A comprehensive DevSecOps implementation showcasing a complete CI/CD pipeline with integrated security scanning, code quality analysis, and automated deployment using GitHub Actions, SonarCloud, and Kubernetes.
This DevSecOps pipeline implements a security-first approach with the following stages. For full pipeline documentation and workflow details, see .github/workflows/README.md.
- Source Control - Developer commits trigger the pipeline
- Pre-Build Security - Secrets scanning (Gitleaks) and dependency/IaC scanning (Trivy FS)
- Code Validation - Unit testing with comprehensive test coverage
- Static Code Quality - SonarCloud analysis with quality gate enforcement
- Build & CI Artifacts - Application build and artifact upload
- Container Build & Security - Docker image creation with Trivy image scanning and pushing to GHCR
- Continuous Delivery - Automated Kubernetes manifest updates for GitOps deployment
Getting Started
This project features a modern React-based Tic-Tac-Toe game built with:
- React 18 with TypeScript for type safety
- Tailwind CSS for responsive styling
- Vite for fast development and optimized builds
- Vitest for comprehensive unit testing
- ESLint for code quality enforcement
- Node.js (v18 or higher)
- npm or yarn
- Docker (for containerization)
- kubectl (for Kubernetes deployment)
- Clone the repository:
  git clone https://github.com/atkaridarshan04/devsecops-github-actions.git
  cd devsecops-github-actions
- Install dependencies:
  npm install
  # or
  yarn install
- Start the development server:
  npm run dev
  # or
  yarn dev
Open your browser and navigate to:
http://localhost:5173
To create a production build:
npm run build
# or
yarn build
The build artifacts will be stored in the dist/ directory.
Execute the test suite:
npm test
# or
yarn test
Build and run the application using Docker:
# Build the Docker image
docker build -t tic-tac-toe-app .
# Run the container
docker run -p 80:80 tic-tac-toe-app
1. Clone the Repository
git clone https://github.com/atkaridarshan04/devsecops-github-actions.git
cd devsecops-github-actions
2. SonarCloud Setup
- Navigate to SonarCloud and create a new project.
- Configure the new code definition: select "Previous version" for projects that follow regular versions or releases.
- Go to Security settings in your SonarCloud account.
- Generate a new token with the permissions your CI/CD pipeline needs.
The project information page shows:
- Quality Gate: Sonar way (default)
- Quality Profiles: CSS and TypeScript using Sonar way
- Project Key: atkaridarshan04-devsecops-github-actions
- Organization Key: atkaridarshan04-devsecops-github-actions
Make sure to update your sonar-project.properties file with the correct project and organization keys.
Important: For CI/CD integration, disable automatic analysis:
- Go to Administration → Analysis Method
- Disable Automatic Analysis
- Select "With GitHub Actions" for CI integration
Note: Let the project run with automatic analysis initially to establish a baseline, then disable it for CI/CD integration to avoid conflicts.
3. GitHub Token & Secrets Setup
- Go to Settings → Developer settings → Personal access tokens → Tokens (classic)
- Generate new token with permissions:
  - contents: write (for updating Kubernetes manifests)
  - packages: write (for pushing to GitHub Container Registry)
  - actions: read (for workflow access)
- Go to your repository Settings → Secrets and variables → Actions
- Add the following secrets:
  SONAR_TOKEN=your_sonarcloud_token_here
  GH_TOKEN=your_github_personal_access_token
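As an added illustration of the Pre-Build Security and Container Build & Security stages listed at the top of this README, and of the token scopes above, here is a minimal GitHub Actions workflow; it is not the project's own workflow (that lives under .github/workflows). The action names are real published actions; the job names, the image tagging scheme, and the use of the built-in GITHUB_TOKEN with a least-privilege permissions block instead of a broad PAT are assumptions made for this example.

```yaml
name: devsecops-pipeline
on:
  push:
    branches: [main]
  workflow_dispatch:
# Least-privilege scopes for the job token; compare the PAT scopes listed in step 3
permissions:
  contents: read
  packages: write
jobs:
  pre-build-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # full history so Gitleaks inspects every commit, not just HEAD
      - name: Secrets scan (Gitleaks)
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Dependency and IaC scan (Trivy FS)
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in production
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          exit-code: "1"            # non-zero exit fails the job, so nothing downstream runs
  container-build-and-scan:
    needs: pre-build-security       # gate: runs only if the security stage passed
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image locally (not pushed yet)
        run: docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
      - name: Image scan (Trivy)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
          severity: HIGH,CRITICAL
          exit-code: "1"
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push only the scanned image
        run: docker push ghcr.io/${{ github.repository }}:${{ github.sha }}
```

The image is pushed only after its own scan passes, so a HIGH or CRITICAL finding never reaches the registry. gitleaks-action requires a GITLEAKS_LICENSE secret for organization-owned repositories; personal repositories need only the token shown.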
Make a change and push it to the main branch, or start the workflow manually.
Monitor execution in GitHub Actions tab and verify all security scans pass.

Head over to SonarCloud to review the analysis results.

You can further configure GitOps deployment using ArgoCD or FluxCD to automate application deployment to your Kubernetes cluster.
This project is licensed under the MIT License - see the LICENSE file for details.
Built with ❤️ for DevSecOps Excellence
⭐ Star this repository if you find it helpful!