Created by: Wahba Mousa, Senior DevOps Engineer
- CI/CD with GitHub Actions
- Security-first architecture (CodeQL, Trivy, Gitleaks, SBOM)
- Rolling deployment strategy
- Branch protection enforcement via GitHub CLI
```text
┌──────────────────────────────────────────────────┐
│                   GitHub Repo                    │
│            WahbaMousa-DevOps.github.io           │
└──────────────────────────────────────────────────┘
                         │
           ┌─────────────┼─────────────┐
           ▼             ▼             ▼
     Pull Request   Direct Pushes   Staticman API
  (feature → main)   (e.g., main)  (user comments form)
           │             │             │
           ▼             ▼             ▼
  .github/workflows/  .github/workflows/  staticman.yml
   └─ CI triggers:     └─ Deploy triggers       │
      test.yml            to staging/prod       ▼
      lint.yml                          _data/comments/
      trivy.yml                           (via commit)
      codeql.yml
      scan.yml
      sbom.yml
      sbom-sign.yml
      lighthouse.yml
      coverage.yml
           │
           ▼
┌──────────────────────────────────────────────────┐
│  CI & Security Checks (Parallel Jobs)            │
│  - Trivy FS + Trivy Image                        │
│  - Gitleaks + git-secrets                        │
│  - CodeQL + Jest Coverage                        │
│  - SEO + Accessibility + SBOM                    │
└──────────────────────────────────────────────────┘
                         │
                         ▼
┌──────────────────────────────────────────────────┐
│  Auto-label/merge (PR Bot), Bad PR Filter        │
│  └─ auto-label.yml, auto-merge.yml, bad-pr.yml   │
└──────────────────────────────────────────────────┘
                         │
                         ▼
┌──────────────────────────────────────────────────┐
│  Branch Protection Enforcement                   │
│  ├─ enforce-branch-protection.yml                │
│  ├─ Reads: branch-protection.yml                 │
│  └─ Applies via Python/CLI                       │
└──────────────────────────────────────────────────┘
                         │
                         ▼
┌──────────────────────────────────────────────────┐
│  GitHub Pages Rolling Deployment (CD)            │
│  ├─ deploy-page-staging.yml    ─┐ "Success"      │
│  └─ deploy-page-production.yml ─┘ Environment    │
└──────────────────────────────────────────────────┘
                         │
                         ▼
┌──────────────────────────────────────────────────┐
│  Public Website                                  │
│  ┌──────────────────────────────────┐            │
│  │      wahba.aiopsvision.com       │            │
│  │                                  │            │
│  └──────────────────────────────────┘            │
└──────────────────────────────────────────────────┘
```
Note: sbom-image.yml and Cosign-based Docker image signing are included as modular references for future container-based pipelines. They are not active in this static GitHub Pages project.
- Production: https://wahba.aiopsvision.com
| Area | Tools/Tech |
|---|---|
| Frontend | Jekyll, GitHub Pages |
| CI/CD | GitHub Actions, Environments, Artifacts |
| Security | CodeQL, Trivy (FS), Gitleaks, Secret Scanning |
| Branching | GitFlow (main, release, develop, etc.) |
| SBOM | Anchore (CycloneDX), Syft (reference only) |
| Governance | Branch protection rules, PR automation |
| Area | How You're Covered |
|---|---|
| Secrets in Code (A03:2021) | gitleaks, git-secrets, secret.yml |
| Vulnerable Components (A06:2021) | Trivy FS, Trivy Image, SBOM |
| Security Misconfig (A05:2021) | GitHub branch protection, token management |
| Software Integrity (A08:2021) | Cosign signing, SBOM attestation |
| CI/CD Exposure (A10:2021) | Modular workflows + policy enforcement |
| OWASP CycloneDX | SBOM format generated via sbom.yml, sbom-sign.yml |
| Metric | Status | Notes |
|---|---|---|
| Code Coverage | Enabled | Reported via Jest + Codecov |
| Security Score | A+ Equivalent | Secret scanning, SBOM, image signing |
| Performance | <2s load time | Jekyll site + CDN = fast load |
| Accessibility | Enabled | Checked via axe-core CI workflow |
| SEO Score | >90/100 | Verified via Lighthouse CI audit |
```text
main          → Production Environment
├── release   → Staging Environment
├── develop   → Integration / QA Branch
├── feature/* → New Features
├── hotfix/*  → Emergency Fixes
└── bugfix/*  → Bug Patches
```
swap.yml is used to promote release → main after successful staging validation.
- Require PR review (1+)
- Require code owner review
- Require status checks to pass
- Require branches up to date
- Require conversation resolution
- Require linear history
- Lock branch (prevent bypass)
- Restrict force pushes
- Restrict deletions
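The enforcement step in the diagram reads a declarative rule file and applies it through the GitHub API. The script below is an added example, not the repository's own enforce-branch-protection.yml or branch-protection.yml: the rule keys are an assumed format, the request-body field names are those of GitHub's REST "Update branch protection" endpoint, and the snapshot mirrors the shape the matching GET endpoint returns. It turns the checklist above into the PUT payload, reports drift between the desired state and a (constructed) live snapshot, and builds the `gh api` invocation that would apply it.

```python
"""Build a GitHub branch-protection payload from declarative rules and check drift.

Added example, not the repository's own enforce-branch-protection.yml or
branch-protection.yml; the rule keys below are an assumed format. The payload
field names are those of GitHub's REST "Update branch protection" endpoint,
and the snapshot shape mirrors what the matching GET endpoint returns.
"""
from typing import Any

# Constructed rule set (assumed format) mirroring the README's checklist.
RULES: dict[str, Any] = {
    "required_reviews": 1,
    "code_owner_review": True,
    "status_checks": ["test", "lint", "trivy", "codeql", "scan", "sbom"],
    "require_up_to_date": True,
    "conversation_resolution": True,
    "linear_history": True,
    "lock_branch": True,
    "block_force_push": True,
    "block_deletion": True,
}

# Constructed snapshot of a branch that has drifted: force pushes were
# re-enabled and the "sbom" status check is no longer required.
DRIFTED_SNAPSHOT: dict[str, Any] = {
    "required_status_checks": {"strict": True, "contexts": ["test", "lint", "trivy", "codeql", "scan"]},
    "enforce_admins": {"url": "https://api.github.com/[placeholder]", "enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "required_linear_history": {"enabled": True},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "required_conversation_resolution": {"enabled": True},
    "lock_branch": {"enabled": True},
}


def build_protection_payload(rules: dict[str, Any]) -> dict[str, Any]:
    """Translate the human-readable checklist into the PUT request body."""
    return {
        "required_status_checks": {
            "strict": bool(rules.get("require_up_to_date", False)),  # "branches up to date"
            "contexts": list(rules.get("status_checks", [])),
        },
        "enforce_admins": True,  # the rules also bind administrators
        "required_pull_request_reviews": {
            "required_approving_review_count": int(rules.get("required_reviews", 1)),
            "require_code_owner_reviews": bool(rules.get("code_owner_review", False)),
            "dismiss_stale_reviews": True,  # a new push invalidates earlier approvals
        },
        "restrictions": None,  # no push allow-list; protection applies to everyone
        "required_linear_history": bool(rules.get("linear_history", False)),
        "allow_force_pushes": not rules.get("block_force_push", True),
        "allow_deletions": not rules.get("block_deletion", True),
        "required_conversation_resolution": bool(rules.get("conversation_resolution", False)),
        "lock_branch": bool(rules.get("lock_branch", False)),
    }


def _unwrap(value: Any) -> Any:
    """GET reports boolean flags as {"enabled": bool, ...}; reduce them to the bool."""
    if isinstance(value, dict) and "enabled" in value and set(value) <= {"enabled", "url"}:
        return value["enabled"]
    return value


def _same(want: Any, have: Any) -> bool:
    if isinstance(want, list) and isinstance(have, list):
        return sorted(want) == sorted(have)  # order of status-check contexts is not significant
    return want == have


def find_drift(desired: dict[str, Any], actual: dict[str, Any]) -> dict[str, tuple[Any, Any]]:
    """Return {setting: (desired, actual)} for every setting that differs."""
    drift: dict[str, tuple[Any, Any]] = {}
    for key, want in desired.items():
        have = _unwrap(actual.get(key))
        if isinstance(want, dict) and isinstance(have, dict):
            for sub, sub_want in want.items():
                if not _same(sub_want, have.get(sub)):
                    drift[f"{key}.{sub}"] = (sub_want, have.get(sub))
        elif not _same(want, have):
            drift[key] = (want, have)
    return drift


def gh_apply_command(owner: str, repo: str, branch: str, payload_path: str) -> list[str]:
    """argv for applying the payload with the GitHub CLI (`gh api --input` reads the JSON file)."""
    return [
        "gh", "api", "--method", "PUT",
        "-H", "Accept: application/vnd.github+json",
        f"repos/{owner}/{repo}/branches/{branch}/protection",
        "--input", payload_path,
    ]


if __name__ == "__main__":
    import json
    desired = build_protection_payload(RULES)
    for setting, (want, have) in find_drift(desired, DRIFTED_SNAPSHOT).items():
        print(f"DRIFT {setting}: want={want!r} have={have!r}")
    print(json.dumps(desired, indent=2))
    print(" ".join(gh_apply_command("WahbaMousa-DevOps", "WahbaMousa-DevOps.github.io", "main", "payload.json")))
```

Running the drift check on every scheduled run, not only when the rule file changes, is what makes the enforcement meaningful: a setting flipped in the web UI (force pushes re-enabled, a required check dropped) shows up as a diff and can be re-applied instead of silently persisting.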
Triggers: Push to [develop, feature/*, hotfix/*, release, main]
Stages:
1. Build with Jekyll (or App Build)
2. Unit Tests (Jest / npm test)
3. Lint (Markdown, JS, etc.)
4. Code Coverage + Lighthouse + SEO
5. CodeQL Security Scan
6. Trivy FS Scan (Source)
7. Trivy Image Scan (Docker)
8. SBOM Generation (Syft / Trivy)
9. Image Signing (Cosign)
10. Quality Gate Summary

```bash
# Clone repository
git clone https://github.com/WahbaMousa-DevOps/WahbaMousa-DevOps.github.io.git
cd WahbaMousa-DevOps.github.io
# Install dependencies
bundle install
# Run locally
bundle exec jekyll serve
# Access the development server at http://localhost:4000
```

```bash
# Create feature branch
git checkout -b feature/your-feature-name
# Make changes and test locally
bundle exec jekyll serve
# Run local quality checks
./scripts/local-lint.sh
./scripts/local-security-scan.sh
# Commit and push
git add .
git commit -m "feat: add new feature"
git push origin feature/your-feature-name
# Create pull request to develop branch
```

- Fork the repository
- Create feature branch from develop
- Follow coding standards and security practices
- Ensure all quality gates pass
- Submit pull request with detailed description
- Code review and approval process
- Automated deployment to Staging
- Promotion to Production
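Stage 10 of the pipeline above, the quality-gate summary, is where the individual scanner results are reduced to one pass/fail decision that branch protection can require. The script below is an added example, not the project's own workflow code. Its three inputs are constructed samples in the shape Trivy (`--format json`), gitleaks (JSON report) and Jest/Istanbul (`coverage-summary.json`) write, trimmed to the fields read here, with placeholder vulnerability IDs; it applies severity, fixability and coverage thresholds and emits a Markdown block for the step summary without ever echoing a matched secret.

```python
"""Aggregate scanner output into one quality-gate verdict (stage 10 of the pipeline).

Added example, not the project's own workflow code. The three reports are
constructed samples in the shape Trivy (--format json), gitleaks (JSON report)
and Jest/Istanbul (coverage-summary.json) write; only the fields read below
are included, and the vulnerability IDs are placeholders.
"""
from typing import Any

# Constructed Trivy filesystem-scan report: one fixed CRITICAL, one HIGH with
# no fix available, one MEDIUM.
TRIVY_REPORT: dict[str, Any] = {
    "Results": [
        {
            "Target": "Gemfile.lock",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "example-gem",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "another-gem",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "third-gem",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.2", "Severity": "MEDIUM"},
            ],
        }
    ]
}

# Constructed gitleaks report: one finding. The matched value is never copied
# into the summary, so a leaked credential is not re-leaked in CI logs.
GITLEAKS_REPORT: list[dict[str, Any]] = [
    {"RuleID": "generic-api-key", "File": "_config.yml", "StartLine": 42,
     "Description": "Generic API Key", "Secret": "[redacted in sample]"},
]

# Constructed Jest/Istanbul coverage summary.
COVERAGE_SUMMARY: dict[str, Any] = {
    "total": {"lines": {"total": 200, "covered": 170, "pct": 85.0},
              "branches": {"total": 40, "covered": 30, "pct": 75.0}}
}

THRESHOLDS: dict[str, Any] = {
    "block_severities": {"CRITICAL", "HIGH"},
    "ignore_unfixed": True,   # same policy as `trivy --ignore-unfixed`
    "min_line_coverage": 80.0,
}


def blocking_vulnerabilities(report, block_severities, ignore_unfixed):
    """Vulnerabilities at a blocking severity (optionally only those with a fix)."""
    found = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # clean targets omit the key
            if vuln.get("Severity") not in block_severities:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            found.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                          "installed": vuln["InstalledVersion"], "fixed": vuln["FixedVersion"],
                          "severity": vuln["Severity"], "target": result.get("Target", "")})
    return found


def secret_locations(report):
    """File:line and rule for each gitleaks finding, never the matched secret."""
    return [f'{f["File"]}:{f["StartLine"]} ({f["RuleID"]})' for f in report]


def line_coverage(summary):
    return float(summary["total"]["lines"]["pct"])


def evaluate_gate(trivy, gitleaks, coverage, thresholds):
    """Combine the three signals into {"passed": bool, "failures": [...], ...}."""
    failures = []
    vulns = blocking_vulnerabilities(trivy, thresholds["block_severities"], thresholds["ignore_unfixed"])
    if vulns:
        failures.append(f"{len(vulns)} fixable {'/'.join(sorted(thresholds['block_severities']))} vulnerabilities")
    leaks = secret_locations(gitleaks)
    if leaks:
        failures.append(f"{len(leaks)} secret(s) detected: " + ", ".join(leaks))
    pct = line_coverage(coverage)
    if pct < thresholds["min_line_coverage"]:
        failures.append(f"line coverage {pct:.1f}% below {thresholds['min_line_coverage']:.1f}%")
    return {"passed": not failures, "failures": failures, "vulnerabilities": vulns, "coverage": pct}


def render_summary(result):
    """Markdown block suitable for appending to $GITHUB_STEP_SUMMARY."""
    lines = ["## Quality Gate: " + ("PASS" if result["passed"] else "FAIL")]
    lines += [f"- {f}" for f in result["failures"]] or ["- all checks within thresholds"]
    lines.append(f"- line coverage: {result['coverage']:.1f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    outcome = evaluate_gate(TRIVY_REPORT, GITLEAKS_REPORT, COVERAGE_SUMMARY, THRESHOLDS)
    print(render_summary(outcome))
    sys.exit(0 if outcome["passed"] else 1)  # a non-zero exit fails the workflow job
```

With the sample inputs the gate fails on two counts (the fixable CRITICAL finding and the gitleaks hit) while the unfixed HIGH is reported but not blocking; tightening `min_line_coverage` to 90 would add a third failure. The non-zero exit is what lets the summary job be listed as a required status check in the branch protection rules.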
Designed and implemented by Wahba Mousa, Senior DevSecOps Engineer (2025). This repository serves as a real-world demonstration of CI/CD + DevSecOps excellence on GitHub.
- Theme: Jekyll + Minimal Mistakes by Michael Rose
- Customizations by Wahba Mousa
Licensed under MIT
If you have questions or want to learn how to build a similar site, feel free to:
- Connect with me on LinkedIn