Script Valley
Web Security Fundamentals for Developers
Secrets Management, Dependencies, and Security in CI/CD/Assessment

Practice & Assessment

Test your understanding of Secrets Management, Dependencies, and Security in CI/CD

Multiple Choice Questions

1. You accidentally commit an AWS access key to a public GitHub repository. You delete the commit and force-push. Is the key safe?

2. What is a dependency confusion attack in the context of npm packages?

3. Why should you use `npm ci` instead of `npm install` in CI/CD pipelines?

4. What is the security risk of running a Docker container as root?

5. What does SAST (Static Application Security Testing) analyze compared to DAST (Dynamic Application Security Testing)?

6. A Dockerfile contains `ENV DB_PASSWORD=supersecret`. An attacker obtains the built Docker image. Can they see the password?

Coding Challenges

1. Build a GitHub Actions Security Workflow

Create a GitHub Actions workflow file (`.github/workflows/security.yml`) that runs on every push and pull request to the main branch. The workflow must include four jobs: (1) secret-scan — use the gitleaks/gitleaks-action to scan the repository for committed secrets and fail the build if any are found; (2) dependency-audit — run `npm audit --audit-level=high` and fail if high or critical vulnerabilities are found; (3) sast — install and run Semgrep with the `p/nodejs` ruleset on the src/ directory; (4) container-scan — build the Docker image from the repo's Dockerfile and scan it with aquasecurity/trivy-action, failing on HIGH or CRITICAL CVEs. Each job should have a descriptive name. The workflow should cache node_modules using actions/cache to speed up subsequent runs. Time estimate: 20–25 minutes.

Difficulty: Medium

Mini Project

1. Hardened Express API with Full Security Pipeline

Combine everything from this module into a production-ready Express application: (1) Secrets: use dotenv for development, add a startup check that throws if JWT_SECRET, DB_URL, or API_KEY are missing; write a validation function that ensures JWT_SECRET is at least 32 characters. (2) Dependencies: run npm audit, document any findings, add `npm ci` to your package.json scripts for CI. (3) Docker: write a multi-stage Dockerfile that uses node:20-alpine as base, creates a non-root user, uses .dockerignore to exclude .env and .git, and passes secrets via environment variables at runtime (not baked in). (4) CI/CD: write a complete GitHub Actions workflow (security.yml) with jobs for: secret scanning (gitleaks), npm audit, Semgrep SAST, and Trivy image scanning. (5) Include a SECURITY.md in your repo documenting how to report vulnerabilities. Deliverable: the complete repository structure with Dockerfile, .dockerignore, .github/workflows/security.yml, and a README explaining how to run the security checks locally.

Difficulty: Hard
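One way to implement the startup check and the JWT_SECRET validation from step (1) of the mini project, as an added example that is not part of the course materials. It assumes the secrets are already present in process.env (loaded by dotenv in development or injected by the container runtime in production) and that the Express app calls loadConfigOrExit() before app.listen(); the function and constant names are the example's own.

```javascript
// Added example: fail-fast startup check for required secrets.
// Assumption: secrets are already in process.env (dotenv or runtime injection);
// this module deliberately does not call require('dotenv') itself.
const REQUIRED_SECRETS = ['JWT_SECRET', 'DB_URL', 'API_KEY'];
const MIN_JWT_SECRET_LENGTH = 32;

// True when JWT_SECRET is long enough to resist offline guessing attacks.
function isValidJwtSecret(secret) {
  return typeof secret === 'string' && secret.trim().length >= MIN_JWT_SECRET_LENGTH;
}

// Validates the environment and returns a frozen config object.
// Throws on any missing or weak value. Error messages name the variable
// but never include its value, so crash logs cannot leak a secret.
function validateSecrets(env = process.env, required = REQUIRED_SECRETS) {
  const missing = required.filter(
    (name) => typeof env[name] !== 'string' || env[name].trim() === ''
  );
  if (missing.length > 0) {
    throw new Error(`Missing required secrets: ${missing.join(', ')}`);
  }
  if (!isValidJwtSecret(env.JWT_SECRET)) {
    throw new Error(`JWT_SECRET must be at least ${MIN_JWT_SECRET_LENGTH} characters`);
  }
  return Object.freeze(Object.fromEntries(required.map((name) => [name, env[name]])));
}

// Call before app.listen() so a misconfigured deployment exits non-zero
// instead of serving requests with an empty or weak signing key.
function loadConfigOrExit() {
  try {
    return validateSecrets();
  } catch (err) {
    console.error(`[startup] ${err.message}`);
    process.exit(1);
  }
}

module.exports = { validateSecrets, isValidJwtSecret, loadConfigOrExit, REQUIRED_SECRETS };
```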