Secode
Request demo

Tools that plug straight into your pipeline

Access cheat sheets, secure-coding checklists, and IaC scanning scripts. Integrate them into CI/CD to raise security and visibility across your SDLC.

Zero-Trust Prompting: Preventing Prompt Injection

· AI Safety Secure SDLC Cheat Sheets
Illustration of prompt-safety and zero-trust prompting
Keep sensitive data out of prompts; validate and constrain outputs.

Treat model prompts and outputs like any other untrusted data flow. Redact sensitive inputs, validate responses, and put AI assistants behind explicit policy checks. Below is a compact cheat-sheet you can drop into your team wiki.

AI Safety Cheat-Sheet (excerpt)

Prompt & Output Handling 
• Do not include secrets/PII in prompts. Use masked test data only.
• Validate outputs (schema/regex/type) before using them in code or tools.
• Keep tools/extensions on an allowlist; restrict filesystem/network access.
• Rate-limit and log prompts/responses securely; set retention & access controls.
• Prefer retrieval-augmented generation (RAG) with sanitized sources.
• Never directly execute generated commands; require human confirmation or sandboxes.

PR Security Checklist (add to your repo)

.github/pull_request_template.md 
### Security checklist
- [ ] Input validated/encoded (XSS/Injection)
- [ ] AuthZ checks present for sensitive operations
- [ ] No hard-coded secrets / tokens
- [ ] TLS/HTTPS enforced for endpoints
- [ ] Tests updated for risky flows
- [ ] If AI used: no sensitive data in prompts; outputs validated

Terraform Pitfalls & How to Scan Your IaC

· Terraform Kubernetes IaC Scanning
Illustration of Infrastructure-as-Code scanning across cloud components
Scan for permissive IAM, public storage, and weak network rules before they ship.

Catch misconfigurations early. Use tfsec for Terraform, Trivy for files/containers, and Semgrep for policy rules. The following workflows plug into GitHub Actions and GitLab CI.

GitHub Actions: IaC Scan

.github/workflows/iac-scan.yml 
name: iac-scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: tfsec
        uses: aquasecurity/[email protected]
      - name: trivy fs
        uses: aquasecurity/[email protected]
        with:
          scan-type: fs
          ignore-unfixed: true
          format: table
      - name: semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: p/owasp-top-ten

GitLab CI: IaC Scan

.gitlab-ci.yml (job snippet) 
iac_scan:
  image: alpine:3.20
  stage: test
  before_script:
    - apk add --no-cache curl bash jq
    - curl -sL https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
    - wget -qO- https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
  script:
    - tfsec .
    - trivy fs --ignore-unfixed --format table .
    - docker run --rm -v $PWD:/src returntocorp/semgrep semgrep -q -f p/owasp-top-ten /src
  allow_failure: false

From CI to CD: SBOM, Secrets Scanning & Policy Gates

· CI/CD Visibility Compliance
Illustration of a CI/CD pipeline with packages scanned by lasers and gates
Build visibility with SBOMs, secrets scanning, and fail-on-severity policies.

Add local bootstrap scripts for developers, then enforce build-time controls that are visible to the whole org. Start with a one-liner, add SBOM & secrets scanning, then gate on severity.

Local one-liner (CLI bootstrap)

Shell 
curl -sSL https://get.secode.dev/bootstrap-iac | bash
tfsec . && trivy fs --ignore-unfixed . && semgrep -q -f p/owasp-top-ten .

GitHub Actions: SBOM + Secrets

.github/workflows/compliance.yml 
name: compliance
on: [push, pull_request]
jobs:
  sbom_secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: CycloneDX SBOM
        uses: CycloneDX/gh-actions-generate-sbom@v2
      - name: gitleaks
        uses: gitleaks/gitleaks-action@v2

Policy gate: fail on min severity

Shell (CI step) 
# Fail the build if High/Critical findings are detected
trivy fs --severity HIGH,CRITICAL --exit-code 1 .
semgrep -q --error --severity=ERROR -f p/owasp-top-ten .