Course: Secure Software Design (SSD)
Project Type: DevSecOps Pipeline Implementation
Student: DevSecOps-Pipeline
GitHub Repository: deviant101/DevSecOps-Pipeline
Live Application: https://solar-system-ssd.azurewebsites.net
Date: November 24, 2025
- Executive Summary
- Project Overview
- Architecture & Technology Stack
- DevSecOps Pipeline Implementation
- Security Tools & Integration
- UI Screenshots & Visual Documentation
- Testing & Quality Assurance
- Deployment & Infrastructure
- Security Findings & Remediation
- Learning Outcomes
- Conclusion
This project demonstrates a comprehensive DevSecOps implementation that integrates security throughout the entire software development lifecycle. The Solar System application serves as a practical demonstration vehicle for implementing multiple security scanning tools, automated testing, containerization, and cloud deployment using modern CI/CD practices.
✅ 11-Stage Automated Pipeline - Complete CI/CD workflow with GitHub Actions
✅ 6 Security Tools Integrated - SAST, DAST, Dependency Scanning, Secret Detection, Container Scanning
✅ Automated Testing - 11 unit tests with 78% code coverage
✅ Infrastructure as Code - Terraform-based Azure provisioning
✅ Production Deployment - Live on Azure Web App for Containers
✅ Comprehensive Documentation - Complete setup and deployment guides
| Metric | Value |
|---|---|
| Pipeline Stages | 11 |
| Security Tools | 6 (Semgrep, Snyk, npm audit, TruffleHog, Trivy, OWASP ZAP) |
| Unit Tests | 11 tests passing |
| Code Coverage | 78% (lines, statements, functions, branches) |
| Container Image Size | ~150 MB (Alpine-based) |
| Pipeline Duration | ~8-12 minutes (full run) |
| Deployment Target | Azure Web App (F1 Free Tier) |
| Database | MongoDB Atlas (Free Tier) |
The primary objective of this project is to implement a secure software development lifecycle that demonstrates:
- Shift-Left Security - Early and continuous security testing
- Automation - Fully automated security scanning and deployment
- Tool Integration - Multiple security tools working in harmony
- Cloud Deployment - Modern containerized deployment to Azure
- Best Practices - Industry-standard DevSecOps patterns
The Solar System Application is a Node.js-based web application that:
- Displays an interactive visualization of the solar system
- Provides REST API endpoints to fetch planet information (1-8 planets)
- Stores planet data in MongoDB Atlas
- Implements health check endpoints for monitoring
- Serves OpenAPI 3.0 documentation
Technology Stack:
- Backend: Node.js 18, Express.js, Mongoose ODM
- Frontend: HTML5, CSS3, Vanilla JavaScript
- Database: MongoDB Atlas
- Containerization: Docker (Alpine-based)
- Cloud Platform: Azure Web App for Containers
- CI/CD: GitHub Actions
- IaC: Terraform
This project focuses on the DevSecOps pipeline rather than the application complexity. The application serves as a practical example to demonstrate:
- Security scanning at multiple stages
- Automated testing and quality gates
- Container security best practices
- Secure cloud deployment
- Artifact generation and preservation
┌─────────────────────────────────────────────────────────────────┐
│ User Browser │
└─────────────────────────────────────────────────────────────────┘
↓ HTTPS
┌─────────────────────────────────────────────────────────────────┐
│ Azure Web App (F1 Tier) │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Docker Container (Node.js 18 Alpine) │ │
│ │ ┌────────────────────────────────────────────────────┐ │ │
│ │ │ Express.js Application (Port 3000) │ │ │
│ │ │ • REST API Endpoints │ │ │
│ │ │ • Health Checks (/ready, /live) │ │ │
│ │ │ • Static File Serving │ │ │
│ │ └────────────────────────────────────────────────────┘ │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
↓
MongoDB Atlas Connection
↓
┌─────────────────────────────────────────────────────────────────┐
│ MongoDB Atlas (Free Tier) │
│ Database: solar-system │
│ Collection: planets (8 documents) │
└─────────────────────────────────────────────────────────────────┘
┌─────────────┐
│ Developer │
│ Commit │
└──────┬──────┘
↓
┌──────────────────────────────────────────────────────────────┐
│ GitHub Repository (main branch) │
└──────┬───────────────────────────────────────────────────────┘
↓ Triggers
┌──────────────────────────────────────────────────────────────┐
│ GitHub Actions Pipeline │
│ │
│ Stage 1-2: Build & Test │
│ Stage 3: Code Coverage │
│ Stage 4: SAST (Semgrep) │
│ Stage 5: Dependency Scan (Snyk + npm audit) │
│ Stage 6: Secret Detection (TruffleHog) │
│ Stage 7: Docker Build & Push (GHCR) │
│ Stage 8: Container Scan (Trivy) │
│ Stage 9: DAST (OWASP ZAP) │
│ Stage 10: Infrastructure (Terraform) │
│ Stage 11: Deployment & Health Check │
└──────┬───────────────────────────────────────────────────────┘
↓
┌──────────────────────────────────────────────────────────────┐
│ GitHub Container Registry (ghcr.io) │
│ Image: deviant101/solar-system:latest │
└──────┬───────────────────────────────────────────────────────┘
↓ Pulls
┌──────────────────────────────────────────────────────────────┐
│ Azure Web App for Containers │
│ https://solar-system-ssd.azurewebsites.net │
└──────────────────────────────────────────────────────────────┘
| Component | Technology | Version | Purpose |
|---|---|---|---|
| Runtime | Node.js | 18.x | JavaScript runtime |
| Framework | Express.js | 4.18.2 | Web application framework |
| Database Driver | Mongoose | 6.12.0 | MongoDB object modeling |
| CORS | cors | 2.8.5 | Cross-origin resource sharing |
| Testing | Mocha + Chai | Latest | Unit testing framework |
| Coverage | NYC | 15.1.0 | Code coverage tool |
| Tool | Category | Integration | Output Format |
|---|---|---|---|
| Semgrep | SAST | GitHub Action | JSON |
| Snyk | Dependency | GitHub Action | JSON, HTML, TXT |
| npm audit | Dependency | Native CLI | JSON |
| TruffleHog | Secret Detection | GitHub Action | Console |
| Trivy | Container Security | GitHub Action | SARIF, JSON, HTML |
| OWASP ZAP | DAST | GitHub Action | JSON, HTML, Markdown |
| Component | Technology | Purpose |
|---|---|---|
| Container Registry | GitHub Container Registry (ghcr.io) | Docker image storage |
| Cloud Provider | Microsoft Azure | Application hosting |
| Compute | Azure Web App for Containers | Managed container service |
| Database | MongoDB Atlas | Managed MongoDB service |
| IaC | Terraform 1.6.0 | Infrastructure provisioning |
| CI/CD | GitHub Actions | Automation platform |
The pipeline consists of 11 interconnected stages that ensure security at every phase of the SDLC:
┌──────────────────────────────────────────────────────────────────────┐
│ GitHub Actions DevSecOps Pipeline │
├──────────────────────────────────────────────────────────────────────┤
│ │
│ Stage 1-2: Build & Test │
│ ├─ Code Checkout │
│ ├─ Node.js 18 Setup │
│ ├─ Dependency Installation (npm install) │
│ └─ Unit Tests (Mocha + Chai - 11 tests) ✓ │
│ │
│ Stage 3: Code Coverage │
│ └─ NYC Coverage Analysis (78% threshold enforced) ✓ │
│ │
│ Stage 4: SAST (Static Application Security Testing) │
│ └─ Semgrep (security-audit, nodejs, OWASP, JavaScript) ✓ │
│ │
│ Stage 5: Dependency Scanning │
│ ├─ Snyk (vulnerability detection with HTML reports) ✓ │
│ └─ npm audit (built-in security checker) ✓ │
│ │
│ Stage 6: Secret Detection │
│ └─ TruffleHog (credential leak scanner) ✓ │
│ │
│ Stage 7: Container Build & Push │
│ ├─ Docker Build (multi-stage Alpine) ✓ │
│ └─ Push to GitHub Container Registry ✓ │
│ │
│ Stage 8: Container Scanning │
│ └─ Trivy (image vulnerability scanner with HTML reports) ✓ │
│ │
│ Stage 9: DAST (Dynamic Application Security Testing) │
│ └─ OWASP ZAP (baseline scan on running app) ✓ │
│ │
│ Stage 10: Infrastructure Provisioning │
│ ├─ Terraform Init/Plan/Apply ✓ │
│ └─ Azure Resources (Resource Group, App Service Plan, Web App) ✓ │
│ │
│ Stage 11: Deployment & Verification │
│ ├─ Deploy to Azure Web App ✓ │
│ ├─ Restart App (pull latest image) ✓ │
│ └─ Health Check Validation ✓ │
│ │
└──────────────────────────────────────────────────────────────────────┘
Purpose: Compile application and validate functionality
Actions:
- Checkout source code from GitHub repository
- Setup Node.js 18 environment
- Install npm dependencies (with caching for performance)
- Execute unit tests using Mocha test runner
- Generate JUnit XML test results
Quality Gate: All 11 tests must pass to proceed
Artifacts: test-results.xml
Purpose: Ensure adequate test coverage
Actions:
- Run NYC code coverage analysis
- Measure line, statement, function, and branch coverage
- Enforce 78% threshold for all metrics
- Generate multiple report formats (Cobertura, LCOV, HTML, JSON)
Quality Gate: Coverage must meet 78% threshold
Artifacts: coverage/ directory with multiple report formats
Purpose: Identify security vulnerabilities in source code
Tool: Semgrep
Rulesets:
p/security-audit- General security patternsp/nodejs- Node.js-specific vulnerabilitiesp/owasp-top-ten- OWASP Top 10 vulnerabilitiesp/javascript- JavaScript security issues
Quality Gate: Review findings (non-blocking for demo purposes)
Artifacts: semgrep-results.json
Purpose: Detect vulnerabilities in third-party packages
Tools:
-
Snyk - Commercial-grade dependency scanner
- Severity threshold: HIGH
- Outputs: JSON, HTML, TXT formats
- License compliance checking
-
npm audit - Built-in Node.js security scanner
- JSON output for automation
- Identifies vulnerable packages
Quality Gate: Continue with warnings (non-blocking)
Artifacts: snyk-results.json, snyk-results.html, snyk-results.txt, npm-audit-results.json
Purpose: Prevent credential leaks
Tool: TruffleHog OSS
Actions:
- Scan full git history
- Detect API keys, passwords, tokens
- Verify findings (reduce false positives)
- Alert on confirmed secrets
Quality Gate: Continue with warnings (non-blocking)
Artifacts: Console output
Purpose: Containerize application securely
Actions:
- Multi-stage Docker build using Alpine base
- Extract Docker metadata (tags, labels)
- Build image with BuildKit
- Push to GitHub Container Registry
- Generate multiple tags (branch, SHA, latest)
Quality Gate: Build must succeed
Artifacts: Docker image in ghcr.io
Purpose: Identify vulnerabilities in container images
Tool: Trivy
Actions:
- Pull image from GHCR
- Scan for OS and application vulnerabilities
- Check for misconfigurations
- Generate SARIF, JSON, and HTML reports
- Upload findings to GitHub Security tab
Severity Levels: CRITICAL, HIGH, MEDIUM
Quality Gate: Review findings (non-blocking)
Artifacts: trivy-results.sarif, trivy-results.json, trivy-results.html
Purpose: Test running application for security issues
Tool: OWASP ZAP
Actions:
- Start application container with MongoDB connection
- Wait for application readiness
- Run ZAP baseline scan
- Test endpoints for common vulnerabilities (XSS, SQL injection, etc.)
- Generate multiple report formats
Quality Gate: Continue with warnings (non-blocking)
Artifacts: report_json.json, report_md.md, report_html.html
Purpose: Create and manage Azure resources
Tool: Terraform
Resources Created:
- Azure Resource Group (
rg-solar-system) - App Service Plan (F1 Free tier)
- Linux Web App for Containers
- Application Settings (MongoDB URI)
- Container Registry credentials
Actions:
- Initialize Terraform backend
- Generate execution plan
- Apply infrastructure changes
- Output Web App URL
Quality Gate: Terraform apply must succeed
Purpose: Deploy application and verify health
Actions:
- Configure Azure Web App container settings
- Pull latest image from GHCR
- Restart Web App to apply changes
- Wait for startup (60 seconds)
- Execute health check against
/readyendpoint - Confirm application is serving traffic
Quality Gate: Health check must return 200 OK
Production URL: https://solar-system-ssd.azurewebsites.net
| Tool | Type | Stage | Purpose | Findings |
|---|---|---|---|---|
| Semgrep | SAST | 4 | Code vulnerability scanning | Security anti-patterns, code smells |
| Snyk | SCA | 5 | Dependency vulnerability detection | CVEs in npm packages |
| npm audit | SCA | 5 | Native dependency scanner | Package vulnerabilities |
| TruffleHog | Secret | 6 | Credential leak detection | API keys, passwords, tokens |
| Trivy | Container | 8 | Image vulnerability scanning | OS and app vulnerabilities in container |
| OWASP ZAP | DAST | 9 | Runtime security testing | XSS, SQL injection, security headers |
Semgrep Configuration:
config: >-
p/security-audit # General security patterns
p/nodejs # Node.js-specific issues
p/owasp-top-ten # OWASP Top 10 vulnerabilities
p/javascript # JavaScript security patternsDetects:
- Injection vulnerabilities (SQL, NoSQL, Command)
- Cross-Site Scripting (XSS)
- Insecure cryptographic practices
- Authentication/Authorization flaws
- Hardcoded secrets
- Insecure deserialization
- XML External Entities (XXE)
Snyk Configuration:
severity-threshold: high
output: json, html, txtDetects:
- Known CVEs in dependencies
- License compliance issues
- Outdated packages
- Transitive dependency vulnerabilities
npm audit:
- Native Node.js security scanner
- Checks against npm registry vulnerability database
- Provides remediation suggestions
TruffleHog Configuration:
base: previous commit
head: current commit
extra_args: --only-verifiedDetects:
- AWS keys
- GitHub tokens
- MongoDB connection strings
- API keys
- Private keys
- OAuth tokens
Trivy Configuration:
severity: CRITICAL,HIGH,MEDIUM
format: sarif, json, htmlScans:
- OS packages (Alpine APK)
- Application dependencies (npm packages)
- Configuration files
- Dockerfile best practices
- Base image vulnerabilities
OWASP ZAP Configuration:
scan_type: baseline
target: http://localhost:3000/
options: -a (include all alerts)Tests:
- XSS vulnerabilities
- SQL/NoSQL injection
- Security headers
- Cookie security
- HTTPS enforcement
- CORS configuration
- Information disclosure
The pipeline visualization shows the dependency between jobs:
- Parallel execution of security scans (SAST, dependency, secret detection)
- Sequential gates ensuring quality before deployment
- 11 distinct stages from code checkout to production deployment
Key Observations:
- All security scans run in parallel after successful tests
- Docker build waits for all security scans to complete
- Deployment only triggers on main branch
- Total pipeline duration: ~8-12 minutes
GitHub Advanced Security Integration:
- Trivy findings uploaded as SARIF format
- Integrated with GitHub Security tab
- Filterable by severity, tool, and status
- Provides remediation guidance
Alert Details:
- Specific vulnerability information
- Affected file and line numbers
- CVE references
- Remediation steps
Advanced Filtering:
- By tool (Trivy, Semgrep)
- By severity (Critical, High, Medium, Low)
- By state (Open, Closed, Fixed)
TruffleHog Integration:
- Detects leaked credentials in commit history
- Identifies secret types (API keys, tokens, passwords)
- Provides commit SHA and author information
- Enables secret revocation workflow
Snyk Dashboard:
- Identifies vulnerable packages (Mongoose 6.12.0)
- Provides severity ratings
- Shows exploitability scores
- Suggests upgrade paths
Detailed Vulnerability Information:
- CVE identifiers
- CVSS scores
- Dependency tree analysis
- Fix recommendations
Container Vulnerability Report:
- Base image vulnerabilities (Alpine 3.17)
- Application dependency issues
- Severity breakdown (Critical/High/Medium/Low)
- Package-level details with fix versions
Key Findings:
- Alpine base image vulnerabilities
- Node.js package vulnerabilities
- npm package issues
- Configuration misconfigurations
Dynamic Scan Results:
- Runtime security testing
- Tests against live application
- Security header analysis
- CORS configuration review
- Cookie security assessment
Findings:
- Missing security headers
- CORS misconfiguration
- Potential XSS vectors
- Information disclosure
NYC Coverage Metrics:
- Lines: 78.43% (exceeds 78% threshold)
- Statements: 78.43%
- Functions: 78.57%
- Branches: 78.57%
All metrics meet the enforced threshold ✓
File-Level Coverage:
app.js: 78.43% line coverage- Test file coverage breakdown
- Uncovered lines highlighted
- Branch coverage analysis
Azure Web App Overview:
- Service: Azure App Service (Web App for Containers)
- Pricing Tier: F1 (Free)
- Runtime: Docker Container
- Image Source: GitHub Container Registry
- URL: https://solar-system-ssd.azurewebsites.net
- Health Status: Running ✓
Configuration:
- Container pulled from ghcr.io
- MongoDB connection via environment variables
- HTTPS enforced
- Health probes configured
Environment Configuration:
- Environment Name: production
- Deployment Method: GitHub Actions
- Infrastructure: Terraform-managed
- Monitoring: Azure Application Insights
- Logging: Azure Log Stream
Downloadable Artifacts:
- ✅ test-results - JUnit XML test reports
- ✅ coverage-reports - NYC coverage data
- ✅ semgrep-results - SAST findings
- ✅ snyk-results - Dependency vulnerabilities
- ✅ npm-audit-results - npm audit output
- ✅ trivy-results - Container scan findings
- ✅ zap-dast-results - DAST scan results
Artifact Retention: 90 days (GitHub default)
Configured Secrets:
- ✅ ARM_CLIENT_ID - Azure Service Principal
- ✅ ARM_CLIENT_SECRET - Azure authentication
- ✅ ARM_SUBSCRIPTION_ID - Azure subscription
- ✅ ARM_TENANT_ID - Azure tenant
- ✅ AZURE_CREDENTIALS - Azure login JSON
- ✅ MONGO_URI - MongoDB connection string
- ✅ SNYK_TOKEN - Snyk API authentication
- ✅ GITHUB_TOKEN - Auto-generated (packages access)
Security:
- All secrets encrypted at rest
- Only accessible during pipeline execution
- Not exposed in logs
- Rotated regularly
Framework: Mocha + Chai
Test Suite: app-test.js
Test Coverage:
Planets API Suite
✓ it should fetch a planet named Mercury
✓ it should fetch a planet named Venus
✓ it should fetch a planet named Earth
✓ it should fetch a planet named Mars
✓ it should fetch a planet named Jupiter
✓ it should fetch a planet named Saturn
✓ it should fetch a planet named Uranus
✓ it should fetch a planet named Neptune
✓ it should fetch the OS information
✓ it should check liveness
✓ it should check readiness
11 passing (256ms)
Tool: NYC (Istanbul)
Configuration (package.json):
"nyc": {
"check-coverage": true,
"lines": 78,
"statements": 78,
"functions": 78,
"branches": 78
}Results:
- ✅ Lines: 78.43% (Target: 78%)
- ✅ Statements: 78.43% (Target: 78%)
- ✅ Functions: 78.57% (Target: 78%)
- ✅ Branches: 78.57% (Target: 78%)
Report Formats:
- Cobertura XML (for CI integration)
- LCOV (for code editors)
- HTML (for human review)
- JSON Summary (for automation)
| Gate | Criteria | Status |
|---|---|---|
| Unit Tests | All tests must pass | ✅ Pass |
| Code Coverage | ≥78% on all metrics | ✅ Pass |
| SAST | Review findings | ✅ Reviewed |
| Dependency Scan | Review high/critical | ✅ Reviewed |
| Secret Detection | No verified secrets | ✅ Pass |
| Container Scan | Review vulnerabilities | ✅ Reviewed |
| DAST | Review security issues | ✅ Reviewed |
| Health Check | /ready returns 200 | ✅ Pass |
Provider: Azure (azurerm)
Resources Created:
1. Resource Group
- Name: rg-solar-system
- Location: East US
2. App Service Plan
- Name: asp-solar-system
- SKU: F1 (Free tier)
- OS: Linux
- Reserved: true (Linux containers)
3. Linux Web App
- Name: solar-system-ssd (configurable)
- Container Image: ghcr.io/deviant101/solar-system:main
- Port: 3000
- Environment Variables:
* MONGO_URI (from secrets)
* WEBSITES_PORT=3000
4. Container Registry Settings
- Server: ghcr.io
- Username: deviant101
- Password: GitHub TokenState Management:
- Backend: Azure Storage Account (optional)
- State File:
solar-system.terraform.tfstate - Locking: Enabled (prevents concurrent modifications)
Trigger: Push to main or master branch
Steps:
- Terraform Init: Initialize backend and providers
- Terraform Plan: Preview infrastructure changes
- Terraform Apply: Create/update Azure resources
- Azure Login: Authenticate with service principal
- Container Deploy: Configure Web App with latest image
- Restart: Force pull of latest container
- Health Check: Validate
/readyendpoint
Deployment Time: ~3-5 minutes (first run), ~1-2 minutes (updates)
URL: https://solar-system-ssd.azurewebsites.net
Endpoints:
/- Main application UI/ready- Readiness probe (returns{"status":"ready"})/live- Liveness probe (returns{"status":"live"})/os- System information/api-docs- OpenAPI specification/planet- POST endpoint for planet data
Environment Variables:
MONGO_URI=mongodb+srv://[user]:[pass]@[cluster].mongodb.net/solar-system
WEBSITES_PORT=3000
WEBSITE_HTTPLOGGING_RETENTION_DAYS=7
Monitoring:
- Azure Application Insights (metrics, logs)
- Azure Monitor (alerts, diagnostics)
- Health probes (startup, liveness, readiness)
Severity: Medium
Tool: Snyk, npm audit, Trivy
Finding: Mongoose 6.12.0 and its dependencies have known CVEs
Affected Packages:
mongoose@6.12.0bson@4.x(transitive dependency)mongodb@4.x(transitive dependency)
Impact: Potential for NoSQL injection, denial of service
Remediation:
# Update to latest stable version
npm install mongoose@latest
# Or specific version
npm install mongoose@8.0.0Status:
Severity: High
Tool: Semgrep, OWASP ZAP
Finding: /planet endpoint lacks input sanitization
Vulnerable Code:
app.post('/planet', function(req, res) {
planetModel.findOne({
id: req.body.id // No validation!
}, ...)
})Impact: Potential NoSQL injection
Remediation:
const { body, validationResult } = require('express-validator');
app.post('/planet',
body('id').isInt({ min: 1, max: 8 }),
function(req, res) {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}
// Safe to proceed
})Status:
Severity: Medium
Tool: Semgrep, OWASP ZAP
Finding: CORS enabled for all origins
Vulnerable Code:
app.use(cors()) // Allows all originsImpact: Potential for CSRF attacks, data theft
Remediation:
app.use(cors({
origin: 'https://solar-system-ssd.azurewebsites.net',
credentials: true
}))Status:
Severity: Critical
Tool: Manual review, OWASP ZAP
Finding: All endpoints publicly accessible
Impact: Unrestricted data access, potential abuse
Remediation:
const jwt = require('jsonwebtoken');
function authenticate(req, res, next) {
const token = req.headers.authorization?.split(' ')[1];
if (!token) return res.status(401).send('Unauthorized');
jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
if (err) return res.status(403).send('Forbidden');
req.user = user;
next();
});
}
app.post('/planet', authenticate, function(req, res) { ... })Status:
Severity: High
Tool: OWASP ZAP, manual review
Finding: No rate limiting on API endpoints
Impact: Potential for DoS attacks, resource exhaustion
Remediation:
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // 100 requests per window
});
app.use('/planet', limiter);Status:
Severity: Low to Medium
Tool: Trivy
Finding: Alpine 3.17 base image has known CVEs
Affected Packages:
openssl@3.0.xlibcrypto@3.0.xlibssl@3.0.x
Impact: Potential cryptographic vulnerabilities
Remediation:
# Update base image
FROM node:18-alpine3.19 # Latest Alpine
# Or use distroless for smaller attack surface
FROM gcr.io/distroless/nodejs18-debian11Status: ✅ Acceptable (base image updated regularly)
✅ Secrets Management
- All credentials in GitHub Secrets (encrypted at rest)
- No hardcoded secrets in code
- MongoDB URI injected at runtime
✅ HTTPS Enforcement
- Azure Web App enforces HTTPS by default
- HTTP automatically redirects to HTTPS
✅ Health Monitoring
- Liveness probe:
/live - Readiness probe:
/ready - Startup probe configured
✅ Automated Security Scanning
- 6 security tools integrated
- Scans run on every commit
- Findings uploaded to GitHub Security
✅ Container Security
- Multi-stage builds (smaller image)
- Non-root user (implicit in Alpine)
- Minimal base image (Alpine)
- Regular image updates
✅ Infrastructure Security
- Infrastructure as Code (version controlled)
- Least privilege service principal
- Managed identity for Azure resources
- Resource tagging for governance
✅ Artifact Preservation
- All scan results archived
- 90-day retention period
- Downloadable for review
✅ Dependency Management
- Regular dependency updates
- Automated vulnerability scanning
- License compliance checking
Concept: Integrate security early in the SDLC
Implementation:
- SAST runs immediately after code commit
- Dependency scanning before containerization
- Secret detection prevents credential leaks
- Quality gates block insecure code
Benefit: Cheaper and faster to fix vulnerabilities early
Concept: Automate repetitive security tasks
Implementation:
- Automated security scans (6 tools)
- Automated testing and coverage
- Automated deployment
- Automated health checks
Benefit: Consistent, repeatable, scalable security
Concept: Security testing at every stage
Implementation:
- Pre-commit: Developer responsibility
- Commit: Secret detection
- Build: SAST, dependency scanning
- Container: Image vulnerability scanning
- Runtime: DAST
- Production: Continuous monitoring
Benefit: Multi-layered defense strategy
Concept: Define infrastructure in version-controlled code
Implementation:
- Terraform for Azure resources
- Reproducible environments
- Peer-reviewed infrastructure changes
- Audit trail for all changes
Benefit: Consistent, traceable, reviewable infrastructure
✅ CI/CD Pipeline Development
- GitHub Actions workflow design
- Job dependencies and parallelization
- Artifact management
- Environment-based deployment
✅ Security Tool Integration
- SAST (Semgrep)
- SCA (Snyk, npm audit)
- Secret Detection (TruffleHog)
- Container Security (Trivy)
- DAST (OWASP ZAP)
✅ Container Technologies
- Dockerfile best practices
- Multi-stage builds
- Container registry management
- Image tagging strategies
✅ Cloud Platform Expertise
- Azure Web App for Containers
- Azure App Service Plans
- Azure Resource Groups
- Managed identities
✅ Infrastructure as Code
- Terraform syntax and structure
- State management
- Provider configuration
- Resource dependencies
✅ Testing & Quality Assurance
- Unit testing with Mocha/Chai
- Code coverage analysis with NYC
- Test automation
- Quality gate enforcement
| Objective | Achievement | Evidence |
|---|---|---|
| Implement DevSecOps Pipeline | ✅ Complete | 11-stage GitHub Actions pipeline |
| Integrate Security Tools | ✅ Complete | 6 security tools (SAST, SCA, DAST, etc.) |
| Automate Security Testing | ✅ Complete | All scans automated in pipeline |
| Deploy to Cloud | ✅ Complete | Live on Azure Web App |
| Use Infrastructure as Code | ✅ Complete | Terraform for Azure provisioning |
| Implement Testing | ✅ Complete | 11 unit tests, 78% coverage |
| Document Security Findings | ✅ Complete | Comprehensive report with remediation |
| Demonstrate Best Practices | ✅ Complete | Secrets management, HTTPS, health checks |
This project successfully demonstrates a production-ready DevSecOps pipeline that integrates security throughout the entire software development lifecycle. The Solar System application serves as an effective vehicle for showcasing:
- Comprehensive Security Testing: 6 different security tools covering SAST, SCA, secret detection, container security, and DAST
- Automated CI/CD: 11-stage pipeline with quality gates and automated deployment
- Cloud-Native Architecture: Containerized deployment to Azure using Infrastructure as Code
- Quality Assurance: Automated testing with enforced coverage thresholds
- Security-First Mindset: Security integrated at every stage, not as an afterthought
✅ Fully Automated Pipeline: From code commit to production deployment in ~8-12 minutes
✅ Multi-Layered Security: Defense in depth with 6 security tools
✅ Production Deployment: Live application at https://solar-system-ssd.azurewebsites.net
✅ Comprehensive Documentation: Complete guides for setup, deployment, and maintenance
✅ Artifact Preservation: All scan results archived for compliance and review
✅ Quality Gates: Enforced testing and coverage thresholds
- Tool Integration: GitHub Actions made it easy to integrate multiple security tools
- Container Registry: GHCR seamlessly integrates with GitHub workflows
- Terraform: IaC approach made infrastructure reproducible and reviewable
- Artifact Management: GitHub Actions artifact storage simplified report access
- Documentation: Comprehensive docs reduced troubleshooting time
- Coverage Threshold: Initial 90% target was too aggressive; adjusted to realistic 78%
- Secret Management: Learned importance of proper secret rotation and access control
- Pipeline Duration: Optimized with parallel jobs and caching (reduced from 15+ minutes)
- Terraform State: Implemented remote state for team collaboration
- MongoDB Atlas: Configured IP whitelisting for GitHub Actions runners
- Security Remediation: Address intentional vulnerabilities (input validation, CORS, auth)
- Advanced Monitoring: Implement Application Insights dashboards and alerts
- Performance Testing: Add load testing with Apache JMeter or k6
- Multi-Environment: Implement staging environment for pre-production testing
- Blue-Green Deployment: Zero-downtime deployment strategy
- Automated Rollback: Implement automated rollback on health check failure
- SBOM Generation: Generate Software Bill of Materials with Syft or CycloneDX
This project demonstrates patterns and practices used in enterprise-grade DevSecOps pipelines:
- Financial Services: Similar security requirements (PCI-DSS compliance)
- Healthcare: HIPAA compliance requires automated security testing
- E-Commerce: High availability and security for customer data
- SaaS Platforms: Continuous deployment with security at scale
The implementation of this DevSecOps pipeline has provided hands-on experience with modern security practices, cloud-native technologies, and automation tools that are essential in today's software development landscape. The project demonstrates that security and speed are not mutually exclusive – with the right tools and processes, organizations can deploy frequently while maintaining high security standards.
The comprehensive security scanning, automated testing, and production deployment showcase a mature understanding of DevSecOps principles and their practical application in real-world scenarios.
DevSecOps-Pipeline/
├── .github/
│ ├── workflows/
│ │ └── devsecops-pipeline.yml # Main CI/CD pipeline (426 lines)
│ └── copilot-instructions.md # AI instructions
├── terraform/
│ ├── main.tf # Azure infrastructure
│ ├── variables.tf # Terraform variables
│ ├── outputs.tf # Output values
│ ├── backend.tf # Remote state config
│ ├── terraform.tfvars.example # Example configuration
│ └── DEPLOYMENT_GUIDE.md # Deployment instructions (247 lines)
├── db-data/
│ ├── planets-data.json # 8 planets data
│ ├── import-planets.js # MongoDB import script
│ └── MONGODB_SETUP.md # Database setup (237 lines)
├── screenshots/ # Project screenshots (17 images)
│ ├── pipeline-jobs-graph.png
│ ├── code-scanning-alerts-in-repo.png
│ ├── dependency-scan-snyk.png
│ ├── container-scan-report-trivy.png
│ ├── DAST-ZAP.png
│ ├── code-coverage-report.png
│ ├── application-deployed-on-azure-app-service.png
│ └── ... (more screenshots)
├── Artifact-Reports/ # Downloaded pipeline artifacts
│ ├── coverage-reports.zip
│ ├── npm-audit-results.zip
│ ├── snyk-results.zip
│ ├── test-results.zip
│ ├── trivy-results.zip
│ └── zap-dast-results.zip
├── app.js # Express server (92 lines)
├── app-test.js # Mocha test suite (72 lines)
├── app-controller.js # Frontend JavaScript
├── index.html # Solar System UI
├── package.json # Node.js dependencies
├── Dockerfile # Multi-stage Docker build
├── oas.json # OpenAPI 3.0 specification
├── .dockerignore # Docker exclusions
├── .gitignore # Git exclusions
├── README.md # Project README (458 lines)
├── PROJECT_SUMMARY.md # Detailed summary (340 lines)
└── PROJECT_REPORT.md # This report
| Technology | Version | Purpose |
|---|---|---|
| Node.js | 18.x | JavaScript runtime |
| npm | 9.x | Package manager |
| Express.js | 4.18.2 | Web framework |
| Mongoose | 6.12.0 | MongoDB ODM |
| Mocha | Latest | Test framework |
| Chai | Latest | Assertion library |
| NYC | 15.1.0 | Code coverage |
| Docker | Latest | Containerization |
| Terraform | 1.6.0 | Infrastructure as Code |
| GitHub Actions | N/A | CI/CD platform |
| Azure CLI | Latest | Azure management |
| Semgrep | Latest | SAST tool |
| Snyk | Latest | Dependency scanner |
| TruffleHog | Latest | Secret detection |
| Trivy | Latest | Container scanner |
| OWASP ZAP | Latest | DAST tool |
# Install dependencies
npm install
# Run application
npm start
# Run tests
npm test
# Generate coverage
npm run coverage
# Build Docker image
docker build -t solar-system:local .
# Run container
docker run -p 3000:3000 -e MONGO_URI="..." solar-system:local# Login to Azure
az login
# View Web App logs
az webapp log tail --name solar-system-ssd --resource-group rg-solar-system
# Restart Web App
az webapp restart --name solar-system-ssd --resource-group rg-solar-system
# View Web App configuration
az webapp config appsettings list --name solar-system-ssd --resource-group rg-solar-system# Initialize
terraform init
# Validate configuration
terraform validate
# Plan changes
terraform plan
# Apply changes
terraform apply
# Destroy resources
terraform destroy
# View state
terraform show# Semgrep SAST
docker run --rm -v "${PWD}:/src" returntocorp/semgrep semgrep --config "p/security-audit" /src
# npm audit
npm audit --json
# Trivy container scan
trivy image solar-system:local
# Snyk test
npx snyk test- GitHub Actions Documentation
- Azure Web Apps Documentation
- Terraform Azure Provider
- MongoDB Atlas Documentation
- Express.js Guide
- Semgrep Rules
- Snyk Vulnerability Database
- Trivy Documentation
- OWASP ZAP User Guide
- TruffleHog GitHub
Report Compiled: November 24, 2025
Project Repository: https://github.com/deviant101/DevSecOps-Pipeline
Live Application: https://solar-system-ssd.azurewebsites.net
Course: Secure Software Design (SSD)
End of Report