This project simulates and implements a complete DevSecOps workflow, focusing on automating security testing within the CI/CD process. The pipeline is built on both GitLab CI/CD and GitHub Actions and covers several security validation stages: SAST, SCA, container image scanning, and DAST.
The pipeline models a realistic DevSecOps workflow, from source code commit through testing, packaging, vulnerability scanning, and application deployment.
DevSecOps Workflow:
- Commit: Developers push code to the Git repository.
- SAST (Static Application Security Testing): Analyze source code to detect potential security vulnerabilities.
- SCA (Software Composition Analysis): Check third-party dependencies for known vulnerabilities.
- Build: Compile and package the application.
- Artifact: Store verified and tested build packages.
- Image Scan: Scan Docker images for vulnerabilities.
- Deploy: Deploy containers to a local or cloud environment.
- DAST (Dynamic Application Security Testing): Perform dynamic security testing on the running application.
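As an added example (not the project's own `.gitlab-ci.yml`, which this page does not reproduce), the listing below shows one way the stages above map onto GitLab CI jobs. Each scan job writes the HTML report the README lists and exits non-zero on High/Critical findings, so the Build, Deploy and DAST stages only run once the earlier gates have passed. Assumptions: the CI/CD variables `SNYK_TOKEN` and `APP_URL`, the `docker:24` images, and the placeholder deploy step; `$CI_REGISTRY_*` and `$CI_COMMIT_SHORT_SHA` are GitLab predefined variables and can be overridden to point at Harbor or DockerHub.

```yaml
# Added example, not the project's own pipeline definition.
# Assumed CI/CD variables (Settings > CI/CD > Variables):
#   SNYK_TOKEN  - Snyk API token, masked
#   APP_URL     - URL of the deployed application that the DAST stage scans
# $CI_REGISTRY, $CI_REGISTRY_USER, $CI_REGISTRY_PASSWORD, $CI_REGISTRY_IMAGE
# are GitLab predefined variables; override them to use Harbor or DockerHub.

stages: [sast, sca, build, image-scan, deploy, dast]

variables:
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

# SAST: Snyk Code scans the source. The "|| rc=$?" / "exit $rc" pattern lets
# the HTML report be written before the job fails, so it is kept as an artifact.
sast:
  stage: sast
  image: node:20
  script:
    - npm install -g snyk snyk-to-html
    - rc=0; snyk code test --severity-threshold=high --json-file-output=snyk-code.json || rc=$?
    - snyk-to-html -i snyk-code.json -o snyk-report.html
    - exit $rc
  artifacts:
    when: always
    paths: [snyk-report.html]

# SCA: Trivy checks third-party dependencies (lock files) in the repository.
sca:
  stage: sca
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    - >
      trivy fs --scanners vuln --severity HIGH,CRITICAL --exit-code 1
      --format template --template "@/contrib/html.tpl"
      -o trivy-sca-report.html .
  artifacts:
    when: always
    paths: [trivy-sca-report.html]

# Build + Artifact: build the image from the project's Dockerfile and push it
# to the registry. The pushed image is the artifact later stages consume.
build:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

# Image Scan: Trivy pulls the pushed image from the registry and scans its layers.
image-scan:
  stage: image-scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
  script:
    - >
      trivy image --severity HIGH,CRITICAL --exit-code 1
      --format template --template "@/contrib/html.tpl"
      -o trivy-image-report.html "$IMAGE"
  artifacts:
    when: always
    paths: [trivy-image-report.html]

# Deploy: placeholder step; the real target (local Docker host, cloud) goes here.
deploy:
  stage: deploy
  image: docker:24
  script:
    - echo "deploying $IMAGE to the environment behind $APP_URL (placeholder step)"
  environment:
    name: staging
    url: "$APP_URL"

# DAST: ZAP baseline scan against the running application. The script writes
# its report under /zap/wrk, so it is copied into the job directory for artifacts.
dast:
  stage: dast
  image: ghcr.io/zaproxy/zaproxy:stable
  script:
    - mkdir -p /zap/wrk
    - rc=0; zap-baseline.py -t "$APP_URL" -r zap-report.html || rc=$?
    - cp /zap/wrk/zap-report.html .
    - exit $rc
  artifacts:
    when: always
    paths: [zap-report.html]
```

Two design points worth noting: every scan job uses `artifacts: when: always`, so the HTML report survives even when the job fails on a finding, and the `--exit-code 1` / `--severity-threshold=high` settings are what turn the reports into actual gates rather than informational output. Tune the severity threshold per stage rather than disabling the exit code when a finding is accepted.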
| Purpose | Tools / Technologies |
|---|---|
| CI/CD | GitLab CI/CD, GitHub Actions |
| Static Analysis (SAST) | Snyk |
| Dependency Scan (SCA) | Trivy, OWASP Dependency-Check |
| Image Security | Aqua Trivy |
| Dynamic Testing (DAST) | OWASP ZAP, Arachni |
| Container Registry | DockerHub, JFrog, Harbor |
| Language / Runtime | Node.js, .NET 6, Java, Linux |
👉 Built and deployed the project using a custom Dockerfile
👉 Version running on GitLab Server using .gitlab-ci.yml
👉 Version running on GitHub Actions:
🔗 DevSecOps GitHub Actions Pipeline
Images pushed to DockerHub: anphuc2370
All reports generated during pipeline execution are stored in HTML format for easy viewing or download.
- SAST: Snyk Report
- SCA: Trivy Report
- Image Scan: Trivy Docker Image Report
- DAST: OWASP ZAP Report / Arachni Report
Screenshots from the GitLab run:
- GitLab pipeline workflow result
- GitLab variables
- Harbor private registry
- JFrog artifacts
- Application after deployment
- Completed a full DevSecOps pipeline on both GitLab and GitHub Actions.
- Automated security scans for source code, dependencies, and container images.
- Integrated dynamic application security testing (DAST) before deployment.
- Fully automated the CI/CD process, from build and test through to deployment.
- Implemented and pushed container images to a Harbor private registry for secure storage and management.
- Integrate K6 for performance testing.
- Expand deployment to AWS, leveraging services such as:
  - ECR for Docker image storage.
  - ECS / EKS for containerized application deployment.
  - CloudWatch for log and performance monitoring.
- Add Secret Scanning and Infrastructure as Code security scanning (IaC Scan).
- Build a centralized monitoring dashboard with Grafana + Prometheus.
Author: Nguyễn An Phúc (@Bel7phegor)
- Profiles: LinkedIn: nguyen-an-phuc | GitHub: Bel7phegor | Portfolio: anphuc.site
- Email: nguyenanphuc12032002@gmail.com