swanand18/devsecops-pipeline
DevSecOps CI/CD Pipeline with Automated Security Gates

CI/CD Security Terraform Kubernetes License: MIT

Portfolio Project by Swanand Awatade
Cloud & DevOps Engineer | DevSecOps | CI/CD | Kubernetes | AWS


Overview

This project demonstrates a production-style DevSecOps CI/CD pipeline with automated security gates integrated at every stage of the delivery lifecycle.

The pipeline enforces a security-first approach by embedding scanning, validation, and policy checks directly into CI/CD workflows.

πŸ” What this project showcases

  • Secure CI/CD pipelines using GitHub Actions
  • Shift-left security with automated scanning
  • Infrastructure validation using Terraform + Checkov
  • Container image scanning using Trivy
  • Kubernetes-ready deployment workflows
  • Policy-driven pipeline enforcement

✨ Key Features

  • DevSecOps-first pipeline design
  • GitHub Actions-based CI/CD workflows
  • Automated security scanning (IaC + containers)
  • Pipeline failure on HIGH/CRITICAL vulnerabilities
  • Infrastructure validation before deployment
  • Kubernetes-ready deployment structure
  • Repeatable and modular pipeline architecture


πŸ—οΈ Pipeline Architecture

This pipeline follows a DevSecOps lifecycle model, where security is integrated into every stage:

  1. Code is pushed to GitHub
  2. CI pipeline is triggered
  3. Terraform is validated and scanned
  4. Security checks are enforced
  5. Container images are scanned
  6. Deployment proceeds only if all checks pass

The intent is that code or infrastructure the scanners flag as HIGH or CRITICAL never reaches production; findings below that threshold are reported but do not block.


πŸ–ΌοΈ Architecture Diagram

πŸ“Œ Add your pipeline diagram here:

docs/images/pipeline.png

![Pipeline Diagram](docs/images/pipeline.png)

After uploading the image, it will render here:

Pipeline Diagram


πŸ› οΈ Tech Stack

| Category           | Tools          |
|--------------------|----------------|
| CI/CD              | GitHub Actions |
| IaC                | Terraform      |
| Container Security | Trivy          |
| IaC Security       | Checkov        |
| Orchestration      | Kubernetes     |
| Cloud              | AWS            |
| Scripting          | Bash, YAML     |

πŸ“ Project Structure

devsecops-pipeline/
├── .github/
│   └── workflows/
│       ├── terraform-plan.yml       # Terraform validation + Checkov scan
│       ├── terraform-apply.yml      # Apply infrastructure changes
│       └── trivy-scan.yml           # Container vulnerability scanning
├── terraform/
│   ├── main.tf
│   ├── variables.tf
│   └── outputs.tf
├── k8s/
│   └── manifests/
├── scripts/
├── docs/
│   └── pipeline-diagram.md
└── README.md

βš™οΈ Pipeline Stages

1. Code Commit / Pull Request

  • Developer pushes code or raises PR
  • CI pipeline is triggered automatically

2. Terraform Validation

terraform init
terraform validate
terraform plan

Ensures:

  • syntax correctness (validate)
  • a consistent provider/module configuration (init + validate)
  • an execution plan that reviewers and the Checkov stage can inspect before anything is applied (plan)

3. IaC Security Scanning (Checkov)

  • Scans Terraform code for misconfigurations
  • Detects:
    • open security groups
    • unencrypted resources
    • insecure IAM policies

4. Container Security Scanning (Trivy)

  • Scans container images for:
    • known vulnerabilities (CVEs) in OS packages and application dependencies
    • packages with a fixed version available (the report shows installed vs. fixed version)
    • image and Dockerfile misconfigurations

5. Security Gate Enforcement

🚫 Pipeline fails if:

  • CRITICAL vulnerabilities are found
  • HIGH severity issues are present

✅ Only secure builds proceed further


6. Deployment Stage

  • Deployment is triggered only after all checks pass
  • Supports Kubernetes-based workloads
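The gate in stage 5 is a policy decision over the scanner's output, not only a flag on the scanner. The script below is an added example (not part of this repository) of that policy applied to a Trivy JSON report: it blocks on HIGH/CRITICAL, optionally defers findings that have no fixed version yet, and honours per-CVE waivers that expire, so accepted risk is re-examined instead of persisting silently. It assumes the report was produced with `trivy image --format json -o report.json IMAGE` and reads only Trivy's documented fields (`Results[].Target`, `Results[].Vulnerabilities[].VulnerabilityID/PkgName/FixedVersion/Severity`); the embedded report and its CVE IDs are constructed placeholders.

```python
"""Severity gate over a Trivy JSON report (added example, not the repo's code).

Assumes the report came from `trivy image --format json -o report.json IMAGE`
and reads only documented Trivy fields:
Results[].Target and Results[].Vulnerabilities[].{VulnerabilityID, PkgName,
FixedVersion, Severity}. The report below is constructed, with placeholder IDs.
"""
import json
import sys
from datetime import date

BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed sample report: one fixable CRITICAL, one HIGH with no fix, one MEDIUM.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "app:1.0 (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",
                 "InstalledVersion": "1.2", "FixedVersion": "1.3", "Severity": "MEDIUM"},
            ],
        },
        {"Target": "app/config.yaml"},  # Trivy omits "Vulnerabilities" for clean targets
    ]
})


def load_findings(report_text):
    """Flatten Results[].Vulnerabilities[] into one dict per finding."""
    findings = []
    for result in json.loads(report_text).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln.get("PkgName", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "fixed": bool(vuln.get("FixedVersion")),
                "target": result.get("Target", ""),
            })
    return findings


def evaluate(findings, *, blocking=BLOCKING_SEVERITIES, ignore_unfixed=False,
             waivers=None, today=None):
    """Apply the gate policy; returns (passed, blocked_findings, notes).

    waivers maps a vulnerability ID to an ISO expiry date. An expired waiver
    is ignored, so accepted risk is re-examined instead of silently persisting.
    today is an ISO date string (defaults to the current date).
    """
    today = date.fromisoformat(today) if today else date.today()
    waivers = waivers or {}
    blocked, notes = [], []
    for f in findings:
        if f["severity"] not in blocking:
            continue
        if ignore_unfixed and not f["fixed"]:
            notes.append(f"{f['id']}: no fix available, not blocking (re-checked each run)")
            continue
        expiry = waivers.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today:
            notes.append(f"{f['id']}: waived until {expiry}")
            continue
        if expiry is not None:
            notes.append(f"{f['id']}: waiver expired on {expiry}, blocking again")
        blocked.append(f)
    return not blocked, blocked, notes


def main(argv):
    """CLI: gate.py [--ignore-unfixed] [report.json]; no path gates the sample."""
    paths = [a for a in argv[1:] if not a.startswith("--")]
    report = open(paths[0]).read() if paths else SAMPLE_REPORT
    passed, blocked, notes = evaluate(load_findings(report),
                                      ignore_unfixed="--ignore-unfixed" in argv)
    for note in notes:
        print("note:", note)
    for f in blocked:
        print(f"BLOCK {f['severity']:<8} {f['id']} {f['pkg']} ({f['target']})")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1  # non-zero exit fails the CI step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a `run:` step after Trivy has written `report.json`; the non-zero exit code is what makes GitHub Actions mark the job failed. Keeping the waiver list in the repository (with expiry dates) makes every accepted risk reviewable in the same PR flow as the code.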

Security Gates

Security is enforced at multiple layers:

| Stage          | Tool           | Purpose                              |
|----------------|----------------|--------------------------------------|
| IaC Scan       | Checkov        | Detect insecure Terraform configs    |
| Image Scan     | Trivy          | Detect vulnerabilities in containers |
| Pipeline Rules | GitHub Actions | Block insecure deployments           |

πŸ” CI/CD Workflows

Located in:

.github/workflows/

Example Workflow: Terraform + Security Scan (actions pinned to released tags, inputs set so findings fail the job; the IMAGE variable is a placeholder for the image built earlier in the workflow)

- name: Terraform Validate
  run: terraform init -backend=false && terraform validate   # validate needs init; no backend creds in CI

- name: Checkov Scan
  uses: bridgecrewio/checkov-action@v12   # pin to a tag (or commit SHA), never @master
  with:
    directory: terraform/
    soft_fail: false                      # any finding fails the step

- name: Trivy Scan
  uses: aquasecurity/trivy-action@0.28.0  # pin likewise
  with:
    image-ref: ${{ env.IMAGE }}           # placeholder: the image built in an earlier step
    severity: HIGH,CRITICAL
    exit-code: "1"                        # non-zero exit is what blocks the build

How to Run

1. Clone the repository

git clone https://github.com/swanand18/devsecops-pipeline.git
cd devsecops-pipeline

2. Trigger pipeline

  • Push code OR
  • Create a Pull Request

GitHub Actions will automatically run the pipeline.


3. View pipeline results

Go to:

GitHub → Actions tab

Review:

  • pipeline stages
  • security scan results
  • logs

Future Improvements

  • Integrate SAST tools (SonarQube / CodeQL)
  • Add DAST scanning
  • Implement OPA / policy-as-code
  • Integrate Secrets scanning
  • Add SBOM generation
  • Implement container signing (Cosign)
  • Add deployment to live Kubernetes cluster

🎯 What This Project Demonstrates

This project reflects:

  • Real-world DevSecOps pipeline design
  • Security-first software delivery practices
  • CI/CD automation using GitHub Actions
  • Integration of security into development lifecycle
  • Production-style pipeline enforcement patterns

πŸ‘¨β€πŸ’» Author

Swanand Awatade
Cloud & DevOps Engineer
πŸ“ Pune, India
πŸ“§ swanand.awatade@gmail.com
πŸ”— LinkedIn | GitHub


License

This project is licensed under the MIT License.
See the LICENSE file for details.
