diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index f8607dd..e23cfae 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -123,7 +123,7 @@ jobs: customHeaders: '{"Accept": "application/json", "Authorization": "Bearer ${{ secrets.RENDER_API_KEY }}"}' - name: Sentry Release (Staging) - uses: getsentry/action-release@v1 + uses: getsentry/action-release@v2 env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: ${{ secrets.SENTRY_ORG }} @@ -132,7 +132,7 @@ jobs: environment: staging version: ${{ github.sha }} set_commits: auto - extra_args: --ignore-missing + ignore_missing: true deploy-prod: @@ -153,7 +153,7 @@ jobs: customHeaders: '{"Accept": "application/json", "Authorization": "Bearer ${{ secrets.RENDER_API_KEY }}"}' - name: Sentry Release (Production) - uses: getsentry/action-release@v1 + uses: getsentry/action-release@v2 env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: ${{ secrets.SENTRY_ORG }} @@ -162,7 +162,7 @@ jobs: environment: production version: ${{ github.sha }} set_commits: auto - extra_args: --ignore-missing + ignore_missing: true #set to true notify: diff --git a/README.md b/README.md index b51fd31..b58fcde 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,5 @@ # πŸš€ FullStack DevSecOps Demo -A production-grade fullstack pipeline showcasing modern DevSecOps practices β€” from secure CI/CD to observability and Infrastructure-as-Code (IaC). -This project demonstrates how to take a simple Node.js/Express app and wrap it with a battle-tested DevSecOps workflow used in real companies. - ---- - -## 🌟 Highlights - - **CI/CD Pipeline**: GitHub Actions with linting, testing, dependency audits, Docker builds, Trivy scans, Gitleaks, CodeQL, Checkov & Terrascan - **Secure Containerization**: Hardened Dockerfiles with non-root users and HEALTHCHECK instructions - **Runtime Security**: Gitleaks (secret scanning), CodeQL (static analysis), npm audit (dependency vulnerabilities) 
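Review bot: `uses: getsentry/action-release@v2` at the Sentry Release (Staging) step, and the identical line in the Production hunk at -153, pins a floating major tag that the action's maintainers can move, while the step runs with `SENTRY_AUTH_TOKEN` in its environment. Pin the action to the full commit SHA of the release you tested and keep the tag as a trailing comment, `uses: getsentry/action-release@<commit-sha-of-v2-tag>  # v2`, so that a later tag move cannot change the code that runs with that token; Dependabot or Renovate can still bump the pinned SHA. The enclosing job body starts and ends outside the hunk.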
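Review bot: The trailing comment `#set to true` on `ignore_missing: true` in the Production step (hunk at -162) only restates the value and does not follow yamllint's `comments` rule (two spaces before `#`, one space after it). Either drop it to match the Staging hunk at -132, which carries no comment, or make it explain the choice, e.g. `ignore_missing: true  # do not fail the release on commits Sentry cannot find` (confirm the wording against the action's input docs). The deploy-prod job continues outside the hunk.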
@@ -20,7 +13,6 @@ This project demonstrates how to take a simple Node.js/Express app and wrap it w - Production: auto-deploy on `main` - **IaC Versioning**: Full `render.yaml` and Helm manifests for portability to Kubernetes (k3s, GKE, EKS) ---- ## πŸ—οΈ Architecture @@ -66,24 +58,11 @@ Slack messages for staging/prod deployments with build status: --- -# πŸ“Š Observability -## Prometheus -- Scrapes app `/metrics` endpoint (via `prom-client`) -- Collects: - - Default Node.js process metrics - - `http_requests_total` counter - - Latency histogram πŸ”— **See live link here**: [Your Prometheus URL Here] -## Grafana Dashboards -Includes panels for: -- CPU % -- Memory usage -- HTTP requests/sec -- 5xx error rate -- 95th percentile latency + πŸ”— **See live link here**: [Your Grafana URL Here] @@ -99,7 +78,6 @@ Includes panels for: - Tied to GitHub Actions release versions - Shows "Deployed to Staging/Prod" in release timeline ---- ## πŸ“Έ Project in Action @@ -118,19 +96,13 @@ Includes panels for: ### πŸ”” Slack Notifications ![Slack Notifications](docs/images/SLACK-NOTIFY.png) -### πŸ“Š Observability with Prometheus & Grafana -![Prometheus Dashboard](docs/images/Prometheus-dashh.png) - -# 🐳 Docker Hardening - All service images include: - `HEALTHCHECK` instructions - Non-root user execution - Minimal base images (`node:18-alpine`, `alpine:3.20`, etc.) ---- # ☸️ Kubernetes (Future-Ready) 
@@ -176,29 +148,17 @@ Secrets managed via K8s Secret resources (Slack webhook, Grafana admin password) β”œβ”€β”€ .github/workflows/ # CI/CD pipelines β”œβ”€β”€ render.yaml # Render IaC config └── Dockerfile # App Dockerfile -``` 🎯 Why This Matters -| Feature | Benefit | -| ----------------------- | --------------------------------------------------------- | -| Full DevSecOps pipeline | Integrated security, monitoring, and alerting | -| Cloud-native ready | Helm charts β†’ easy migration to Kubernetes | -| Production realism | Error tracking, observability, secrets mgmt, IaC scanning | -| Team collaboration | Slack notifications + Sentry releases β†’ transparency | -| Hands-on expertise | End-to-end modern DevSecOps toolchain experience | - - - -πŸ“¬ Contact Interested in how I can bring end-to-end DevSecOps expertise to your team? Let’s connect! -
-**Built with ❀️ to demonstrate modern DevSecOps practices** [![GitHub stars](https://img.shields.io/github/stars/wizzfi1/fullstack-devsecops-demo?style=social)](https://github.com/wizzfi1/fullstack-devsecops-demo) [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT) +
+
diff --git a/docs/images/Grafana-dashh.png b/docs/images/Grafana-dashh.png
new file mode 100644
index 0000000..0ee22b9
Binary files /dev/null and b/docs/images/Grafana-dashh.png differ
diff --git a/docs/images/Lint test.png b/docs/images/Lint test.png
new file mode 100644
index 0000000..5be1d65
Binary files /dev/null and b/docs/images/Lint test.png differ
diff --git a/docs/images/Prod-url.png b/docs/images/Prod-url.png
new file mode 100644
index 0000000..8baade2
Binary files /dev/null and b/docs/images/Prod-url.png differ
diff --git a/docs/images/Prometheus-dashh.png b/docs/images/Prometheus-dashh.png
new file mode 100644
index 0000000..bb5463b
Binary files /dev/null and b/docs/images/Prometheus-dashh.png differ
diff --git a/docs/images/Render-staging.png b/docs/images/Render-staging.png
new file mode 100644
index 0000000..2153e7b
Binary files /dev/null and b/docs/images/Render-staging.png differ