Skip to content

vivek1251/devsecops-pipeline

BranchesTags

Repository files navigation

🔐 DevSecOps Pipeline

DevSecOps Python Docker SonarCloud GitHub Actions Trivy Slack Bandit SBOM

A fully automated, enterprise-grade CI/CD pipeline with security baked in at every stage — secrets scanning, dependency auditing, SAST, DAST, container scanning, SBOM generation, 3-environment deployment with manual approval gate, and real-time stage-level Slack alerts.

📊 Pipeline Health

Pipeline Status Last Commit Issues Coverage Security Rating Vulnerabilities SBOM Dependabot

📋 Table of Contents

🌟 Overview

This project implements a DevSecOps CI/CD pipeline that integrates security scanning seamlessly into the software delivery lifecycle. Security is not an afterthought — it is embedded at every stage of the pipeline.

Every push to the repository automatically triggers:

  • 🔑 Secrets scanning — Gitleaks detects any leaked credentials
  • 🐍 Dependency scanning — pip-audit checks for CVEs in Python packages
  • 🔍 SAST — Bandit + SonarCloud perform deep static code analysis
  • 🌐 DAST — OWASP ZAP full-scan for runtime vulnerabilities
  • 🐳 Build, Push & Scan — Docker image built, scanned with Trivy, SBOM generated
  • 🟡 Deploy to Staging — Auto-deploy on every commit
  • 🟠 Deploy to Pre-prod — Auto-deploy after staging passes
  • ⏸️ Manual Approval Gate — Human review required before production
  • 🟢 Deploy to Production — Final deployment after approval
  • 📣 Stage-level Slack alerts — Real-time pass/fail notifications per stage
  • 🤖 Dependabot — Automated weekly dependency update PRs

🎬 Pipeline in Action

✅ GitHub Actions — Full Pipeline Run (Success)

All stages passed — Gitleaks ✅ · pip-audit ✅ · Bandit ✅ · SonarCloud ✅ · OWASP ZAP ✅ · Trivy ✅ · SBOM ✅ · Staging ✅ · Pre-prod ✅ · Production ✅

GitHub Actions Pipeline

🔍 SonarCloud — Code Quality & Security Results

Quality Gate: Passed · Open Issues: 0 · Duplications: 0.0% · Coverage: 99.4% · Security Rating: A

SonarCloud Dashboard

📣 Slack — Real-Time Stage-Level Alerts

The devsecops-bot sends instant Slack notifications per stage — success or failure — with commit info and direct links.

Slack Alerts

🌍 3-Environment Deploy — Staging → Pre-prod → Production Approval

Full pipeline passing all stages with manual approval gate for production deployment.

3-Environment Deploy

🏗️ Architecture

Developer Push / Pull Request
            │
            ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│                          GitHub Actions CI/CD                               │
│                                                                             │
│  ┌──────────┐  ┌───────────┐  ┌──────────────┐  ┌────────┐  ┌──────────┐  │
│  │ Gitleaks │─▶│ pip-audit │─▶│Bandit+Sonar  │─▶│OWASPZap│─▶│Build+    │  │
│  │ Secrets  │  │ Dep Scan  │  │     SAST     │  │  DAST  │  │Trivy+SBOM│  │
│  └──────────┘  └───────────┘  └──────────────┘  └────────┘  └──────────┘  │
│                                                                    │        │
│              ┌─────────────────────────────────────────────────────▼──────┐ │
│              │  🟡 Staging → 🟠 Pre-prod → ⏸️ Manual Approval → 🟢 Prod  │ │
│              └────────────────────────────────────────────────────────────┘ │
│                                                                             │
│  ┌─────────────────────────────────────────────────────────────────────┐   │
│  │                Stage-Level Slack Alerts (each job)                  │   │
│  └─────────────────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────────────────┘

🚀 Pipeline Stages

1. 🔑 Secrets — Gitleaks Scan

Scans the entire git history for leaked API keys, passwords, tokens, or credentials.

- name: Gitleaks secrets scan
  uses: gitleaks/gitleaks-action@v2

Result: No leaks detected

2. 🐍 Dependency Scan — pip-audit

Audits all Python dependencies in requirements.txt against the PyPI Advisory Database for known CVEs.

- name: Run pip-audit
  run: pip-audit -r app/requirements.txt --format=json --output=pip-audit-report.json

Report uploaded as downloadable artifact on every run ✅

3. 🔍 SAST — Bandit + SonarCloud

Bandit — Python-specific static security analysis:

- name: Run Bandit SAST Scan
  run: bandit -r app/ -f json -o bandit-report.json --exit-zero

SonarCloud — Deep static analysis for bugs, security hotspots, and code smells:

  • Quality Gate: Passed
  • Security Issues: 0
  • Code Coverage: 99.4%
  • Security Rating: A

4. 🌐 DAST — OWASP ZAP Full-Scan

Actively attacks the running application to find vulnerabilities like XSS, SQL injection, and misconfigurations.

- name: OWASP ZAP Scan
  uses: zaproxy/action-full-scan@v0.10.0

138 checks PASS · 0 FAIL ✅

5. 🐳 Build, Push, Scan & SBOM

Builds the Docker image, scans with Trivy, generates an SBOM with Syft, pushes to Docker Hub.

docker build -t devsecops-app .
trivy image devsecops-app    # CVE scan
syft devsecops-app           # SBOM generation
docker push vivek1251/devsecops-app

🌍 3-Environment Deployment

Build & Scan
     │
     ▼
🟡 Staging (auto)          → my-cicd-server      port 5001
     │
     ▼
🟠 Pre-prod (auto)         → cicd-server         port 5000
     │
     ▼
⏸️  Manual Approval Gate   → vivek1251 must approve
     │
     ▼
🟢 Production (approved)   → devsecops-server    port 5000
Environment Server Trigger
🟡 Staging my-cicd-server Auto on every commit
🟠 Pre-prod cicd-server Auto after staging passes
🟢 Production devsecops-server Manual approval required

🛡️ Security Tools

Tool Type Purpose Stage
Gitleaks Secrets Scan Detects leaked credentials in git history Pre-build
pip-audit Dependency Scan CVE scanning of Python packages Pre-build
Bandit SAST Python-specific static security analysis Pre-build
SonarCloud SAST Static code quality & security analysis Pre-build
OWASP ZAP DAST Full active runtime vulnerability testing Post-deploy
Trivy Container Scan Docker image CVE scanning Post-build
Syft SBOM Software Bill of Materials generation Post-build
Dependabot Dependency Updates Automated weekly PRs for outdated packages Scheduled
Slack Bot Alerting Stage-level real-time notifications All stages

📁 Project Structure

devsecops-pipeline/
├── .github/
│   ├── workflows/
│   │   └── deploy.yml              # Main CI/CD pipeline
│   └── dependabot.yml              # Automated dependency updates
├── app/
│   ├── app.py                      # Python Flask application
│   ├── test_app.py                 # Unit tests (99.4% coverage)
│   ├── Dockerfile                  # Container definition
│   └── requirements.txt            # Python dependencies
├── .env.example                    # Required environment variables
├── CONTRIBUTING.md                 # Contribution guidelines
├── LICENSE                         # MIT License
├── sonar-project.properties        # SonarCloud configuration
└── README.md

⚙️ Setup & Installation

Prerequisites

  • Python 3.x
  • Docker
  • GitHub account
  • SonarCloud account
  • AWS EC2 instances (3 for full environment setup)
  • Slack workspace

Local Setup

# 1. Clone the repository
git clone https://github.com/vivek1251/devsecops-pipeline.git
cd devsecops-pipeline

# 2. Copy env example and fill in values
cp .env.example .env

# 3. Install dependencies
pip install -r app/requirements.txt

# 4. Run tests
pytest app/ --cov=app

# 5. Run Bandit locally
pip install bandit
bandit -r app/

# 6. Build Docker image
docker build -t devsecops-app ./app

# 7. Scan with Trivy
trivy image devsecops-app

GitHub Secrets Required

Set these in Settings → Secrets → Actions:

Secret Description
SONAR_TOKEN SonarCloud authentication token
DOCKER_USERNAME Docker Hub username
DOCKER_PASSWORD Docker Hub password
STAGING_HOST Staging EC2 public IP
STAGING_USERNAME Staging EC2 SSH username
STAGING_KEY Staging EC2 private SSH key
PREPROD_HOST Pre-prod EC2 public IP
PREPROD_USERNAME Pre-prod EC2 SSH username
PREPROD_KEY Pre-prod EC2 private SSH key
EC2_HOST Production EC2 public IP
EC2_USERNAME Production EC2 SSH username
EC2_KEY Production EC2 private SSH key
SLACK_WEBHOOK Slack incoming webhook URL

📣 Slack Notifications

The pipeline sends stage-level real-time Slack alerts:

Stage Alert
🔑 Gitleaks ❌ Secret detected in code
🐍 pip-audit ❌ Vulnerable dependency found
🔍 SAST ❌ Bandit or SonarCloud Quality Gate failed
🌐 DAST ❌ OWASP ZAP found critical vulnerabilities
🐳 Trivy ❌ CRITICAL/HIGH CVE in Docker image
🟡 Staging ✅ Staging deployed successfully
🟠 Pre-prod ✅ Pre-prod deployed, awaiting approval
🚀 Production ✅ Full pipeline passed, production deployed

🔮 Future Improvements

Feature Effort
Pipeline metrics dashboard Advanced

✅ Recently Completed

Feature Status
3-environment deploy (staging → preprod → prod) ✅ Done
Manual approval gate for production ✅ Done
OWASP ZAP full-scan (vs baseline) ✅ Done
Dependabot auto-PRs for dependency updates ✅ Done
Vigilant mode (commit verification) ✅ Done
pip + Docker layer caching ✅ Done
Stage-level Slack alerts ✅ Done
Branch protection on main ✅ Done
SBOM generation with Syft ✅ Done
Bandit SAST scanning ✅ Done
pip-audit dependency scanning ✅ Done

🤝 Contributing

See CONTRIBUTING.md for full guidelines.

  1. Fork the repository
  2. Create a feature branch: git checkout -b feat/your-feature
  3. Commit your changes: git commit -m 'feat: add your feature'
  4. Push to the branch: git push origin feat/your-feature
  5. Open a Pull Request into main — all pipeline checks must pass

Made with ❤️ by vivek1251

Security Status License Environments

About

Enterprise-grade DevSecOps CI/CD pipeline — Gitleaks, pip-audit, Bandit, SonarCloud, OWASP ZAP, Trivy, SBOM, 3-environment deploy with manual approval gate

Topics

github python docker sonarqube slack-bot aws-ec2 cicd owasp-zap devsecops bandit syft sbom github-actions gitleaks multienvironment trivy devsecops-pipeline pip-audit

Resources

Readme

License

MIT license

Contributing

Contributing
Activity

Stars

2 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 1

v1.0.0 — Production DevSecOps Pipeline Latest
Mar 27, 2026

Packages

 
 
 

Contributors

Languages