DevSecOps
Pipeline Platform
A production-grade demonstration of modern DevSecOps practices featuring CI/CD security, Infrastructure as Code, container security, and Policy-as-Code implementation with enterprise security standards.
Backend Connectivity
Live demonstration of secure frontend-backend communication
Static Documentation Site
This is a static frontend for documentation purposes
Deploy the Full Application
To experience the full DevSecOps pipeline with live backend connectivity:
- Clone the repository from GitHub
- Configure AWS credentials and GitHub secrets
- Run the Terraform deployment
- Push changes to trigger the CI/CD pipeline
Architecture Overview
A multi-tier architecture designed for security, scalability, and operational excellence following AWS Well-Architected Framework principles.
User Layer
Load Balancing
Compute Layer
Network Layer
Network Isolation
Backend services run in private subnets, accessible only from the frontend security group.
Least Privilege IAM
Task roles follow strict least privilege principles, granting only necessary AWS permissions.
Encrypted Communications
All traffic encrypted in transit via TLS. Images scanned and pulled securely from GHCR.
Serverless Security
AWS Fargate manages underlying infrastructure security, reducing the attack surface.
Powered By AWS Services
CI/CD Pipeline
A comprehensive security-first pipeline with 14 stages, each implemented as an independent GitHub Actions job for maximum visibility and control.
Pipeline Stages
Click on any stage to view detailed information about its purpose and how to test it.
Pipeline Philosophy
Fail Fast
Security checks run early to catch issues before expensive build stages.
Defense in Depth
Multiple security layers ensure no single point of failure in the pipeline.
Full Visibility
Each security check is a separate job for clear audit trails and debugging.
Security Controls
Defense-in-depth security implementation with automated enforcement at every stage of the delivery pipeline.
Code Security
| Control | Tool | Enforcement | Status |
|---|---|---|---|
| Secret Detection | Gitleaks | Pre-merge | Automated |
| Static Code Analysis | ESLint | Build stage | Automated |
Container Security
| Control | Tool | Enforcement | Status |
|---|---|---|---|
| Image Vulnerability Scan | Trivy | Post-build | Automated |
| Non-root Container User | Dockerfile | Build-time | Enforced |
| Minimal Base Images | Alpine Linux | Build-time | Enforced |
Infrastructure Security
| Control | Tool | Enforcement | Status |
|---|---|---|---|
| IaC Security Scan | Checkov | Pre-plan | Automated |
| Policy-as-Code | OPA/Conftest | Pre-apply | Automated |
| Drift Detection | Terraform | Post-deploy | Automated |
Access Control
| Control | Tool | Enforcement | Status |
|---|---|---|---|
| Manual Approval Gate | GitHub Environments | Pre-production | Required |
| Least Privilege IAM | Terraform/AWS | Design-time | Enforced |
| Network Segmentation | AWS VPC | Infrastructure | Enforced |
Compliance Framework Alignment
The security controls implemented in this pipeline align with industry-standard compliance frameworks.
SOC 2
NIST CSF
CIS Benchmarks
Infrastructure as Code
All infrastructure is defined using Terraform, enabling version control, code review, and automated security scanning of infrastructure changes.
providers.tf
AWS provider and Terraform backend configuration
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
backend "s3" {
bucket = "devsecops-terraform-state"
key = "production/terraform.tfstate"
region = "us-west-2"
encrypt = true
dynamodb_table = "terraform-state-lock"
}
}
provider "aws" {
region = var.aws_region
default_tags {
tags = {
Project = var.project_name
Environment = var.environment
ManagedBy = "Terraform"
}
}
}Terraform Best Practices
- Remote state with S3 backend and DynamoDB locking
- State encryption enabled by default
- Modular structure for reusability
- Version constraints for providers
- Default tags applied to all resources
- Separate workspaces for environments
Security Enforcement
- Checkov scans all Terraform files
- OPA policies validate plan output
- No public access to backend services
- Encryption required for all data stores
- Mandatory resource tagging
- Drift detection after deployment
Policy-as-Code
Open Policy Agent (OPA) with Conftest enforces custom organizational policies against Terraform plan output before any infrastructure changes are applied.
no_public_backend.rego
Ensures the backend ECS service cannot be exposed to the public internet
package main
import rego.v1
# Deny public access to backend services
deny contains msg if {
resource := input.resource_changes[_]
resource.type == "aws_security_group_rule"
resource.change.after.type == "ingress"
resource.change.after.cidr_blocks[_] == "0.0.0.0/0"
contains(resource.change.after.security_group_id, "backend")
msg := sprintf(
"Backend security group '%s' cannot have public ingress rules (0.0.0.0/0)",
[resource.address]
)
}
# Deny backend service registration with public load balancer
deny contains msg if {
resource := input.resource_changes[_]
resource.type == "aws_lb_target_group"
contains(resource.name, "backend")
resource.change.after.target_type == "ip"
# Check if associated with public ALB
lb := input.resource_changes[_]
lb.type == "aws_lb"
lb.change.after.internal == false
msg := "Backend service cannot be registered with a public load balancer"
}How Policy Enforcement Works
Plan Generation
Terraform generates a JSON plan of proposed changes
Policy Evaluation
Conftest evaluates the plan against Rego policies
Decision
Policies return deny messages for violations
Enforcement
Pipeline fails if any deny rules match
Pipeline command:
conftest test tfplan.json --policy policies/ --all-namespaces