๐Ÿ›ก๏ธ 7-Layer Unified Security Model

A comprehensive security strategy requires defense at every layer

7
Security Layers
48
ShipGuard Rules
6
Language Stacks
4
Severity Levels

Layer 7: Observability & Incident Response (RUNTIME)

Detect and respond to security incidents in production

- SIEM (Splunk, ELK)
- Alerting (PagerDuty)
- Monitoring (Datadog)
- Logging & audit
Stage: Production
ShipGuard: No direct coverage (runtime phase)

Layer 6: Supply Chain Integrity (BUILD & DEPLOY)

Ensure build artifacts and dependencies are properly pinned and trustworthy

- Pinned container images
- Locked dependencies
- Artifact signing (Sigstore)
- Image scanning
Stage: CI/CD & Deployment
ShipGuard: SC-001..SC-004 (Docker pinning, dependency pinning, lockfile safety, .gitignore baseline)
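
A minimal static check for the "pinned container images" control above, in the spirit of the SC-001 Docker pinning rule. This is an added example written for this page, not ShipGuard's own implementation; the `Finding` type, the messages and the sample Dockerfile are constructed, and the check treats only a sha256 digest as a pin, since tags (including version tags) are mutable.

```python
# Added example, not ShipGuard code: flag Dockerfile FROM lines that pull a base
# image by a mutable tag (or no tag) instead of an immutable sha256 digest.
import re
from typing import List, NamedTuple, Optional

# FROM line: optional --platform flag, image reference, optional "AS <alias>".
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$", re.I)

Finding = NamedTuple("Finding", [("line", int), ("ref", str), ("reason", str)])

def check_image_ref(ref: str) -> Optional[str]:
    """Return why an image reference is not immutably pinned, or None if it is."""
    if ref.startswith("$"):
        return "base image comes from a build ARG; pin the ARG default by digest"
    if "@sha256:" in ref:
        digest = ref.split("@sha256:", 1)[1]
        return None if re.fullmatch(r"[0-9a-f]{64}", digest) else "malformed sha256 digest"
    # The tag is after the last ':' in the final path segment, so a registry
    # port such as localhost:5000/app is not mistaken for a tag.
    name_part = ref.rsplit("/", 1)[-1]
    if ":" not in name_part:
        return "no tag or digest; resolves to the mutable 'latest' tag"
    tag = name_part.rsplit(":", 1)[1]
    return f"tag '{tag}' is mutable; pin by digest"

def scan_dockerfile(text: str) -> List[Finding]:
    """Report every FROM that pulls an image without a digest; stage aliases are skipped."""
    stages, findings = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group("ref"), m.group("alias")
        if ref not in stages:          # FROM <earlier stage> is not an external pull
            reason = check_image_ref(ref)
            if reason:
                findings.append(Finding(lineno, ref, reason))
        if alias:
            stages.add(alias)
    return findings

# Constructed sample: lines 1 and 5 should be flagged, 2 is digest-pinned, 4 is a stage.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim AS builder
FROM python:3.12-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=builder /app /app
FROM builder
FROM ubuntu
"""
```

Running `scan_dockerfile(SAMPLE_DOCKERFILE)` returns findings for lines 1 and 5 only; the digest-pinned image and the `FROM builder` stage reference pass.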

Layer 5: DAST (Dynamic Testing) (TESTING)

Find runtime vulnerabilities by testing the running application

- OWASP ZAP
- Burp Suite
- API fuzzing
- Penetration testing
Stage: Testing/Staging
ShipGuard: No direct coverage (requires a running app)

Layer 4: AI Reasoning (REVIEW)

Use semantic understanding and architectural knowledge to find complex vulnerabilities

- Claude / GPT-4
- Human architects
- Threat modeling
- Authorization review
Stage: Code Review
ShipGuard: No direct coverage (manual process)

Layer 3: SAST (Static Analysis) (PRIMARY)

Find code vulnerabilities without executing the application

- Command injection
- Path traversal
- SQL injection
- XXE attacks
- Weak crypto
- Unsafe deserialization
Stage: Development
ShipGuard: 34 SAST rules (SHELL-001..009, PY-001..009, JS-001..008, GHA-001..005, CFG-001..003)

Layer 2: Secrets Management (PREVENTION)

Prevent hardcoded credentials and tokens from being committed

- AWS keys
- GCP tokens
- GitHub tokens
- DB passwords
Stage: Git & Pre-commit
ShipGuard: SEC-001..SEC-010 (cloud/API credential and token patterns)

Layer 1: Dependencies (SUPPLY CHAIN)

Detect vulnerable or compromised dependencies before they reach production

- pip-audit
- npm audit
- osv-scanner
- Snyk
Stage: Package Selection
ShipGuard: No direct coverage (use external tools)

ShipGuard Coverage

ShipGuard provides primary coverage for Layers 3, 2, and 6:

- Layer 3 (SAST): 34 rules across Shell, Python, JavaScript, GitHub Actions, and config files
- Layer 2 (Secrets): 10 rules (SEC-001..SEC-010) for cloud/API credentials and tokens
- Layer 6 (Supply Chain): 4 rules (SC-001..SC-004) for Docker images, dependency pinning, lockfiles, and .gitignore baselines
- Other layers (1, 4, 5, 7): use external tools or manual processes