Open Source · Self-Hosted · Production Ready

ZeroTrustOps Platform

A self-hosted DevSecOps platform that automatically scans repositories for security misconfigurations on every push — with a custom static analysis engine, secrets detection, and a real-time dashboard.

Go 1.21+ Python 3.11 Apache 2.0 Docker Compose PostgreSQL 16 Kyverno SARIF
70+ built-in security rules · 5 scan target types · 3 output formats · 1-command setup
sectl — Security Enforcement CLI
01 · How It Works

ZeroTrustOps integrates seamlessly into your Git workflow. Every push triggers an automated security scan with detailed findings routed to the dashboard.

1. 🔀 Developer pushes code to a connected GitHub repository
2. 🔔 GitHub fires a webhook to the ZeroTrustOps platform API
3. 📦 API clones the repository into an isolated workspace container
4. 🔍 SecTL scans Kubernetes manifests, Terraform, and Helm charts with 70+ rules
5. 🔐 Gitleaks scans for hardcoded secrets, credentials, and API keys
6. 🗄️ Findings are stored in PostgreSQL and the security gate decision is computed (PASS/FAIL)
7. 📊 Dashboard displays PASS or FAIL with full finding detail and remediation
02 · Architecture

CLI Engine · SecTL · Go 1.21+
Custom static analysis engine. Scans K8s, Terraform, Helm, and container images with 70+ built-in rules. Outputs table, JSON, and SARIF.

Backend API · Platform API · Python / FastAPI · :8000
Receives GitHub webhooks, orchestrates background scans, stores results, and exposes a full REST API for the dashboard.

Frontend · Dashboard · React + Vite + Nginx · :3000
Real-time scan results, repository management, finding detail view, and interactive webhook setup guide.

Architecture diagram (flow): GitHub push event → webhook POST → Platform API (FastAPI + Python, :8000) orchestrates scans → exec SecTL CLI (Go, 70+ rules: K8s · TF · Helm) and exec Gitleaks (secrets detection: credentials · keys) → PostgreSQL (:5433) → Dashboard (React + Nginx, :3000); all services on zerotrust-net (bridge).

All three services are orchestrated via Docker Compose and communicate over an internal bridge network (zerotrust-net). PostgreSQL persists all scan state.

03 · Platform Screenshots

Below are representative views of the ZeroTrustOps dashboard built with React + Vite, displaying live scan data from the PostgreSQL backend.

Screenshot: Dashboard Overview — Scan stats & recent activity (total / passed / failed scan counts, total findings, recent scans listed as status · repo · branch@commit · age, API health indicator)
Screenshot: Scan Detail — Findings with severity & location (scan number, repo, branch@commit, PASS/FAIL, severity counts, each finding as severity · rule ID · title · file:line, manifests scanned and scan duration)
Screenshot: Repositories — Connected repos & scan status (repository, last scan, PASS/FAIL, Add Repo action)
Screenshot: Setup Page — Guided webhook configuration (start the ngrok tunnel, copy the public /webhook/github URL, add it under GitHub → Settings → Webhooks with Content-Type application/json and the push event)
04 · SecTL — Security Enforcement Engine

SecTL is the heart of ZeroTrustOps. A custom static analysis CLI written in Go with zero external rule dependencies — every rule is built-in and version-controlled with the platform.

Scan Types

Type         | Target                 | Coverage
k8s          | Kubernetes manifests   | Pods, Deployments, RBAC, Ingress, ConfigMaps, ServiceAccounts
terraform    | Infrastructure as Code | AWS, GCP, Azure — S3, IAM, Security Groups, RDS, EKS, CloudTrail
helm         | Helm charts            | Chart.yaml, values.yaml, rendered templates
posture      | Live AWS account       | IAM root keys, MFA, password policy, user access keys, S3 buckets
supply-chain | Container images       | Digest pinning, latest tag detection, EOL base images

Output Formats

Shell
$ sectl scan ./manifests --type k8s                                        # human-readable table
$ sectl scan ./manifests --type k8s -o json                                # machine-readable JSON
$ sectl scan ./manifests --type k8s -o sarif                               # SARIF for the GitHub Security tab
$ sectl scan ./infra --type terraform --severity high --fail-on-findings   # gate on HIGH and above
$ sectl verify nginx:latest myapp:1.0.0                                    # supply chain checks
$ sectl audit --provider aws --region us-east-1                            # live posture
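The -o sarif output is what lets findings land in the GitHub Security tab. As an added example (not SecTL's own report renderer), the following builds a SARIF 2.1.0 log from scanner findings: each rule ID is declared once under tool.driver.rules, and each finding becomes a result with a level and a file:line location. The findings, tool version string and level mapping are constructed assumptions.

```python
import json

# Rule severities mapped onto the three SARIF result levels GitHub code scanning understands.
SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}

# Constructed sample findings: (rule_id, severity, description, file, line).
SAMPLE_FINDINGS = [
    ("K8S-020", "CRITICAL", "RBAC wildcard apiGroups (*)", "deployment.yaml", 14),
    ("K8S-004", "CRITICAL", "Privileged container", "deployment.yaml", 32),
    ("K8S-009", "MEDIUM", "Mutable :latest image tag", "deployment.yaml", 40),
]

def to_sarif(findings, tool_name="sectl", tool_version="0.0.0-example"):
    """Render findings as a SARIF 2.1.0 log (dict).

    Each ruleId used by a result is declared exactly once under tool.driver.rules;
    results carry the level, a message and the file:line location of the finding.
    """
    rules, seen = [], set()
    for rule_id, _sev, desc, _path, _line in findings:
        if rule_id not in seen:
            seen.add(rule_id)
            rules.append({"id": rule_id, "shortDescription": {"text": desc}})
    results = [{
        "ruleId": rule_id,
        "level": SARIF_LEVEL.get(sev, "warning"),
        "message": {"text": f"{rule_id}: {desc}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": path},
            "region": {"startLine": line}}}],
    } for rule_id, sev, desc, path, line in findings]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
                  "results": results}],
    }

def sarif_json(findings):
    """Serialise the log to the JSON text a -o sarif run would write to stdout or a file."""
    return json.dumps(to_sarif(findings), indent=2)
```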
05 · Selected Security Rules

70+ rules across Kubernetes, Terraform, and supply-chain targets. Rules are identified by a unique ID and carry severity, category, remediation guidance, and affected resource path.

K8S-001 · CRITICAL · hostPID enabled — container sees all host processes
K8S-004 · CRITICAL · Privileged container — full host device access
K8S-020 · CRITICAL · RBAC wildcard apiGroups (*)
K8S-024 · CRITICAL · Binding to cluster-admin role
K8S-031 · HIGH · Hardcoded secret in environment variable
K8S-005 · HIGH · allowPrivilegeEscalation not set to false
TF-S3-010 · CRITICAL · S3 bucket ACL set to public
TF-IAM-001 · CRITICAL · IAM policy allows Action: * (all actions)
TF-SG-001 · CRITICAL · Security group: sensitive port open to internet
TF-RDS-002 · CRITICAL · RDS instance publicly accessible
K8S-009 · MEDIUM · Mutable :latest image tag
K8S-010 · MEDIUM · No resource requests or limits defined
SC-001 · HIGH · Image not pinned by digest — non-reproducible build
SC-020 · HIGH · Potentially EOL base image detected

Full rule set: sectl rules · Filter by source: sectl rules --source k8s
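To make the rule IDs above and the PASS/FAIL gate from the workflow concrete, here is an added example (not SecTL's Go engine) that applies six of the K8S-* rules to a parsed workload manifest and then computes the gate decision with a severity threshold in the spirit of --severity high --fail-on-findings. The manifest, the secret-name heuristic and the resource paths are constructed assumptions.

```python
# Severity ordering used by the gate (mirrors --severity <level> --fail-on-findings).
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")  # env names that look like secrets
# Constructed sample: a parsed Deployment manifest (dict form of the YAML), not from the project.
SAMPLE_MANIFEST = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "containers": [
            {"name": "app", "image": "nginx:latest",
             "securityContext": {"privileged": True},
             "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]},
            {"name": "sidecar", "image": "busybox@sha256:" + "a" * 64,
             "securityContext": {"allowPrivilegeEscalation": False},
             "resources": {"requests": {"cpu": "50m"}, "limits": {"cpu": "100m"}}},
        ]}}}}

def tag_is_mutable(image):
    """K8S-009: no digest and either no tag or the :latest tag."""
    name = image.rsplit("/", 1)[-1]  # drop registry/namespace, which may carry a :port
    return "@" not in name and (":" not in name or name.endswith(":latest"))

def scan_k8s(manifest):
    """Apply a subset of the K8S-* rules; returns (rule_id, severity, resource_path, message) tuples."""
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    findings = []
    if pod.get("hostPID"):
        findings.append(("K8S-001", "CRITICAL", "spec.template.spec.hostPID", "hostPID enabled"))
    for i, c in enumerate(pod.get("containers", [])):
        path = f"spec.template.spec.containers[{i}]"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("K8S-004", "CRITICAL", f"{path}.securityContext.privileged", "Privileged container"))
        if sc.get("allowPrivilegeEscalation") is not False:  # unset is a finding too
            findings.append(("K8S-005", "HIGH", f"{path}.securityContext", "allowPrivilegeEscalation not set to false"))
        if tag_is_mutable(c.get("image", "")):
            findings.append(("K8S-009", "MEDIUM", f"{path}.image", "Mutable :latest image tag"))
        res = c.get("resources", {})
        if not (res.get("requests") and res.get("limits")):
            findings.append(("K8S-010", "MEDIUM", f"{path}.resources", "No resource requests or limits defined"))
        for env in c.get("env", []):  # a literal value for a secret-looking name; valueFrom is fine
            if "value" in env and any(h in env.get("name", "").upper() for h in SECRET_HINTS):
                findings.append(("K8S-031", "HIGH", f"{path}.env[{env['name']}]", "Hardcoded secret in environment variable"))
    return findings

def gate(findings, min_severity="HIGH"):
    """Security gate: FAIL if any finding is at or above the threshold, else PASS."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    return "FAIL" if any(SEVERITY_RANK[sev] >= threshold for _, sev, _, _ in findings) else "PASS"
```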

06 · Quick Start

Prerequisites

🐳 Docker + Compose
🐹 Go 1.21+
🔀 Git (any version)
🌐 ngrok (webhook tunnel)

Installation

Shell
$ git clone https://github.com/Debasish-87/ZeroTrustOps-Platform.git
$ cd ZeroTrustOps-Platform
$ bash setup.sh
One command. The setup script checks prerequisites, compiles SecTL from source, builds all Docker containers, runs a quick scan test, and waits for health checks to pass. First run takes 3–5 minutes; subsequent starts are instant (cached layers).

Running Services

Dashboard · http://localhost:3000 · React frontend
API · http://localhost:8000 · FastAPI backend
API Docs · http://localhost:8000/docs · Swagger UI

Uninstall

Shell
$ bash uninstall.sh   # removes all containers, volumes, images, and the sectl binary
07 · GitHub Webhook Setup

1. 🌐 Run ngrok http 3000 to expose your local platform publicly
2. ⚙️ In your GitHub repo, go to Settings → Webhooks → Add webhook
3. 🔗 Set Payload URL to https://your-ngrok-url/webhook/github
4. 📋 Content type: application/json · Event: push
5. 🚀 Push code → watch the scan run automatically in the dashboard
08 · REST API

Full Swagger/OpenAPI documentation available at http://localhost:8000/docs when the platform is running.

GET /health · Health check
GET /api/stats · Dashboard overview counts
GET /api/repos · List connected repositories
POST /api/repos · Add a repository
DELETE /api/repos/:id · Remove a repository
GET /api/scans · List recent scans
GET /api/scans/:id · Scan detail with all findings
POST /api/scans/trigger · Manually trigger a scan
POST /webhook/github · GitHub push webhook receiver
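The receiver behind POST /webhook/github is the one endpoint exposed to the internet (through ngrok), so it is the place to authenticate the caller before cloning anything. The following is an added, stand-alone example (not the platform's FastAPI code) of the checks such a receiver performs: validate GitHub's X-Hub-Signature-256 header against the raw body using a shared secret (assumed to be configured on the GitHub webhook), act only on push events, and skip branch deletions. The payload subset, header names and secret value are constructed.

```python
import hashlib
import hmac
import json

def sign_body(secret, body):
    """Build the X-Hub-Signature-256 value GitHub sends: 'sha256=' + HMAC-SHA256(secret, raw body)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret, body, header):
    """Constant-time comparison of the signature header against the raw request body."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)

def handle_github_webhook(headers, body, secret):
    """Receiver logic for POST /webhook/github: authenticate, then decide whether to queue a scan.

    Returns a small status dict instead of an HTTP response so it can be exercised offline.
    The body must be the raw bytes as received; re-serialised JSON would not verify.
    """
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return {"status": 401, "action": "rejected", "reason": "bad signature"}
    event = headers.get("X-GitHub-Event")
    if event != "push":
        return {"status": 202, "action": "ignored", "reason": f"event {event!r} not handled"}
    payload = json.loads(body)
    if payload.get("deleted"):  # branch deletion: nothing to clone or scan
        return {"status": 202, "action": "ignored", "reason": "branch deleted"}
    return {"status": 202, "action": "scan_queued",
            "clone_url": payload["repository"]["clone_url"],
            "ref": payload["ref"], "commit": payload["after"]}

# Constructed sample push payload (subset of GitHub's push event fields) and a made-up shared secret.
WEBHOOK_SECRET = b"example-shared-secret"
SAMPLE_PUSH = json.dumps({
    "ref": "refs/heads/main", "after": "a3f4c2e" + "0" * 33, "deleted": False,
    "repository": {"full_name": "example/app", "clone_url": "https://github.com/example/app.git"},
}).encode()
```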
09 · Project Structure

ZeroTrustOps-Platform/
├── setup.sh                 # One-command installer
├── uninstall.sh             # Complete cleanup script
├── docker-compose.yml       # Service orchestration
├── sectl/                   # Security CLI (Go)
│   ├── main.go
│   ├── cmd/                 # scan, audit, verify, rules commands
│   └── internal/
│       ├── scanner/         # K8s, Terraform, Helm analyzers
│       ├── posture/         # Live AWS account audit
│       ├── supply/          # Container image checks
│       └── report/          # Table, JSON, SARIF renderers
├── platform/
│   ├── api/                 # FastAPI backend
│   │   ├── main.py          # Webhook + orchestrator + REST API
│   │   └── Dockerfile
│   ├── web/                 # React dashboard
│   │   ├── src/pages/       # Dashboard, Repos, Scans, Setup
│   │   └── Dockerfile
│   └── db/
│       └── init.sql         # PostgreSQL schema
└── manifests/
    ├── dev/                 # Hardened K8s deployment example
    └── kyverno-policies/    # Enforcement policies
10 · Kyverno Policies

Three cluster-wide policies enforce security at the Kubernetes admission level. All policies run in Enforce mode — they actively block non-compliant resources from entering the cluster.

🏷️ disallow-latest-tag (Enforce)
Blocks containers using the :latest image tag or no tag at all. Requires explicit, immutable version tags for reproducible deployments.

🔒 disallow-privileged (Enforce)
Blocks privileged containers, privilege escalation, and host namespace sharing (hostPID, hostIPC, hostNetwork).

⚖️ require-resource-limits (Enforce)
Requires CPU and memory requests and limits on all containers to prevent resource starvation and noisy-neighbor issues.
11 · Roadmap

GitHub commit status API — report PASS/FAIL directly on pull requests
Slack and Microsoft Teams notification webhooks
Trivy container image vulnerability scanning integration
Falco runtime threat detection support
SARIF upload to GitHub Advanced Security via API
Multi-organization support
Prometheus metrics endpoint
GCP and Azure cloud posture modules