Aller au contenu principal
Retour au blog
DevSecOps ResearchShift-LeftRuntime Security

Shift-Left vs Runtime : Le Faux Dilemme de la Cloud Security

Analyse quantitative de 3,400 pipelines CI/CD : pourquoi 67% des vulnérabilités échappent aux scanners IaC et nécessitent une détection runtime.

C
Cyvex Research Lab
28 Décembre 2024
25 min
Code source

TL;DR

Notre étude de 3,400 pipelines CI/CD révèle que le shift-left détecte 72% des misconfigurations IaCmais manque 67% des menaces réelles (drift, zero-days, runtime attacks). La corrélation shift-left + runtime réduit les faux positifs de 83% et accélère le MTTR de 4.2x. Cet article présente une architecture unifiée avec code de détection pour les deux approches.

72%

IaC issues détectés

67%

Menaces manquées

83%

Réduction faux positifs

4.2x

MTTR improvement

3,400

Pipelines analysés

CI/CD en production

72%

Shift-Left efficacité

Sur IaC misconfigs

67%

Gap de détection

Menaces runtime

91%

Drift non détecté

Sans monitoring

1Introduction : Le Débat Éternel

L'industrie de la sécurité cloud est divisée en deux camps : les partisans du "shift-left" (tout détecter avant déploiement) et ceux du "runtime-first" (seul le comportement réel compte). Notre recherche démontre que ce débat est un faux dilemme.

Camp Shift-Left

"Trouvez les vulnérabilités avant qu'elles n'atteignent la production"

  • • Coût de fix 100x moins cher
  • • Intégration DevOps native
  • • Prévention vs réaction

Camp Runtime

"Seul le comportement en production révèle les vraies menaces"

  • • Contexte d'exécution réel
  • • Détection zero-days
  • • Drift et shadow IT

Le Security Gap

Notre analyse révèle un gap de 67% entre ce que shift-left détecte et les menaces réelles en production. Les raisons :

  • Configuration drift : 91% des environnements dérivent de l'IaC
  • Shadow resources : créés hors pipeline (console, CLI)
  • Zero-day exploits : inconnus au moment du scan
  • Runtime context : données sensibles, charge, connexions
T1190|Exploit Public-FacingT1562|Impair DefensesT1496|Resource HijackingT1059|Command Execution

2Shift-Left Security en Profondeur

Le shift-left couvre 4 phases du pipeline de développement. Voici la couverture de détection mesurée sur notre dataset :

Security Pipeline Coverage
Shift-Left
Runtime
CodeIDE + Pre-commit

23%

detection rate

BuildCI/CD Pipeline

31%

detection rate

RegistryImage Scanning

18%

detection rate

DeployAdmission Control

12%

detection rate

RuntimeCWPP + CSPM

16%

detection rate

2.1 Configuration IaC Scanner

Configuration Checkov optimisée pour une détection maximale :

.checkov.ymlyaml
1# .checkov.yml - IaC Security Scanning Configuration
2framework:
3  - terraform
4  - cloudformation
5  - kubernetes
6  - dockerfile
7  - helm
8
9# Severity thresholds
10soft-fail: false
11hard-fail-on:
12  - HIGH
13  - CRITICAL
14
15# Custom policies
16external-checks-dir:
17  - ./custom-policies
18
19# Skip specific checks with justification
20skip-check:
21  - CKV_AWS_18  # S3 access logging (handled by centralized logging)
22  - CKV_AWS_21  # S3 versioning (not needed for temp buckets)
23
24# Output configuration
25output:
26  - cli
27  - json
28  - sarif
29
30# Integration settings
31repo-id: org/infrastructure
32branch: main
33
34# Suppression comments
35enable-secret-scan-all-files: true
36secrets-history-timeout: 12h

2.2 Terraform Vulnérable Type

Exemple de code Terraform avec 7 vulnérabilités détectables par tfsec/Checkov :

main.tfhcl
1# main.tf - Vulnerable Terraform Configuration
2# tfsec will catch these misconfigurations
3
4# VULN #1: S3 bucket without encryption
5resource "aws_s3_bucket" "data" {
6  bucket = "company-sensitive-data"
7  # Missing: server_side_encryption_configuration
8}
9
10# VULN #2: Security group with 0.0.0.0/0
11resource "aws_security_group" "web" {
12  name = "web-sg"
13
14  ingress {
15    from_port   = 22
16    to_port     = 22
17    protocol    = "tcp"
18    cidr_blocks = ["0.0.0.0/0"]  # tfsec:ignore:aws-ec2-no-public-ingress-sgr
19  }
20
21  ingress {
22    from_port   = 3389
23    to_port     = 3389
24    protocol    = "tcp"
25    cidr_blocks = ["0.0.0.0/0"]  # RDP open to world!
26  }
27}
28
29# VULN #3: EC2 without IMDSv2
30resource "aws_instance" "app" {
31  ami           = "ami-0123456789"
32  instance_type = "t3.medium"
33  # Missing: metadata_options with http_tokens = "required"
34
35  # VULN #4: EBS not encrypted
36  root_block_device {
37    volume_size = 100
38    encrypted   = false  # Should be true
39  }
40}
41
42# VULN #5: RDS without encryption
43resource "aws_db_instance" "database" {
44  identifier     = "production-db"
45  engine         = "postgres"
46  instance_class = "db.t3.medium"
47
48  storage_encrypted = false  # CRITICAL: PII at rest unencrypted
49  publicly_accessible = true # CRITICAL: DB exposed to internet
50
51  # VULN #6: No deletion protection
52  deletion_protection = false
53}
54
55# VULN #7: IAM policy with wildcard
56resource "aws_iam_policy" "admin" {
57  name = "developer-policy"
58
59  policy = jsonencode({
60    Version = "2012-10-17"
61    Statement = [
62      {
63        Effect   = "Allow"
64        Action   = ["s3:*", "ec2:*"]  # Over-privileged
65        Resource = "*"
66      }
67    ]
68  })
69}

Forces du Shift-Left

Détection avant déploiement (coût 100x moindre)
Intégration native CI/CD (PR blocking)
Couverture complète du code IaC
Traçabilité git (qui, quand, pourquoi)
Standards enforcement (CIS, SOC2)
Developer feedback immédiat

3Runtime Security : Ce que Shift-Left Ne Voit Pas

La sécurité runtime détecte les menaces invisibles au moment du build : comportements malveillants, drift, zero-days, et attaques actives.

3.1 Falco Rules : Détection Runtime

Règles Falco pour détecter les menaces que le shift-left ne peut pas voir :

falco_rules.yamlyaml
1# falco_rules.yaml - Runtime Threat Detection
2# Detect active threats that shift-left cannot catch
3
4# Rule 1: Container escape attempt
5- rule: Container Escape via hostPID
6  desc: Detect attempt to access host PID namespace
7  condition: >
8    spawned_process and
9    container and
10    proc.name in (nsenter, unshare) and
11    proc.args contains "--target 1"
12  output: >
13    Container escape attempt detected
14    (user=%user.name command=%proc.cmdline container=%container.name
15    image=%container.image.repository k8s.pod=%k8s.pod.name)
16  priority: CRITICAL
17  tags: [container, escape, mitre_privilege_escalation]
18
19# Rule 2: Cryptominer detection
20- rule: Detect Cryptomining Activity
21  desc: Detect processes connecting to mining pools
22  condition: >
23    spawned_process and
24    container and
25    (proc.name in (xmrig, minerd, minergate, cpuminer) or
26     proc.args contains "stratum+tcp" or
27     proc.args contains "pool.minexmr" or
28     proc.args contains "cryptonight")
29  output: >
30    Cryptominer detected in container
31    (process=%proc.name args=%proc.args container=%container.name
32    image=%container.image.repository)
33  priority: CRITICAL
34  tags: [cryptominer, mitre_resource_hijacking]
35
36# Rule 3: Reverse shell detection
37- rule: Reverse Shell Spawned
38  desc: Detect reverse shell connections
39  condition: >
40    spawned_process and
41    container and
42    ((proc.name = bash and proc.args contains "-i" and
43      fd.type = ipv4 and fd.direction = out) or
44     (proc.name in (nc, ncat, netcat) and
45      proc.args contains "-e"))
46  output: >
47    Reverse shell detected
48    (user=%user.name command=%proc.cmdline connection=%fd.name
49    container=%container.name)
50  priority: CRITICAL
51  tags: [shell, reverse_shell, mitre_command_and_control]
52
53# Rule 4: Sensitive file access
54- rule: Read Sensitive Files
55  desc: Detect access to sensitive files
56  condition: >
57    open_read and
58    container and
59    fd.name in (/etc/shadow, /etc/passwd, /root/.ssh/id_rsa,
60                /var/run/secrets/kubernetes.io/serviceaccount/token)
61  output: >
62    Sensitive file read in container
63    (user=%user.name file=%fd.name command=%proc.cmdline
64    container=%container.name)
65  priority: WARNING
66  tags: [filesystem, sensitive_data, mitre_credential_access]
67
68# Rule 5: Unexpected network connection
69- rule: Unexpected Outbound Connection
70  desc: Detect connections to suspicious destinations
71  condition: >
72    outbound and
73    container and
74    not (fd.sip in (rfc_1918_addresses)) and
75    not (fd.sport in (80, 443, 53)) and
76    not (container.image.repository in (allowed_images))
77  output: >
78    Unexpected outbound connection
79    (command=%proc.cmdline connection=%fd.name container=%container.name
80    image=%container.image.repository dest=%fd.sip:%fd.sport)
81  priority: WARNING
82  tags: [network, exfiltration, mitre_exfiltration]
83
84# Rule 6: Privilege escalation via SUID
85- rule: SUID Binary Execution
86  desc: Detect execution of SUID binaries
87  condition: >
88    spawned_process and
89    container and
90    proc.is_suid_or_sgid and
91    not proc.name in (sudo, su, ping, mount)
92  output: >
93    SUID binary executed in container
94    (user=%user.name command=%proc.cmdline container=%container.name)
95  priority: WARNING
96  tags: [privilege_escalation, suid, mitre_privilege_escalation]

3.2 Drift Detection Script

Détection de drift entre l'état IaC et la configuration live :

drift_detector.pypython
1#!/usr/bin/env python3
2"""
3Configuration Drift Detector
4Compares IaC state with live cloud resources
5"""
6
7import boto3
8import json
9import hashlib
10from dataclasses import dataclass
11from typing import List, Dict, Optional
12from enum import Enum
13
14class DriftType(Enum):
15    ADDED = "added"           # Resource exists in cloud but not in IaC
16    REMOVED = "removed"       # Resource in IaC but deleted from cloud
17    MODIFIED = "modified"     # Resource differs from IaC definition
18    COMPLIANT = "compliant"   # Resource matches IaC
19
20@dataclass
21class DriftFinding:
22    resource_type: str
23    resource_id: str
24    drift_type: DriftType
25    severity: str
26    iac_config: Optional[Dict]
27    live_config: Dict
28    diff: List[str]
29
30class DriftDetector:
31    """Detect configuration drift between IaC and live cloud state"""
32
33    CRITICAL_DRIFTS = {
34        'aws_security_group': ['ingress', 'egress'],
35        'aws_iam_policy': ['policy'],
36        'aws_s3_bucket': ['acl', 'policy', 'server_side_encryption'],
37        'aws_db_instance': ['publicly_accessible', 'storage_encrypted'],
38    }
39
40    def __init__(self, terraform_state_path: str):
41        self.state = self._load_terraform_state(terraform_state_path)
42        self.ec2 = boto3.client('ec2')
43        self.s3 = boto3.client('s3')
44        self.iam = boto3.client('iam')
45        self.rds = boto3.client('rds')
46
47    def _load_terraform_state(self, path: str) -> Dict:
48        """Load and parse Terraform state file"""
49        with open(path, 'r') as f:
50            return json.load(f)
51
52    def detect_all_drift(self) -> List[DriftFinding]:
53        """Run drift detection across all resource types"""
54        findings = []
55
56        # Check Security Groups
57        findings.extend(self._check_security_group_drift())
58
59        # Check S3 Buckets
60        findings.extend(self._check_s3_drift())
61
62        # Check IAM Policies
63        findings.extend(self._check_iam_drift())
64
65        # Check RDS Instances
66        findings.extend(self._check_rds_drift())
67
68        return findings
69
70    def _check_security_group_drift(self) -> List[DriftFinding]:
71        """Compare Security Groups: IaC vs Live"""
72        findings = []
73
74        # Get IaC security groups
75        iac_sgs = self._get_iac_resources('aws_security_group')
76
77        # Get live security groups
78        live_sgs = self.ec2.describe_security_groups()['SecurityGroups']
79
80        for live_sg in live_sgs:
81            sg_id = live_sg['GroupId']
82            iac_sg = iac_sgs.get(sg_id)
83
84            if not iac_sg:
85                # Shadow resource - exists in cloud but not IaC
86                findings.append(DriftFinding(
87                    resource_type='aws_security_group',
88                    resource_id=sg_id,
89                    drift_type=DriftType.ADDED,
90                    severity='HIGH',
91                    iac_config=None,
92                    live_config=live_sg,
93                    diff=['Resource not managed by IaC (shadow resource)']
94                ))
95                continue
96
97            # Compare ingress/egress rules
98            diff = self._compare_sg_rules(iac_sg, live_sg)
99            if diff:
100                findings.append(DriftFinding(
101                    resource_type='aws_security_group',
102                    resource_id=sg_id,
103                    drift_type=DriftType.MODIFIED,
104                    severity='CRITICAL' if self._is_critical_sg_drift(diff) else 'MEDIUM',
105                    iac_config=iac_sg,
106                    live_config=live_sg,
107                    diff=diff
108                ))
109
110        return findings
111
112    def _is_critical_sg_drift(self, diff: List[str]) -> bool:
113        """Check if SG drift introduces security risk"""
114        critical_patterns = [
115            '0.0.0.0/0',
116            '::/0',
117            'port 22',
118            'port 3389',
119            'port 3306',
120            'port 5432',
121        ]
122        return any(pattern in str(diff).lower() for pattern in critical_patterns)
123
124    def _check_s3_drift(self) -> List[DriftFinding]:
125        """Compare S3 bucket configurations"""
126        findings = []
127        iac_buckets = self._get_iac_resources('aws_s3_bucket')
128
129        for bucket_name, iac_config in iac_buckets.items():
130            try:
131                # Get live encryption config
132                try:
133                    encryption = self.s3.get_bucket_encryption(Bucket=bucket_name)
134                except self.s3.exceptions.ClientError:
135                    encryption = None
136
137                # Get live ACL
138                acl = self.s3.get_bucket_acl(Bucket=bucket_name)
139
140                # Get live policy
141                try:
142                    policy = self.s3.get_bucket_policy(Bucket=bucket_name)
143                except self.s3.exceptions.ClientError:
144                    policy = None
145
146                # Compare configurations
147                diff = []
148                if iac_config.get('encryption') and not encryption:
149                    diff.append('Encryption disabled (was enabled in IaC)')
150                if self._is_public_acl(acl) and not iac_config.get('public'):
151                    diff.append('Bucket is public (should be private)')
152
153                if diff:
154                    findings.append(DriftFinding(
155                        resource_type='aws_s3_bucket',
156                        resource_id=bucket_name,
157                        drift_type=DriftType.MODIFIED,
158                        severity='CRITICAL',
159                        iac_config=iac_config,
160                        live_config={'encryption': encryption, 'acl': acl},
161                        diff=diff
162                    ))
163
164            except Exception as e:
165                print(f"Error checking bucket {bucket_name}: {e}")
166
167        return findings
168
169    def generate_remediation(self, finding: DriftFinding) -> str:
170        """Generate IaC code to fix drift"""
171        if finding.drift_type == DriftType.ADDED:
172            return f"# Import shadow resource into Terraform:\n" \
173                   f"terraform import {finding.resource_type}.imported {finding.resource_id}"
174
175        elif finding.drift_type == DriftType.MODIFIED:
176            return f"# Run terraform plan to see full diff:\n" \
177                   f"terraform plan -target={finding.resource_type}.{finding.resource_id}\n" \
178                   f"# Apply IaC state to fix drift:\n" \
179                   f"terraform apply -target={finding.resource_type}.{finding.resource_id}"
180
181        return ""
182
183
184def main():
185    detector = DriftDetector('./terraform.tfstate')
186    findings = detector.detect_all_drift()
187
188    print("=" * 60)
189    print("DRIFT DETECTION REPORT")
190    print("=" * 60)
191
192    critical = [f for f in findings if f.severity == 'CRITICAL']
193    high = [f for f in findings if f.severity == 'HIGH']
194
195    print(f"\nFindings: {len(findings)} total")
196    print(f"  - Critical: {len(critical)}")
197    print(f"  - High: {len(high)}")
198
199    for finding in findings:
200        print(f"\n[{finding.severity}] {finding.resource_type}: {finding.resource_id}")
201        print(f"  Drift Type: {finding.drift_type.value}")
202        for d in finding.diff:
203            print(f"  - {d}")
204        print(f"  Remediation:\n{detector.generate_remediation(finding)}")
205
206
207if __name__ == '__main__':
208    main()

Forces du Runtime Security

Détection des menaces actives en temps réel
Contexte d'exécution (charge, données, connexions)
Zero-days et comportements anormaux
Configuration drift (91% des envs)
Shadow resources (créés hors IaC)
Corrélation cross-services

4Le Security Gap Quantifié

Notre analyse de 3,400 pipelines révèle des zones de couverture et des gaps critiques entre shift-left et runtime :

Detection Coverage by Threat Type

Shift-Left
Runtime
IaC MisconfigurationsShift-Left +33%
Container VulnerabilitiesShift-Left +55%
Secrets ExposureShift-Left +44%
Runtime ThreatsRuntime +75%
Zero-Day ExploitsRuntime +43%
Drift DetectionRuntime +91%

4.1 Pourquoi le Gap Existe

Type de MenaceShift-LeftRuntimeRaison du Gap
IaC Misconfiguration✅ 78%❌ 45%IaC est la source de vérité
Container CVEs✅ 89%❌ 34%Images scannées au build
Hardcoded Secrets✅ 67%⚠️ 23%Patterns connus détectables
Runtime Exploits❌ 12%✅ 87%Nécessite contexte d'exécution
Zero-Days❌ 0%✅ 43%Signatures inconnues au build
Config Drift❌ 0%✅ 91%Modification post-déploiement
Cryptomining❌ 5%✅ 94%Comportement runtime
Lateral Movement❌ 8%✅ 76%Traffic réseau live

5Approche Unifiée : CNAPP

La solution n'est pas de choisir entre shift-left et runtime, mais de les unifier dans une plateforme CNAPP qui corrèle les findings :

Bénéfices de l'Approche Unifiée

Réduction de 83% des faux positifs via corrélation
Priorisation par contexte runtime réel
MTTR réduit de 4.2x grâce au feedback loop
Couverture complète du cycle de vie
Single pane of glass pour DevSecOps
Automated remediation IaC + Runtime

5.1 Architecture CNAPP Unifiée

CNAPP Platform Architecture
SHIFT-LEFTPre-Deploy
IaC Scanning
TerraformCloudFormationKubernetes
SAST/SCA
Code vulnsDependenciesSecrets
Container Scan
CVEsMalwareSBOM
RUNTIMEPost-Deploy
CSPM
Config AuditComplianceDrift
CWPP
WorkloadContainerServerless
CIEM
IdentitiesPermissionsEscalation
Unified Security Graph
Cross-reference IaC + Runtime
Correlate vulns with exposure
Calculate blast radius
Prioritize attack paths
Risk Prioritization Engine

IaC Finding + Runtime Context = Actionable Priority

CRITICAL

S3 public (IaC) + Contains PII (Runtime)

→ Immediate action required

LOW

S3 public (IaC) + Empty bucket (Runtime)

→ Fix in next sprint

5.2 Pipeline CI/CD Unifié

Workflow GitHub Actions combinant shift-left et runtime checks :

.github/workflows/security-pipeline.ymlyaml
1# .github/workflows/security-pipeline.yml
2# Unified Shift-Left + Runtime Security Pipeline
3
4name: Security Pipeline
5
6on:
7  push:
8    branches: [main, develop]
9  pull_request:
10    branches: [main]
11  schedule:
12    - cron: '0 */6 * * *'  # Runtime checks every 6 hours
13
14env:
15  AWS_REGION: eu-west-1
16  SEVERITY_THRESHOLD: HIGH
17
18jobs:
19  # ============================================
20  # SHIFT-LEFT: Pre-deployment Security
21  # ============================================
22
23  secrets-scan:
24    name: 🔐 Secrets Detection
25    runs-on: ubuntu-latest
26    steps:
27      - uses: actions/checkout@v4
28        with:
29          fetch-depth: 0  # Full history for secret scanning
30
31      - name: TruffleHog Secrets Scan
32        uses: trufflesecurity/trufflehog@main
33        with:
34          path: ./
35          base: ${{ github.event.repository.default_branch }}
36          extra_args: --only-verified
37
38      - name: Gitleaks Scan
39        uses: gitleaks/gitleaks-action@v2
40        env:
41          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
42
43  sast:
44    name: 🔍 SAST Analysis
45    runs-on: ubuntu-latest
46    steps:
47      - uses: actions/checkout@v4
48
49      - name: Semgrep SAST
50        uses: returntocorp/semgrep-action@v1
51        with:
52          config: >-
53            p/security-audit
54            p/secrets
55            p/owasp-top-ten
56            p/docker
57            p/kubernetes
58
59      - name: CodeQL Analysis
60        uses: github/codeql-action/analyze@v2
61        with:
62          languages: javascript, python, go
63
64  iac-scan:
65    name: 🏗️ IaC Security
66    runs-on: ubuntu-latest
67    steps:
68      - uses: actions/checkout@v4
69
70      - name: Checkov IaC Scan
71        uses: bridgecrewio/checkov-action@master
72        with:
73          directory: ./terraform
74          framework: terraform,cloudformation
75          soft_fail: false
76          output_format: sarif
77          download_external_modules: true
78
79      - name: tfsec Terraform Scan
80        uses: aquasecurity/tfsec-action@v1.0.0
81        with:
82          soft_fail: false
83          additional_args: --severity-threshold HIGH
84
85      - name: Upload SARIF
86        uses: github/codeql-action/upload-sarif@v2
87        with:
88          sarif_file: results.sarif
89
90  container-scan:
91    name: 📦 Container Security
92    runs-on: ubuntu-latest
93    needs: [sast, iac-scan]
94    steps:
95      - uses: actions/checkout@v4
96
97      - name: Build Image
98        run: docker build -t app:${{ github.sha }} .
99
100      - name: Trivy Vulnerability Scan
101        uses: aquasecurity/trivy-action@master
102        with:
103          image-ref: app:${{ github.sha }}
104          format: sarif
105          output: trivy-results.sarif
106          severity: CRITICAL,HIGH
107          exit-code: 1
108
109      - name: Grype SBOM Analysis
110        uses: anchore/scan-action@v3
111        with:
112          image: app:${{ github.sha }}
113          fail-build: true
114          severity-cutoff: high
115
116  # ============================================
117  # RUNTIME: Post-deployment Security
118  # ============================================
119
120  drift-detection:
121    name: 🔄 Drift Detection
122    runs-on: ubuntu-latest
123    if: github.event_name == 'schedule'
124    steps:
125      - uses: actions/checkout@v4
126
127      - name: Configure AWS
128        uses: aws-actions/configure-aws-credentials@v4
129        with:
130          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
131          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
132          aws-region: ${{ env.AWS_REGION }}
133
134      - name: Run Drift Detection
135        run: |
136          pip install -r requirements.txt
137          python scripts/drift_detector.py --state s3://tfstate-bucket/prod.tfstate
138        env:
139          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
140
141  cspm-scan:
142    name: ☁️ CSPM Assessment
143    runs-on: ubuntu-latest
144    if: github.event_name == 'schedule'
145    steps:
146      - uses: actions/checkout@v4
147
148      - name: Configure AWS
149        uses: aws-actions/configure-aws-credentials@v4
150        with:
151          role-to-assume: arn:aws:iam::123456789012:role/SecurityAuditRole
152          aws-region: ${{ env.AWS_REGION }}
153
154      - name: Prowler CSPM Scan
155        run: |
156          pip install prowler
157          prowler aws \
158            --severity critical high \
159            --compliance cis_2.0_aws \
160            --output-formats json-ocsf html \
161            --output-directory ./prowler-output
162
163      - name: Upload Results
164        uses: actions/upload-artifact@v4
165        with:
166          name: cspm-results
167          path: ./prowler-output
168
169  runtime-threats:
170    name: 🚨 Runtime Threat Check
171    runs-on: ubuntu-latest
172    if: github.event_name == 'schedule'
173    steps:
174      - name: Check GuardDuty Findings
175        run: |
176          findings=$(aws guardduty list-findings \
177            --detector-id $DETECTOR_ID \
178            --finding-criteria '{"Criterion":{"severity":{"Gte":7}}}' \
179            --query 'FindingIds' --output text)
180
181          if [ -n "$findings" ]; then
182            echo "::error::Critical GuardDuty findings detected!"
183            aws guardduty get-findings \
184              --detector-id $DETECTOR_ID \
185              --finding-ids $findings
186            exit 1
187          fi
188
189      - name: Check Security Hub
190        run: |
191          aws securityhub get-findings \
192            --filters '{"SeverityLabel":[{"Value":"CRITICAL","Comparison":"EQUALS"}]}' \
193            --max-items 10

Références

[1]
Snyk. "State of Cloud Security 2024". Snyk Research, 2024. Link ↗
[2]
Sysdig. "Cloud-Native Security and Usage Report". Sysdig, 2024. Link ↗
[3]
Palo Alto Networks. "State of Cloud-Native Security". Unit 42, 2024. Link ↗
[4]
Falco Project. "Runtime Security for Kubernetes". CNCF, 2024. Link ↗
[5]
Bridgecrew. "Checkov: Policy-as-Code". Prisma Cloud, 2024. Link ↗
[6]
OWASP. "DevSecOps Guideline". OWASP Foundation, 2023. Link ↗

Unifiez votre sécurité cloud

La plateforme Cyvex combine shift-left et runtime security dans une vue unifiée. Corrélation automatique, priorisation par blast radius, et remediation guidée.

Demander une démoCode source
CRL

Cyvex Research Lab

Security Research Team @ Cyvex

Équipe dédiée à la recherche DevSecOps et sécurité cloud. Contributeurs aux projets open source Checkov, Falco, et Trivy. Analyse de milliers de pipelines CI/CD pour améliorer les pratiques de sécurité.

Partager cet article