DevSecOps for Swift/Vapor infrastructure. Covers Docker, CI/CD (GitHub Actions), SwiftPM dependency security, secrets management, and supply chain. Use when auditing infrastructure, Dockerfile, CI/CD, or dependencies.
Dependencies:
- Package.resolved committed (lockfile)
- Version ranges in Package.swift, exact pins in Package.resolved

```dockerfile
# Required patterns:
# Pinned version
FROM swift:6.2-jammy AS build
# Deps first (layer cache)
COPY Package.swift Package.resolved ./
RUN swift package resolve
# No Tests in build
COPY Sources ./Sources
RUN swift build -c release --product social-care-s
# Minimal runtime
FROM ubuntu:22.04
# Non-root user (the group must exist before useradd -g can reference it)
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
# Owned by appuser
COPY --from=build --chown=appuser:appgroup ...
# Run as non-root
USER appuser
# Health check defined
HEALTHCHECK ...
```
Checklist:
- Base image version pinned (not :latest)
- .dockerignore excludes .env, .git, .build
- security_opt: [no-new-privileges:true] in compose
- GitHub Actions pinned to a commit SHA (not @main)
- swift test runs BEFORE image push
- .env in .gitignore
- Image tags: sha-<commit>, vX.Y.Z
- :latest only on main, production uses digest
- No print() for logging
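As an added example, not part of this skill file: a small POSIX shell gate that checks a Dockerfile against the Docker points above (pinned base image, no :latest, non-root USER, HEALTHCHECK defined, no Tests copied in). The audit_dockerfile function and both sample Dockerfiles are constructed here for illustration.

```shell
# audit_dockerfile <path>: print one line per finding, return the number of findings.
# Assumes plain "FROM image[:tag|@digest] [AS name]" lines without --platform.
audit_dockerfile() {
  f="$1"; fails=0
  # Base images must be pinned: a digest, or an explicit tag other than :latest
  for img in $(grep -iE '^[[:space:]]*FROM[[:space:]]' "$f" | awk '{print $2}'); do
    case "$img" in
      scratch|*@sha256:*) ;;
      *:latest) echo "FAIL: $img uses :latest"; fails=$((fails+1)) ;;
      *:*) ;;
      *) echo "FAIL: $img has no tag (implicit :latest)"; fails=$((fails+1)) ;;
    esac
  done
  # The last USER instruction (i.e. the runtime stage) must be non-root
  user=$(grep -iE '^[[:space:]]*USER[[:space:]]' "$f" | tail -n 1 | awk '{print $2}')
  case "$user" in
    ""|root|0) echo "FAIL: final stage has no non-root USER"; fails=$((fails+1)) ;;
  esac
  # A HEALTHCHECK must be defined
  grep -qiE '^[[:space:]]*HEALTHCHECK[[:space:]]' "$f" \
    || { echo "FAIL: no HEALTHCHECK"; fails=$((fails+1)); }
  # Test sources must stay out of the image
  grep -qiE '^[[:space:]]*COPY[[:space:]].*Tests' "$f" \
    && { echo "FAIL: Tests copied into the image"; fails=$((fails+1)); }
  return "$fails"
}

# Constructed sample Dockerfiles: one following the pattern above, one violating it
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
FROM swift:6.2-jammy AS build
COPY Package.swift Package.resolved ./
RUN swift package resolve
COPY Sources ./Sources
RUN swift build -c release
FROM ubuntu:22.04
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
USER appuser
HEALTHCHECK CMD curl -f http://localhost:8080/health || exit 1
EOF
cat > "$BAD" <<'EOF'
FROM swift
COPY Sources Tests ./
FROM ubuntu:latest
EOF

audit_dockerfile "$GOOD" && echo "pass: $GOOD"
audit_dockerfile "$BAD" || echo "$? finding(s): $BAD"
```

Wire it into CI before the image push step so a failing audit blocks the build.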