diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index e23cfae..27114e6 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -17,7 +17,7 @@ jobs:
 - name: Checkout Code
 uses: actions/checkout@v4
 with:
- fetch-depth: 0 # ← Crucial for Sentry and Checkov to see full history
+ fetch-depth: 0 # Crucial for Sentry and Checkov to see full history
 - name: Setup Node.js
 uses: actions/setup-node@v4
@@ -36,7 +36,7 @@ jobs:
 - name: Dependency Audit
 run: npm audit --audit-level=high
- # --- IaC Security Scans ---
+ # IaC Security Scans
 - name: Checkov Scan (IaC security)
 run: |
 pip install checkov
@@ -60,7 +60,7 @@ jobs:
 sudo mv terrascan /usr/local/bin/
 terrascan scan -d infra/ -i terraform -t k8s || echo "Terrascan completed"
- # --- Build + Scan Image ---
+ # Build + Scan Image
 - name: Build Docker Images
 run: |
 docker build -t mydev:${{ github.sha }} .
@@ -162,7 +162,7 @@ jobs:
 environment: production
 version: ${{ github.sha }}
 set_commits: auto
- ignore_missing: true #set to true
+ ignore_missing: true
 notify:
diff --git a/README.md b/README.md
index b58fcde..b51fd31 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,12 @@
 # πŸš€ FullStack DevSecOps Demo
+A production-grade fullstack pipeline showcasing modern DevSecOps practices β€” from secure CI/CD to observability and Infrastructure-as-Code (IaC).
+This project demonstrates how to take a simple Node.js/Express app and wrap it with a battle-tested DevSecOps workflow used in real companies.
+
+---
+
+## 🌟 Highlights
+
 - **CI/CD Pipeline**: GitHub Actions with linting, testing, dependency audits, Docker builds, Trivy scans, Gitleaks, CodeQL, Checkov & Terrascan
 - **Secure Containerization**: Hardened Dockerfiles with non-root users and HEALTHCHECK instructions
 - **Runtime Security**: Gitleaks (secret scanning), CodeQL (static analysis), npm audit (dependency vulnerabilities)
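Review bot: `uses: actions/checkout@v4` (and `uses: actions/setup-node@v4` two lines below it) reference the action by a mutable tag, so each run executes whatever commit the tag points to at that moment; for a workflow whose purpose is supply-chain hygiene, pin the full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The same point applies to `pip install checkov` in the @@ -36 hunk, which installs the newest release on every run — pin it (`pip install checkov==<version>`) so scan results are reproducible and an unexpected upstream release cannot silently change what the gate checks. This commit only rewords the adjacent comments and leaves both lines as they were.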
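Review bot: `terrascan scan -d infra/ -i terraform -t k8s || echo "Terrascan completed"` makes the scan a no-op gate: any non-zero exit — a policy violation, a failed install, or a bad argument — is swallowed and the step reports success with a misleading message. If the scan is meant to be advisory, say so at the step level with `continue-on-error: true` and let the command exit non-zero, so the failure is still visible as a failed step in the run summary; if it is meant to gate, drop the `|| echo` so findings block the build. The step's `run:` block begins above the hunk, and the Checkov step in the @@ -36 hunk should follow the same convention — its `run:` body continues past that hunk so I cannot tell which it uses.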
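Review bot: `ignore_missing: true` is now completely unexplained; the removed `#set to true` said nothing, but a reader still needs to know why the release step may proceed when commits cannot be resolved, since together with `set_commits: auto` it means a broken repository integration yields releases with no commit association instead of a failing step. If this is the Sentry release action (the `uses:` line is above the hunk), a why-comment would carry that intent: `ignore_missing: true # don't fail the deploy when the previous release's commit is absent from the Sentry repo integration`. The `with:` block this key belongs to starts outside the hunk.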
@@ -13,6 +20,7 @@
 - Production: auto-deploy on `main`
 - **IaC Versioning**: Full `render.yaml` and Helm manifests for portability to Kubernetes (k3s, GKE, EKS)
+---
 ## πŸ—οΈ Architecture
@@ -58,11 +66,24 @@ Slack messages for staging/prod deployments with build status:
 ---
+# πŸ“Š Observability
+## Prometheus
+- Scrapes app `/metrics` endpoint (via `prom-client`)
+- Collects:
+ - Default Node.js process metrics
+ - `http_requests_total` counter
+ - Latency histogram
 πŸ”— **See live link here**: [Your Prometheus URL Here]
-
+## Grafana Dashboards
+Includes panels for:
+- CPU %
+- Memory usage
+- HTTP requests/sec
+- 5xx error rate
+- 95th percentile latency
 πŸ”— **See live link here**: [Your Grafana URL Here]
@@ -78,6 +99,7 @@ Slack messages for staging/prod deployments with build status:
 - Tied to GitHub Actions release versions
 - Shows "Deployed to Staging/Prod" in release timeline
+---
 ## πŸ“Έ Project in Action
@@ -96,13 +118,19 @@ Slack messages for staging/prod deployments with build status:
 ### πŸ”” Slack Notifications
 ![Slack Notifications](docs/images/SLACK-NOTIFY.png)
+### πŸ“Š Observability with Prometheus & Grafana
+![Prometheus Dashboard](docs/images/Prometheus-dashh.png)
+
+# 🐳 Docker Hardening
+
 All service images include:
 - `HEALTHCHECK` instructions
 - Non-root user execution
 - Minimal base images (`node:18-alpine`, `alpine:3.20`, etc.)
+---
 # ☸️ Kubernetes (Future-Ready)
@@ -148,17 +176,29 @@ Secrets managed via K8s Secret resources (Slack webhook, Grafana admin password)
 β”œβ”€β”€ .github/workflows/ # CI/CD pipelines
 β”œβ”€β”€ render.yaml # Render IaC config
 └── Dockerfile # App Dockerfile
+```
 🎯 Why This Matters
+| Feature | Benefit |
+| ----------------------- | --------------------------------------------------------- |
+| Full DevSecOps pipeline | Integrated security, monitoring, and alerting |
+| Cloud-native ready | Helm charts β†’ easy migration to Kubernetes |
+| Production realism | Error tracking, observability, secrets mgmt, IaC scanning |
+| Team collaboration | Slack notifications + Sentry releases β†’ transparency |
+| Hands-on expertise | End-to-end modern DevSecOps toolchain experience |
+
+
+
 πŸ“¬ Contact
 Interested in how I can bring end-to-end DevSecOps expertise to your team? Let’s connect!
+
+**Built with ❀️ to demonstrate modern DevSecOps practices** [![GitHub stars](https://img.shields.io/github/stars/wizzfi1/fullstack-devsecops-demo?style=social)](https://github.com/wizzfi1/fullstack-devsecops-demo) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-
-
diff --git a/helm/alertmanager/templates/deployment.yaml b/helm/alertmanager/templates/deployment.yaml
index fec108b..3d77817 100644
--- a/helm/alertmanager/templates/deployment.yaml
+++ b/helm/alertmanager/templates/deployment.yaml
@@ -14,6 +14,7 @@ spec:
 app: alertmanager
 spec:
 automountServiceAccountToken: false
+ # Pod-level context β€” only for pod-wide settings
 securityContext:
 runAsNonRoot: true
@@ -35,7 +36,8 @@ spec:
 - name: alertmanager-secret-vol
 mountPath: /etc/secrets/alertmanager
 readOnly: true
- # CONTAINER-LEVEL SECURITY CONTEXT β€” THIS IS WHAT MATTERS
+
+# CONTAINER-LEVEL SECURITY CONTEXT
 securityContext:
 runAsNonRoot: true
 runAsUser: 10001
diff --git a/infra/grafana/Dockerfile b/infra/grafana/Dockerfile
index 79015eb..4397b91 100644
--- a/infra/grafana/Dockerfile
+++ b/infra/grafana/Dockerfile
@@ -1,4 +1,4 @@
-# Use official Grafana image with pinned version (avoid 'latest')
+# Use official Grafana image with pinned version
 FROM grafana/grafana:11.1.4
 # Copy provisioning config files
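Review bot: The reworded `# CONTAINER-LEVEL SECURITY CONTEXT` loses the one thing the old comment conveyed — why a second securityContext sits next to the pod-level one annotated in the @@ -14 hunk. Make the relationship explicit instead: `# Container-level securityContext: overrides the pod-level block for any field set in both; per-container hardening belongs here`. Only `runAsNonRoot: true` and `runAsUser: 10001` are visible before the hunk ends; if the block continues below it, confirm it also sets `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities: drop: [ALL]` and a `seccompProfile` of type `RuntimeDefault`, since those fields are container-level only and this is the block the comment points readers to.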
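Review bot: `FROM grafana/grafana:11.1.4` pins a tag, not an image; tags are mutable, so the build is still not reproducible and the base can change underneath the "pinned version" the new comment describes. Pin the digest alongside the tag, `FROM grafana/grafana:11.1.4@sha256:<digest-of-the-verified-image>`, and let the repository's dependency bot refresh both together so the pin does not rot. The comment could then state what is actually guaranteed: `# Pinned by tag and digest; bump both together`.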