This repository demonstrates a complete DevSecOps automation pipeline developed as part of an Advanced Cloud Computing course.
The project automates the entire lifecycle of a Node.js application, from source code commit to secure deployment, while enforcing security at every stage using a Shift-Left DevSecOps approach.
The pipeline runs on a Self-Hosted GitHub Actions Runner and deploys the application to a local Kubernetes cluster (Minikube). Because jobs on a self-hosted runner execute with that machine's local privileges and its cluster credentials, the runner should only pick up workflows from trusted branches and collaborators, never from forks.
- Fully automated CI/CD pipeline
- Integrated security scanning (DevSecOps)
- Containerized application delivery
- Kubernetes-based deployment
- Real-world cloud-native workflow
```mermaid
graph LR
A[Developer Pushes Code] --> B[Build Docker Image]
B --> C{Trivy Security Scan}
C -->|Pass| D[Push Image to GHCR]
C -->|Fail| X[Pipeline Stops]
D --> E[Deploy to Kubernetes]
E --> F[Application Exposed]
```
1. Source Code Commit: the developer pushes code to GitHub.
2. Semantic Versioning: the pipeline generates the next version tag (e.g. v1.0.1) from the commit history.
3. Docker Image Build: builds a lightweight, optimized container image.
4. Security Scanning (Trivy): scans the image for CRITICAL and HIGH vulnerabilities; the pipeline fails immediately if any finding at those severities is reported, so nothing is pushed.
5. Image Registry (GHCR): pushes only images that passed the scan to the GitHub Container Registry.
6. Kubernetes Deployment: performs a rolling update on Minikube using the Kubernetes manifests in `k8s/`.
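
The versioning step above only says that tags are derived from commit history. The Python below is an added example, not the repository's `cicd.yaml` or its own code, of one common way to do that: collect the existing tags, pick the highest by numeric comparison (so `v1.10.0` sorts above `v1.9.2`), and bump it according to Conventional Commits prefixes on the commits since that tag. Conventional Commits is an assumption, since the page does not say which convention the project uses. The tag list and commit messages are constructed inline; in a workflow the same inputs would come from `git tag --list` and `git log <last-tag>..HEAD --format=%B`.

```python
import re

# Conventional Commits subject line: type(optional scope)!: description
# (assumption: the page does not state which commit convention the project uses)
_SUBJECT_RE = re.compile(r"^(?P<type>[a-z]+)(?:\([^)]*\))?(?P<bang>!)?:\s")
_TAG_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)$")


def parse_tag(tag):
    """'v1.10.0' -> (1, 10, 0); rejects anything that is not vMAJOR.MINOR.PATCH."""
    m = _TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a vMAJOR.MINOR.PATCH tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def latest_tag(tags):
    """Highest semver tag, compared numerically rather than as strings."""
    valid = [t for t in tags if _TAG_RE.match(t)]
    return max(valid, key=parse_tag) if valid else None


def bump_kind(commit_messages):
    """'major', 'minor', 'patch' or None, from the commits since the last tag."""
    rank = {None: 0, "patch": 1, "minor": 2, "major": 3}
    kind = None
    for msg in commit_messages:
        subject, _, body = msg.partition("\n")
        m = _SUBJECT_RE.match(subject)
        this = None
        if (m and m.group("bang")) or "BREAKING CHANGE:" in body:
            this = "major"
        elif m and m.group("type") == "feat":
            this = "minor"
        elif m and m.group("type") in ("fix", "perf"):
            this = "patch"
        # docs:, chore:, merge commits and free-form messages do not cut a release
        if rank[this] > rank[kind]:
            kind = this
    return kind


def next_version(tags, commit_messages):
    """Next tag to create, or None when nothing release-worthy was committed."""
    base = latest_tag(tags)
    major, minor, patch = parse_tag(base) if base else (0, 0, 0)
    kind = bump_kind(commit_messages)
    if kind is None:
        return None
    if kind == "major":
        return f"v{major + 1}.0.0"
    if kind == "minor":
        return f"v{major}.{minor + 1}.0"
    return f"v{major}.{minor}.{patch + 1}"


# Constructed sample history (not the repository's real tags or commits).
SAMPLE_TAGS = ["v1.0.0", "v0.9.3", "v1.10.0", "v1.9.2", "build-cache"]
SAMPLE_COMMITS = [
    "fix(api): reject negative page sizes",
    "docs: update README",
    "chore(ci): cache npm",
]

if __name__ == "__main__":
    print(latest_tag(SAMPLE_TAGS), "->", next_version(SAMPLE_TAGS, SAMPLE_COMMITS))
```

Whatever computes the tag, the job that pushes it needs write access to the repository, and the tag should be created only after the Trivy gate has passed; otherwise a version number exists for an image that was never published.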
| Layer | Technology | Purpose |
|---|---|---|
| Source Control | GitHub | Version control & collaboration |
| CI/CD | GitHub Actions | Automated pipeline |
| Containerization | Docker | Application packaging |
| Registry | GHCR | Secure image storage |
| Orchestration | Kubernetes (Minikube) | Container deployment |
| Security | Trivy | Vulnerability scanning |
| Backend | Node.js + Express | Application logic |
| Runner | Self-Hosted Runner | Full environment control |
Ensure the following tools are installed:
- Docker
- Minikube
- kubectl
- Git
```bash
# Clone the repository
git clone https://github.com/RoshaneAnees/devsecops.git
cd devsecops

# Start Minikube
minikube start --driver=docker

# Verify cluster
kubectl get nodes
```

Deployment is fully automated via GitHub Actions.

For manual testing:

```bash
kubectl apply -f k8s/
```

Security is embedded, not optional.
- Scanner: Trivy (Aqua Security)
- Target: the Docker image built in the pipeline (OS packages and application dependencies)
- Severity Gate: CRITICAL & HIGH
- Policy: the pipeline stops on detection, before the image is pushed to GHCR

This ensures no image with a known CRITICAL or HIGH finding is pushed or deployed. The gate is only as good as Trivy's vulnerability database at scan time, so images already running in the cluster should be rescanned periodically rather than trusted indefinitely.
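
Trivy's own `trivy image --exit-code 1 --severity CRITICAL,HIGH <image>` implements exactly the gate described in the pipeline stages and in the policy above. The Python below is an added example, not the project's workflow, that makes the gate's decision explicit by evaluating a `trivy image --format json` report: it walks every scan target, keeps only findings at the gated severities, and shows the `--ignore-unfixed` policy as an edge case, where an image whose only HIGH finding has no fixed version passes. The report is a constructed fixture in Trivy's JSON layout; the image name `ghcr.io/example/devsecops` and the `CVE-0000-*` identifiers are placeholders, not real vulnerabilities.

```python
import json
import sys

GATE_SEVERITIES = frozenset({"CRITICAL", "HIGH"})


def gate_findings(report, severities=GATE_SEVERITIES, ignore_unfixed=False):
    """Findings that block the pipeline, as (target, id, package, installed, fixed, severity).

    A target with nothing to report may omit the "Vulnerabilities" key entirely,
    so a clean image yields an empty list instead of a KeyError.
    """
    blocked = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            fixed = vuln.get("FixedVersion", "")
            if ignore_unfixed and not fixed:  # same policy as trivy's --ignore-unfixed
                continue
            blocked.append((result.get("Target", "?"), vuln["VulnerabilityID"],
                            vuln.get("PkgName", "?"), vuln.get("InstalledVersion", "?"),
                            fixed or "(no fix available)", vuln["Severity"]))
    return blocked


def gate_exit_code(report, **policy):
    """1 stops the pipeline before the push step, 0 lets it continue."""
    return 1 if gate_findings(report, **policy) else 0


def format_findings(findings):
    """One line per blocked finding, for the job log."""
    return "\n".join(f"{sev:8} {vid:16} {pkg} {inst} -> {fixed}  [{target}]"
                     for target, vid, pkg, inst, fixed, sev in findings)


# Constructed fixture in the layout of `trivy image --format json`; the image name
# and the CVE-0000-* identifiers are placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.loads("""
{
  "SchemaVersion": 2,
  "ArtifactName": "ghcr.io/example/devsecops:v1.0.1",
  "ArtifactType": "container_image",
  "Results": [
    {
      "Target": "ghcr.io/example/devsecops:v1.0.1 (debian 12.5)",
      "Class": "os-pkgs", "Type": "debian",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
         "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
         "InstalledVersion": "2.3-1", "FixedVersion": "2.3-2", "Severity": "MEDIUM"}
      ]
    },
    {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"}
  ]
}
""")

if __name__ == "__main__":
    findings = gate_findings(SAMPLE_REPORT)
    if findings:
        print(format_findings(findings))
    sys.exit(gate_exit_code(SAMPLE_REPORT))
```

Run against a real report with `trivy image --format json --output report.json <image>` and `json.load(open("report.json"))`. Keeping the policy in one function is what makes later refinements (an allowlist with expiry dates, a different gate for the npm target than for OS packages) reviewable in a pull request instead of hidden in CLI flags.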
```bash
kubectl get pods
minikube service devsecops-svc --url
kubectl port-forward svc/devsecops-svc 3000:3000
```

Visit: http://localhost:3000
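
The deployment manifest is what turns the scanned image into running pods, and a rolling update only protects you if the manifest pins exactly what was scanned and lets Kubernetes tell a healthy pod from a broken one. The Python below is an added example, not the repository's `k8s/deployment.yaml`: `check_deployment()` inspects a Deployment (built inline as a dict so it runs without PyYAML) for the settings a security reviewer would ask about, and `harden()` produces the corrected manifest beside the weak one. The image name `ghcr.io/example/devsecops`, the all-zero digest, the `/` readiness path and the resource sizes are placeholders.

```python
import copy
import re

# Placeholder image reference and digest (assumptions, not the repository's real values).
IMAGE = "ghcr.io/example/devsecops"
DIGEST = "sha256:" + "0" * 64
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed manifest with the weak defaults a minimal tutorial deployment tends to have.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "devsecops"},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "devsecops"}},
        "template": {
            "metadata": {"labels": {"app": "devsecops"}},
            "spec": {"containers": [{"name": "app", "image": f"{IMAGE}:latest",
                                     "ports": [{"containerPort": 3000}]}]},
        },
    },
}


def check_deployment(manifest):
    """Return (field path, problem) pairs; an empty list means every check passed."""
    findings = []
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})
    if spec.get("strategy", {}).get("type", "RollingUpdate") != "RollingUpdate":
        findings.append(("spec.strategy.type", "not a RollingUpdate"))
    if pod.get("automountServiceAccountToken", True):  # Kubernetes default is True
        findings.append(("spec.template.spec.automountServiceAccountToken",
                         "API token is mounted into the app pod"))
    for i, c in enumerate(pod.get("containers", [])):
        p = f"spec.template.spec.containers[{i}]"
        image = c.get("image", "")
        ref = image.rsplit("/", 1)[-1]  # drop registry/path so host:5000 is not read as a tag
        if not DIGEST_RE.search(image):
            if ":" not in ref or ref.endswith(":latest"):
                findings.append((p + ".image", "mutable reference (:latest or untagged)"))
            else:
                findings.append((p + ".image",
                                 "tag not pinned by digest; a tag can be re-pushed after the scan"))
        sc = c.get("securityContext", {})
        if sc.get("runAsNonRoot") is not True:
            findings.append((p + ".securityContext.runAsNonRoot", "container may run as root"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((p + ".securityContext.allowPrivilegeEscalation",
                             "setuid/capability escalation allowed"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((p + ".securityContext.readOnlyRootFilesystem",
                             "root filesystem is writable"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append((p + ".securityContext.capabilities.drop", "does not drop ALL"))
        if not c.get("resources", {}).get("limits"):
            findings.append((p + ".resources.limits", "no CPU/memory limits"))
        if "readinessProbe" not in c:
            findings.append((p + ".readinessProbe",
                             "rolling update cannot tell when a new pod is healthy"))
    return findings


def harden(manifest, digest=DIGEST):
    """Copy of the manifest with every finding from check_deployment() fixed."""
    m = copy.deepcopy(manifest)
    spec = m["spec"]
    spec["strategy"] = {"type": "RollingUpdate",
                        "rollingUpdate": {"maxUnavailable": 0, "maxSurge": 1}}
    pod = spec["template"]["spec"]
    pod["automountServiceAccountToken"] = False
    for c in pod["containers"]:
        c["image"] = f"{IMAGE}@{digest}"  # pins exactly the image Trivy scanned
        c["securityContext"] = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}}
        c["resources"] = {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}}
        c["readinessProbe"] = {"httpGet": {"path": "/", "port": 3000},
                               "initialDelaySeconds": 3, "periodSeconds": 5}
    return m


if __name__ == "__main__":
    for path, problem in check_deployment(WEAK_DEPLOYMENT):
        print(f"{path}: {problem}")
    print("hardened findings:", check_deployment(harden(WEAK_DEPLOYMENT)))
```

Pinning by digest is what closes the gap between the Trivy gate and the deploy step: a tag such as `v1.0.1` can be re-pushed after the scan, a digest cannot. `readOnlyRootFilesystem` may need an `emptyDir` volume mounted at whatever path the Node.js app writes to, and the readiness path must be a route the app actually serves.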
```text
devsecops/
├── .github/workflows/
│   └── cicd.yaml          # CI/CD pipeline
├── app/
│   ├── Dockerfile         # Docker image definition
│   ├── package.json       # Dependencies
│   └── index.js           # Application entry point
├── k8s/
│   ├── deployment.yaml    # Kubernetes deployment
│   └── service.yaml       # Service exposure
└── README.md              # Documentation
```
This project directly maps to industry-grade cloud practices:
- Mirrors enterprise DevSecOps pipelines
- Implements container security gates
- Uses cloud-native orchestration
- Demonstrates CI/CD + Kubernetes integration
- Applies Shift-Left security principles
Traditional DevOps focuses on speed.
DevSecOps adds trust, safety, and compliance.
This project demonstrates:
- Security can be automated
- CI/CD can be secure by design
- Cloud deployments can be reliable & scalable

If you found this project useful, consider starring the repository!