Share
## https://sploitus.com/exploit?id=4DECD7B9-71F8-5A3C-8697-4B0C7D8AC722
# Typeform DevSecOps Pipeline POC

![Python](https://img.shields.io/badge/Python-3.9%2B-blue)
![Security](https://img.shields.io/badge/Security-STRIDE%20%7C%20CIS%20%7C%20OWASP-red)
![IaC](https://img.shields.io/badge/IaC-Terraform-purple)
![Container](https://img.shields.io/badge/Container-Docker%20%7C%20K8s-blue)
![CI/CD](https://img.shields.io/badge/CI%2FCD-Pipeline%20Security-green)
![AI/ML](https://img.shields.io/badge/AI%2FML-Workload%20Security-orange)
![Tests](https://img.shields.io/badge/Tests-pytest-brightgreen)

A comprehensive DevSecOps security automation framework demonstrating CI/CD pipeline security gates, container vulnerability scanning, IaC compliance enforcement, STRIDE threat modeling, automated incident response, and AI/ML workload security validation.

---

## Architecture

```
+-----------------------------------------------------------------------+
|                      CI/CD Pipeline Security Gates                     |
|                                                                       |
|   +--------+  +--------+  +------+  +--------+  +---------+          |
|   |  SAST  |  |  DAST  |  | SCA  |  | Secret |  | Supply  |          |
|   | Gate   |  | Gate   |  | Gate |  | Detect |  | Chain   |          |
|   +---+----+  +---+----+  +--+---+  +---+----+  +----+----+          |
|       |            |          |          |             |               |
|       +------+-----+----+----+-----+----+------+------+              |
|              |           |         |            |                      |
|              v           v         v            v                      |
|       +------+-----+  +-+--------++  +---------+--------+            |
|       | Container  |  |   IaC     |  |    Threat Model   |            |
|       | Scanner    |  | Compliance|  |   (STRIDE Engine) |            |
|       +------+-----+  +----+-----+  +---------+---------+            |
|              |              |                  |                       |
|              +-------+------+--------+---------+                      |
|                      |               |                                |
|                      v               v                                |
|              +-------+------+ +------+----------+                     |
|              |  Incident    | | AI/ML Workload  |                     |
|              |  Responder   | | Security        |                     |
|              +--------------+ +-----------------+                     |
+-----------------------------------------------------------------------+
                               |
                               v
                    +----------+-----------+
                    | Pipeline Report      |
                    | (pass/fail verdict   |
                    |  + findings summary) |
                    +----------------------+
```

---

## Modules

| Module | File | Description |
|--------|------|-------------|
| **Pipeline Security** | `src/pipeline_security.py` | Multi-gate CI/CD security framework (SAST, DAST, SCA, secrets, supply chain) |
| **Container Scanner** | `src/container_scanner.py` | Dockerfile lint, base-image CVE lookup, SBOM generation |
| **IaC Compliance** | `src/iac_compliance.py` | Terraform security scanner with CIS benchmark mapping |
| **Threat Model** | `src/threat_model.py` | STRIDE-based threat modeling with risk scoring |
| **Incident Responder** | `src/incident_responder.py` | Alert classification, containment playbooks, post-incident reports |
| **AI Workload Security** | `src/ai_workload_security.py` | Model serving security, prompt injection detection, data pipeline validation |

---

## Quick Start

```bash
# Clone the repository
git clone https://github.com/ramagopalb/typeform-devsecops-pipeline-poc.git
cd typeform-devsecops-pipeline-poc

# Install dependencies
pip install -r requirements.txt

# Run all tests
python -m pytest tests/ -q

# Run the full demo
python demo.py

# Run a specific demo module
python demo.py pipeline    # CI/CD security gates
python demo.py container   # Container vulnerability scanner
python demo.py iac         # Terraform compliance checker
python demo.py threat      # STRIDE threat modeling
python demo.py incident    # Incident response orchestrator
python demo.py ai          # AI/ML workload security
```

---

## Example Output

### Pipeline Security Gate Summary

```
Pipeline ID: typeform-main-build-042
Overall Verdict: PASS

Gate: SAST        โ€” PASS (0.1ms)
Gate: DAST        โ€” PASS (0.1ms)
Gate: SCA         โ€” FAIL (0.1ms)
  [HIGH] Vulnerable dependency: lodash@4.17.15
Gate: SECRET_DET  โ€” PASS (0.0ms)
Gate: SUPPLY_CHAIN โ€” PASS (0.0ms)

Total findings: 6
Severity breakdown: CRITICAL=0, HIGH=1, MEDIUM=2, LOW=0, INFO=3
```

### Container Scan Findings

```
Image: typeform/form-service:latest
Risk Score: 41.0

[CRITICAL] Hardcoded secret in Dockerfile
[HIGH]     Container running as root
[HIGH]     SSH port exposed in container
[MEDIUM]   Using 'latest' tag for base image
[CRITICAL] CVE-2023-4911 in glibc (Looney Tunables)

SBOM: 4 packages (libc6, openssl, bash, flask)
```

### IaC Compliance Report

```
Source: infra/main.tf
Compliance Score: 0.0%

[HIGH]     TF001: Security group allows ingress from 0.0.0.0/0
[CRITICAL] TF003: S3 bucket configured with public-read ACL
[CRITICAL] TF005: IAM policy with wildcard Action
[HIGH]     TF007: EKS cluster API endpoint publicly accessible
[HIGH]     TF004: RDS instance storage not encrypted
```

### STRIDE Threat Model

```
System: Typeform Platform
Components: 4 | Data Flows: 3 | Total Threats: 18

Top threats:
  [CRITICAL] (score=20) Information disclosure: form-api -> response-db
  [HIGH]     (score=16) DoS vulnerability on form-api
  [HIGH]     (score=15) Privilege escalation risk on ml-inference
  [HIGH]     (score=12) Identity spoofing on ml-inference
```

---

## Tech Stack

- **Language:** Python 3.9+
- **Testing:** pytest
- **Security Frameworks:** STRIDE, CIS Benchmarks, OWASP ML Top 10, SLSA
- **IaC Coverage:** Terraform (AWS provider: S3, IAM, SG, RDS, EKS, CloudTrail)
- **Container Coverage:** Dockerfile best practices, CVE simulation, CycloneDX-style SBOM
- **AI/ML Security:** Prompt injection detection, model integrity, serving endpoint hardening

---

## Project Structure

```
typeform-devsecops-pipeline-poc/
โ”œโ”€โ”€ README.md                         # This file
โ”œโ”€โ”€ requirements.txt                  # Python dependencies
โ”œโ”€โ”€ .gitignore                        # Git ignore rules
โ”œโ”€โ”€ demo.py                           # Interactive CLI demo
โ”œโ”€โ”€ src/
โ”‚   โ”œโ”€โ”€ __init__.py
โ”‚   โ”œโ”€โ”€ pipeline_security.py          # CI/CD security gate framework
โ”‚   โ”œโ”€โ”€ container_scanner.py          # Container vulnerability scanner
โ”‚   โ”œโ”€โ”€ iac_compliance.py             # Terraform/IaC compliance checker
โ”‚   โ”œโ”€โ”€ threat_model.py               # STRIDE threat modeling engine
โ”‚   โ”œโ”€โ”€ incident_responder.py         # Incident response orchestrator
โ”‚   โ””โ”€โ”€ ai_workload_security.py       # AI/ML workload security validator
โ””โ”€โ”€ tests/
    โ”œโ”€โ”€ __init__.py
    โ”œโ”€โ”€ test_pipeline_security.py     # Pipeline gate tests
    โ”œโ”€โ”€ test_container_scanner.py     # Container scanner tests
    โ”œโ”€โ”€ test_iac_compliance.py        # IaC compliance tests
    โ””โ”€โ”€ test_threat_model.py          # Threat model tests
```

---

## Author

**Ram Gopal Reddy Basireddy**
- GitHub: [ramagopalb](https://github.com/ramagopalb)
- LinkedIn: [ram-ba-29b110261](https://www.linkedin.com/in/ram-ba-29b110261/)