Yarova Studio

Select your stack, CI system, and registry above. The pipeline, files, and compliance map update instantly.

55 production-ready stacks · 5 pipeline phases · 20 security invariants · 12 compliance frameworks

Master Pipeline Diagram

All stages, by phase (stage ID in parentheses):

Phase 0 · Bootstrap: Gate 1 Identity (OIDC trust) · Gate 2 Protection (branch rules) · Gate 3 Secrets (pinned tools)
Phase 1 · Developer: IDE Hints (L1) · Pre-commit (L2) · Lint + Format (L3) · Secret Scan (L4) · git push
Phase 2 · PR Gate: Hooks re-run (S1) · SCA (S2) · SAST (S3) · License (S3b) · IaC (S4) · Secrets (S5) · Build (S6) · SBOM (S8a) · Scan (S7)
Phase 3 · Main Build: Auth (S0) · SCA (S2) · SAST (S3) · License (S3b) · IaC (S4) · Secrets (S5) · Build + Push (S6) · SBOM (S8a) · Scan (S7) · Sign + Attest (S8b) · Unit Test (S9) · Integration (S9a) · DAST Perf (S11) · SLSA Provenance (S10) · Notify (S12) · Promote :latest (S13)
Phase 4 · Promotions: Deploy → dev (P1) · Promote → test (P2) · Promote → staging (P3) · Canary → prod (P4) · Verify Signature (S14)

Decision Map

Each card is a pipeline decision. Click to explore why it matters and pick an option. Required decisions change generated YAML. Optional decisions tune behavior.

Current selections: fullstack · snyk · precommit · gitleaks · argocd · same-repo · distroless · syft · trivy · cosign · aws · canary (the remaining decisions are set in the config bar)

20 Pipeline Invariants

Rules that must hold for every release. Each maps to the stage that enforces it.

ID | Rule | Enforced by | Real incident
I-1 | No long-lived credentials anywhere | Phase 0: OIDC setup | Codecov bash uploader (2021)
I-2 | Every commit passes pre-commit hooks | S1: Pre-commit Hooks | event-stream npm (2018)
I-3 | No HIGH/CRITICAL dep CVE ships | S2: Dependency Audit | Log4Shell (CVE-2021-44228)
I-4 | No OWASP Top-10 code pattern ships | S3: Static Analysis | Equifax 2017 (Struts CVE-2017-5638)
I-5 | No privileged containers, no hostPath | S4: IaC Scan | Tesla K8s pwn (2018)
I-6 | No secrets in git history | S5: Secret Scan | Uber 2016 (AWS keys in repo)
I-7 | Multi-stage, non-root, distroless image | S6: Docker Build | Capital One 2019
I-8 | Every prod image signed + SBOM attested | S8: SBOM + Signing | SolarWinds Orion (2020)
I-9 | Test coverage does not decrease on merge | S9: Test Suite | Knight Capital 2012
I-10 | SLSA Level 3 provenance on every prod image | S10: SLSA Provenance | SolarWinds (substituted build step)
I-11 | No :latest tags in K8s manifests | S4: IaC Scan + CD | GitLab class (2017)
I-12 | No :latest tag pushed to registry | S6: Docker Build | Same class as I-11
I-13 | Base images from approved registries only | Phase 0 + S4 | Docker Hub typosquat 2018
I-14 | All CI action/image refs pinned to SHA | Phase 0 review | tj-actions/changed-files (2025)
I-15 | Dep auto-update PRs require review | Phase 0: branch protection | ua-parser-js (2021)
I-16 | Deployed image provenance verified at admission | S14: Sig Verify | PyPI ctx package (2022)
I-17 | No untrusted fork code runs with secrets | Phase 0: branch protection | pwn-request pattern
I-18 | All creds OIDC-derived; no long-lived tokens | Phase 0: OIDC setup | Codecov 2021 (4-month access)
I-19 | Vuln allowlist entries expire ≤90 days | S7: .trivyignore | Equifax (Struts on wishlist 2 months)
I-20 | All admission policies fail-closed | S14 + platform admission (out of scope) | Cryptojacking 2018 (fail-open admission)
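Invariants I-11/I-12 (no :latest images) and I-14 (CI action refs pinned to a commit SHA) are the kind of rule a reviewer can mechanise. The check below is an added example, not Yarova Studio's generated code: it scans raw workflow and manifest YAML text with regular expressions (no YAML parser needed) and reports every reference that breaks one of those invariants. The workflow and manifest it runs against are constructed sample input, and the 40-hex commit SHA in them is made up.

```python
"""Added example: a text-level policy check for invariants I-11/I-12/I-14.
Sample inputs are constructed; the pinned SHA below is a placeholder value."""
import re

# `uses: owner/repo[/path]@ref`; local `./` actions carry no @ref and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
# `image: registry/name[:tag][@sha256:digest]` in K8s manifests or compose files.
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\s\"']+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@39370e3970a6d050ef5f1a7c1d4a9c1b5d6e7f80  # constructed SHA
      - uses: ./.github/actions/local-thing
      - uses: docker/build-push-action@main
"""
MANIFEST = """\
containers:
  - name: web
    image: ghcr.io/example/web:latest
  - name: api
    image: ghcr.io/example/api
  - name: db
    image: ghcr.io/example/db:1.4.2
  - name: cache
    image: ghcr.io/example/cache:1.0@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""


def unpinned_actions(workflow_yaml: str) -> list[str]:
    """I-14: every third-party action must be pinned to a full 40-hex commit SHA.
    Returns the offending `owner/repo@ref` strings (tags and branches are mutable)."""
    return [f"{repo}@{ref}" for repo, ref in USES_RE.findall(workflow_yaml)
            if not SHA_RE.match(ref)]


def latest_images(manifest_yaml: str) -> list[str]:
    """I-11/I-12: flag images that are untagged (implicit :latest) or tagged :latest.
    A ref pinned by digest (`@sha256:...`) is accepted whatever its tag says."""
    bad = []
    for ref in IMAGE_RE.findall(manifest_yaml):
        name, _, digest = ref.partition("@")
        if digest:
            continue
        last = name.rsplit("/", 1)[-1]          # registry ports sit before the last '/'
        tag = last.split(":", 1)[1] if ":" in last else ""
        if tag in ("", "latest"):
            bad.append(ref)
    return bad


if __name__ == "__main__":
    for finding in unpinned_actions(WORKFLOW):
        print(f"I-14 violation: {finding}")
    for finding in latest_images(MANIFEST):
        print(f"I-11/I-12 violation: {finding}")
```

Any non-empty result should fail the PR gate; wiring that into a CI job is a one-line exit code on top of these two functions.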

Compliance Control Map

Which pipeline invariants satisfy which auditor controls, per framework.

PCI
Control | Title | Invariants
6.4.4 | Secure software development (SAST) | I-4
6.5 | Common coding vulnerabilities addressed | I-4
6.3.2 | Inventory of all software components | I-8, I-10
11.3 | Vulnerability scans | I-3, I-19
11.5 | Detect changes to critical files | I-8, I-10, I-16
8.6.3 | Strong cryptography for keys | I-1, I-18

HIPAA
Control | Title | Invariants
164.312(a) | Access control | I-1, I-18, I-17
164.312(c) | Integrity controls | I-8, I-10, I-16
164.312(e) | Transmission security | I-7, I-13
164.308(a)(1) | Risk analysis | I-3, I-4, I-5
164.308(a)(8) | Evaluation | I-9, I-19

SOC 2
Control | Title | Invariants
CC6.1 | Logical access controls | I-1, I-18, I-17
CC6.6 | Encryption of data in transit | I-13
CC7.1 | Detection of vulnerabilities | I-3, I-4, I-5, I-19
CC7.2 | Detection of anomalies | I-6, I-8, I-16
CC8.1 | Change management | I-2, I-15, I-17, I-14

FedRAMP
Control | Title | Invariants
AC-2 | Account management | I-1, I-18
CM-3 | Configuration change control | I-2, I-15
RA-5 | Vulnerability scanning | I-3, I-19
SI-2 | Flaw remediation | I-3, I-19
SI-7 | Software / firmware integrity | I-8, I-10, I-16
SC-13 | Cryptographic protection | I-1, I-13, I-18

GDPR
Control | Title | Invariants
Art. 25 | Data protection by design | I-4, I-5, I-6
Art. 32 | Security of processing | I-3, I-7, I-8

ISO 27001
Control | Title | Invariants
A.8.25 | Secure development lifecycle | I-2, I-4, I-9
A.8.28 | Secure coding | I-4, I-5
A.8.30 | Outsourced development | I-14, I-15, I-17
A.5.23 | Information security for cloud | I-1, I-13, I-18

CMMC
Control | Title | Invariants
AC.L2-3.1.1 | Limit access to authorized users | I-1, I-17, I-18
CM.L2-3.4.3 | Track changes to system | I-2, I-15
SI.L2-3.14.1 | Identify + correct flaws | I-3, I-19
SI.L2-3.14.2 | Protection from malicious code | I-4, I-6, I-8

Generated Files

All files update as you change the config above. Select a file from the list, read it, copy it, drop it in your repo. All files are production-ready — not illustrative templates.

File groups: CI Workflows · Container · Local Dev Hooks · Security Policy · Kustomize Deploy Tree · Helm Chart (alternative). 25 files total, all copy-pasteable.
Dockerfile
# syntax=docker/dockerfile:1.9
# Next.js 15 → distroless/nodejs22 (standalone build)
# REQUIRED: set output: 'standalone' in next.config.ts/js

# Stage 1: install dependencies from the lockfile only; --ignore-scripts blocks install-time lifecycle scripts
FROM node:22-alpine AS deps
WORKDIR /app
RUN corepack enable 2>/dev/null || true
COPY package*.json ./
RUN npm ci --ignore-scripts

# Stage 2: compile the app; build tooling never reaches the runtime image
FROM node:22-alpine AS builder
WORKDIR /app
RUN corepack enable 2>/dev/null || true
COPY --from=deps /app/node_modules ./node_modules
COPY . .
ENV NEXT_TELEMETRY_DISABLED=1
RUN npm run build

# Stage 3: distroless runtime (no shell, no package manager), running as the built-in nonroot user
FROM gcr.io/distroless/nodejs22-debian12:nonroot AS runtime
WORKDIR /app
ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
ENV PORT=3000
ENV HOSTNAME="0.0.0.0"
COPY --from=builder --chown=nonroot:nonroot /app/.next/standalone ./
COPY --from=builder --chown=nonroot:nonroot /app/.next/static ./.next/static
COPY --from=builder --chown=nonroot:nonroot /app/public ./public
USER nonroot
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \
  CMD ["node", "-e", "fetch('http://127.0.0.1:3000').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
CMD ["server.js"]

Reference

Sections: Setup guides · Tool versions · Tested combinations · Common mistakes · Glossary · Tradeoffs · Maintain

First-time registry setup (guide for the selected registry: GHCR; OIDC, no stored secrets)

1. No OIDC setup required. GHCR uses GITHUB_TOKEN, which is automatically available in all GitHub Actions workflows; no external credential is ever stored.
2. Configure branch protection. Settings → Branches → Add rule for main:
   - Require PR
   - Require status checks (select your CI jobs)
   - No force push
3. Enable secret scanning. Settings → Code security → Secret scanning + Push protection → enable both.

Framework Catalog

55 production-ready stacks out of 69 total. Production = full Dockerfile + CI workflow generated. Coming soon = listed, use closest sister framework.

Catalog status levels: Production · Beta · Coming soon. Languages covered: JS · TS · Node · Bun · Python · Go · Java · Kotlin · .NET · Rust · Ruby · PHP · Elixir · Swift · Dart (per-framework entries are only shown in the interactive catalog).