devsecops-platform/model/GOLDEN_PATH_CHECKLIST.md
Commit 9d4d5c7 (verified): refactor: merged structure - model at center, DevSecOps wrapped around it
# Microservice Golden Path Checklist
## Pre-Deployment
- [ ] Service name follows naming convention: lowercase-hyphenated
- [ ] Dockerfile uses multi-stage build + distroless base
- [ ] Image is signed with Cosign
- [ ] SBOM is generated and attested
- [ ] All security scans pass (Trivy, Semgrep, Checkov)
- [ ] Health endpoints: /healthz (liveness) + /readyz (readiness)
- [ ] Graceful shutdown handles SIGTERM
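Added example, not code from this repository: a minimal Go service that implements the health-endpoint, SIGTERM and structured-logging items together. `/healthz` only says the process is alive; `/readyz` is a drain switch that is flipped to 503 when SIGTERM arrives, so the pod leaves the endpoint set before the listener closes. Assumptions (hypothetical): the service listens on `:8080`, has no downstream dependency to check for readiness, and a 5 s propagation wait plus a 25 s shutdown budget fit inside the default 30 s `terminationGracePeriodSeconds`.

```go
package main

import (
	"context"
	"errors"
	"log/slog"
	"net/http"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
	"time"
)

// Readiness is the switch behind /readyz. It starts false (pod not yet in
// the endpoint set) and is flipped back to false on SIGTERM so the kubelet
// pulls the pod out of rotation before the listener stops accepting.
type Readiness struct{ ready atomic.Bool }

func (r *Readiness) Set(v bool) { r.ready.Store(v) }
func (r *Readiness) Ready() bool { return r.ready.Load() }

// NewMux registers the two probe endpoints from the checklist.
// Assumption: this hypothetical service has no downstream dependency to
// verify, so readiness is purely the drain switch.
func NewMux(r *Readiness) *http.ServeMux {
	mux := http.NewServeMux()
	// Liveness answers "is the process alive"; keep dependency checks out of
	// it so a flaky downstream does not make the kubelet restart a healthy pod.
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte("ok\n"))
	})
	// Readiness answers "should traffic be routed here"; 503 while draining.
	mux.HandleFunc("/readyz", func(w http.ResponseWriter, _ *http.Request) {
		if !r.Ready() {
			http.Error(w, "draining", http.StatusServiceUnavailable)
			return
		}
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte("ready\n"))
	})
	return mux
}

// Drain is the SIGTERM sequence: fail readiness, wait for the endpoint
// change to propagate to kube-proxy and ingress, then stop accepting new
// connections and let in-flight requests finish (bounded by ctx).
func Drain(ctx context.Context, srv *http.Server, r *Readiness, propagation time.Duration, log *slog.Logger) error {
	r.Set(false)
	log.Info("readiness set to false, draining", "propagation_wait", propagation.String())
	select {
	case <-time.After(propagation):
	case <-ctx.Done():
	}
	return srv.Shutdown(ctx)
}

func main() {
	// Structured JSON logging to stdout, one object per line.
	log := slog.New(slog.NewJSONHandler(os.Stdout, nil))
	ready := &Readiness{}
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           NewMux(ready),
		ReadHeaderTimeout: 5 * time.Second,
	}

	// ctx is cancelled on SIGTERM (what the kubelet sends) or Ctrl-C locally.
	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGTERM, os.Interrupt)
	defer stop()

	go func() {
		ready.Set(true)
		log.Info("listening", "addr", srv.Addr)
		if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
			log.Error("server failed", "err", err.Error())
			os.Exit(1)
		}
	}()

	<-ctx.Done()
	stop()
	// Stay inside the pod's terminationGracePeriodSeconds (30s by default).
	shutdownCtx, cancel := context.WithTimeout(context.Background(), 25*time.Second)
	defer cancel()
	if err := Drain(shutdownCtx, srv, ready, 5*time.Second, log); err != nil {
		log.Error("graceful shutdown failed", "err", err.Error())
		os.Exit(1)
	}
	log.Info("shutdown complete")
}
```

The propagation wait matters more than the shutdown itself: if the listener closes the instant SIGTERM lands, kube-proxy and the ingress still route new connections to the pod for a few seconds and those fail, even though `Shutdown` would have finished in-flight work cleanly.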
## Kubernetes
- [ ] Resource requests AND limits defined
- [ ] runAsNonRoot: true + readOnlyRootFilesystem: true
- [ ] capabilities.drop: ["ALL"]
- [ ] Probes configured (liveness + readiness)
- [ ] PDB created (minAvailable >= 2)
- [ ] HPA configured
- [ ] NetworkPolicy: default deny + selective allow
- [ ] Secrets from External Secrets Operator (not hardcoded)
- [ ] automountServiceAccountToken: false (unless needed)
- [ ] TopologySpreadConstraints for multi-AZ
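Added example, not the repository's own tooling: a stdlib-only Go check that reads a Deployment manifest as JSON (the API server accepts JSON as well as YAML) and reports which of the container-level items above are missing: requests and limits, `runAsNonRoot`, `readOnlyRootFilesystem`, `capabilities.drop: ["ALL"]`, both probes, and `automountServiceAccountToken: false`. It runs over a constructed weak manifest and its hardened counterpart; both manifests, the service name and the image reference are made up for the example. PDB, HPA, NetworkPolicy, External Secrets and TopologySpreadConstraints are separate objects or fields it does not cover.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample manifests (not from the repo). WeakDeployment misses most
// of the checklist; HardenedDeployment is the same service with it applied.
const WeakDeployment = `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"orders"},
 "spec":{"template":{"spec":{"containers":[{"name":"orders","image":"registry.example.internal/orders:1.0.0",
   "resources":{"requests":{"cpu":"100m","memory":"128Mi"}},
   "securityContext":{"capabilities":{"drop":["NET_RAW"]}}}]}}}}`

const HardenedDeployment = `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"orders"},
 "spec":{"template":{"spec":{
   "automountServiceAccountToken":false,
   "securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},
   "containers":[{"name":"orders","image":"registry.example.internal/orders:1.0.0",
     "resources":{"requests":{"cpu":"100m","memory":"128Mi"},"limits":{"cpu":"500m","memory":"256Mi"}},
     "securityContext":{"runAsNonRoot":true,"readOnlyRootFilesystem":true,
       "allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},
     "livenessProbe":{"httpGet":{"path":"/healthz","port":8080}},
     "readinessProbe":{"httpGet":{"path":"/readyz","port":8080}}}]}}}}`

// get walks nested JSON objects by key and returns nil when any step is missing.
func get(v any, keys ...string) any {
	for _, k := range keys {
		obj, ok := v.(map[string]any)
		if !ok {
			return nil
		}
		if v, ok = obj[k]; !ok {
			return nil
		}
	}
	return v
}

func isTrue(v any) bool  { b, ok := v.(bool); return ok && b }
func isFalse(v any) bool { b, ok := v.(bool); return ok && !b }

// dropsAll reports whether a capabilities.drop list contains "ALL".
func dropsAll(v any) bool {
	list, _ := v.([]any)
	for _, item := range list {
		if s, ok := item.(string); ok && s == "ALL" {
			return true
		}
	}
	return false
}

// CheckDeployment returns one message per checklist violation found in the
// Deployment's pod template; an empty slice means the manifest passes.
func CheckDeployment(manifest []byte) ([]string, error) {
	var obj map[string]any
	if err := json.Unmarshal(manifest, &obj); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	pod := get(obj, "spec", "template", "spec")
	if pod == nil {
		return nil, fmt.Errorf("spec.template.spec missing: not a workload manifest")
	}
	var out []string
	// The API default is true, so the field must be set to false explicitly.
	if !isFalse(get(pod, "automountServiceAccountToken")) {
		out = append(out, "pod: automountServiceAccountToken must be false")
	}
	containers, _ := get(pod, "containers").([]any)
	if len(containers) == 0 {
		out = append(out, "pod: no containers defined")
	}
	for _, c := range containers {
		name, _ := get(c, "name").(string)
		for _, kind := range []string{"requests", "limits"} {
			for _, res := range []string{"cpu", "memory"} {
				if get(c, "resources", kind, res) == nil {
					out = append(out, fmt.Sprintf("%s: resources.%s.%s missing", name, kind, res))
				}
			}
		}
		sc := get(c, "securityContext")
		// runAsNonRoot may be set at pod or container level; either satisfies it.
		if !isTrue(get(sc, "runAsNonRoot")) && !isTrue(get(pod, "securityContext", "runAsNonRoot")) {
			out = append(out, name+": securityContext.runAsNonRoot must be true")
		}
		if !isTrue(get(sc, "readOnlyRootFilesystem")) {
			out = append(out, name+": securityContext.readOnlyRootFilesystem must be true")
		}
		if !dropsAll(get(sc, "capabilities", "drop")) {
			out = append(out, name+`: securityContext.capabilities.drop must include "ALL"`)
		}
		for _, probe := range []string{"livenessProbe", "readinessProbe"} {
			if get(c, probe) == nil {
				out = append(out, name+": "+probe+" missing")
			}
		}
	}
	return out, nil
}

func main() {
	for label, m := range map[string]string{"weak": WeakDeployment, "hardened": HardenedDeployment} {
		violations, err := CheckDeployment([]byte(m))
		fmt.Printf("%s: %d violation(s), err=%v\n", label, len(violations), err)
		for _, v := range violations {
			fmt.Println("  -", v)
		}
	}
}
```

The weak manifest produces eight findings (missing limits for cpu and memory, the three securityContext items, both probes, and the service-account token mount); the hardened one produces none. A check like this is a pre-merge gate for the overlays, not a replacement for an admission policy in the cluster, which is what actually stops a non-conforming manifest from being applied.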
## Observability
- [ ] Prometheus metrics endpoint exposed
- [ ] Structured JSON logging
- [ ] OpenTelemetry traces emitted
- [ ] Dashboard exists in Grafana
- [ ] Alert rules defined in Prometheus
## CI/CD
- [ ] DevSecOps pipeline passes (SAST + scan + sign + test)
- [ ] ArgoCD application manifest created
- [ ] Kustomize overlay for each environment