Share
## https://sploitus.com/exploit?id=4DECD7B9-71F8-5A3C-8697-4B0C7D8AC722
# Typeform DevSecOps Pipeline POC







A comprehensive DevSecOps security automation framework demonstrating CI/CD pipeline security gates, container vulnerability scanning, IaC compliance enforcement, STRIDE threat modeling, automated incident response, and AI/ML workload security validation.
---
## Architecture
```
+-----------------------------------------------------------------------+
| CI/CD Pipeline Security Gates |
| |
| +--------+ +--------+ +------+ +--------+ +---------+ |
| | SAST | | DAST | | SCA | | Secret | | Supply | |
| | Gate | | Gate | | Gate | | Detect | | Chain | |
| +---+----+ +---+----+ +--+---+ +---+----+ +----+----+ |
| | | | | | |
| +------+-----+----+----+-----+----+------+------+ |
| | | | | |
| v v v v |
| +------+-----+ +-+--------++ +---------+--------+ |
| | Container | | IaC | | Threat Model | |
| | Scanner | | Compliance| | (STRIDE Engine) | |
| +------+-----+ +----+-----+ +---------+---------+ |
| | | | |
| +-------+------+--------+---------+ |
| | | |
| v v |
| +-------+------+ +------+----------+ |
| | Incident | | AI/ML Workload | |
| | Responder | | Security | |
| +--------------+ +-----------------+ |
+-----------------------------------------------------------------------+
|
v
+----------+-----------+
| Pipeline Report |
| (pass/fail verdict |
| + findings summary) |
+----------------------+
```
---
## Modules
| Module | File | Description |
|--------|------|-------------|
| **Pipeline Security** | `src/pipeline_security.py` | Multi-gate CI/CD security framework (SAST, DAST, SCA, secrets, supply chain) |
| **Container Scanner** | `src/container_scanner.py` | Dockerfile lint, base-image CVE lookup, SBOM generation |
| **IaC Compliance** | `src/iac_compliance.py` | Terraform security scanner with CIS benchmark mapping |
| **Threat Model** | `src/threat_model.py` | STRIDE-based threat modeling with risk scoring |
| **Incident Responder** | `src/incident_responder.py` | Alert classification, containment playbooks, post-incident reports |
| **AI Workload Security** | `src/ai_workload_security.py` | Model serving security, prompt injection detection, data pipeline validation |
---
## Quick Start
```bash
# Clone the repository
git clone https://github.com/ramagopalb/typeform-devsecops-pipeline-poc.git
cd typeform-devsecops-pipeline-poc
# Install dependencies
pip install -r requirements.txt
# Run all tests
python -m pytest tests/ -q
# Run the full demo
python demo.py
# Run a specific demo module
python demo.py pipeline # CI/CD security gates
python demo.py container # Container vulnerability scanner
python demo.py iac # Terraform compliance checker
python demo.py threat # STRIDE threat modeling
python demo.py incident # Incident response orchestrator
python demo.py ai # AI/ML workload security
```
---
## Example Output
### Pipeline Security Gate Summary
```
Pipeline ID: typeform-main-build-042
Overall Verdict: PASS
Gate: SAST โ PASS (0.1ms)
Gate: DAST โ PASS (0.1ms)
Gate: SCA โ FAIL (0.1ms)
[HIGH] Vulnerable dependency: lodash@4.17.15
Gate: SECRET_DET โ PASS (0.0ms)
Gate: SUPPLY_CHAIN โ PASS (0.0ms)
Total findings: 6
Severity breakdown: CRITICAL=0, HIGH=1, MEDIUM=2, LOW=0, INFO=3
```
### Container Scan Findings
```
Image: typeform/form-service:latest
Risk Score: 41.0
[CRITICAL] Hardcoded secret in Dockerfile
[HIGH] Container running as root
[HIGH] SSH port exposed in container
[MEDIUM] Using 'latest' tag for base image
[CRITICAL] CVE-2023-4911 in glibc (Looney Tunables)
SBOM: 4 packages (libc6, openssl, bash, flask)
```
### IaC Compliance Report
```
Source: infra/main.tf
Compliance Score: 0.0%
[HIGH] TF001: Security group allows ingress from 0.0.0.0/0
[CRITICAL] TF003: S3 bucket configured with public-read ACL
[CRITICAL] TF005: IAM policy with wildcard Action
[HIGH] TF007: EKS cluster API endpoint publicly accessible
[HIGH] TF004: RDS instance storage not encrypted
```
### STRIDE Threat Model
```
System: Typeform Platform
Components: 4 | Data Flows: 3 | Total Threats: 18
Top threats:
[CRITICAL] (score=20) Information disclosure: form-api -> response-db
[HIGH] (score=16) DoS vulnerability on form-api
[HIGH] (score=15) Privilege escalation risk on ml-inference
[HIGH] (score=12) Identity spoofing on ml-inference
```
---
## Tech Stack
- **Language:** Python 3.9+
- **Testing:** pytest
- **Security Frameworks:** STRIDE, CIS Benchmarks, OWASP ML Top 10, SLSA
- **IaC Coverage:** Terraform (AWS provider: S3, IAM, SG, RDS, EKS, CloudTrail)
- **Container Coverage:** Dockerfile best practices, CVE simulation, CycloneDX-style SBOM
- **AI/ML Security:** Prompt injection detection, model integrity, serving endpoint hardening
---
## Project Structure
```
typeform-devsecops-pipeline-poc/
โโโ README.md # This file
โโโ requirements.txt # Python dependencies
โโโ .gitignore # Git ignore rules
โโโ demo.py # Interactive CLI demo
โโโ src/
โ โโโ __init__.py
โ โโโ pipeline_security.py # CI/CD security gate framework
โ โโโ container_scanner.py # Container vulnerability scanner
โ โโโ iac_compliance.py # Terraform/IaC compliance checker
โ โโโ threat_model.py # STRIDE threat modeling engine
โ โโโ incident_responder.py # Incident response orchestrator
โ โโโ ai_workload_security.py # AI/ML workload security validator
โโโ tests/
โโโ __init__.py
โโโ test_pipeline_security.py # Pipeline gate tests
โโโ test_container_scanner.py # Container scanner tests
โโโ test_iac_compliance.py # IaC compliance tests
โโโ test_threat_model.py # Threat model tests
```
---
## Author
**Ram Gopal Reddy Basireddy**
- GitHub: [ramagopalb](https://github.com/ramagopalb)
- LinkedIn: [ram-ba-29b110261](https://www.linkedin.com/in/ram-ba-29b110261/)