Share
## https://sploitus.com/exploit?id=D3BA681F-25B7-5CDE-8532-142C06F98FC5
# DevOps Security Pipeline POC
A security-integrated CI/CD pipeline framework demonstrating automated security scanning,
infrastructure-as-code, and containerized deployments. Built as a proof-of-concept for
enterprise-grade DevOps practices aligned with financial services compliance requirements.
---
## Architecture
```
+-------------------+ +---------------------+ +-------------------+
| Source Code | | Security Gates | | Deployment |
| (GitLab) | | | | Targets |
+--------+----------+ +----------+----------+ +--------+----------+
| | |
v v v
+--------+----------+ +----------+----------+ +--------+----------+
| GitLab CI/CD | | SonarQube (SAST) | | Azure AKS |
| Pipeline Runner +------>+ Semgrep (Pattern) +------>+ (Kubernetes) |
| | | Dep. Vuln Scanner | | |
+--------+----------+ +----------+----------+ +--------+----------+
| | |
v v v
+--------+----------+ +----------+----------+ +--------+----------+
| Docker Build | | Security Reports | | Azure Container |
| Multi-Stage | | Quality Gate Check | | Registry (ACR) |
+--------+----------+ +----------+----------+ +--------+----------+
| | |
v v v
+--------+----------+ +----------+----------+ +--------+----------+
| Terraform IaC | | Compliance Audit | | Monitoring & |
| (Azure Provider) | | Trail & Artifacts | | Alerting |
+-------------------+ +---------------------+ +-------------------+
```
### Pipeline Flow
```
[Commit] --> [Lint] --> [Security Scan] --> [Build] --> [Staging] --> [Production]
| |
Quality Gate Manual Approval
(Fail on Critical) (Required)
```
---
## Features
- **Automated Security Scanning**: Integrated SonarQube SAST analysis and Semgrep pattern-based scanning with configurable severity thresholds.
- **Quality Gate Enforcement**: Pipeline fails automatically when critical or high-severity vulnerabilities exceed configurable thresholds.
- **Infrastructure as Code**: Terraform-managed Azure infrastructure (AKS, ACR, Resource Groups) with drift detection and cost estimation.
- **Multi-Stage CI/CD**: GitLab CI pipeline with lint, security, build, staging, and production stages with manual approval gates.
- **Containerized Deployments**: Multi-stage Docker builds pushed to Azure Container Registry and deployed to AKS.
- **Config-Driven Pipeline**: YAML-based configuration for pipeline behavior, security thresholds, and cloud provider settings.
- **Dependency Vulnerability Checking**: Automated scanning of project dependencies against known CVE databases.
- **Comprehensive Logging**: Structured logging throughout all pipeline stages for audit trail compliance.
- **Dual Cloud Support**: Architecture supports both Azure (primary) and AWS providers via abstracted infrastructure management.
- **Local Development**: Docker Compose setup with SonarQube for local security scanning and development.
---
## Tech Stack
| Category | Technology |
|-----------------------|-------------------------------------|
| **CI/CD** | GitLab CI/CD |
| **Security - SAST** | SonarQube, Semgrep |
| **IaC** | Terraform (Azure Provider) |
| **Containerization** | Docker, Docker Compose |
| **Orchestration** | Kubernetes (Azure AKS) |
| **Cloud** | Microsoft Azure (primary), AWS |
| **Registry** | Azure Container Registry (ACR) |
| **Language** | Python 3.10+ |
| **Configuration** | YAML, HCL |
| **Testing** | pytest, unittest |
---
## Project Structure
```
devops-security-pipeline-poc/
|-- .env.example # Environment variable template
|-- .gitignore # Git ignore rules
|-- .gitlab-ci.yml # GitLab CI/CD pipeline definition
|-- Dockerfile # Multi-stage container build
|-- docker-compose.yml # Local development environment
|-- pipeline_config.yaml # Pipeline configuration
|-- README.md # This file
|-- requirements.txt # Python dependencies
|-- src/
| |-- __init__.py
| |-- infra_manager.py # Terraform / cloud infrastructure management
| |-- pipeline_orchestrator.py # Main pipeline orchestration engine
| |-- security_scanner.py # Security scanning integrations
|-- terraform/
| |-- main.tf # Core infrastructure definitions
| |-- outputs.tf # Terraform output values
| |-- variables.tf # Terraform variable declarations
|-- tests/
| |-- __init__.py
| |-- test_pipeline.py # Pipeline orchestrator unit tests
| |-- test_security.py # Security scanner unit tests
```
---
## Setup Instructions
### Prerequisites
- Python 3.10 or later
- Docker and Docker Compose
- Terraform >= 1.5
- Azure CLI (authenticated)
- GitLab account with CI/CD runner configured
### 1. Clone and Install Dependencies
```bash
git clone https://gitlab.com/your-org/devops-security-pipeline-poc.git
cd devops-security-pipeline-poc
python -m venv .venv
source .venv/bin/activate # Linux/macOS
# .venv\Scripts\activate # Windows
pip install -r requirements.txt
```
### 2. Configure Environment Variables
```bash
cp .env.example .env
# Edit .env with your actual credentials and configuration values
```
### 3. Start Local Development Environment
```bash
docker-compose up -d
# SonarQube will be available at http://localhost:9000 (default: admin/admin)
```
### 4. Run the Pipeline Locally
```bash
# Run the full pipeline
python -m src.pipeline_orchestrator run-pipeline --config pipeline_config.yaml
# Run only the security scan stage
python -m src.pipeline_orchestrator security-scan --config pipeline_config.yaml
# Run infrastructure deployment
python -m src.pipeline_orchestrator deploy-infra --config pipeline_config.yaml --environment staging
```
### 5. Provision Infrastructure with Terraform
```bash
cd terraform
terraform init
terraform plan -var="environment=staging" -var="region=uksouth"
terraform apply -var="environment=staging" -var="region=uksouth"
```
### 6. Run Tests
```bash
pytest tests/ -v --tb=short
```
---
## Configuration
All pipeline behavior is controlled via `pipeline_config.yaml`. Key sections:
- **security.thresholds**: Maximum allowed vulnerabilities per severity level before the quality gate fails.
- **cloud.provider**: Toggle between `azure` and `aws` infrastructure providers.
- **pipeline.stages**: Enable or disable individual pipeline stages.
- **notifications**: Configure Slack, email, or webhook notifications for pipeline events.
See the configuration file for all available options and their defaults.
---
## Security Compliance
This pipeline framework is designed with financial services compliance in mind:
- All security scan results are persisted as pipeline artifacts for audit trails.
- Quality gates enforce zero tolerance for critical vulnerabilities.
- Infrastructure changes are tracked through Terraform state with drift detection.
- Manual approval is required for production deployments.
- Container images are scanned before being pushed to the registry.
---
## License
Internal use only. Proprietary and confidential.