Creating a CI/CD pipeline using CloudFormation
In this section, we will create a CodePipeline project that gets triggered the moment any code change gets pushed to the CatalogDetail
repository. This CodePipeline project executes the following stages and actions in sequence:
- The CodePipeline project will first read the changes from the source and then go to the Build-Secrets stage.
- At this stage, the CodeBuild project will start scanning repository code with the git-secrets utility and look for any secret leakages. After the completion of this stage, the Build-SAST stage will start executing.
- The Build-SAST stage consists of two actions. The first action is SAST analysis, which invokes Anchore to scan the Docker build and then generates the report. Based on the vulnerability status, if there is a high or critical CVE, then the build will fail; otherwise, it will continue to build and push the image to the ECR repository. The next action is ECR-SAST-and-STG-Deploy. This...
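The gating decision made in the Build-SAST stage (fail the build on any high or critical CVE, otherwise continue to the ECR push) can be written as a small script that a CodeBuild step runs against the saved Anchore report. This is an added example, not code from the book or from Anchore; it assumes the report JSON has a top-level `vulnerabilities` list whose entries carry `vuln` and `severity` keys (the shape `anchore-cli image vuln <image> all --json` produces), and the sample report and CVE identifiers in it are constructed placeholders.

```python
"""Severity gate for the Build-SAST stage (added example, not from the book).

Assumes the scan step saved the Anchore image vulnerability report as JSON
with a top-level "vulnerabilities" list of {"vuln", "severity", ...} entries.
"""
import json
import sys

# Severities that must block the image from being pushed to ECR.
BLOCKING_SEVERITIES = {"High", "Critical"}

# Constructed sample report; the CVE identifiers are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "severity": "Low", "package": "libexample-a"},
        {"vuln": "CVE-0000-0002", "severity": "High", "package": "libexample-b"},
        {"vuln": "CVE-0000-0003", "severity": "Critical", "package": "libexample-c"},
        {"vuln": "CVE-0000-0004", "severity": "Medium", "package": "libexample-d"},
    ]
})


def blocking_findings(report_json, blocking=BLOCKING_SEVERITIES):
    """Return the findings whose severity falls in the blocking set.

    Severity strings are normalised (e.g. "CRITICAL" -> "Critical") so a
    differently cased report does not slip past the gate.
    """
    report = json.loads(report_json)
    return [
        v for v in report.get("vulnerabilities", [])
        if v.get("severity", "").capitalize() in blocking
    ]


def gate(report_json):
    """Return 0 (continue to the ECR push) or 1 (fail the build), like a buildspec step."""
    hits = blocking_findings(report_json)
    for v in hits:
        print(f"BLOCKING {v['severity']}: {v['vuln']} in {v.get('package', '?')}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Read the report from a file named on the command line, or fall back to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

In a buildspec this would run as `python gate.py anchore-report.json` between the scan and the `docker push`, so a non-zero exit stops the stage before anything reaches ECR.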