# DevSecOps SDLC for IaC with ThothCTL

## Overview

This guide demonstrates how ThothCTL enables a complete DevSecOps Software Development Lifecycle (SDLC) for Infrastructure as Code, from planning to production deployment.

## The DevSecOps SDLC Phases
```mermaid
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#3f51b5','primaryTextColor':'#ffffff','primaryBorderColor':'#303f9f','lineColor':'#536dfe','secondaryColor':'#536dfe','tertiaryColor':'#fff','background':'transparent','mainBkg':'#3f51b5','secondBkg':'#536dfe','tertiaryBkg':'#90caf9','textColor':'#ffffff','nodeTextColor':'#ffffff','fontSize':'14px'}}}%%
graph TB
    A["Plan<br/>📋 Cost Estimation<br/>Risk Assessment<br/>Template Selection"] --> B["Develop<br/>💻 Environment Check<br/>Structure Validation<br/>Best Practices"]
    B --> C["Build<br/>🔨 Inventory Creation<br/>Dependency Tracking<br/>Version Management"]
    C --> D["Test<br/>✅ Plan Validation<br/>Blast Radius<br/>Change Impact"]
    D --> E["Secure<br/>🔒 Security Scanning<br/>Compliance Check<br/>Vulnerability Detection"]
    E --> F["Deploy<br/>🚀 Pre-Deploy Checks<br/>Risk Mitigation<br/>Approval Gates"]
    F --> G["Operate<br/>🔧 Config Management<br/>Project Updates<br/>Documentation"]
    G --> H["Monitor<br/>📊 Dashboard<br/>Continuous Scan<br/>Drift Detection"]
    H --> A

    classDef planStyle fill:#01579b,stroke:#0288d1,stroke-width:2px,color:#ffffff
    classDef devStyle fill:#1b5e20,stroke:#2e7d32,stroke-width:2px,color:#ffffff
    classDef buildStyle fill:#e65100,stroke:#ef6c00,stroke-width:2px,color:#ffffff
    classDef testStyle fill:#4a148c,stroke:#6a1b9a,stroke-width:2px,color:#ffffff
    classDef secureStyle fill:#b71c1c,stroke:#c62828,stroke-width:2px,color:#ffffff
    classDef deployStyle fill:#004d40,stroke:#00695c,stroke-width:2px,color:#ffffff
    classDef operateStyle fill:#880e4f,stroke:#ad1457,stroke-width:2px,color:#ffffff
    classDef monitorStyle fill:#33691e,stroke:#558b2f,stroke-width:2px,color:#ffffff

    class A planStyle
    class B devStyle
    class C buildStyle
    class D testStyle
    class E secureStyle
    class F deployStyle
    class G operateStyle
    class H monitorStyle
```
## ThothCTL Coverage by Phase

| Phase | DevSecOps Practices | ThothCTL Commands |
|---|---|---|
| Plan | Cost estimation, Risk assessment, Template selection | `init project`, `check iac --type cost-analysis` |
| Develop | Environment validation, Structure enforcement, Standards | `check environment`, `check iac --type structure` |
| Build | Dependency management, Version tracking, Inventory | `inventory iac --check-versions` |
| Test | Plan validation, Impact analysis, Change assessment | `check iac --type plan`, `check iac --type blast-radius` |
| Secure | Security scanning, Compliance validation, CVE detection | `scan iac --tool checkov/trivy/opa` |
| Deploy | Pre-deployment validation, Risk gates, Approval workflow | `check iac --type all` |
| Operate | Configuration management, Updates, Documentation | `project upgrade`, `document iac` |
| Monitor | Continuous monitoring, Drift detection, Dashboards | `dashboard launch`, scheduled scans |
## Phase 1: Plan 📋

### Objective

Define infrastructure requirements, estimate costs, and assess risks before writing code.

### ThothCTL Commands

#### 1.1 Initialize Project Space

```bash
# Create a new space for your organization/team
thothctl init space --name production \
    --vcs github \
    --ci-system github-actions
```

What it does:

- Sets up organizational structure
- Configures VCS integration
- Establishes CI/CD pipelines

#### 1.2 Initialize Project

```bash
# Create new IaC project from template
thothctl init project --name my-infrastructure \
    --template terraform-aws \
    --space production
```

What it does:

- Scaffolds project structure
- Applies best practices
- Sets up configuration files

#### 1.3 Cost Estimation (Before Writing Code)

```bash
# Estimate costs from Terraform plan
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
thothctl check iac --type cost-analysis --plan-file tfplan.json
```

Output:

- Monthly/annual cost projections
- Service-by-service breakdown
- Optimization recommendations
- Budget alerts
## Phase 2: Develop 💻

### Objective

Write IaC code following best practices and organizational standards.

### ThothCTL Commands

#### 2.1 Check Environment Setup

Validates:

- Terraform/OpenTofu/Terragrunt
- Security scanners (Checkov, Trivy, KICS)
- Documentation tools
- Version control

#### 2.2 Validate Project Structure

Checks:

- Directory structure
- File naming conventions
- Required files (README, .gitignore)
- Configuration standards

#### 2.3 Generate Documentation

Creates:

- README.md with module descriptions
- Input/output documentation
- Dependency graphs
- Architecture diagrams
## Phase 3: Build 🔨

### Objective

Create infrastructure inventory and validate dependencies.

### ThothCTL Commands

#### 3.1 Create Infrastructure Inventory

Generates:

- Component catalog
- Module dependencies
- Provider versions
- Compatibility matrix

#### 3.2 Check for Updates

```bash
# Identify outdated modules and providers
thothctl inventory iac --check-versions --report-type html
```

Provides:

- Latest available versions
- Breaking changes warnings
- Update recommendations
- Security advisories
## Phase 4: Test ✅

### Objective

Validate infrastructure changes before deployment.

### ThothCTL Commands

#### 4.1 Terraform Plan Validation

```bash
# Validate Terraform plan
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
thothctl check iac --type plan --plan-file tfplan.json
```

Validates:

- Resource changes
- Dependency order
- Configuration syntax
- State consistency

#### 4.2 Blast Radius Assessment

Analyzes:

- Affected resources
- Change propagation
- Risk levels (Low/Medium/High/Critical)
- Rollback complexity
- Mitigation strategies
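To make the blast-radius idea concrete, here is an added, self-contained illustration of what such an assessment does with the `tfplan.json` produced above. It is not ThothCTL's implementation: it walks the `resource_changes` array that `terraform show -json` emits, scores each change by its action set, and rolls the scores up into the Low/Medium/High/Critical scale with a rough rollback-complexity estimate. The action weights, the stateful-resource list, the thresholds and the sample plan are all assumptions made for this example.

```python
"""Illustrative blast-radius assessment over a Terraform plan JSON.

Added example, not ThothCTL code. Reads the `resource_changes` array from
`terraform show -json` output, classifies each change by its action set and
rolls the result up into a risk level. Weights and thresholds are assumptions.
"""
import json

# Risk weight per action set (assumed values, not ThothCTL's scoring).
# Terraform reports a replacement as two actions, in either order.
ACTION_WEIGHTS = {
    ("no-op",): 0,
    ("read",): 0,
    ("create",): 1,
    ("update",): 2,
    ("delete", "create"): 3,   # replace: destroy then create
    ("create", "delete"): 3,   # replace: create before destroy
    ("delete",): 4,
}

# Resource types whose destruction can mean data loss (assumed list).
STATEFUL_TYPES = {"aws_db_instance", "aws_rds_cluster", "aws_s3_bucket",
                  "aws_dynamodb_table", "aws_ebs_volume"}


def classify_change(rc):
    """Return (address, action label, weight) for one resource_changes entry."""
    actions = tuple(rc["change"]["actions"])
    weight = ACTION_WEIGHTS.get(actions, 2)   # unknown action sets count as an update
    if weight >= 3 and rc["type"] in STATEFUL_TYPES:
        weight += 2                           # destroying stateful resources is worse
    label = "replace" if set(actions) == {"create", "delete"} else actions[0]
    return rc["address"], label, weight


def risk_level(score):
    """Map an aggregate score onto the Low/Medium/High/Critical scale (assumed cut-offs)."""
    if score <= 2:
        return "Low"
    if score <= 5:
        return "Medium"
    if score <= 10:
        return "High"
    return "Critical"


def assess_blast_radius(plan_json):
    """Summarise affected resources, overall risk and rollback complexity for a plan."""
    plan = json.loads(plan_json)
    affected, score = [], 0
    for rc in plan.get("resource_changes", []):
        address, label, weight = classify_change(rc)
        if weight == 0:
            continue                          # no-op and read change nothing
        affected.append((address, label, weight))
        score += weight
    # Rollback gets harder with every destructive change (assumed heuristic).
    destructive = sum(1 for _, label, _ in affected if label in ("delete", "replace"))
    rollback = "simple" if destructive == 0 else "manual" if destructive < 3 else "complex"
    return {
        "affected": affected,
        "score": score,
        "risk_level": risk_level(score),
        "rollback_complexity": rollback,
    }


# Constructed sample plan in the `terraform show -json` layout, trimmed to the
# fields used here; addresses and types are made up for the example.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"]}},
        {"address": "aws_instance.web[0]", "type": "aws_instance",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["delete"]}},
        {"address": "aws_iam_role.app", "type": "aws_iam_role",
         "change": {"actions": ["no-op"]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"]}},
    ],
})

if __name__ == "__main__":
    result = assess_blast_radius(SAMPLE_PLAN)
    print(f"Risk level: {result['risk_level']} (score {result['score']})")
    print(f"Rollback complexity: {result['rollback_complexity']}")
    for address, label, weight in result["affected"]:
        print(f"  {weight:>2}  {label:<8} {address}")
```

On the sample plan the deleted `aws_db_instance` dominates the score, which is the point of a blast-radius check: a plan with a handful of changes can still be Critical when one of them destroys state. A real `tfplan.json` can be fed in with `assess_blast_radius(open("tfplan.json").read())`.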
## Phase 5: Secure 🔒

### Objective

Identify and remediate security vulnerabilities.

### ThothCTL Commands

#### 5.1 Security Scanning with Checkov

Detects:

- Misconfigurations
- Security vulnerabilities
- Compliance violations
- Best practice deviations

#### 5.2 Scan with Trivy

Finds:

- CVEs in dependencies
- Exposed secrets
- Insecure configurations
- License issues

Checks:

- AWS/Azure/GCP security
- Encryption settings
- Network exposure
- IAM policies

#### 5.4 Compliance Testing

```bash
# Policy-as-code validation
thothctl scan iac --tool terraform-compliance \
    --feature-path ./compliance/
```

Validates:

- Regulatory compliance (SOC2, HIPAA, PCI-DSS)
- Organizational policies
- Tagging standards
- Naming conventions
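The tagging-standard and naming-convention checks listed above are the kind of organisational policy that policy-as-code tooling evaluates against the planned state. The following added example (not terraform-compliance's or ThothCTL's code) shows the mechanism on the same `tfplan.json`: it reads the planned `after` attributes of each resource, requires a set of tags, constrains the `Environment` tag to known values, and applies a naming pattern. The required tags, allowed environments, naming regex and sample plan are assumptions chosen for illustration.

```python
"""Illustrative policy-as-code check over a Terraform plan JSON.

Added example, not terraform-compliance or ThothCTL code. Applies assumed
organisational policies (required tags, allowed environments, naming pattern)
to the planned `after` state of every resource in `terraform show -json` output.
"""
import json
import re
import sys

REQUIRED_TAGS = {"Owner", "Environment", "CostCenter"}    # assumed tagging standard
ALLOWED_ENVIRONMENTS = {"dev", "staging", "prod"}         # assumed allowed values
NAME_PATTERN = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")    # assumed naming convention


def check_resource(rc):
    """Return the list of policy violations for one resource_changes entry."""
    after = rc["change"].get("after")
    # A resource being destroyed has no planned state, so there is nothing to enforce.
    if rc["change"]["actions"] == ["delete"] or after is None:
        return []
    address = rc["address"]
    violations = []
    # Tag policy applies only to resource types that expose a tags attribute.
    if "tags" in after:
        tags = after.get("tags") or {}
        missing = REQUIRED_TAGS - set(tags)
        if missing:
            violations.append(f"{address}: missing required tags {sorted(missing)}")
        env = tags.get("Environment")
        if env is not None and env not in ALLOWED_ENVIRONMENTS:
            violations.append(
                f"{address}: Environment tag {env!r} not in {sorted(ALLOWED_ENVIRONMENTS)}")
    # Naming policy: check whichever name-like attribute the resource carries.
    name = after.get("name") or after.get("bucket")
    if name is not None and not NAME_PATTERN.match(name):
        violations.append(f"{address}: name {name!r} violates naming convention")
    return violations


def evaluate_plan(plan_json):
    """Run every policy over every planned resource and collect the violations."""
    plan = json.loads(plan_json)
    violations = []
    for rc in plan.get("resource_changes", []):
        violations.extend(check_resource(rc))
    return violations


# Constructed sample plan in the `terraform show -json` layout, trimmed to the
# fields used here; all names, tags and addresses are made up for the example.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "before": None,
                    "after": {"bucket": "acme-prod-logs",
                              "tags": {"Owner": "platform", "Environment": "prod",
                                       "CostCenter": "cc-123"}}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"], "before": None,
                    "after": {"tags": {"Owner": "web-team", "Environment": "production"}}}},
        {"address": "aws_iam_role.app", "type": "aws_iam_role",
         "change": {"actions": ["update"], "before": {"name": "App_Role"},
                    "after": {"name": "App_Role",
                              "tags": {"Owner": "app-team", "Environment": "dev",
                                       "CostCenter": "cc-7"}}}},
        {"address": "aws_db_instance.old", "type": "aws_db_instance",
         "change": {"actions": ["delete"], "before": {"tags": {}}, "after": None}},
    ],
})

if __name__ == "__main__":
    found = evaluate_plan(SAMPLE_PLAN)
    for line in found:
        print("VIOLATION", line)
    # A non-zero exit lets a CI job fail the pipeline on any violation.
    sys.exit(1 if found else 0)
```

Because the script exits non-zero when any violation is found, it can sit in a pipeline step right after `terraform show -json`, the same place the `thothctl scan iac --tool terraform-compliance` step would run.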
## Phase 6: Deploy 🚀

### Objective

Deploy infrastructure safely with proper validation.

### ThothCTL Commands

#### 6.1 Pre-Deployment Checks

Performs:

- Cost analysis
- Blast radius assessment
- Security scanning
- Compliance validation

#### 6.2 Generate Deployment Report

```bash
# Create comprehensive deployment report
thothctl check iac --type blast-radius \
    --plan-file tfplan.json \
    --output deployment-report.html
```

Includes:

- Change summary
- Risk assessment
- Cost impact
- Security findings
- Approval checklist
## Phase 7: Operate 🔧

### Objective

Manage and maintain deployed infrastructure.

### ThothCTL Commands

#### 7.1 Update Project Configuration

Adds:

- ThothCTL configuration
- Metadata tracking
- Version control integration

#### 7.2 Upgrade Project

Updates:

- Template files
- Best practices
- Configuration standards
- Documentation

#### 7.3 Bootstrap Development Environment

Creates:

- Pre-commit hooks
- Git configuration
- IDE settings
- Documentation
## Phase 8: Monitor 📊

### Objective

Track infrastructure health and compliance.

### ThothCTL Commands

#### 8.1 Generate Compliance Dashboard

Displays:

- Security scan results
- Cost analysis
- Blast radius metrics
- Inventory status

#### 8.2 Continuous Monitoring

Tracks:

- Security posture
- Compliance drift
- Cost trends
- Version updates
## Complete Workflow Example

### Scenario: Deploy New AWS Infrastructure

```bash
# 1. PLAN: Initialize project
thothctl init project --name aws-prod --template terraform-aws

# 2. DEVELOP: Check environment
thothctl check environment

# 3. BUILD: Create inventory
thothctl inventory iac --check-versions

# 4. TEST: Validate plan
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
thothctl check iac --type plan --plan-file tfplan.json

# 5. SECURE: Run security scans
thothctl scan iac --tool checkov
thothctl scan iac --tool trivy

# 6. ASSESS: Check blast radius
thothctl check iac --type blast-radius --plan-file tfplan.json

# 7. COST: Estimate expenses
thothctl check iac --type cost-analysis --plan-file tfplan.json

# 8. DEPLOY: Apply changes
terraform apply tfplan.binary

# 9. DOCUMENT: Generate docs
thothctl document iac --recursive

# 10. MONITOR: Launch dashboard
thothctl dashboard launch
```
## CI/CD Integration

### GitHub Actions Example

```yaml
name: IaC DevSecOps Pipeline

on: [pull_request, push]

jobs:
  devsecops:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Setup ThothCTL
        run: pip install thothctl

      - name: Check Environment
        run: thothctl check environment

      - name: Validate Structure
        run: thothctl check iac --type structure

      - name: Create Inventory
        run: thothctl inventory iac --check-versions

      - name: Security Scan
        run: |
          thothctl scan iac --tool checkov
          thothctl scan iac --tool trivy

      - name: Terraform Plan
        run: |
          terraform init
          terraform plan -out=tfplan.binary
          terraform show -json tfplan.binary > tfplan.json

      - name: Blast Radius Assessment
        run: thothctl check iac --type blast-radius --plan-file tfplan.json

      - name: Cost Analysis
        run: thothctl check iac --type cost-analysis --plan-file tfplan.json

      - name: Generate Documentation
        run: thothctl document iac --recursive
```
## Best Practices

### For Beginners

- **Start with templates**: Use `thothctl init project` with templates
- **Check environment first**: Run `thothctl check environment`
- **Use interactive mode**: Add the `--interactive` flag for guidance
- **Review reports**: Always check HTML reports for details
- **Start with soft validation**: Use `--mode soft` initially

### For Professionals

- **Automate everything**: Integrate into CI/CD pipelines
- **Use strict validation**: Apply `--mode hard` for enforcement
- **Track inventory**: Run regular `inventory iac` scans
- **Monitor costs**: Set up cost alerts and budgets
- **Enforce compliance**: Use terraform-compliance policies
- **Version control**: Track all changes with Git
- **Document continuously**: Auto-generate docs on every change
## Key Benefits

| Phase | Without ThothCTL | With ThothCTL |
|---|---|---|
| Plan | Manual cost estimation | Automated cost analysis with AWS pricing |
| Develop | Inconsistent structure | Enforced standards and templates |
| Build | Manual dependency tracking | Automated inventory with version checking |
| Test | Basic terraform validate | Comprehensive plan validation + blast radius |
| Secure | Manual security reviews | Automated multi-tool scanning |
| Deploy | High risk | Risk-assessed with mitigation strategies |
| Operate | Manual updates | Automated upgrade paths |
| Monitor | Scattered metrics | Unified dashboard |
## Next Steps

- **Install ThothCTL**: `pip install thothctl`
- **Initialize your first project**: `thothctl init project`
- **Run your first scan**: `thothctl scan iac --tool checkov`
- **Explore the dashboard**: `thothctl dashboard launch`
- **Read detailed docs**: Visit thothctl.readthedocs.io

## Support

- **Documentation**: https://thothctl.readthedocs.io
- **GitHub**: https://github.com/thothforge/thothctl
- **Issues**: Report bugs or request features