A complete demonstration of a secure CI/CD pipeline integrating DevSecOps best practices using open-source tools. This PoC showcases how to build a pipeline that catches misconfigurations, secrets, and vulnerabilities before production deployment.
| Security Layer | Tools Used | Description |
|---|---|---|
| Secrets Scanning | Gitleaks | Detect leaked credentials early |
| Static Code Analysis | Semgrep | Catch insecure code patterns |
| Dependency Scanning | Trivy | Identify known vulnerabilities in dependencies |
| Container Scanning | Trivy | Ensure hardened Docker images |
| IaC Scanning | tfsec, Checkov | Prevent cloud misconfigurations |
| Policy as Code | OPA (Rego), Conftest | Enforce org-wide deployment policies |
| CI/CD Security | GitHub Actions | Secure workflow with fine-grained permissions |
| Pre-Commit Hooks | gitleaks, tflint | Catch issues before they reach CI/CD |
```text
├── app/                    # Sample Node.js App
├── terraform/              # AWS Infra using IaC
├── opa/                    # OPA policies
├── .github/workflows/      # GitHub Actions pipeline
├── Dockerfile              # Containerization
├── .pre-commit-config.yaml
└── README.md
```
```yaml
on: [push, pull_request]
jobs:
  security-scan:
    steps:
      - Checkout
      - Gitleaks
      - Trivy (container scan)
      - tfsec & Checkov (IaC scan)
      - Semgrep (code scan)
```

Sample outputs:

- ✅ Secrets scan sample result
- ✅ IaC scan JSON output from tfsec
- ✅ OPA policy decision logs
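The sketch above expanded into a workflow that GitHub Actions will actually run, written for this README as an example rather than copied from the repo's `.github/workflows/` directory (whose contents are not reproduced here). It assumes the layout shown in the tree (`app/`, `terraform/`, `opa/` and a root `Dockerfile`), a file name of `security-scan.yml`, Rego policies in `opa/` written in conftest's default `main` package, and actions pinned by release tag; swap the tags for commit SHAs you have verified if you want stronger pinning.

```yaml
# .github/workflows/security-scan.yml  (example; assumed path, not the repo's own file)
name: security-scan

on: [push, pull_request]

# Least privilege: the job only reads the checkout. Nothing here needs to write
# to contents, packages or pull requests, so the default GITHUB_TOKEN gets read-only.
permissions:
  contents: read

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (full history so gitleaks can scan every commit, not just HEAD)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Secrets scan (gitleaks)
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Static analysis (semgrep)
        run: |
          python3 -m pip install --quiet semgrep
          # --error turns findings into a non-zero exit so the job fails instead of
          # just printing them; app/ is the sample Node.js app from the tree.
          semgrep scan --config auto --error app/

      - name: Dependency scan (trivy, filesystem mode)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # only fail on vulnerabilities that have a fix available
          exit-code: '1'

      - name: Build container image
        run: docker build -t "devsecops-app:${{ github.sha }}" .

      - name: Container scan (trivy, image mode)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: "devsecops-app:${{ github.sha }}"
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'

      - name: IaC scan (tfsec)
        uses: aquasecurity/tfsec-action@v1.0.0
        with:
          working_directory: terraform   # soft_fail is off by default, so findings fail the job

      - name: IaC scan (checkov)
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: terraform
          framework: terraform

      - name: Policy as code (conftest evaluating the Rego in opa/)
        run: |
          # Assumes opa/*.rego use "package main" with deny[msg] rules, which is
          # conftest's default namespace; the glob expands on the runner and the
          # relative paths resolve inside the container's /project workdir.
          docker run --rm -v "$PWD:/project" openpolicyagent/conftest \
            test -p opa terraform/*.tf
```

Every scanner is configured to fail the job on findings rather than warn, which is what makes the "before production deployment" promise in the intro enforceable: a pull request that leaks a credential, ships a HIGH/CRITICAL CVE, or violates a Rego rule cannot be merged on a green check. The top-level `permissions: contents: read` is the fine-grained-permissions point from the table; if you later add a step that posts PR comments, grant `pull-requests: write` to that job only rather than widening the default.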
```bash
git clone https://github.com/rishirajbansal/DevSecOps-Hardening-Poc.git
cd DevSecOps-Hardening-Poc
docker build -t devsecops-app .
docker run -p 3000:3000 devsecops-app
```

- GitHub Action hardened with minimal permissions
- `.gitignore` and `.env` handling included
- Rego policy to enforce deny-all rule (modifiable)
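The pre-commit layer from the table (gitleaks and tflint running before anything reaches CI), as an example `.pre-commit-config.yaml` written for this page; the repo's own file appears in the tree but its contents are not shown here. It assumes the `terraform/` directory from the tree and that `terraform`, `tflint` and `tfsec` are installed on the developer machine; the `rev` tags were valid at the time of writing and should be bumped to releases you verify.

```yaml
# .pre-commit-config.yaml  (example; assumed contents, not the repo's own file)
repos:
  # Secrets scanning on every commit: the hook runs gitleaks against the staged
  # changes, so a leaked key is rejected locally before it ever lands in history.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4
    hooks:
      - id: gitleaks

  # IaC hygiene for terraform/: formatting and validation catch broken HCL,
  # tflint catches provider misuse, tfsec catches insecure resource settings.
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.92.0
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
      - id: terraform_tflint
      - id: terraform_tfsec
```

Install with `pip install pre-commit && pre-commit install`; from then on `git commit` runs the hooks on the staged files, and `pre-commit run --all-files` checks the whole tree once on an existing clone. The hooks duplicate checks the CI workflow also performs on purpose: the local run gives fast feedback, the CI run is the enforcement point that a developer cannot skip with `--no-verify`.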
- ✅ Reduces security vulnerabilities before deployment
- ✅ Aligns with shift-left security practices
- ✅ Demonstrates audit readiness for cloud & container workloads