devopsaisyd/devsecops-demo

Multi-language DevSecOps Demo — ALL SCANS + Signing + SBOM + ECS (Fargate)

Languages: Python (Flask), Node (Express), Java (Spring Boot)

Deliberate demo vulns in hello apps:

  • Python: yaml.load with yaml.Loader + urllib3==1.25.8, PyYAML==5.1
  • Node: lodash@4.17.19 + /vuln route using eval
  • Java: log4j-core:2.14.1 + /vuln route logging user input

⚠️ Demo only. Do not deploy these versions to production.

GitLab CI pipeline

Stages: prepare → SAST (GitLab + Bandit) → Dependency (GitLab + pip-audit) → Secrets (GitLab + Gitleaks) → IaC (tfsec + Checkov) → tests → build → SBOM (Syft SPDX) → Container scan (GitLab + Trivy) → Sign & Attest (Cosign keyless + SBOM + provenance) → push → Deploy (Terraform → ECS Fargate + ALB).

Setup

  1. Import to GitLab.
  2. CI/CD Variables:
    • VPC_ID — e.g., vpc-xxxx in ap-southeast-2
    • SUBNET_A, SUBNET_B — two public subnets in that VPC
  3. Choose language by pipeline var LANG = python | node | java.
  4. Push to develop → dev deploy; merge to main → manual prod deploy.

Local smoke (Python)

docker build -f docker/Dockerfile.python -t local/hello-python:dev .
docker run --rm -p 5000:5000 local/hello-python:dev
curl 'http://localhost:5000/'
curl 'http://localhost:5000/vuln?p=a:1'   # demo endpoint

Verify signatures / SBOM (after CI)

export COSIGN_EXPERIMENTAL=1        # enables keyless mode on cosign 1.x; not needed on cosign 2.x
cosign verify <registry>/<group>/<project>/hello-demo:1.0.0-<sha>
cosign verify-attestation --type spdx <image-ref>
# cosign 2.x keyless verification additionally requires the expected signer identity, e.g.
#   --certificate-identity-regexp '<expected identity>' --certificate-oidc-issuer '<OIDC issuer URL>'
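The SBOM stage above produces an SPDX document for the image, and the README warns that the deliberate demo pins must never reach production. The following release gate, an added example that is not part of this repository, reads an SPDX 2.x JSON SBOM (the shape Syft emits: a `packages` array with `name`, `versionInfo` and a `purl` external reference) and fails when any of the demo-only pins listed in this README is still present. The sample SBOM embedded at the bottom is constructed for the example, not a real scan result; the function names are the example's own.

```python
"""Release gate: fail if an SPDX SBOM (as produced by the Syft stage) still
contains any of the demo-only dependency pins named in this README."""
import json
from typing import Dict, List, Tuple

# The demo-only pins from the README. Keys are package names as they appear in
# the SBOM (lower-cased); values are the versions that must not be promoted.
DEMO_ONLY_PINS: Dict[str, str] = {
    "pyyaml": "5.1",
    "urllib3": "1.25.8",
    "lodash": "4.17.19",
    "log4j-core": "2.14.1",
}


def _purl_of(pkg: dict) -> str:
    """Return the package URL recorded in externalRefs, or '' if there is none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator", "")
    return ""


def _name_version(pkg: dict) -> Tuple[str, str]:
    """Derive (name, version) for one SPDX package entry.

    The purl is preferred because it carries an exact version even when
    versionInfo is absent (as it often is for Maven coordinates). Only the last
    path segment of the purl is used as the name, so scoped npm packages match
    on their bare name. Names are lower-cased so 'PyYAML' matches 'pyyaml'.
    """
    purl = _purl_of(pkg)
    if purl and "@" in purl:
        path, _, version = purl.rpartition("@")
        # Strip purl qualifiers (?arch=...) and subpaths (#...) from the version.
        version = version.split("?", 1)[0].split("#", 1)[0]
        return path.rsplit("/", 1)[-1].lower(), version
    return str(pkg.get("name", "")).lower(), str(pkg.get("versionInfo") or "")


def find_demo_pins(sbom: dict) -> List[Tuple[str, str]]:
    """Return every (name, version) in the SBOM that is a demo-only pin."""
    hits = set()
    for pkg in sbom.get("packages", []):
        name, version = _name_version(pkg)
        if version and DEMO_ONLY_PINS.get(name) == version:
            hits.add((name, version))
    return sorted(hits)


def gate(sbom_json: str) -> bool:
    """True when the SBOM is clear of demo-only pins, i.e. safe to promote."""
    return not find_demo_pins(json.loads(sbom_json))


# Constructed sample: a minimal SPDX 2.x JSON document shaped like Syft's
# output, not a real scan result. Versions other than the demo pins are made up.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "hello-demo:1.0.0-<sha>",
    "packages": [
        {"name": "Flask", "SPDXID": "SPDXRef-Package-python-Flask", "versionInfo": "3.0.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/flask@3.0.0"}]},
        {"name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML", "versionInfo": "5.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/pyyaml@5.1"}]},
        # No purl here: the fallback to name/versionInfo must still catch it.
        {"name": "urllib3", "SPDXID": "SPDXRef-Package-python-urllib3", "versionInfo": "1.25.8"},
        # No versionInfo here: the version has to come from the Maven purl.
        {"name": "log4j-core", "SPDXID": "SPDXRef-Package-java-log4j-core",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    ],
})

if __name__ == "__main__":
    import sys
    findings = find_demo_pins(json.loads(SAMPLE_SBOM))
    for name, version in findings:
        print(f"BLOCK: {name}=={version} is a demo-only pin")
    sys.exit(1 if findings else 0)
```

In a pipeline this would run between the SBOM and push stages on the Syft output file (replace `SAMPLE_SBOM` with the file contents); the non-zero exit blocks the job, and the same deny-list can be extended with any other pin the team has decided must never be promoted.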
