kingdom-technology/security-compliance-pipeline
Security & Compliance Pipelines (CircleCI)

Automated nightly and on-demand security assessments for organizations running workloads in regulated or high-security environments (e.g., FedRAMP, IL5, GovCloud, Enterprise Zero-Trust).

This repository provides a modular CircleCI pipeline that performs:

  • AWS Inspector2 vulnerability exports for container images (multi-environment).
  • Trivy image and filesystem scans.
  • OpenSCAP CIS benchmark scans using Podman + OpenSCAP on a machine executor.

Default Region: us-gov-west-1
Example Reporting Bucket: security-compliance-reports (KMS-encrypted, prefixed by reports/<tool>/<env>/…)
Cluster Targets: update the environment details in the scripts to match your own staging and production clusters.


Repository Layout

.circleci/config.yml       # CircleCI jobs & workflow definitions (cron + manual triggers)
scripts/
  ├─ inspector-prod.sh     # Inspector2 export + monthly summary for production targets
  ├─ staging-inspector.sh  # Inspector2 export for staging (EKS or similar compute targets)
  ├─ trivy.sh              # Trivy scanning wrapper
  ├─ staging-oscap.sh      # OpenSCAP scan for staging (machine executor)
  └─ oscap-prod.sh         # OpenSCAP scan for production

Ensure all scripts are executable:
chmod +x ./scripts/*


CircleCI Workflow Overview

The workflow security-scans runs:

  1. lint-circleci-config
  2. run-prod-inspec-scan
  3. run-staging-inspec-scan
  4. run-trivy-scan
  5. run-oscap-scan

Key Pipeline Parameters

parameters:
  workflow:
    type: string
    default: "security-scans"
  AWS_REGION:
    type: string
    default: "us-gov-west-1"

When to Update This Repository

Kubernetes / EKS

  • Add/retire namespaces, deployments, or clusters
  • Update image repositories or tags
  • Modify IAM/IRSA roles

ECS

  • Add/remove services
  • Update task definitions
  • Introduce new ECR repositories

S3 / KMS / Inspector2

  • Bucket or prefix changes
  • Enabling/disabling Inspector2 for ECR
  • Report filter updates

IAM & RBAC

  • Changes to CI principal permissions
  • Updates to role trust or aws-auth mappings

Where to Edit

  • scripts/staging-inspector.sh
  • scripts/inspector-prod.sh
  • scripts/trivy.sh
  • .circleci/config.yml

AWS / IAM Requirements

Inspector2

  • Must be enabled for ECR
  • Requires inspector2:CreateFindingsReport

S3 / KMS

  • Write permissions to s3://<bucket>/reports/*
  • kms:Encrypt if bucket uses KMS

ECR

  • ecr:DescribeImages for digest retrieval

EKS

  • Valid aws-auth RBAC mapping
  • eks:DescribeCluster access

CircleCI Credentials

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • AWS_SESSION_TOKEN (optional)
  • AWS_REGION

Script Inputs & Outputs

Inputs

  • AWS region
  • AWS credentials
  • Target image lists (per script)

Outputs — Inspector2

  • Per-image CSVs
  • Monthly summary CSVs

Outputs — Trivy

  • Standard output or a saved report file

Outputs — OpenSCAP

  • ARF + HTML reports
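
As an added illustration (not one of the repository's scripts), the sketch below shows what a single digest-aware Inspector2 export looks like end to end: the image tag is resolved to its digest with ecr:DescribeImages, the findings are filtered to that digest, and the CSV is written under the reports/<tool>/<env>/ prefix of the KMS-encrypted bucket. REPORT_BUCKET, KMS_KEY_ARN, the env label and the date stamp are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the repository): one Inspector2 CSV export for a single
# ECR image, pinned to the image digest so the report matches what actually runs.
# REPORT_BUCKET and KMS_KEY_ARN are assumed environment variables (placeholders).
set -eu
# Report key prefix following the README convention reports/<tool>/<env>/...
# The stamp is passed in explicitly so callers (and tests) control it.
report_prefix() {
  local tool="$1" env="$2" stamp="$3"
  printf 'reports/%s/%s/%s' "$tool" "$env" "$stamp"
}
# Inspector2 filter criteria: only ACTIVE findings for exactly this image digest.
build_filter() {
  local digest="$1"
  printf '{"ecrImageHash":[{"comparison":"EQUALS","value":"%s"}],"findingStatus":[{"comparison":"EQUALS","value":"ACTIVE"}]}' "$digest"
}
# Resolve tag -> digest (needs ecr:DescribeImages, as listed under AWS / IAM Requirements).
resolve_digest() {
  aws ecr describe-images --repository-name "$1" --image-ids imageTag="$2" \
    --query 'imageDetails[0].imageDigest' --output text
}
# Request the CSV export into the KMS-encrypted bucket and wait for it to finish
# (needs inspector2:CreateFindingsReport plus S3 write and KMS access on the key).
export_findings() {
  local repo="$1" tag="$2" env="$3"
  local digest prefix report_id status
  digest="$(resolve_digest "$repo" "$tag")"
  prefix="$(report_prefix inspector2 "$env" "$(date -u +%Y-%m-%d)")"
  report_id="$(aws inspector2 create-findings-report \
      --report-format CSV \
      --filter-criteria "$(build_filter "$digest")" \
      --s3-destination "bucketName=${REPORT_BUCKET},keyPrefix=${prefix},kmsKeyArn=${KMS_KEY_ARN}" \
      --query reportId --output text)"
  # Poll until the export leaves IN_PROGRESS; fail the job on anything but SUCCEEDED.
  while :; do
    status="$(aws inspector2 get-findings-report-status --report-id "$report_id" \
      --query status --output text)"
    [ "$status" = "IN_PROGRESS" ] || break
    sleep 10
  done
  [ "$status" = "SUCCEEDED" ] || { echo "export $report_id ended with status $status" >&2; return 1; }
  echo "s3://${REPORT_BUCKET}/${prefix}/"
}
# Only call AWS when explicitly asked, so the helper functions can be sourced offline.
if [ "${1:-}" = "run" ]; then
  export_findings "$2" "$3" "${4:-prod}"
fi
```

Invoke as `./export.sh run <ecr-repo> <tag> [env]` with the CircleCI AWS credentials and region exported; the printed S3 URI is where the per-image CSV lands.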

Running Locally

export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_REGION=us-gov-west-1

bash scripts/inspector-prod.sh
bash scripts/staging-inspector.sh
bash scripts/trivy.sh
sudo bash scripts/staging-oscap.sh   # OpenSCAP needs root for the host-level CIS checks
sudo bash scripts/oscap-prod.sh

What This Pipeline Provides

  • Automated continuous monitoring aligned to FedRAMP/IL5
  • Digest-aware container security insights
  • Machine-level CIS compliance scans
  • Artifact storage in S3 + KMS
  • Modular, auditable workflows for secure environments
