Initial import

.github/dependabot.yaml

@@ -0,0 +1,25 @@
+version: 2
+updates:
+  - package-ecosystem: "terraform"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10

.github/workflows/security-scan.yml

@@ -0,0 +1,221 @@
+name: Terraform Security Scan
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "**.tf"
+      - "**.tfvars"
+      - "**.py"
+      - "**.yml" # WIP: Workaround while debugging
+  pull_request:
+    branches: [main]
+    paths:
+      - "**.tf"
+      - "**.tfvars"
+  schedule:
+    - cron: "0 0 * * 0" # Run weekly on Sunday
+
+permissions: write-all
+
+jobs:
+  security-scan:
+    name: Infrastructure-as-Code Security Scan
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.10.2"
+
+      - name: Terraform init
+        run: cd infra; terraform init
+
+      - name: Run Terrascan
+        uses: tenable/[email protected]
+        with:
+          iac_dir: "infra"
+          iac_type: "terraform"
+          iac_version: "v14"
+          policy_type: "aws"
+          only_warn: true
+          sarif_upload: true
+          non_recursive: true
+        continue-on-error: true
+
+      - name: Run tfsec
+        uses: aquasecurity/[email protected]
+        with:
+          working_directory: infra
+          sarif_file: tfsec.sarif
+        continue-on-error: true
+
+      - name: Run Checkov scan
+        id: checkov
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: infra
+          framework: terraform
+          output_format: sarif
+          output_file_path: .
+          skip_check: CKV_AWS_1,CKV_AWS_2 # Add checks to skip if needed
+        continue-on-error: true
+
+      # - name: Upload Checkov SARIF report
+      #   if: success() || failure()
+      #   uses: github/codeql-action/upload-sarif@v3
+      #   with:
+      #     sarif_file: results_sarif.sarif
+      #     wait-for-processing: true
+      #     category: checkov
+
+      - name: Build Severity Mapper container
+        run: docker build -t checkov-severity-mapper -f mapper/Dockerfile mapper/
+
+      - name: Run Severity Calibration
+        run: |
+          docker run --rm -v $(pwd):/data/ checkov-severity-mapper
+
+      - name: Upload calibrated Checkov SARIF report
+        if: success() || failure()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: checkov_findings_high_critical.sarif
+          wait-for-processing: true
+          category: checkov
+
+      - name: Upload Terrascan SARIF report
+        if: success() || failure()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: terrascan.sarif
+          wait-for-processing: true
+          category: terrascan
+
+      - name: Upload tfsec SARIF report
+        if: success() || failure()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: tfsec.sarif
+          wait-for-processing: true
+          category: tfsec
+
+      - name: Upload Reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: infra-scan-results
+          path: ./*.sarif
+
+  check-dependabot-alerts:
+    name: Code Dependencies Scan
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check for Dependabot Alerts
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GH_PAT }}
+          script: |
+            const alerts = await github.rest.dependabot.listAlertsForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              headers: {
+                'Accept': 'application/vnd.github+json'
+              }
+            });
+            if (alerts.data.length > 0) {
+              console.error(`Found ${alerts.data.length} open Dependabot alerts:`);
+              alerts.data.forEach(alert => {
+                console.error(`- Severity: ${alert.security_advisory.severity}`);
+                console.error(`  Summary: ${alert.security_advisory.summary}`);
+                console.error(`  Package: ${alert.dependency.package.name}`);
+              });
+              // Explicitly fail the workflow
+              core.setFailed(`${alerts.data.length} open Dependabot alerts found`);
+            }
+
+  owasp:
+    name: Web Security Scan
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Start Web Application
+        run: |
+          docker compose -f web-app/docker-compose.yml up -d
+
+      - name: Create reports directory
+        run: |
+          mkdir -p reports
+          chmod -R 777 reports
+        
+      - name: ZAP Automation Framework Scan
+        uses: zaproxy/[email protected]
+        with:
+          plan: '.github/workflows/zap/plan.yml'         # Path to the automation framework plan
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'  # Optional: specify ZAP Docker image
+
+      - name: Fix SARIF URIs
+        if: always()
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq
+          # Convert http URLs to file URLs and update the SARIF file
+          jq '.runs[].results[].locations[].physicalLocation.artifactLocation.uri |= "file://" + .' reports/zap-scan-report.json > reports/zap-scan-report.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: reports/zap-scan-report.sarif
+
+      - name: Stop Web Application
+        if: always()
+        run: docker compose -f web-app/docker-compose.yml down
+
+      - name: Upload ZAP Report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-scan-results
+          path: |
+            reports/zap-scan-report.sarif
+
+  code-scan:
+    name: Python Security Scan
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install bandit bandit-sarif-formatter
+
+      - name: Run Bandit security scan
+        run: |
+          bandit -r python-app -f sarif -o bandit-results.sarif
+
+      - name: Upload SARIF results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()  # Upload results whether the scan passed or failed
+        with:
+          sarif_file: bandit-results.sarif
+          category: Bandit
+
+      - name: Upload Reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: infra-scan-results
+          path: bandit-results.sarif

.github/workflows/zap/plan.yml

@@ -0,0 +1,32 @@
+env:
+  contexts:
+    - name: "Default Context"
+      urls: ["http://localhost:8081"]
+  parameters:
+    failOnError: true
+    progressToStdout: true
+
+jobs:
+  - name: "passiveScan-config"
+    type: "passiveScan-config"
+    parameters:
+      scanOnlyInScope: true
+
+  - name: "spider"
+    type: "spider"
+    parameters:
+      context: "Default Context"
+      maxDuration: 0
+
+  - name: "active-scan"
+    type: "activeScan"
+    parameters:
+      context: "Default Context"
+
+  - name: "report"
+    type: "report"
+    parameters:
+      template: "sarif-json"
+      reportDir: "/zap/wrk/reports/"    # This directory is mapped to GITHUB_WORKSPACE
+      reportFile: "zap-scan-report"
+      reportTitle: "ZAP Scan Report"

.gitignore

@@ -0,0 +1,2 @@
+findings.json
+embedded-static-server

README.md

@@ -0,0 +1,48 @@
+# DevSecOps Pipeline Showcase
+
+This repository serves as a reference implementation for integrating security practices into your development pipeline using GitHub Actions. It demonstrates how to implement a comprehensive DevSecOps approach in a modern web application stack.
+
+## Architecture Overview
+
+The repository contains a complete application stack:
+
+- Frontend: React-based web application
+- Backend: Python FastAPI service
+- Infrastructure: Terraform configurations for AWS deployment
+
+## Security Pipeline Features
+
+Our security pipeline implements industry best practices for continuous security testing:
+
+- Static Application Security Testing (SAST)
+  - Python code analysis using Bandit
+  - Infrastructure code scanning using tfsec
+- Software Composition Analysis (SCA)
+  - Dependency scanning with Dependabot
+- Container Security
+  - Base image vulnerability assessment
+- Infrastructure as Code (IaC) Security
+  - Checkov analysis with calibrated outputs
+- Security Testing
+  - Front-end security testing with OWASP ZAP
+
+All security findings are exported in SARIF format and integrated with GitHub Security dashboard.
+
+## Repository Structure
+
+```
+├── .github/
+│   └── workflows/         # GitHub Actions pipeline definitions
+├── web-app/               # React web application
+├── python-app/            # Python FastAPI service
+├── infra/                # Terraform configurations
+└── tests/                # Test suites including security tests
+```
+
+## Pipeline Configuration
+
+The security pipeline is defined in `.github/workflows/security-scan.yml`
+
+**Note**: This is a demonstration repository intended to showcase DevSecOps practices. While the security controls are real, the application code is simplified for educational purposes.
+
+**Note**: This repository requires PAT called GH_PAT with repository and security access