectl get cpol
kubectl describe cpol disallow-latest-tag
# Verify Kyverno is running
kubectl get pods -n kyverno
```

```bash
# Update kubeconfig
aws eks update-kubeconfig --region <region> --name <cluster-name>
# Verify connection
kubectl get nodes
```

```bash
# Check application logs
kubectl logs -f deployment/secure-app
# Check Kyverno logs
kubectl logs -n kyverno deployment/kyverno-admission-controller
# Check Falco logs
kubectl logs daemonset/falco
```

We welcome contributions to improve this workshop! Please:
- Fork the repository
- Create a feature branch (`git checkout -b feature/improvement`)
- Commit your changes (`git commit -am 'Add improvement'`)
- Push to the branch (`git push origin feature/improvement`)
- Open a Pull Request
- Additional security policies
- More comprehensive test scenarios
- Integration with other security tools
- Documentation improvements
- Performance optimizations
This project is licensed under the MIT License - see the LICENSE file for details.
- Review the detailed project proposal for comprehensive technical details
- Check the troubleshooting section above
- Open an issue for bugs or questions
- Complete all workshop modules in order
- Practice with your own applications
- Extend with additional security tools
- Share your experience with the community
Happy Learning! 🎓 Build secure, deploy confidently! 🚀
