Skip to content

SecurityWithAdarsh/DevSecOps-CI-CD-Pipeline

Repository files navigation

πŸ›‘οΈ DevSecOps CI/CD Pipeline

DevSecOps Pipeline CodeQL Secret Scan License: MIT

A production-grade, security-first CI/CD pipeline built with GitHub Actions β€” integrating SAST, SCA, secret scanning, container scanning, and DAST as automated security gates.

Author: Adarsh Singh | DevSecOps Engineer | SecurityWithAdarsh


πŸ“‹ Table of Contents


πŸ—οΈ Architecture

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                         GitHub Repository                               β”‚
β”‚                                                                         β”‚
β”‚  Code Push / PR                                                         β”‚
β”‚       β”‚                                                                 β”‚
β”‚       β–Ό                                                                 β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  SAST    β”‚   β”‚   SCA    β”‚   β”‚  Secret  β”‚   β”‚    Unit Tests      β”‚  β”‚
β”‚  β”‚ Bandit   │──▢│  Safety  │──▢│  Scan    │──▢│  + Code Coverage   β”‚  β”‚
β”‚  β”‚ Semgrep  β”‚   β”‚ pip-auditβ”‚   β”‚ Gitleaks β”‚   β”‚    (pytest)        β”‚  β”‚
β”‚  β”‚ CodeQL   β”‚   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                                           β”‚              β”‚
β”‚                                                         β–Ό              β”‚
β”‚                                                  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”      β”‚
β”‚                                                  β”‚ Docker Build β”‚      β”‚
β”‚                                                  β”‚  + Push GHCR β”‚      β”‚
β”‚                                                  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜      β”‚
β”‚                                                         β”‚              β”‚
β”‚                                                         β–Ό              β”‚
β”‚                                                  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”      β”‚
β”‚                                                  β”‚  Container   β”‚      β”‚
β”‚                                                  β”‚  Scan (Trivy)β”‚      β”‚
β”‚                                                  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜      β”‚
β”‚                                                         β”‚              β”‚
β”‚                                                         β–Ό              β”‚
β”‚                                                  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”      β”‚
β”‚                                                  β”‚ DAST (OWASP  β”‚      β”‚
β”‚                                                  β”‚    ZAP)      β”‚      β”‚
β”‚                                                  β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜      β”‚
β”‚                                                         β”‚              β”‚
β”‚                            β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€              β”‚
β”‚                            β”‚                            β”‚              β”‚
β”‚                            β–Ό                            β–Ό              β”‚
β”‚                     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”              β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”         β”‚
β”‚                     β”‚  Staging   β”‚              β”‚ Production β”‚         β”‚
β”‚                     β”‚ (develop)  β”‚              β”‚   (main)   β”‚         β”‚
β”‚                     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜              β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜         β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

πŸ”„ Pipeline Stages

# Stage Tools Trigger Gate
1 SAST Bandit, Semgrep, CodeQL Push/PR ❌ Fails on Medium+ severity
2 SCA Safety, pip-audit Push/PR ❌ Fails on known CVEs
3 Secret Scan Gitleaks Push/PR ❌ Fails on any secret
4 Unit Tests pytest + coverage After SAST/SCA ❌ Fails on test failure
5 Build Docker Buildx, GHCR After tests Pushes signed image
6 Container Scan Trivy After build ❌ Fails on CRITICAL/HIGH
7 DAST OWASP ZAP After container scan ⚠️ Warns on findings
8 Deploy Staging kubectl + Kustomize develop branch Manual approval
9 Deploy Prod kubectl + Kustomize main branch Manual approval

πŸ› οΈ Security Tools

Static Application Security Testing (SAST)

Tool What it Checks Config
Bandit Python security anti-patterns, hardcoded passwords, SQL injection security/bandit/bandit.ini
Semgrep Custom rules + community rulesets (flask, secrets, python) security/semgrep/semgrep-rules.yml
CodeQL Deep semantic code analysis by GitHub .github/workflows/codeql.yml

Software Composition Analysis (SCA)

Tool What it Checks
Safety Known CVEs in Python dependencies (PyPI advisory DB)
pip-audit Vulnerability audit via OSV and PyPI advisories
GitHub Dependency Review PR-level dependency diff with vulnerability flagging

Secret Detection

Tool What it Checks
Gitleaks 150+ secret patterns: AWS keys, GCP tokens, JWT, SSH keys, API tokens

Container Security

Tool What it Checks Config
Trivy OS packages, language deps, misconfigs, embedded secrets security/trivy/trivy.yaml

Dynamic Application Security Testing (DAST)

Tool What it Tests
OWASP ZAP XSS, SQLi, CSRF, security headers, active crawl

πŸ“ Project Structure

DevSecOps-CI-CD-Pipeline/
β”‚
β”œβ”€β”€ .github/
β”‚   └── workflows/
β”‚       β”œβ”€β”€ devsecops-pipeline.yml   # Main pipeline (SASTβ†’SCAβ†’Buildβ†’Scanβ†’DASTβ†’Deploy)
β”‚       β”œβ”€β”€ codeql.yml               # GitHub CodeQL analysis
β”‚       β”œβ”€β”€ dependency-review.yml    # PR dependency gate
β”‚       └── secret-scan.yml         # Gitleaks secret scanning
β”‚
β”œβ”€β”€ app/
β”‚   β”œβ”€β”€ __init__.py                  # Flask app factory
β”‚   β”œβ”€β”€ routes.py                    # API routes (/health, /api/info)
β”‚   └── templates/
β”‚       └── index.html               # Pipeline visualization UI
β”‚
β”œβ”€β”€ tests/
β”‚   └── test_app.py                  # Pytest unit tests
β”‚
β”œβ”€β”€ security/
β”‚   β”œβ”€β”€ bandit/bandit.ini            # Bandit SAST config
β”‚   β”œβ”€β”€ semgrep/semgrep-rules.yml    # Custom Semgrep rules
β”‚   └── trivy/trivy.yaml             # Trivy scanner config
β”‚
β”œβ”€β”€ k8s/
β”‚   β”œβ”€β”€ base/                        # Kustomize base manifests
β”‚   β”‚   β”œβ”€β”€ deployment.yaml          # Hardened K8s deployment
β”‚   β”‚   β”œβ”€β”€ service.yaml
β”‚   β”‚   β”œβ”€β”€ network-policy.yaml      # Zero-trust NetworkPolicy
β”‚   β”‚   └── kustomization.yaml
β”‚   └── overlays/
β”‚       β”œβ”€β”€ dev/                     # Staging (1 replica)
β”‚       └── prod/                    # Production (3 replicas)
β”‚
β”œβ”€β”€ scripts/
β”‚   β”œβ”€β”€ run-security-scan.sh         # Local security scan runner
β”‚   └── zap-scan.sh                  # Local OWASP ZAP runner
β”‚
β”œβ”€β”€ reports/                         # Generated security reports (gitignored)
β”œβ”€β”€ .zap/rules.tsv                   # ZAP rule overrides
β”œβ”€β”€ .gitleaks.toml                   # Gitleaks config
β”œβ”€β”€ Dockerfile                       # Multi-stage, hardened
β”œβ”€β”€ docker-compose.yml               # Local dev + DAST profile
β”œβ”€β”€ main.py                          # App entrypoint
β”œβ”€β”€ requirements.txt                 # Production dependencies
β”œβ”€β”€ requirements-dev.txt             # Dev/security tool dependencies
β”œβ”€β”€ pytest.ini                       # Test config
β”œβ”€β”€ SECURITY.md                      # Vulnerability disclosure policy
└── CONTRIBUTING.md

⚑ Quick Start

Prerequisites

  • Python 3.12+
  • Docker
  • (Optional) kubectl + a Kubernetes cluster

Run Locally

# Clone the repo
git clone https://github.com/SecurityWithAdarsh/DevSecOps-CI-CD-Pipeline.git
cd DevSecOps-CI-CD-Pipeline

# Create virtual environment
python -m venv venv && source venv/bin/activate

# Install dependencies
pip install -r requirements.txt -r requirements-dev.txt

# Run the app
python main.py
# β†’ Visit http://localhost:5000

Run with Docker

# Build and start
docker compose up --build

# Run DAST against the running app
docker compose --profile dast up zap

Run Security Scans Locally

# Run all security tools (Bandit + Safety + Semgrep + Trivy)
bash scripts/run-security-scan.sh

# Run unit tests with coverage
pytest

☸️ Kubernetes Deployment

# Deploy to staging
kubectl apply -k k8s/overlays/dev/

# Deploy to production
kubectl apply -k k8s/overlays/prod/

# Watch rollout
kubectl rollout status deployment/devsecops-app -n production

Security Hardening in K8s Manifests

  • runAsNonRoot: true β€” no root containers
  • readOnlyRootFilesystem: true β€” immutable container FS
  • allowPrivilegeEscalation: false
  • capabilities: drop: [ALL]
  • seccompProfile: RuntimeDefault
  • NetworkPolicy β€” restricts ingress/egress traffic

πŸ“Š Security Reports

All reports are generated as GitHub Actions artifacts (retained 30 days):

Report Tool Format
bandit-report.json Bandit JSON
semgrep-report.json Semgrep JSON
safety-report.json Safety JSON
pip-audit-report.json pip-audit JSON
trivy-report.json Trivy JSON
trivy-results.sarif Trivy SARIF β†’ GitHub Security tab
zap-report.json OWASP ZAP JSON
coverage.xml pytest-cov XML

πŸ” Secrets Management

Never commit secrets. This pipeline uses:

  • GitHub Secrets for GITHUB_TOKEN (auto-provided), kubeconfig, registry credentials
  • Gitleaks to block secret commits at the PR gate
  • Trivy to detect secrets baked into Docker images

Required secrets for full pipeline operation:

Secret Used By
GITHUB_TOKEN Auto-provided β€” GHCR push, release creation
KUBECONFIG kubectl deploy steps (add manually)

πŸ“„ License

MIT License β€” see LICENSE


🀝 Connect

Adarsh Singh β€” DevSecOps Engineer | Application Security | OT/ICS Security

  • πŸ”— LinkedIn
  • πŸ™ GitHub
  • 🎯 TryHackMe β€” Top 5% globally

"Security is not a feature β€” it's a pipeline gate."

About

Enterprise-grade DevSecOps CI/CD Pipeline using GitHub Actions, Docker, Kubernetes, CodeQL, Trivy, Secret Scanning, and Automated Security Testing.

Topics

Resources

License

Contributing

Security policy

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors