From 9268b2d7dad2b9ab95beb5e034ea22a6ebebf475 Mon Sep 17 00:00:00 2001 From: shaibuuneks Date: Mon, 29 Sep 2025 08:08:29 +0000 Subject: [PATCH 1/2] Readme update --- .github/workflows/cicd.yml | 8 +- README.md | 95 +++++++++++++-------- helm/alertmanager/templates/deployment.yaml | 4 +- infra/grafana/Dockerfile | 2 +- 4 files changed, 67 insertions(+), 42 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index e23cfae..27114e6 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -17,7 +17,7 @@ jobs: - name: Checkout Code uses: actions/checkout@v4 with: - fetch-depth: 0 # ← Crucial for Sentry and Checkov to see full history + fetch-depth: 0 # Crucial for Sentry and Checkov to see full history - name: Setup Node.js uses: actions/setup-node@v4 @@ -36,7 +36,7 @@ jobs: - name: Dependency Audit run: npm audit --audit-level=high - # --- IaC Security Scans --- + # IaC Security Scans - name: Checkov Scan (IaC security) run: | pip install checkov @@ -60,7 +60,7 @@ jobs: sudo mv terrascan /usr/local/bin/ terrascan scan -d infra/ -i terraform -t k8s || echo "Terrascan completed" - # --- Build + Scan Image --- + # Build + Scan Image - name: Build Docker Images run: | docker build -t mydev:${{ github.sha }} . @@ -162,7 +162,7 @@ jobs: environment: production version: ${{ github.sha }} set_commits: auto - ignore_missing: true #set to true + ignore_missing: true notify: diff --git a/README.md b/README.md index b58fcde..a43bd66 100644 --- a/README.md +++ b/README.md 
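Review bot: `pip install checkov` in the Checkov step (the line right after the retitled "IaC Security Scans" comment) installs whatever version PyPI serves at run time, so the IaC gate is unpinned and a run is not reproducible; pin it, e.g. `pip install checkov==<pinned-version>` (placeholder version), and keep the pin current with the same dependency-update flow used for the other actions. The step body continues past the end of the hunk, so the scan invocation itself is not visible here.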
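Review bot: `terrascan scan -d infra/ -i terraform -t k8s || echo "Terrascan completed"` masks every non-zero exit, so policy violations and a broken install both leave the job green; the step is advisory only even though the surrounding comment presents it as a security scan. If it is meant to gate, drop the `|| echo "Terrascan completed"`; if it is deliberately advisory while findings are triaged, use `continue-on-error: true` on the step instead, so the failure is still recorded in the run. The `sudo mv terrascan /usr/local/bin/` line suggests the binary is fetched earlier in the same step, outside this hunk; it is worth confirming that download is checksum-verified before it is placed on the PATH.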
@@ -1,5 +1,9 @@ # πŸš€ FullStack DevSecOps Demo +A production-grade fullstack pipeline showcasing modern DevSecOps practices β€” from secure CI/CD to observability and Infrastructure-as-Code (IaC). This project demonstrates how to take a simple Node.js/Express app and wrap it with a battle-tested DevSecOps workflow used in real companies. + +## 🌟 Highlights + - **CI/CD Pipeline**: GitHub Actions with linting, testing, dependency audits, Docker builds, Trivy scans, Gitleaks, CodeQL, Checkov & Terrascan - **Secure Containerization**: Hardened Dockerfiles with non-root users and HEALTHCHECK instructions - **Runtime Security**: Gitleaks (secret scanning), CodeQL (static analysis), npm audit (dependency vulnerabilities) @@ -13,7 +17,6 @@ - Production: auto-deploy on `main` - **IaC Versioning**: Full `render.yaml` and Helm manifests for portability to Kubernetes (k3s, GKE, EKS) - ## πŸ—οΈ Architecture ```mermaid 
@@ -44,67 +47,69 @@ flowchart TD ## 🐳 Build & Push - Docker image pushed to Docker Hub with commit + latest tags -## πŸš€ Deployments +Deploy -### Staging (`develop` branch) -πŸ”— **Live Staging App**: [Your Staging URL Here] +Render Staging (branch: develop) -### Production (`main` branch) -πŸ”— **Live Production App**: [Your Production URL Here] +Render Prod (branch: main) -## πŸ”” Notifications -Slack messages for staging/prod deployments with build status: +Automatic Sentry release tracking +Notify ---- +Slack messages for staging/prod deployments with build status +πŸ“Š Observability +Prometheus -πŸ”— **See live link here**: [Your Prometheus URL Here] +Scrapes app /metrics endpoint (via prom-client) +Collects: +Default Node.js process metrics -πŸ”— **See live link here**: [Your Grafana URL Here] +http_requests_total counter +Latency histogram -## Alertmanager -- Sends alerts to Slack via webhook -- Starter rules: - - CPU > 80% for 2 minutes - - Error rate > 5% over 5 minutes +Grafana -## Sentry -- Captures unhandled exceptions -- Tied to GitHub Actions release versions -- Shows "Deployed to Staging/Prod" in release timeline +Preprovisioned dashboards: +CPU % +Memory usage -## πŸ“Έ Project in Action +HTTP requests/sec -### βœ… Lint & Tests Passing -![Lint + Tests](docs/images/Lint-test.png) +5xx error rate -### πŸš€ Render Staging Deployment -![Render Staging Deploy](docs/images/Render-staging.png) +95th percentile latency -πŸ”— [Staging App URL](docs/images/Staging-Url.png) +Alertmanager -### 🌍 Production Deployment -![Production URL](docs/images/Prod-url.png) +Sends alerts to Slack via webhook -### πŸ”” Slack Notifications -![Slack Notifications](docs/images/SLACK-NOTIFY.png) +Starter rules: +CPU > 80% for 2 minutes +Error rate > 5% over 5 minutes + +## Sentry +- Captures unhandled exceptions +- Tied to GitHub Actions release versions +- Shows "Deployed to Staging/Prod" in release timeline + +🐳 Docker Hardening All service images include: - `HEALTHCHECK` 
instructions - Non-root user execution - Minimal base images (`node:18-alpine`, `alpine:3.20`, etc.) - -# ☸️ Kubernetes (Future-Ready) +☸️ Kubernetes (Future-Ready) ## Helm charts included for: - `myapp` (Node.js/Express) @@ -149,16 +154,34 @@ Secrets managed via K8s Secret resources (Slack webhook, Grafana admin password) β”œβ”€β”€ render.yaml # Render IaC config └── Dockerfile # App Dockerfile +``` 🎯 Why This Matters +Feature Benefit + +Full DevSecOps pipeline Not just CI/CD, but integrated security, monitoring, and alerting + +Cloud-native ready Helm charts β†’ easy migration to Kubernetes + +Production realism Covers error tracking, observability, secrets management, IaC scanning + +Team collaboration Slack notifications + Sentry releases β†’ transparent deployments + +Hands-on expertise End-to-end experience across modern DevSecOps toolchain + + +This repo serves as my portfolio centerpiece: a showcase of how I'd run secure, observable, cloud-ready software delivery in a real engineering organization. -Interested in how I can bring end-to-end DevSecOps expertise to your team? Let’s connect! +πŸ“¬ Contact +Interested in how I can bring end-to-end DevSecOps expertise to your team? Let's connect! +
-[![GitHub stars](https://img.shields.io/github/stars/wizzfi1/fullstack-devsecops-demo?style=social)](https://github.com/wizzfi1/fullstack-devsecops-demo) -[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT) +Built with ❀️ to demonstrate modern DevSecOps practices +https://img.shields.io/github/stars/yourusername/fullstack-devsecops-demo?style=social +https://img.shields.io/badge/License-MIT-blue.svg -
+ ``` diff --git a/helm/alertmanager/templates/deployment.yaml b/helm/alertmanager/templates/deployment.yaml index fec108b..3d77817 100644 --- a/helm/alertmanager/templates/deployment.yaml +++ b/helm/alertmanager/templates/deployment.yaml @@ -14,6 +14,7 @@ spec: app: alertmanager spec: automountServiceAccountToken: false + # Pod-level context β€” only for pod-wide settings securityContext: runAsNonRoot: true @@ -35,7 +36,8 @@ spec: - name: alertmanager-secret-vol mountPath: /etc/secrets/alertmanager readOnly: true - # CONTAINER-LEVEL SECURITY CONTEXT β€” THIS IS WHAT MATTERS + + # CONTAINER-LEVEL SECURITY CONTEXT securityContext: runAsNonRoot: true runAsUser: 10001 diff --git a/infra/grafana/Dockerfile b/infra/grafana/Dockerfile index 79015eb..4397b91 100644 --- a/infra/grafana/Dockerfile +++ b/infra/grafana/Dockerfile @@ -1,4 +1,4 @@ -# Use official Grafana image with pinned version (avoid 'latest') +# Use official Grafana image with pinned version FROM grafana/grafana:11.1.4 # Copy provisioning config files From 9b915b49d55ba8a8c7afba55b6a92b78862ad201 Mon Sep 17 00:00:00 2001 From: shaibuuneks Date: Mon, 29 Sep 2025 08:17:43 +0000 Subject: [PATCH 2/2] Readme update --- README.md | 121 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 69 insertions(+), 52 deletions(-) diff --git a/README.md b/README.md index a43bd66..b51fd31 100644 --- a/README.md +++ b/README.md 
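Review bot: `FROM grafana/grafana:11.1.4` pins a tag, which the edited comment still describes as the pinned version, but a tag is mutable and can be re-pushed, so the base image is not actually immutable. Pin the digest as well, `FROM grafana/grafana:11.1.4@sha256:<digest-from-registry>` (placeholder digest), and let the existing dependency-update tooling bump both tag and digest together. The rest of the Dockerfile is outside this hunk.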
@@ -1,6 +1,9 @@ # πŸš€ FullStack DevSecOps Demo -A production-grade fullstack pipeline showcasing modern DevSecOps practices β€” from secure CI/CD to observability and Infrastructure-as-Code (IaC). This project demonstrates how to take a simple Node.js/Express app and wrap it with a battle-tested DevSecOps workflow used in real companies. +A production-grade fullstack pipeline showcasing modern DevSecOps practices β€” from secure CI/CD to observability and Infrastructure-as-Code (IaC). +This project demonstrates how to take a simple Node.js/Express app and wrap it with a battle-tested DevSecOps workflow used in real companies. + +--- ## 🌟 Highlights @@ -17,6 +20,8 @@ A production-grade fullstack pipeline showcasing modern DevSecOps practices β€” - Production: auto-deploy on `main` - **IaC Versioning**: Full `render.yaml` and Helm manifests for portability to Kubernetes (k3s, GKE, EKS) +--- + ## πŸ—οΈ Architecture ```mermaid 
@@ -47,69 +52,87 @@ flowchart TD ## 🐳 Build & Push - Docker image pushed to Docker Hub with commit + latest tags -Deploy +## πŸš€ Deployments -Render Staging (branch: develop) +### Staging (`develop` branch) +πŸ”— **Live Staging App**: [Your Staging URL Here] -Render Prod (branch: main) +### Production (`main` branch) +πŸ”— **Live Production App**: [Your Production URL Here] -Automatic Sentry release tracking +## πŸ”” Notifications +Slack messages for staging/prod deployments with build status: -Notify -Slack messages for staging/prod deployments with build status +--- -πŸ“Š Observability +# πŸ“Š Observability -Prometheus +## Prometheus +- Scrapes app `/metrics` endpoint (via `prom-client`) +- Collects: + - Default Node.js process metrics + - `http_requests_total` counter + - Latency histogram -Scrapes app /metrics endpoint (via prom-client) +πŸ”— **See live link here**: [Your Prometheus URL Here] -Collects: +## Grafana Dashboards +Includes panels for: +- CPU % +- Memory usage +- HTTP requests/sec +- 5xx error rate +- 95th percentile latency -Default Node.js process metrics +πŸ”— **See live link here**: [Your Grafana URL Here] -http_requests_total counter -Latency histogram +## Alertmanager +- Sends alerts to Slack via webhook +- Starter rules: + - CPU > 80% for 2 minutes + - Error rate > 5% over 5 minutes -Grafana +## Sentry +- Captures unhandled exceptions +- Tied to GitHub Actions release versions +- Shows "Deployed to Staging/Prod" in release timeline -Preprovisioned dashboards: +--- -CPU % -Memory usage +## πŸ“Έ Project in Action -HTTP requests/sec +### βœ… Lint & Tests Passing +![Lint + Tests](docs/images/Lint-test.png) -5xx error rate +### πŸš€ Render Staging Deployment +![Render Staging Deploy](docs/images/Render-staging.png) -95th percentile latency +πŸ”— [Staging App URL](docs/images/Staging-Url.png) -Alertmanager +### 🌍 Production Deployment +![Production URL](docs/images/Prod-url.png) -Sends alerts to Slack via webhook +### πŸ”” Slack Notifications 
+![Slack Notifications](docs/images/SLACK-NOTIFY.png) -Starter rules: +### πŸ“Š Observability with Prometheus & Grafana +![Prometheus Dashboard](docs/images/Prometheus-dashh.png) -CPU > 80% for 2 minutes -Error rate > 5% over 5 minutes -## Sentry -- Captures unhandled exceptions -- Tied to GitHub Actions release versions -- Shows "Deployed to Staging/Prod" in release timeline - -🐳 Docker Hardening +# 🐳 Docker Hardening All service images include: - `HEALTHCHECK` instructions - Non-root user execution - Minimal base images (`node:18-alpine`, `alpine:3.20`, etc.) -☸️ Kubernetes (Future-Ready) +--- + +# ☸️ Kubernetes (Future-Ready) ## Helm charts included for: - `myapp` (Node.js/Express) 
@@ -153,35 +176,29 @@ Secrets managed via K8s Secret resources (Slack webhook, Grafana admin password) β”œβ”€β”€ .github/workflows/ # CI/CD pipelines β”œβ”€β”€ render.yaml # Render IaC config └── Dockerfile # App Dockerfile - ``` -🎯 Why This Matters -Feature Benefit - -Full DevSecOps pipeline Not just CI/CD, but integrated security, monitoring, and alerting - -Cloud-native ready Helm charts β†’ easy migration to Kubernetes - -Production realism Covers error tracking, observability, secrets management, IaC scanning - -Team collaboration Slack notifications + Sentry releases β†’ transparent deployments +🎯 Why This Matters -Hands-on expertise End-to-end experience across modern DevSecOps toolchain +| Feature | Benefit | +| ----------------------- | --------------------------------------------------------- | +| Full DevSecOps pipeline | Integrated security, monitoring, and alerting | +| Cloud-native ready | Helm charts β†’ easy migration to Kubernetes | +| Production realism | Error tracking, observability, secrets mgmt, IaC scanning | +| Team collaboration | Slack notifications + Sentry releases β†’ transparency | +| Hands-on expertise | End-to-end modern DevSecOps toolchain experience | -This repo serves as my portfolio centerpiece: a showcase of how I'd run secure, observable, cloud-ready software delivery in a real engineering organization. πŸ“¬ Contact -Interested in how I can bring end-to-end DevSecOps expertise to your team? Let's connect! +Interested in how I can bring end-to-end DevSecOps expertise to your team? Let’s connect!
-Built with ❀️ to demonstrate modern DevSecOps practices - -https://img.shields.io/github/stars/yourusername/fullstack-devsecops-demo?style=social -https://img.shields.io/badge/License-MIT-blue.svg +**Built with ❀️ to demonstrate modern DevSecOps practices** -
``` +[![GitHub stars](https://img.shields.io/github/stars/wizzfi1/fullstack-devsecops-demo?style=social)](https://github.com/wizzfi1/fullstack-devsecops-demo) +[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT) +