Welcome to the DevSecOps Bootcamp - a hands-on training ground where you harden code, pipelines, and infrastructure one task at a time.
Everything you need is here: task folders, trackers, CI/CD guard-rails, data-driven PR evaluations, and step-by-step guides.
| ID | Folder | Theme (🔑 focus) | Difficulty |
|---|---|---|---|
| T01 | T01-Enforce-IaC-Policies | Terraform + OPA / Sentinel | ⚙️⚙️⚙️⚙️ |
| T02 | T02-K8s-Runtime-Threat-Detection | Falco / Tracee, eBPF | ⚙️⚙️⚙️⚙️ |
| T03 | T03-Secrets-Management-Rotation | Vault, CSI driver, rotation scripts | ⚙️⚙️⚙️⚙️ |
| T04 | T04-Compliance-Audit-CICD | Semgrep, Trivy, Docker Bench | ⚙️⚙️⚙️⚙️ |
| T06 | T06-Chaos-Security-Testing | Chaos Toolkit / LitmusChaos | ⚙️⚙️⚙️⚙️⚙️ |
| T13 | T13-Secure-Supply-Chain | SLSA, Cosign, in-toto | ⚙️⚙️⚙️⚙️ |
| T14 | T14-Threat-Modeling-Code | ThreatSpec, PlantUML | ⚙️⚙️⚙️ |
| T15 | T15-AI-PR-Security-Review | DeepCode / Snyk Code | ⚙️⚙️⚙️⚙️ |
| T16 | T16-Cloud-Honeypot | DVWA + Falco + ELK | ⚙️⚙️⚙️⚙️⚙️ |
| T17 | T17-CVE-Triage-Automation | SBOM + Grype + Jira | ⚙️⚙️⚙️⚙️ |
| T18 | T18-Kubernetes-Policy-Enforcement | Kyverno Policy-as-Code | ⚙️⚙️⚙️⚙️ |
| T19 | T19-ZeroTrust-GHA | Zero-Trust GitHub Actions (OIDC federation) | ⚙️⚙️⚙️⚙️ |
| T20 | T20-eBPF-Runtime-Detection | Runtime exploit detection with eBPF | ⚙️⚙️⚙️⚙️⚙️ |
| T21 | T21-Secrets-Canarying | Honeytokens & secrets exfiltration detection | ⚙️⚙️⚙️⚙️ |
| T22 | T22-Red-vs-Blue-Pipeline | Red-team vs Blue-team CI/CD defense | ⚙️⚙️⚙️⚙️⚙️ |
| T23 | T23-MultiCloud-Policy-Drift | Cross-cloud IAM policy drift guard | ⚙️⚙️⚙️⚙️ |
| T24 | T24-AI-Log-Correlation | AI-driven log correlation & threat hunting | ⚙️⚙️⚙️⚙️⚙️ |

What you need before you start:
- Git ≥ 2.30
- Docker / Podman for local container work
- Python 3.9+ (helper scripts)
- A personal GitHub account & SSH key
- Tool accounts required by your task (e.g., Vault, Snyk, Jira)
- Cloud credentials (e.g., AWS) if the task calls for them

Getting started:
1. Fork this repo (or create a feature branch in the org if instructed).
2. Clone your fork:

   ```bash
   git clone git@github.com:<your-user>/devsecops-bootcamp.git
   cd devsecops-bootcamp
   ```

3. Pick a task from the tracker.
4. Create a feature branch named `<your-github-username>/Txx`, e.g.:

   ```bash
   git checkout -b <your-github-username>/T01
   ```

5. Create your personal sub-folder inside the task directory (keeps merges conflict-free):

   ```text
   T01/
   └─ <your-github-username>/   # all your code, docs, screenshots, configs
   T13/
   └─ <your-github-username>/   # same pattern for every task
   ```

   📌 Rule: work only in `Txx/<your-github-username>/…`
6. Open the task's `README.md` for the exact steps, implement, and commit regularly.
7. Run `python auto-progress-checker.py` from the repo root at any time to spot missing files.
8. Push your branch and open a Pull Request (PR) to `final-submission-4302`.
9. CI/CD runs only the checks for the folders you changed. All required checks must be ✅ before merge.
10. Request mentor review; once approved and merged, move to the next task ▶️.
We run two complementary pipelines on every PR:

- Where: `/.github/workflows/validate-task.yml`
  - What: executes each task's own checks from `Txx/.github/workflows/ci.yml` (linters, scans, tests).
  - Gate: branch protection requires these checks to pass.
- Where: `/.github/workflows/pr-evaluation.yml`
  - What happens:
    - Static checks (safe, deterministic): inventories the files you changed and compares them to the per-task expectations (`_expectations.yml`). No secrets, no code execution.
    - AI rubric review (data-driven): uses the task rubric + static evidence + diffs to generate consolidated scores & feedback. The model is configurable via the repo variable `OPENAI_MODEL` (default: `gpt-4o-mini`).
  - Output: a comment on your PR like `📝 AI Rubric Evaluation for T03-Secrets-Management-Rotation (Consolidated)` with a table of scores (General + Task-Specific) and actionable notes.

🔒 Security note: The evaluator does not execute your code. It only reads files, diffs, and configuration.
Each task folder contains an `_expectations.yml` that defines what "done" looks like (required files, allowed file types, and key concepts). Example:

```yaml
# T03-Secrets-Management-Rotation/_expectations.yml
task_id: T03
required_files:
  - "README.md"
  - ".github/workflows/ci.yml"
  - "vault/**/*.hcl"
  - "k8s/**/*.yaml"
  - "scripts/rotate*.py"
required_concepts:
  - "vault"
  - "rotation"
  - "dynamic"
  - "csi"
allowed_extensions: [ .hcl, .yaml, .yml, .json, .md, .py, .sh ]
rubric_path: "../../shared/templates/rubric.md"
```

Tailored `_expectations.yml` files ship with these tasks:

- `T01-Enforce-IaC-Policies/_expectations.yml`
- `T02-K8s-Runtime-Threat-Detection/_expectations.yml`
- `T03-Secrets-Management-Rotation/_expectations.yml`
- `T04-Compliance-Audit-CICD/_expectations.yml`
- `T06-Chaos-Security-Testing/_expectations.yml`
- `T13-Secure-Supply-Chain/_expectations.yml`
- `T14-Threat-Modeling-Code/_expectations.yml`
- `T15-AI-PR-Security-Review/_expectations.yml`
- `T16-Cloud-Honeypot/_expectations.yml`
- `T17-CVE-Triage-Automation/_expectations.yml`
- `T18-Kubernetes-Policy-Enforcement/_expectations.yml`

A default is also available at `shared/templates/_expectations.yml` (used if a task doesn't override it).
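Both the 📌 rule from the getting-started steps (everything under `Txx/<your-github-username>/`) and the static-evidence stage above (file inventory against `_expectations.yml`, concept detection in the diff) can be reproduced locally before you push. The script below is an added example written for this page; it is not the repo's `pr-evaluation.yml` or `auto-progress-checker.py`. It assumes the expectations YAML has already been parsed into a dict, that the changed-file list and unified diff come from `git diff` against the base branch, and it runs on constructed sample data (the user `alice`, the file list, and the diff hunk are all made up for the demonstration):

```python
"""Static PR gate in the spirit of the bootcamp's _expectations.yml check.
Added example (not the repo's own code); expectations assumed pre-parsed."""
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Parsed form of the T03 _expectations.yml shown above (constructed inline).
EXPECTATIONS = {
    "task_id": "T03",
    "required_files": ["README.md", ".github/workflows/ci.yml",
                       "vault/**/*.hcl", "k8s/**/*.yaml", "scripts/rotate*.py"],
    "required_concepts": ["vault", "rotation", "dynamic", "csi"],
    "allowed_extensions": [".hcl", ".yaml", ".yml", ".json", ".md", ".py", ".sh"],
}

def glob_to_regex(pattern: str) -> re.Pattern:
    """`**/` = zero or more directories, `*` stays inside one path segment.
    fnmatch would let `*` cross slashes and make `**/` need one directory,
    so `vault/**/*.hcl` would wrongly reject `vault/app.hcl`."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

@dataclass
class Evidence:
    found: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    out_of_scope: list = field(default_factory=list)
    disallowed: list = field(default_factory=list)
    concepts_found: list = field(default_factory=list)
    concepts_missing: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not (self.missing or self.out_of_scope
                    or self.disallowed or self.concepts_missing)

def added_lines(diff_text: str) -> str:
    """Only '+' lines (not the '+++' header): a term that merely survives in
    unchanged context, or that was deleted, is not evidence of work."""
    return "\n".join(ln[1:] for ln in diff_text.splitlines()
                     if ln.startswith("+") and not ln.startswith("+++"))

def evaluate(changed, diff_text, task_dir, user, exp=EXPECTATIONS) -> Evidence:
    ev = Evidence()
    scope = f"{task_dir}/{user}/"      # README rule: work only in Txx/<user>/...
    rel = []
    for path in changed:
        if not path.startswith(scope):
            ev.out_of_scope.append(path)
            continue
        rel.append(path[len(scope):])
        if PurePosixPath(path).suffix not in exp["allowed_extensions"]:
            ev.disallowed.append(path)  # extension-less files fail this too
    for pattern in exp["required_files"]:
        rx = glob_to_regex(pattern)
        (ev.found if any(rx.match(r) for r in rel) else ev.missing).append(pattern)
    text = added_lines(diff_text).lower()
    for concept in exp["required_concepts"]:
        (ev.concepts_found if concept.lower() in text
         else ev.concepts_missing).append(concept)
    return ev

def render(ev: Evidence, task_dir: str) -> str:
    """Plain-text version of the evidence table posted on the PR."""
    head = f"Static evidence for {task_dir}: {'PASS' if ev.ok else 'NEEDS WORK'}"
    rows = [f"  {k.replace('_', ' ')}: {', '.join(v) or '-'}" for k, v in vars(ev).items()]
    return "\n".join([head, *rows])

# Constructed sample PR: a mis-named ci.yaml, a stray binary, one edit outside
# the personal folder, and a diff that never mentions "dynamic".
TASK_DIR = "T03-Secrets-Management-Rotation"
SAMPLE_CHANGED = [
    f"{TASK_DIR}/alice/README.md",
    f"{TASK_DIR}/alice/.github/workflows/ci.yaml",
    f"{TASK_DIR}/alice/vault/policies/app-read.hcl",
    f"{TASK_DIR}/alice/k8s/secretproviderclass.yaml",
    f"{TASK_DIR}/alice/scripts/rotate_db_creds.py",
    f"{TASK_DIR}/alice/scripts/helper.exe",
    "shared/templates/rubric.md",
]
SAMPLE_DIFF = f"""\
+++ b/{TASK_DIR}/alice/scripts/rotate_db_creds.py
@@ -0,0 +1,3 @@
+# Rotation job: pull fresh DB credentials from Vault; the app reads them
+# from the volume mounted by the Secrets Store CSI driver
+creds = hvac.Client().secrets.database.generate_credentials(name="app")
"""

if __name__ == "__main__":
    print(render(evaluate(SAMPLE_CHANGED, SAMPLE_DIFF, TASK_DIR, "alice"), TASK_DIR))
```

Running it prints the evidence for the constructed PR: `.github/workflows/ci.yml` is reported missing because the file was named `ci.yaml`, `helper.exe` is flagged as a disallowed extension, the `shared/templates/rubric.md` edit is out of scope, and `dynamic` is the one required concept not found. Concept detection reads added diff lines only, so a keyword in a deleted line or in unchanged context never counts as evidence; that is the same reason the real evaluator needs no code execution to produce this part of the feedback.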
How to read the evaluation comment:

- Static evidence shows which required files were found/missing and which concepts were detected in your diffs.
- Scores are based on `/shared/templates/rubric.md` plus the evidence above.
- Actionable notes call out where to improve (e.g., add a rotation job, sign the image, tighten a Kyverno rule).
- If feedback seems off:
  - Ensure all work is under `Txx/<your-github-username>/…`
  - Make sure file names/paths match the expectations (e.g., `README.md`, `ci.yml`).
  - Push a small update; the evaluation reruns automatically.
Repository configuration for the evaluator:

- Secrets: `OPENAI_API_KEY` (Settings → Secrets → Actions)
- Variables (optional): `OPENAI_MODEL` (e.g., `gpt-4o` / `gpt-4o-mini`)
- Reviewer bot: the workflow auto-adds `github-copilot[bot]` as a reviewer (if available).
- Safety: `pull_request_target` is used only to read files and post comments; the static checks run against the PR head but do not execute arbitrary code. Because a `pull_request_target` job runs in the base repository's context with access to its secrets, nothing taken from the PR head (scripts, Makefiles, dependency manifests, workflow files) may ever be executed by it; keep any new check read-only.
- Self-check: `auto-progress-checker.py` + CSV/Excel tracker
- Mentor rubric: `/shared/rubric.md`
- Weekly sync: PRs are reviewed every Friday; you'll get feedback & the next assignment
- Discussions (NEW!): use the GitHub → Discussions tab to ask questions, propose new advanced tasks, and share lessons learned. Global contributors are welcome!
- Teams channel: `#4302-Arena`, for quick questions & screenshots
- Templates & examples: see `/shared/templates/` for starter code and CI snippets
Happy hardening & shipping secure software! 💪