diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index f8607dd..e23cfae 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -123,7 +123,7 @@ jobs: customHeaders: '{"Accept": "application/json", "Authorization": "Bearer ${{ secrets.RENDER_API_KEY }}"}' - name: Sentry Release (Staging) - uses: getsentry/action-release@v1 + uses: getsentry/action-release@v2 env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: ${{ secrets.SENTRY_ORG }} @@ -132,7 +132,7 @@ jobs: environment: staging version: ${{ github.sha }} set_commits: auto - extra_args: --ignore-missing + ignore_missing: true deploy-prod: @@ -153,7 +153,7 @@ jobs: customHeaders: '{"Accept": "application/json", "Authorization": "Bearer ${{ secrets.RENDER_API_KEY }}"}' - name: Sentry Release (Production) - uses: getsentry/action-release@v1 + uses: getsentry/action-release@v2 env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: ${{ secrets.SENTRY_ORG }} @@ -162,7 +162,7 @@ jobs: environment: production version: ${{ github.sha }} set_commits: auto - extra_args: --ignore-missing + ignore_missing: true #set to true notify: diff --git a/README.md b/README.md index e733c6f..c592f89 100644 --- a/README.md +++ b/README.md 
@@ -1,44 +1,25 @@ -FullStack DevSecOps Demo +# πŸš€ FullStack DevSecOps Demo -A production-grade fullstack pipeline showcasing modern DevSecOps practices β€” from secure CI/CD, to observability, to Infrastructure-as-Code (IaC). +A production-grade fullstack pipeline showcasing modern DevSecOps practices β€” from secure CI/CD to observability and Infrastructure-as-Code (IaC). This project demonstrates how to take a simple Node.js/Express app and wrap it with a battle-tested DevSecOps workflow used in real companies. -This project demonstrates how to take a simple Node.js/Express app and wrap it with a battle-tested DevSecOps workflow used in real companies. +## 🌟 Highlights -🌟 Highlights +- **CI/CD Pipeline**: GitHub Actions with linting, testing, dependency audits, Docker builds, Trivy scans, Gitleaks, CodeQL, Checkov & Terrascan +- **Secure Containerization**: Hardened Dockerfiles with non-root users and HEALTHCHECK instructions +- **Runtime Security**: Gitleaks (secret scanning), CodeQL (static analysis), npm audit (dependency vulnerabilities) +- **Observability Stack**: + - Prometheus for metrics collection + - Grafana dashboards (CPU %, memory, HTTP request rates, error rate, latency) + - Alertmanager + Slack for real-time alerts + - Sentry for application-level error monitoring and release tracking +- **Environments**: + - Staging: auto-deploy on `develop` + - Production: auto-deploy on `main` +- **IaC Versioning**: Full `render.yaml` and Helm manifests for portability to Kubernetes (k3s, GKE, EKS) +## πŸ—οΈ Architecture -CI/CD Pipeline: GitHub Actions with linting, testing, dependency audits, Docker builds, Trivy scans, Gitleaks, CodeQL, Checkov & Terrascan. - - -Secure Containerization: Hardened Dockerfiles with non-root users and HEALTHCHECK instructions. - - -Runtime Security: Gitleaks (secret scanning), CodeQL (static analysis), npm audit (dependency vulnerabilities). 
- - -Observability Stack: - -Prometheus for metrics collection - -Grafana dashboards (CPU %, memory, HTTP request rates, error rate, latency) - -Alertmanager + Slack for real-time alerts - -Sentry for application-level error monitoring and release tracking - - -Environments: - -Staging: auto-deploy on develop - -Production: auto-deploy on main - - -IaC Versioning: Full render.yaml and Helm manifests for portability to Kubernetes (k3s, GKE, EKS). - -πŸ—οΈ Architecture - -``` +```mermaid flowchart TD A[GitHub Push] -->|GitHub Actions| B[CI/CD Pipeline] B -->|Docker Build + Scan| C[Docker Hub] @@ -48,7 +29,6 @@ flowchart TD F --> G[Grafana Dashboards] F --> H[Alertmanager -> Slack] E -->|Errors| I[Sentry] - ``` πŸ”„ CI/CD Workflow @@ -89,12 +69,11 @@ Notify Slack messages for staging/prod deployments with build status - πŸ“Š Observability Prometheus -Scrapes app /metrics endpoint (via prom-client). +Scrapes app /metrics endpoint (via prom-client) Collects: @@ -104,7 +83,6 @@ http_requests_total counter Latency histogram - Grafana Preprovisioned dashboards: @@ -119,10 +97,9 @@ HTTP requests/sec 95th percentile latency - Alertmanager -Sends alerts to Slack via webhook. +Sends alerts to Slack via webhook Starter rules: @@ -130,15 +107,13 @@ CPU > 80% for 2 minutes Error rate > 5% over 5 minutes - Sentry -Captures unhandled exceptions. +Captures unhandled exceptions -Tied to GitHub Actions release versions. - -Shows β€œDeployed to Staging/Prod” in release timeline. +Tied to GitHub Actions release versions +Shows "Deployed to Staging/Prod" in release timeline 🐳 Docker Hardening @@ -150,7 +125,6 @@ Non-root user execution Minimal base images (node:18-alpine, alpine:3.20, etc.) - ☸️ Kubernetes (Future-Ready) Helm charts included for: 
@@ -189,38 +163,47 @@ Push to develop β†’ staging deploy Merge to main β†’ production deploy -πŸ“‚ Repo Structure +πŸ“‚ Repository Structure ``` -. -β”œβ”€β”€ src/ # Node.js app (Express + Sentry + Prometheus metrics) -β”œβ”€β”€ infra/ # Infra services +β”œβ”€β”€ src/ # Node.js app (Express + Sentry + Prometheus metrics) +β”œβ”€β”€ infra/ # Infra services β”‚ β”œβ”€β”€ prometheus/ β”‚ β”œβ”€β”€ grafana/ β”‚ └── alertmanager/ -β”œβ”€β”€ helm/ # Helm charts for k8s migration -β”œβ”€β”€ .github/workflows/ # CI/CD pipelines -β”œβ”€β”€ render.yaml # Render IaC config -└── Dockerfile # App Dockerfile +β”œβ”€β”€ helm/ # Helm charts for k8s migration +β”œβ”€β”€ .github/workflows/ # CI/CD pipelines +β”œβ”€β”€ render.yaml # Render IaC config +└── Dockerfile # App Dockerfile ``` +🎯 Why This Matters -Why This Matters +Feature Benefit -βœ… Full DevSecOps pipeline: not just CI/CD, but integrated security, monitoring, and alerting. +Full DevSecOps pipeline Not just CI/CD, but integrated security, monitoring, and alerting -βœ… Cloud-native ready: Helm charts β†’ easy migration to Kubernetes. +Cloud-native ready Helm charts β†’ easy migration to Kubernetes -βœ… Production realism: covers error tracking, observability, secrets management, IaC scanning. +Production realism Covers error tracking, observability, secrets management, IaC scanning -βœ… Team collaboration: Slack notifications + Sentry releases β†’ transparent deployments. +Team collaboration Slack notifications + Sentry releases β†’ transparent deployments -βœ… Hands-on expertise across Node.js, Docker, GitHub Actions, Sentry, Prometheus, Grafana, Alertmanager, Checkov, Terrascan, Render, Helm. +Hands-on expertise End-to-end experience across modern DevSecOps toolchain -This repo is my portfolio centerpiece: a showcase of how I’d run secure, observable, cloud-ready software delivery in a real engineering org. 
- +This repo serves as my portfolio centerpiece: a showcase of how I'd run secure, observable, cloud-ready software delivery in a real engineering organization. πŸ“¬ Contact -If you’re interested in how I can bring end-to-end DevSecOps expertise to your team. \ No newline at end of file +Interested in how I can bring end-to-end DevSecOps expertise to your team? Let's connect! + +
+ +Built with ❀️ to demonstrate modern DevSecOps practices + +https://img.shields.io/github/stars/yourusername/fullstack-devsecops-demo?style=social +https://img.shields.io/badge/License-MIT-blue.svg + +
``` + diff --git a/docs/images/Grafana-dashh.png b/docs/images/Grafana-dashh.png new file mode 100644 index 0000000..0ee22b9 Binary files /dev/null and b/docs/images/Grafana-dashh.png differ diff --git a/docs/images/Lint test.png b/docs/images/Lint test.png new file mode 100644 index 0000000..5be1d65 Binary files /dev/null and b/docs/images/Lint test.png differ diff --git a/docs/images/Prod-url.png b/docs/images/Prod-url.png new file mode 100644 index 0000000..8baade2 Binary files /dev/null and b/docs/images/Prod-url.png differ diff --git a/docs/images/Prometheus-dashh.png b/docs/images/Prometheus-dashh.png new file mode 100644 index 0000000..bb5463b Binary files /dev/null and b/docs/images/Prometheus-dashh.png differ diff --git a/docs/images/Render-staging.png b/docs/images/Render-staging.png new file mode 100644 index 0000000..2153e7b Binary files /dev/null and b/docs/images/Render-staging.png differ
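Review bot: In the two cicd.yml hunks that bump `uses: getsentry/action-release@v1` to `@v2` (staging at -123 and production at -153), pin the action to a full commit SHA with the version in a trailing comment, for example `uses: getsentry/action-release@<commit-sha> # v2`, rather than the mutable `v2` tag. Both steps run with `SENTRY_AUTH_TOKEN` and `SENTRY_ORG` in `env`, so a moved or force-pushed major tag would execute unreviewed code with those secrets; a SHA pin plus Dependabot or Renovate keeps the update path without the exposure.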
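Review bot: In the staging hunk at -132, `ignore_missing: true` replaces `extra_args: --ignore-missing`, which is the right way to express it as an action input, but note what it does next to `set_commits: auto`: it suppresses the failure sentry-cli would otherwise raise when the previous release's commit cannot be found in the repository, so a broken or missing Sentry repository integration no longer fails the job and releases silently lose their commit association. If that is the intended trade-off for staging, say so in a comment on the line; otherwise leave it unset so the release step fails loudly.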
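Review bot: In the production hunk at -162, the trailing `#set to true` comment on `ignore_missing: true` only restates the value and should be dropped or replaced with the reason (why a production release may legitimately have missing commits). As written the staging and production Sentry blocks are now identical except for this comment; keep them byte-identical or, better, factor the shared step into a composite action or reusable workflow so the two environments cannot drift.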
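Review bot: In the README hunk at -1, the new bullet `**Runtime Security**: Gitleaks (secret scanning), CodeQL (static analysis), npm audit (dependency vulnerabilities)` mislabels its contents: all three run in CI against source code and lockfiles before anything is deployed, so none of them is runtime security. Rename the bullet to something like "Code & Dependency Security" (it also duplicates the scanner list already given under "CI/CD Pipeline"), and reserve "runtime" for the observability and alerting pieces that actually watch the running service.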
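Review bot: In the README hunk at -48, a `-` line sits immediately before the closing ``` fence of the now-`mermaid` block. If the removed line is the blank that preceded the fence, fine; if it is the fence itself, the diagram block swallows the rest of the file on render. Confirm which by previewing the README before merging.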
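Review bot: In the README hunk at -189, the badge URLs `https://img.shields.io/github/stars/yourusername/fullstack-devsecops-demo?style=social` still carry the `yourusername` placeholder, so the stars badge will 404; substitute the real owner/repo and make sure both badges are wrapped in markdown image syntax. The hunk also ends with a lone ``` after the badges with no matching opener; remove it, since an unclosed fence at end of file renders the tail of the README as a code block.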
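Review bot: For the five new binaries under docs/images, rename before anything links to them: `Lint test.png` has a space in the filename (use `lint-test.png`), and `Grafana-dashh.png` and `Prometheus-dashh.png` have a doubled "h". More importantly, `Prod-url.png` and `Render-staging.png` are screenshots of deployment URLs and the Render dashboard; check them for service hostnames, account identifiers or tokens before merging, because Gitleaks scans text, not pixels, and a secret in a screenshot stays in git history after the file is deleted.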