Share
## https://sploitus.com/exploit?id=D3BA681F-25B7-5CDE-8532-142C06F98FC5
# DevOps Security Pipeline POC

A security-integrated CI/CD pipeline framework demonstrating automated security scanning,
infrastructure-as-code, and containerized deployments. Built as a proof-of-concept for
enterprise-grade DevOps practices aligned with financial services compliance requirements.

---

## Architecture

```
+-------------------+       +---------------------+       +-------------------+
|   Source Code      |       |   Security Gates     |       |   Deployment       |
|   (GitLab)        |       |                     |       |   Targets          |
+--------+----------+       +----------+----------+       +--------+----------+
         |                             |                            |
         v                             v                            v
+--------+----------+       +----------+----------+       +--------+----------+
| GitLab CI/CD      |       | SonarQube (SAST)    |       | Azure AKS         |
| Pipeline Runner   +------>+ Semgrep (Pattern)   +------>+ (Kubernetes)      |
|                   |       | Dep. Vuln Scanner   |       |                   |
+--------+----------+       +----------+----------+       +--------+----------+
         |                             |                            |
         v                             v                            v
+--------+----------+       +----------+----------+       +--------+----------+
| Docker Build      |       | Security Reports    |       | Azure Container   |
| Multi-Stage       |       | Quality Gate Check  |       | Registry (ACR)    |
+--------+----------+       +----------+----------+       +--------+----------+
         |                             |                            |
         v                             v                            v
+--------+----------+       +----------+----------+       +--------+----------+
| Terraform IaC     |       | Compliance Audit    |       | Monitoring &      |
| (Azure Provider)  |       | Trail & Artifacts   |       | Alerting          |
+-------------------+       +---------------------+       +-------------------+
```

### Pipeline Flow

```
 [Commit] --> [Lint] --> [Security Scan] --> [Build] --> [Staging] --> [Production]
                              |                                           |
                        Quality Gate                               Manual Approval
                        (Fail on Critical)                         (Required)
```

---

## Features

- **Automated Security Scanning**: Integrated SonarQube SAST analysis and Semgrep pattern-based scanning with configurable severity thresholds.
- **Quality Gate Enforcement**: Pipeline fails automatically when critical or high-severity vulnerabilities exceed configurable thresholds.
- **Infrastructure as Code**: Terraform-managed Azure infrastructure (AKS, ACR, Resource Groups) with drift detection and cost estimation.
- **Multi-Stage CI/CD**: GitLab CI pipeline with lint, security, build, staging, and production stages with manual approval gates.
- **Containerized Deployments**: Multi-stage Docker builds pushed to Azure Container Registry and deployed to AKS.
- **Config-Driven Pipeline**: YAML-based configuration for pipeline behavior, security thresholds, and cloud provider settings.
- **Dependency Vulnerability Checking**: Automated scanning of project dependencies against known CVE databases.
- **Comprehensive Logging**: Structured logging throughout all pipeline stages for audit trail compliance.
- **Dual Cloud Support**: Architecture supports both Azure (primary) and AWS providers via abstracted infrastructure management.
- **Local Development**: Docker Compose setup with SonarQube for local security scanning and development.

---

## Tech Stack

| Category              | Technology                          |
|-----------------------|-------------------------------------|
| **CI/CD**             | GitLab CI/CD                        |
| **Security - SAST**   | SonarQube, Semgrep                  |
| **IaC**               | Terraform (Azure Provider)          |
| **Containerization**  | Docker, Docker Compose              |
| **Orchestration**     | Kubernetes (Azure AKS)              |
| **Cloud**             | Microsoft Azure (primary), AWS      |
| **Registry**          | Azure Container Registry (ACR)      |
| **Language**          | Python 3.10+                        |
| **Configuration**     | YAML, HCL                           |
| **Testing**           | pytest, unittest                    |

---

## Project Structure

```
devops-security-pipeline-poc/
|-- .env.example                 # Environment variable template
|-- .gitignore                   # Git ignore rules
|-- .gitlab-ci.yml               # GitLab CI/CD pipeline definition
|-- Dockerfile                   # Multi-stage container build
|-- docker-compose.yml           # Local development environment
|-- pipeline_config.yaml         # Pipeline configuration
|-- README.md                    # This file
|-- requirements.txt             # Python dependencies
|-- src/
|   |-- __init__.py
|   |-- infra_manager.py         # Terraform / cloud infrastructure management
|   |-- pipeline_orchestrator.py # Main pipeline orchestration engine
|   |-- security_scanner.py      # Security scanning integrations
|-- terraform/
|   |-- main.tf                  # Core infrastructure definitions
|   |-- outputs.tf               # Terraform output values
|   |-- variables.tf             # Terraform variable declarations
|-- tests/
|   |-- __init__.py
|   |-- test_pipeline.py         # Pipeline orchestrator unit tests
|   |-- test_security.py         # Security scanner unit tests
```

---

## Setup Instructions

### Prerequisites

- Python 3.10 or later
- Docker and Docker Compose
- Terraform >= 1.5
- Azure CLI (authenticated)
- GitLab account with CI/CD runner configured

### 1. Clone and Install Dependencies

```bash
git clone https://gitlab.com/your-org/devops-security-pipeline-poc.git
cd devops-security-pipeline-poc
python -m venv .venv
source .venv/bin/activate    # Linux/macOS
# .venv\Scripts\activate     # Windows
pip install -r requirements.txt
```

### 2. Configure Environment Variables

```bash
cp .env.example .env
# Edit .env with your actual credentials and configuration values
```

### 3. Start Local Development Environment

```bash
docker-compose up -d
# SonarQube will be available at http://localhost:9000 (default: admin/admin)
```

### 4. Run the Pipeline Locally

```bash
# Run the full pipeline
python -m src.pipeline_orchestrator run-pipeline --config pipeline_config.yaml

# Run only the security scan stage
python -m src.pipeline_orchestrator security-scan --config pipeline_config.yaml

# Run infrastructure deployment
python -m src.pipeline_orchestrator deploy-infra --config pipeline_config.yaml --environment staging
```

### 5. Provision Infrastructure with Terraform

```bash
cd terraform
terraform init
terraform plan -var="environment=staging" -var="region=uksouth"
terraform apply -var="environment=staging" -var="region=uksouth"
```

### 6. Run Tests

```bash
pytest tests/ -v --tb=short
```

---

## Configuration

All pipeline behavior is controlled via `pipeline_config.yaml`. Key sections:

- **security.thresholds**: Maximum allowed vulnerabilities per severity level before the quality gate fails.
- **cloud.provider**: Toggle between `azure` and `aws` infrastructure providers.
- **pipeline.stages**: Enable or disable individual pipeline stages.
- **notifications**: Configure Slack, email, or webhook notifications for pipeline events.

See the configuration file for all available options and their defaults.

---

## Security Compliance

This pipeline framework is designed with financial services compliance in mind:

- All security scan results are persisted as pipeline artifacts for audit trails.
- Quality gates enforce zero tolerance for critical vulnerabilities.
- Infrastructure changes are tracked through Terraform state with drift detection.
- Manual approval is required for production deployments.
- Container images are scanned before being pushed to the registry.

---

## License

Internal use only. Proprietary and confidential.