CapstoneFinal

Badges (images in the original README): Board Status, Release Status, Build Status, security: bandit

Introduction

The goal is to simulate a real DevOps IT infrastructure, a methodology that is becoming much more prevalent.

You can see weekly updates on the development of this project here.

Description

This project demonstrates simple, intentionally vulnerable web application(s) being scanned and rejected by a CI/CD pipeline through various testers and linters, and then a "fixed" application passing successfully through the same pipeline.

The "main" branch hosts the insecure application. The "fixedbranch" branch hosts all of my fixes for main. For demonstration purposes, merge fixedbranch into a clone of the main branch, modify the pipeline triggers so the clone is built, and watch it go through the pipeline.

Final Diagram

Tools Used

  • CI/CD: Azure DevOps
  • Code Repository: GitHub
  • Cloud Provider: Microsoft Azure - App Service (PaaS)
  • Container Registry: Docker Hub, Microsoft Container Registry (Issue Shown here)
  • Containerization: Docker
  • Monitoring: DataDog
  • Notifications: Slack (Datadog, GitHub, Azure Boards / Pipelines)
  • DevOps Collaboration / Agile: Azure Boards, Azure Dashboard
  • Unit Tests: pytest
  • SAST / SCA: WhiteSource Bolt (open-source dependency vulnerability scanner, i.e. software composition analysis rather than SAST proper), Bandit (Python SAST linter), Hadolint (Dockerfile linter)
  • DAST: [Nikto](https://github.com/sullo/nikto) (open-source web server scanner), OWASP ZAP (pipeline code sourced and modified from UKHO)
  • Secret Scanning: Talisman Pre-Commit
  • Application: Python Flask
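The "scan and reject" step described above needs a rule for when a scanner finding actually fails the build: a pipeline that fails on every Bandit LOW will be ignored, and one that never fails is decoration. The following is an added example, not code from this capstone repository or from Bandit itself. It reads the JSON shape that `bandit -f json` emits (the `results` list with `test_id`, `issue_severity`, `issue_confidence`, `filename`, `line_number`, `issue_text`) and fails the build only when both severity and confidence meet a threshold. The two reports are constructed by hand to mimic a scan of the insecure main branch and of the fixed branch; the test IDs (B602 shell=True, B201 Flask debug=True, B101 assert) are real Bandit checks, but the file names and line numbers are made up.

```python
"""
Severity gate for a Bandit JSON report: the CI step that turns
"Bandit found something" into "fail the build" only above a threshold.
"""
import json
from typing import Dict, Iterable, List

# Bandit's own severity / confidence labels, ranked for comparison.
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report (not real scanner output): the shape is the one
# `bandit -f json` emits, trimmed to the fields the gate reads. It stands in
# for a scan of the insecure "main" branch.
INSECURE_REPORT = json.dumps({
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app.py", "line_number": 17,
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"test_id": "B201", "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
         "filename": "app.py", "line_number": 41,
         "issue_text": "A Flask app appears to be run with debug=True."},
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "tests/test_app.py", "line_number": 5,
         "issue_text": "Use of assert detected."},
    ]
})

# Constructed report for the "fixedbranch": only the assert in a test file
# remains, which should not block a merge.
FIXED_REPORT = json.dumps({
    "results": [
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "tests/test_app.py", "line_number": 5,
         "issue_text": "Use of assert detected."},
    ]
})


def blocking_findings(report_json: str, min_severity: str = "MEDIUM",
                      min_confidence: str = "MEDIUM",
                      ignore_ids: Iterable[str] = ()) -> List[Dict]:
    """Return the findings that should fail the build.

    A finding blocks when its severity AND confidence both meet the
    thresholds and its test id has not been explicitly accepted. Keeping
    low-confidence findings out of the gate stops the pipeline failing on
    guesses; they still sit in the full report for a human to read.
    """
    ignored = set(ignore_ids)
    results = json.loads(report_json).get("results", [])
    return [
        r for r in results
        if r["test_id"] not in ignored
        and RANK[r["issue_severity"]] >= RANK[min_severity]
        and RANK[r["issue_confidence"]] >= RANK[min_confidence]
    ]


def should_fail(report_json: str, **thresholds) -> bool:
    """True when the pipeline should reject the commit."""
    return bool(blocking_findings(report_json, **thresholds))


def summary(report_json: str, **thresholds) -> str:
    """One line per blocking finding, in the form a CI log would show."""
    lines = [f"{r['filename']}:{r['line_number']} {r['test_id']} "
             f"[{r['issue_severity']}/{r['issue_confidence']}] {r['issue_text']}"
             for r in blocking_findings(report_json, **thresholds)]
    return "\n".join(lines) if lines else "no blocking findings"


if __name__ == "__main__":
    for branch, report in (("main", INSECURE_REPORT), ("fixedbranch", FIXED_REPORT)):
        verdict = "REJECT" if should_fail(report) else "PASS"
        print(f"{branch}: {verdict}\n{summary(report)}\n")
```

Bandit's CLI can apply the same thresholds directly (`-ll` for MEDIUM-and-above severity, `-ii` for MEDIUM-and-above confidence, `-s B101` to skip a check) and exits non-zero when anything survives the filter; the point of doing it in a separate step is that the pipeline can publish the full JSON report as an artifact while still gating the build on a narrower, explicit policy.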

Stretch Goal Tools

As per my project proposal, the main goal of this project is your average CI/CD pipeline that automatically takes and builds code from a repository into a container and pushes it to a server. However, there are some optional features that I want to include:

  • Heavy SAST/DAST Scanning: Shifting left is the name of the game nowadays and companies are introducing security into their pipeline as a requirement. While this is not one of the main goals, I definitely want to include a lot of testing into my pipeline if I get the chance.
  • Will Add After Presentation Dec 8th
    • Container Orchestration: Kubernetes is a really interesting technology and employers would love to see experience with it. If I have time, I would like to include Kubernetes as an optional stretch goal.
    • Infrastructure as Code: Terraform. If you automate application deployments, then why not automate the infrastructure you deploy to? Terraform would be another great addition to my project.

Applications Used

The application(s) used in this capstone are sourced from skf-labs, a collection of intentionally vulnerable web applications written in Flask. These applications are a good fit for my pipeline because each one contains a single vulnerability along with documentation for resolving it, which lets me demonstrate fixing the vulnerability.

My original prototype used OWASP Juice Shop, but due to the size of the application I would not be able to fix it, so I had to move on.