This repository is currently under active development. Features and documentation may change frequently. Please check back later for updates!
This project is an open-source collection of Continuous Integration (CI) pipelines designed to streamline the development of secure and compliant healthcare software. The project provides CI pipeline configurations that enforce current security best practices and compliance standards. Our goal is to enable rapid integration, testing, and delivery of software that meets stringent regulatory requirements while actually improving the security of the software stack.
- Drop-In Pipelines: Ready-to-use workflows for common healthcare software scenarios.
- Compliance as Code: Ensures that every build adheres to predefined regulatory standards.
- Security Checks: Integrates security scanning tools to detect vulnerabilities early.
- Automated Testing: Supports unit, integration, and end-to-end testing.
- Documentation Generation: Automatically generates compliance reports in various formats.
- Notification System: Alerts for build status, security vulnerabilities, and compliance deviations.
- Free: All pipelines are based on freely available tools up to certain usage thresholds.
All pipelines within this repo implement standalone security checks that pass/fail and generate reports. The generic integration pattern looks as follows:
```mermaid
flowchart TB
    Develop[Developer]
    Commit[Push Changes]
    Test[Security Check]
    Report[Certificate]
    Release[Release]
    Pass[Check Passed]
    subgraph SDLC
        start[ ] --> Develop
        Develop --> Commit
        Commit --> Test
        Test --> Pass
        Pass --> Release
        Pass --> Report
    end
    Test -->| Check Failed |Develop
    classDef empty fill:none,stroke-width:0px
    class Pass empty
```
Integration within your project's CI system may differ depending on the platform and code development flow you use.
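As an added illustration of the pass/fail gate in the pattern above (example code written for this page, not a pipeline from the repository), the following Python script evaluates constructed SCA output against a severity policy, emits the report the diagram calls a certificate, and exits non-zero so the CI system routes the failure back to the developer. The JSON shape, severity names and vulnerability IDs are assumptions, not any real scanner's format.

```python
import json

# Constructed sample of what an SCA step might emit for three dependencies.
# Package names, versions and vulnerability IDs are placeholders, not real advisories.
SAMPLE_SCA_OUTPUT = json.dumps({
    "components": [
        {"name": "example-lib", "version": "1.2.3",
         "vulnerabilities": [{"id": "PLACEHOLDER-0001", "severity": "high"}]},
        {"name": "other-lib", "version": "4.0.0",
         "vulnerabilities": [{"id": "PLACEHOLDER-0002", "severity": "low"}]},
        {"name": "clean-lib", "version": "2.0.0", "vulnerabilities": []},
    ]
})

# Policy as code: the highest severity a build may ship with (assumed scale).
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = max(SEVERITY_RANK.values())  # fail closed on unrecognised labels


def evaluate_sca(report_json: str, max_allowed: str = "medium") -> dict:
    """Apply the gate to SCA output and build the report ("certificate")."""
    data = json.loads(report_json)
    threshold = SEVERITY_RANK[max_allowed]
    blocking, accepted = [], []
    for comp in data["components"]:
        for vuln in comp["vulnerabilities"]:
            entry = {"component": f"{comp['name']}@{comp['version']}",
                     "id": vuln["id"], "severity": vuln["severity"]}
            # A severity the policy does not know is treated as the worst case,
            # so a scanner format change cannot silently turn into a pass.
            rank = SEVERITY_RANK.get(str(vuln["severity"]).lower(), UNKNOWN_RANK)
            (blocking if rank > threshold else accepted).append(entry)
    return {
        "policy": {"max_allowed_severity": max_allowed},
        "components_scanned": len(data["components"]),
        "blocking": blocking,
        "accepted": accepted,
        "passed": not blocking,
    }


def main() -> int:
    result = evaluate_sca(SAMPLE_SCA_OUTPUT)
    print(json.dumps(result, indent=2))  # the report artifact for the build
    # A non-zero exit status is what the CI system shows as "Check Failed".
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```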
FDA pre-market cybersecurity guidelines for submission include vulnerability scanning as a requirement. Specifically, the following testing categories:
- Abuse or misuse cases, malformed and unexpected inputs; Robustness and Fuzz testing.
- Attack surface analysis;
- Vulnerability chaining;
- Closed box testing of known vulnerability scanning;
- Software composition analysis of binary executable files; and
- Static and dynamic code analysis, including testing for credentials that are "hardcoded," default, easily guessed, and easily compromised.
In this repository we provide example pipelines that cover multiple categories above, including:
- Software Composition Analysis (SCA) - Static scan, known vulnerability testing.
- API Testing - Dynamic analysis, unknown vulnerability detection, robustness and fuzz testing.
Table of templates:
Scan / CI | GitHub Actions | Bitbucket Pipelines | GitLab CI |
---|---|---|---|
SCA | ✅ | ✅ | |
API Testing | ✅ | ✅ | |
For support, email [email protected] or open an issue in the GitHub repository.
We welcome contributions from the community! Please read CONTRIBUTING.md for details on our code of conduct and the process for submitting pull requests.
This project is licensed under the MIT License - see the LICENSE.md file for details.