Snippets and Reference
Section focus: jump pages, high-signal snippets, and short reusable reference fragments that support deeper pages elsewhere in the KB.
Best use: come here when you already know the topic and want a fast command, checklist, config example, or jump page.
What this section is not
This section is not the main learning path.
Use the larger domain pages when you need context, trade-offs, threat framing, or rollout guidance. Use this section when you need something fast and reusable.
Start with these pages
| Page | Why it exists |
|---|---|
| Git Commit Signing and Image Signing | Short reference page that links signing decisions to CI/CD, image provenance, and admission checks. |
| Kubernetes Baseline Reference | A fast jump page for reviewers who land in snippets but actually need the curated Kubernetes baseline and hardening pages. |
| Modernized GitHub Actions stage pipeline starter | Fast starting point for plan/build/test/deploy modernization without copying old CI examples into production. |
| ZAP AF API + OAST starter | Practical starter for API-first ZAP automation with explicit auth and modern evidence output. |
| Jenkins ZAP AF OpenAPI pipeline | CI example for running a versioned AF plan instead of one-off scanner commands. |
| GitLab SonarQube PR Quality Gate job | Fast starter for MR analysis and quality-gate waiting in GitLab CI. |
| GitHub Actions SonarQube PR Quality Gate workflow | Minimal PR workflow for SonarQube scan plus gate waiting in GitHub Actions. |
| Example sonar-project.properties | Tiny starter file for project metadata, report paths, and optional SARIF import. |
| Express security baseline snippet | Quick starter for headers, rate limits, body limits, sessions, and generic error handling in browser-backed Node.js services. |
| Product Security Policy DOCX starter pack | Downloadable editable Word templates for a lean product-security policy library. |
| Spring Boot SecurityFilterChain and method-security snippet | Quick starter for explicit Boot-first security configuration with deeper service-layer authorization. |
| AWS WAF v2 baseline Web ACL starter | Quick starter for a pragmatic AWS WAF baseline with a login rate limit and core managed rule groups. |
| cert-manager root / CA bootstrap starter | Kubernetes starter for bootstrapping a private CA and issuing short-lived service certificates. |
| trust-manager private CA bundle starter | Quick starter for distributing internal trust bundles across namespaces instead of baking trust into images. |
| Vault PKI bootstrap and issuance starter | Reference shell flow for building a root/intermediate hierarchy and issuing short-lived workload certificates. |
| Namespace PSS labels and Kyverno starter | Quick starter for namespace-level pod hardening and an admission-policy baseline. |
| Restricted pod securityContext starter | Tiny deployment example showing the minimum pod-hardening flags most teams should standardize. |
| Kyverno image verification starter | Starter policy for verifying trusted images before they reach production namespaces. |
| Security release sign-off checklist | Fast checklist for release owners and approvers who need a lightweight evidence-backed gate. |
| GraphQL depth / introspection Apollo starter | Small starter for GraphQL depth controls, disabling open introspection in production, and request-cost hygiene. |
| gRPC Go mTLS and deadlines starter | Minimal gRPC server/client starter showing mTLS, deadlines, and safer stream handling defaults. |
| AWS KMS envelope encryption CLI starter | Practical starter for generating a data key, encrypting payloads, and separating KEK from DEK usage. |
| Azure Key Vault rotation and wrap starter | Quick CLI starter for key rotation policy and wrap/unwrap-style usage in Azure. |
| Advanced pod hardening starter | Example workload showing seccomp, capabilities drop, runtime-default posture, and container hardening flags together. |
| SOX-style Product Security ITGC finding template | Reusable finding template for audit observations around release controls, privileged access, and evidence gaps. |
| Apache HTTP Server hardening starter | Minimal baseline for request limits, TLS, and log controls. |
| NGINX hardening starter | Minimal baseline for TLS, auth, rate limiting, and structured logs. |
| Kafka broker security starter | Broker-side example for SASL_SSL, authorizer, and listener separation. |
| Redis hardening starter | Example baseline for protected mode, ACLs, and TLS-ready posture. |
| MySQL hardening starter | Basic MySQL network, TLS, and audit-ready settings. |
| MariaDB audit starter | Minimal MariaDB audit-plugin configuration example. |
| RabbitMQ hardening starter | Example baseline for TLS listeners, management isolation, and bootstrap credentials. |
| DAM / Immutable Logging / Privileged Session Review Checklist | Small checklist for database evidence, WORM storage, and admin-session oversight. |
| Secrets Anti-Patterns Review Checklist | Fast review list for secret sprawl, long-lived credentials, and backup/key mistakes. |
| mTLS / Service Identity Review Checklist | Quick review prompts for trust domains, issuers, and rotation ownership. |
| Cloud / Kubernetes Runtime Incident Case Tracker | First-hour case template for runtime incidents across Kubernetes and cloud identities. |
| Kubernetes containment decision template | Narrow-vs-broad containment prompt for runtime incidents. |
| Secure build factory control checklist | Short operational checklist for build integrity, provenance, signing, and promotion. |
| All-in-One Security Toolbox Dockerfile | Example container image that bundles several post-build scanners into one reproducible toolbox. |
| GitHub Actions cosign attestation and approval starter | Tiny starter for build, sign, attest, and environment approval stages. |
| Istio strict mTLS and authorization starter | Minimal starter for strict mesh auth and allowed-caller policy. |
| Linkerd cert-manager issuer rotation notes | Fast notes for workload-cert automation and operator-owned issuer lifecycle. |
| Semgrep / CodeQL / SonarQube selection matrix | Tiny decision matrix for choosing analysis roles by need. |
Snippet families in this KB
| Family | Where to browse next |
|---|---|
| CI/CD and quality gates | CI/CD and Software Supply Chain Security |
| SonarQube CI and IDE starters | Application Security and CI/CD and Software Supply Chain Security |
| Node.js and Spring framework starters | Stack-Specific Secure Engineering |
| Policy and governance templates | Governance, Roles, Metrics, and OKR |
| Kubernetes policy starters and workload isolation | Container and Kubernetes Security |
| Browser / web-server headers | Frontend and Browser Security |
| Cloud IAM / Terraform / Vault / SOPS / WAF / PKI / KMS | Infrastructure and Cloud Security |
| Middleware / web / queue / cache / DB hardening | Infrastructure and Cloud Security |
| Audit and finding templates | Compliance and Assurance |
| Secrets / KMS / storage review helpers | Data Security and Privacy Engineering |
| mTLS / service-identity helpers | Identity and Platform Access |
| Detection and IR helpers | Detection and Response |
| Reporting templates and evidence | Worked-Example Leadership Pack |
| Compliance evidence worksheets | Compliance and Assurance |
Discoverability rules used in this KB
A snippet should be easy to find from three directions:
- the domain page that explains the concept;
- the section index that groups related pages;
- this snippet/reference section for quick retrieval.
If a snippet or jump page becomes important often enough, it should eventually gain a full page with:
- an intro;
- typical use cases;
- related pages;
- next-read links.
Best "use with" combinations
- use Git Commit Signing and Image Signing with Signing, Attestation, and Verification - Legacy vs Current
- use Kubernetes Baseline Reference with Kubernetes Security Baseline
- use browser and header snippets with Web-Server Security Controls: HTTPS, CORS, CSP, and HSTS for Apache and Nginx
- use SOPS snippets with Mozilla SOPS - age, KMS, and GitOps Secrets
- use the CCM evidence template with Compliance-to-Engineering Evidence Pass
- use the modernized GitHub Actions stage starter with DevSecOps Stage Map and Modern Pipeline Patterns
- use the namespace PSS / Kyverno starter with Kubernetes Review Map - CKS Domains and Modern Attack Paths
- use the ZAP AF API + OAST starter with OWASP ZAP for APIs, Automation Framework, and OAST - Modern Practice
- use the Jenkins ZAP AF OpenAPI example with OWASP ZAP in the Real World: Tuning, Reports, and Quality Gates
- use the GitLab and GitHub SonarQube CI starters with SonarQube CI, PR Analysis, Quality Gates, and External Issues
- use the sonar-project.properties example with SonarQube Modern Practical Guide - Quality Gates, Security Hotspots, PR Analysis, and Review Workflows
- use the Express baseline snippet with Node.js Server Security - Practical Guide and Review Map
- use the Spring Boot security-chain snippets with Spring Boot and Spring Security โ Practical Guide
Next read
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.