Skip to main content

Automation for Security Teams

In a Nutshell
What will I learn?In this tutorial, we will create a CI workflow focused on code security checks using Autoworx. This workflow will help ensure that your code adheres to best practices and is free from potential security vulnerabilities.

Securing Your Code with worX

What you'll need

Software & Services

GitLab repository

  • A GitLab account and repository to set up your CI/CD pipeline.
  • A GitLab repository with sample Python code and Infrastructure as Code (IaC) files. You can fork the Autoworx CI/CD examples repository.
  • A .gitlab-ci.yml file in your repository, which we will be configuring with Autoworx security jobs.


In this tutorial, we will walk through the process of setting up various security jobs in GitLab CI/CD using Autoworx snippets. These jobs will help ensure that your Python code and IaC files are free of security vulnerabilities.

Autoworx Security Jobs

The following security jobs will be added to your GitLab CI/CD pipeline:

Bandit (Python Security)

Run a security check on the Python code to identify potential vulnerabilities. This step helps protect your application from security risks and ensures compliance with security standards. We use bandit, a popular Python static analysis tool, to scan the codebase for common security issues.

python_security python_security

Container Security (Trivy)

Scan the built Docker image for security vulnerabilities. This step ensures that the application's runtime environment, including the base OS and third-party packages, are free from known security issues. We use Aqua Trivy, a comprehensive vulnerability scanner for containers and other artifacts, to scan the Docker image.

container_security container_security

TFSec (Terraform Security)

Scans your Terraform code for security vulnerabilities using the TFSec static analysis tool. This step helps ensure that your infrastructure as code (IaC) complies with security best practices and standards. TFSec checks for common misconfigurations, insecure settings, and other issues that may pose security risks. The job is configured with the TERRAFORM_CODE_PATH variable pointing to the Terraform code directory.

terraform_tfsec terraform_tfsec

Terrascan (Terraform Security)

Performs security and compliance scans on your Terraform code using the Terrascan open-source scanner. This step helps you identify potential security risks and compliance violations in your IaC. Terrascan supports a wide range of policies and integrates with various security standards. The job is configured with the TERRAFORM_CODE_PATH variable pointing to the Terraform code directory.

terraform_terrascan terraform_terrascan

Checkov (IaC Security)

Scans your infrastructure as code (IaC) files for security vulnerabilities and compliance issues using the Checkov static analysis tool. This step helps ensure that your IaC files adhere to security best practices and meet compliance requirements. Checkov supports multiple IaC languages, including Terraform, and is integrated with GitLab CI to provide detailed reports. The job is configured with the IAC_CODE_PATH variable pointing to the IaC code directory.

terraform_checkov terraform_checkov

Gitleaks (Secrets Detection)

Scans your Git repository for leaked secrets using the Gitleaks scanner. This step helps protect sensitive data from accidental exposure and ensures compliance with data protection regulations. Gitleaks checks for API keys, passwords, and other sensitive information that may be accidentally committed to your Git repository.

terraform_gitleaks terraform_gitleaks

Sample GitLab CI/CD configuration

# This sample GitLab CI/CD configuration is part of the Autoworx tutorial
# and demonstrates a complete CI workflow for various security-related tasks.
# The pipeline provides security scans for Python code, Terraform code,
# Infrastructure-as-Code files, and Git repositories.
# The pipeline consists of the following stages:
# - security: Run security checks on Python and IaC files, scan Git repositories for secrets
# - container-security: Scan the Docker image for security vulnerabilities
# The pipeline includes several jobs from external templates, such as bandit,
# tfsec, terrascan, checkov, and gitleaks.
# The pipeline produces various artifacts, such as security scan results.
# These artifacts expire after 1 week.
# Sample Python code, Dockerfile, and IaC files used in this tutorial can
# be found in the public repository at:

- security
- container-security

- project: 'hest-io/hestio-product/hestio-worx/autoworx/ci/templates'
- 'Jobs/Python/python-bandit.gitlab-ci.yml'
- 'Jobs/Docker/docker-container-security.gitlab-ci.yml'
- 'Jobs/Terraform/terraform-terraascan.gitlab-ci.yml'
- 'Jobs/Terraform/terraform-tfsec.gitlab-ci.yml'
- 'Jobs/IaC/iac-checkov.gitlab-ci.yml'
- 'Jobs/IaC/iac-secret-detection.gitlab-ci.yml'

stage: security
PYTHON_CODE_PATH: "python/*.py"

stage: container-security

stage: security
allow_failure: true

stage: security
allow_failure: true

stage: security
IAC_CODE_PATH: "terraform/"
allow_failure: true

stage: security
allow_failure: true

ci tests


This tutorial guided you through setting up a security-focused GitLab CI/CD pipeline using Autoworx for a Python-based application. The pipeline includes code analysis, container scanning, and IaC checks, ensuring your application remains secure during development.

Want to find out more?

At Hestio, we have taken our experience with designing and building on cloud to codify these patterns and made them available as a low-code pattern library for AWS. Why spend time and effort on reinventing the wheel when it's already a solved problem? Would you start developing office productivity software in a world where Microsoft Office already exists?

If you'd like to find out about worX, our low-code patterns library for AWS you can read more here or get in touch today to schedule a demo.

If you'd like to find out more about the products and services Hestio has to offer, select one of the options below.