Cheat Sheets
Three dense quick references by persona—daily developer CI workflows, platform deploy/promote operations,
and security scanning plus policy-as-code commands. Use Copy sheet for plain text or persona filters to focus one role.
Daily pipeline & git commands
Task | Command | Notes
Run tests locally | make test | Mirror CI target
Lint before push | pre-commit run --all-files | Same rules as pipeline
Debug CI locally | act -j build | GitHub Actions emulator
Check PR CI status | gh pr checks 1842 | Requires gh CLI auth
View workflow runs | gh run list --workflow=ci.yml | Filter: --branch=feature/x
Re-run failed jobs | gh run rerun RUN_ID --failed | After fixing infra flake
Clone with depth | git clone --depth=1 | Faster CI checkout
Signed commit | git commit -S -m 'fix: auth' | GPG or SSH sig
View SARIF in PR | Open Security tab | GitHub code scanning
Cosign verify image | cosign verify --certificate-oidc-issuer ISSUER --certificate-identity IDENTITY REGISTRY_IMAGE:tag | Before deploy; both flags are required for keyless verification
Trivy scan locally | trivy image --severity HIGH,CRITICAL myapp:dev | Catch before push
Semgrep local | semgrep scan --config=auto | SAST in IDE terminal
Check secret leak | gitleaks detect --source . | Pre-commit hook
Helm template dry-run | helm template api ./chart -f values-staging.yaml | Render without cluster
Kustomize build | kubectl kustomize overlays/staging | Validate overlays
Port-forward staging | kubectl port-forward svc/api 8080:80 -n staging | Debug without ingress
Fetch pod logs | kubectl logs -f deploy/api -n staging --tail=200 | Since deploy
Exec debug shell | kubectl exec -it deploy/api -n staging -- /bin/sh | Ephemeral debug
Diff cluster vs git | argocd app diff api-staging | Drift before merge
Trigger review app | gh pr create --fill | Opens PR → CI deploys preview
Environment variables (twelve-factor)
Variable | Value | Notes
LOG_LEVEL | debug | Non-secret config
DATABASE_URL | vault://secret/dev/db | Never in a committed .env
FEATURE_X | true | Prefer feature flag service
OTEL_SERVICE_NAME | api | Tracing resource attr
CI | true (set by runner) | Detect CI in scripts
Pre-commit hook (.pre-commit-config.yaml)
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4
    hooks:
      - id: gitleaks
  - repo: https://github.com/returntocorp/semgrep
    rev: v1.72.0
    hooks:
      - id: semgrep
        args: ['--config', 'p/ci', '--error']
  - repo: local
    hooks:
      - id: unit-tests
        name: unit tests
        entry: make test
        language: system
        pass_filenames: false
Makefile targets (CI parity)
.PHONY: test lint scan build
test:
	pytest -q --tb=short
lint:
	ruff check . && ruff format --check .
scan:
	trivy fs --severity HIGH,CRITICAL .
build:
	docker build -t $(APP):$(GIT_SHA) .
💡 Tip
Run make lint test scan before every push. If local passes, CI failure is infra—not your code.
CI/CD & deploy operations
Task | Command | Notes
List workflows | gh workflow list | GitHub
Dispatch workflow | gh workflow run promote.yml -f image_digest=sha256:abc | Manual promote
GitLab pipeline | glab ci view | Live pipeline status
Retry GitLab job | glab ci retry JOB_ID | After runner recovery
Push to ECR | aws ecr get-login-password \| docker login … | OIDC preferred in CI
Sign image | cosign sign --yes IMAGE@DIGEST | Keyless with Fulcio
Copy image cross-account | crane copy SRC DST | Promotion between registries
Helm upgrade | helm upgrade --install api ./chart -n prod -f values-prod.yaml --atomic | Rollback on failure
Helm rollback | helm rollback api 41 -n prod | Previous revision
ArgoCD sync | argocd app sync api-prod --prune | GitOps deploy
ArgoCD rollback | argocd app rollback api-prod 12 | To previous git revision
Kubectl rollout status | kubectl rollout status deploy/api -n prod --timeout=300s | Wait for deploy
Drain node | kubectl drain NODE --ignore-daemonsets --delete-emptydir-data | Pre-upgrade
Apply Kyverno policy | kubectl apply -f policies/verify-images.yaml | Admission verify
Terraform plan in CI | terraform plan -out=plan.tfplan | PR comment with summary
Atlantis apply | atlantis apply -p prod | After approved PR
Vault login OIDC | vault login -method=oidc | Human break-glass
ESO refresh secret | kubectl annotate es api-db force-sync=$(date +%s) | Force ExternalSecret sync
Pushgateway metric | echo 'ci_build_duration_seconds 142' \| curl --data-binary @- PUSHGATEWAY/metrics/job/ci | Pipeline metrics
Promote GitLab env | glab ci run --branch main deploy:production | Manual prod job
Promotion one-liner (digest pin)
# Promote verified digest to prod overlay
DIGEST=sha256:abc123...
yq -i ".image.digest = \"$DIGEST\"" deploy/overlays/prod/values.yaml
git commit -am "promote: $DIGEST" && git push
argocd app sync api-prod --timeout 600
Pipeline failure triage
Stage red | First command | Common fix
lint | Run linter locally | Auto-format, commit fix
unit test | pytest -k failing_test | Fix or quarantine flake
SAST | semgrep --config=ruleid | Fix or document waiver
container scan | trivy image IMAGE | Base image upgrade
deploy | kubectl describe pod -n ns | ImagePullBackOff, OOM, probe
policy | kyverno policy report -n ns | Missing signature, resource limit
🔬 Under the Hood
helm upgrade --atomic rolls back automatically if hooks or readiness fail—use on prod to avoid half-upgraded releases.
Scanning & supply chain commands
Task | Command | Notes
Trivy fs scan | trivy fs --scanners vuln,secret,misconfig . | Repo + IaC
Trivy image CI gate | trivy image --exit-code 1 --severity CRITICAL,HIGH IMAGE | Block pipeline
Grype SBOM scan | grype sbom:./sbom.json | From Syft SBOM
Syft generate SBOM | syft packages IMAGE -o spdx-json > sbom.json | Attach to release
Semgrep CI | semgrep ci --config p/ci | PR blocking rules
Gitleaks history | gitleaks detect --source . --log-opts='--all' | Full git history
Conftest K8s | conftest test -p policy/ deploy.yaml | OPA/Rego policies
Cosign verify policy | cosign verify --certificate-identity-regexp '.*' --certificate-oidc-issuer ISSUER IMAGE | Sigstore; an identity regexp of '.*' accepts any signer, so pin the issuer at least
SLSA provenance | slsa-verifier verify-artifact ARTIFACT --provenance-path provenance.intoto.jsonl | Supply chain
OPA eval | opa eval -d policy.rego 'data.kubernetes.admission.deny' | Test Rego locally
Kyverno test | kyverno test ./tests/ | Policy unit tests
Checkov IaC | checkov -d terraform/ | Terraform misconfig
tfsec | tfsec terraform/ | Alternative IaC scanner
Falco alert | kubectl logs -n falco -l app=falco | Runtime threats
Network policy test | kubectl run test --rm -it --image=nicolaka/netshoot -- curl target | Verify deny
RBAC audit | kubectl auth can-i --list --as=system:serviceaccount:prod:api | SA permissions
SAST SARIF upload | gh api repos/OWNER/REPO/code-scanning/sarifs -f sarif=@SARIF_FILE | GitHub Security
Dependency review | gh api dependency-graph/snapshots | Transitive vulns
Vault policy write | vault policy write ci-read - | Least privilege CI; policy HCL read from stdin
Rotate leaked secret | 1. Revoke 2. Rotate in vault 3. gitleaks allowlist false positive | Incident playbook
Kyverno verifyImages policy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-images
spec:
  validationFailureAction: Enforce
  rules:
    - name: verify-cosign
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences: ["123456789012.dkr.ecr.us-east-1.amazonaws.com/*"]
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/org/repo/.github/workflows/*"
                    issuer: "https://token.actions.githubusercontent.com"
Severity response matrix
Severity | SLA | Pipeline action | Exception process
Critical | 24h fix or block | Fail build (--exit-code 1) | CISO waiver + ticket
High | 7 days | Warn + Jira auto-create | Risk acceptance doc
Medium | 30 days | Report only | Backlog prioritization
Low | 90 days | SBOM attach | No exception needed
🔒 Security
Never waive Critical findings without expiry date and compensating control documented. Waivers without TTL become permanent vulnerabilities.
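Added example (not from the cheat sheet): a Python CI gate that applies the severity matrix above to Trivy JSON output and honours a waiver only while it carries an unexpired ISO date and a documented compensating control. The waiver record format, the sample report and its placeholder ids are assumptions.

```python
import json
from datetime import date

# Severity response matrix from the sheet: severity -> (SLA days, pipeline action)
MATRIX = {
    "CRITICAL": (1, "fail"),   # 24h: fail build (--exit-code 1)
    "HIGH": (7, "warn"),       # warn + auto-create ticket
    "MEDIUM": (30, "report"),  # report only
    "LOW": (90, "report"),     # SBOM attach, no exception needed
}

def active_waivers(waivers, today):
    """Ids of waivers still in force: an ISO expiry date that has not passed AND a
    documented compensating control. Anything else is ignored, so no waiver can
    silently become permanent. Waiver record format is an assumption."""
    today_d = date.fromisoformat(today)
    valid = set()
    for w in waivers:
        if not w.get("expires") or not w.get("control"):
            continue
        if date.fromisoformat(w["expires"]) >= today_d:
            valid.add(w["id"])
    return valid

def evaluate(report, waivers, today):
    """Apply the matrix to a Trivy JSON report (trivy image -f json). Returns
    (action, findings): action is 'fail', 'warn' or 'pass'; findings lists (id, severity, outcome)."""
    waived = active_waivers(waivers, today)
    findings, actions = [], set()
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v["Severity"].upper()
            if sev not in MATRIX:
                continue
            if v["VulnerabilityID"] in waived:
                findings.append((v["VulnerabilityID"], sev, "waived"))
                continue
            action = MATRIX[sev][1]
            findings.append((v["VulnerabilityID"], sev, action))
            actions.add(action)
    if "fail" in actions:
        return "fail", findings
    if "warn" in actions:
        return "warn", findings
    return "pass", findings

def exit_code(action):
    """Only 'fail' blocks the pipeline, matching --exit-code 1 semantics."""
    return 1 if action == "fail" else 0

# Constructed sample Trivy output (placeholder ids, not real CVEs)
SAMPLE_REPORT = json.loads('{"Results": [{"Target": "myapp:dev", "Vulnerabilities": ['
    '{"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL"},'
    '{"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH"},'
    '{"VulnerabilityID": "CVE-0000-0003", "Severity": "LOW"}]}]}')
```

Wire it as `raise SystemExit(exit_code(action))` after the Trivy step so a Critical finding without a valid waiver fails the job while High findings only warn.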
GitHub Actions quick flags
Flag / syntax | Purpose
if: always() | Run step even when job fails (metrics upload)
needs: [job-a] | DAG dependencies between jobs
environment: production | Approval gate + secrets scope
concurrency: { group: deploy, cancel-in-progress: true } | Cancel in-progress duplicate deploys (group alone only serialises them)
permissions: id-token: write | OIDC for AWS/GCP without static keys
GitLab CI quick reference
# Stages run in order; jobs in the same stage run in parallel
stages: [test, scan, build, deploy]
# Cache between pipelines
cache:
  key: $CI_COMMIT_REF_SLUG
  paths: [node_modules/, .venv/]
# Rules replace only/except (belongs under a job, or under workflow: for the whole pipeline)
rules:
  - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# Protected environments need Maintainer to deploy
deploy:prod:
  environment: production
  when: manual
Supply chain one-liners
Task | Command
SBOM from image | syft packages IMAGE -o spdx-json
Attest provenance | cosign attest --predicate provenance.json IMAGE
Verify in cluster | Kyverno verifyImages + cosign keyless
Pin action SHA | uses: actions/checkout@b4ffde65... not @v4
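Added example (not from the cheat sheet) for the "Pin action SHA" rule: a checker that flags every uses: reference in a workflow file that floats on a tag or branch instead of a full commit SHA (or an image digest for docker:// actions). The sample workflow, its 40-hex SHA and the regexes are constructed here, not taken from any project.

```python
import re

# "uses: <ref>" with optional quotes; the trailing "# v4" comment is where teams
# record the human-readable tag of a pinned SHA.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
DIGEST_RE = re.compile(r'^sha256:[0-9a-f]{64}$')

def is_pinned(ref):
    """True when the reference is immutable: a 40-hex commit SHA for owner/repo
    actions, or a sha256 digest for docker:// actions. Local actions (./path)
    carry no ref and are versioned by the repo itself, so they count as pinned."""
    if ref.startswith("./"):
        return True
    if "@" not in ref:
        return False          # bare tag/branch or docker image without a digest
    target, _, version = ref.rpartition("@")
    if target.startswith("docker://"):
        return bool(DIGEST_RE.match(version))
    return bool(SHA_RE.match(version))

def find_unpinned(workflow_text):
    """Return [(line_no, ref)] for every uses: entry that is not pinned."""
    unpinned = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            unpinned.append((no, m.group(1)))
    return unpinned

# Constructed sample workflow; the checkout SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - run: make lint test scan
"""

if __name__ == "__main__":
    for no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {no}: {ref} is not pinned to a commit SHA or digest")
```

Run it over `.github/workflows/*.yml` in the lint stage and fail the job when the list is non-empty.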
🎯 Interview Tip
Memorize the promote flow: build → scan → sign → staging → E2E → manual/auto prod with same digest. Mention cosign verify, SARIF gates, and deployment markers for rollback correlation.
Developer — extended commands
Task | Command | Notes
Install pre-commit | pip install pre-commit && pre-commit install | Hooks run on git commit
Run single hook | pre-commit run gitleaks --all-files | Debug one hook
Docker build no cache | docker build --no-cache -t app:test . | Reproduce CI image build
Compose up CI parity | docker compose -f compose.ci.yml up --abort-on-container-exit | Local integration
kubectl ctx switch | kubectl config use-context staging | Avoid wrong cluster deploy
Watch rollout | kubectl rollout status deploy/api -w | Wait for preview ready
Helm diff | helm diff upgrade api ./chart -f values.yaml | PR review for chart changes
ArgoCD login | argocd login argocd.example.com --sso | GitOps CLI
gh pr view | gh pr view --web | Open PR in browser
git bisect start | git bisect start; git bisect bad; git bisect good v1.2 | Find breaking commit
DevOps — extended commands
Task | Command | Notes
Terraform fmt check | terraform fmt -check -recursive | CI formatting gate
Terraform validate | terraform validate | After init in CI
Ansible check | ansible-playbook site.yml --check | Dry-run changes
Pulumi preview | pulumi preview --diff | PR comment with diff
crane digest | crane digest REGISTRY/image:tag | Get sha256 for promotion
cosign download | cosign download signature IMAGE > sig.blob | Debug verify failure
kubectl top | kubectl top pods -n prod --sort-by=cpu | Post-deploy resource check
stern logs | stern api -n prod --since 15m | Multi-pod log tail
k9s | k9s -n prod | Interactive cluster UI
velero backup | velero backup create pre-deploy-$(date +%s) --include-namespaces prod | Pre-change snapshot
Security — extended commands
Task | Command | Notes
Nuclei scan | nuclei -u https://staging.example.com -t cves/ | DAST quick sweep
ZAP baseline | docker run owasp/zap2docker-stable zap-baseline.py -t URL | CI DAST gate
Snyk test | snyk test --severity-threshold=high | SCA in pipeline
pip-audit | pip-audit -r requirements.txt | Python dep vulns
npm audit | npm audit --audit-level=high | Node dep vulns
dockle lint | dockle --exit-code 1 IMAGE | Dockerfile best practices
hadolint | hadolint Dockerfile | Lint Dockerfile in CI
kube-bench | kube-bench run --targets node | CIS K8s benchmark
kube-hunter | kube-hunter --remote ARGOCD_URL | Passive K8s pentest
Falco rule test | falco --dry-run -r custom-rules.yaml | Validate runtime rules
Workflow snippets
# Emergency prod rollback (GitOps)
git revert HEAD --no-edit && git push
argocd app sync api-prod --prune --timeout 600
kubectl rollout status deploy/api -n production
# Verify cosign signature before deploy
cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com IMAGE@DIGEST
# Export pipeline metrics (Pushgateway)
echo "ci_build_duration_seconds{repo=\"org/api\"} 245" | curl --data-binary @- http://pushgateway:9091/metrics/job/ci
Tooling matrix
Tool | CLI | Primary use
GitHub CLI | gh | pr, run, workflow, secret
GitLab CLI | glab | ci, mr, release
Cosign | cosign | sign, verify, attest
Trivy | trivy | fs, image, config, sbom
Semgrep | semgrep | scan, ci, test
Syft | syft | packages, attest
Grype | grype | sbom:, dir:
Gitleaks | gitleaks | detect, protect
Checkov | checkov | -d terraform/
Conftest | conftest | test -p policy/
Kyverno | kyverno | apply, test
OPA | opa | eval, test, run
Helm | helm | upgrade, rollback, diff
Kustomize | kubectl kustomize | build overlays/
ArgoCD | argocd | app sync, diff, rollback
Terraform | terraform | plan, apply, import
Crane | crane | copy, digest, ls
Stern | stern | multi-pod logs
Kubectx | kubectx | switch context fast
Vault | vault | kv, login, policy
Dockerfile hardening checklist
Rule | Dockerfile | Scanner
Non-root USER | USER 10001 | Dockle, Trivy config
No secrets in ENV | Use runtime injection | Gitleaks, Trivy secret
Pinned base digest | FROM node@sha256:... | Renovate bot
Minimal base | distroless or alpine | Image size + CVE count
Multi-stage build | Separate build and runtime | Smaller attack surface