feat(security): devsecops modernization for projects 01-25 (2026 standards)

- IAM & Networking: Enforced Zero Trust across AWS Security Groups (Projects 01, 11) and Azure Network Rules (Project 20). Replaced IAM wildcards with explicit boundaries (Project 22).
- Containerization: Remediated root-execution risks. Implemented multi-stage, unprivileged user builds for Docker workloads (Projects 05, 18, 21, 23).
- CI/CD & SCA: Purged third-party repository checkout vulnerabilities (Project 19). Parameterized hardcoded images/credentials (Projects 09, 21). Implemented automated Trivy container scanning pre-push.
- GitHub Actions: Upgraded legacy Node 12/16 dependent plugins (actions/checkout, upload-artifact) to v4 across Android and .NET pipelines (Projects 14, 24).
- Kubernetes: Hardened application pods by defining precise compute resource capabilities (CPU/Mem limits) and dropping all kernel escalations via rigid security contexts (Projects 04, 08, 18, 19, 24).
- Documentation: Pushed deprecation warnings for retired cloud features, updated markdown dependencies, and finalized global Security/Contributing policies.

Author: lioneltchami

.github/workflows/global-security.yml

@@ -0,0 +1,68 @@
+name: Global Repository Security & Linting
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  pull_request:
+    branches: [ "main", "master" ]
+  schedule:
+    - cron: '0 0 * * 0' # Run weekly on Sunday
+
+jobs:
+  secret-scanning:
+    name: Secret Scanning
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      
+      # TruffleHog is a free, powerful secret scanner
+      - name: TruffleHog Secret Scan
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: ${{ github.event.pull_request.base.sha }}
+          head: ${{ github.ref }}
+          extra_args: --debug --only-verified
+
+  iac-security:
+    name: IaC Security Scan (Trivy)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      # Trivy is free and excellent for IaC and container scanning
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: trivy.yaml
+          format: 'table'
+          exit-code: '0' # Set to 1 in later phases to block PRs
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+  linting:
+    name: Super-Linter
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # Super-linter supports multiple languages and is free
+      - name: Lint Code Base
+        uses: github/super-linter@v5
+        env:
+          VALIDATE_ALL_CODEBASE: false
+          DEFAULT_BRANCH: "main"
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Disable linters that might be too noisy initially
+          VALIDATE_JSCPD: false
+          VALIDATE_KUBERNETES_KUBEVAL: false

.gitignore

@@ -1,5 +1,74 @@
+# -------------------------------------------------------------------
+# DevOps-Projects Global .gitignore
+# -------------------------------------------------------------------
+
+# OS & Environment
+.DS_Store
+Thumbs.db
+.env
+.venv/
+venv/
+ENV/
+
+# IDE & Editors
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Git/Review artifacts
 IMPROVEMENTS.md
 REVIEW-PLAN.md
 REVIEW-UPDATES.md
+
+# Application Dependencies
+node_modules/
 __pycache__/
 *.pyc
+*.pyo
+target/
+build/
+bin/
+obj/
+dist/
+
+# Terraform / OpenTofu
+.terraform/
+*.tfstate
+*.tfstate.*
+crash.log
+crash.*.log
+*.tfvars
+*.tfvars.json
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+.terraformrc
+terraform.rc
+
+# Credentials & Secrets (NEVER COMMIT)
+*.pem
+*.key
+*.cert
+*.cer
+*.crt
+*.pfx
+*.p12
+secret*.yaml
+credentials
+id_rsa
+id_rsa.pub
+
+# Build Artifacts & Archives
+*.tgz
+*.tar.gz
+*.zip
+*.jar
+*.war
+*.ear
+
+# Databases
+*.sqlite3
+db.sqlite3
+*.db

SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+Currently, the `main` branch of `devops-projects` is the only supported version.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| `main`    | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability within this repository, please do not disclose it publicly.
+
+Instead, please send an email to the repository owner or open a private security advisory via GitHub. We will address the issue as promptly as possible.
+
+## Security Tools Used in this Repository
+
+This repository serves as a learning resource and implements modern DevSecOps practices. We heavily feature the following **free** security tools that students can use in their own projects:
+
+- **[TruffleHog](https://github.com/trufflesecurity/trufflehog):** Scans for exposed secrets, passwords, and API keys.
+- **[Trivy](https://aquasecurity.github.io/trivy/):** A comprehensive and versatile security scanner for containers, Infrastructure as Code (IaC), and software dependencies.
+- **[SonarQube Community](https://www.sonarqube.org/):** Used for static application security testing (SAST) and code quality analysis.
+- **[Checkov](https://www.checkov.io/):** Static code analysis tool for infrastructure-as-code.
+- **[Super-Linter](https://github.com/github/super-linter):** GitHub's versatile linting framework.

project-01-java-aws-3tier/README.md

@@ -26,6 +26,7 @@ Goal of this project is to deploy scalable, highly available and secured Java ap
 3. Migrate Java Source Code to your own GitHub repository
 4. Create account in Sonarcloud.
 5. Create account in Jfrog cloud.
+6. **Security Mandate**: Find your public IP address and replace `YOUR_IP_ADDRESS/32` in `terraform/bastion.tf`, `terraform/apache-ec2.tf`, and `terraform/nginx-ec2.tf` before deploying.
 
 ## Pre-Deployment
 

project-01-java-aws-3tier/terraform/apache-ec2.tf

@@ -85,14 +85,16 @@ resource "aws_security_group" "tomcat_sg" {
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["YOUR_IP_ADDRESS/32"] # REPLACE THIS with your actual IP address
+    description = "Allow SSH from administrator IP"
   }
 
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow all outbound traffic"
   }
 
   tags = {

project-01-java-aws-3tier/terraform/bastion.tf

@@ -81,18 +81,21 @@ resource "aws_security_group" "bastion_sg" {
   description = "Security group for Bastion host"
   vpc_id      = aws_vpc.bastion_vpc.id
 
+  # SECURITY FIX: Removed open 0.0.0.0/0. Recommend standardizing on VPN or explicit admin IP.
   ingress {
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["YOUR_IP_ADDRESS/32"] # REPLACE THIS with your actual IP address
+    description = "Allow SSH from administrator IP"
   }
 
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow all outbound traffic"
   }
 
   tags = {
@@ -107,4 +110,5 @@ resource "aws_security_group_rule" "bastion_to_rds" {
   protocol          = "tcp"
   cidr_blocks       = [aws_vpc.app_vpc.cidr_block]
   security_group_id = aws_security_group.bastion_sg.id
+  description       = "Allow Bastion to connect to RDS"
 }

project-01-java-aws-3tier/terraform/nginx-ec2.tf

@@ -86,14 +86,16 @@ resource "aws_security_group" "nginx_sg" {
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = ["YOUR_IP_ADDRESS/32"] # REPLACE THIS with your actual IP address
+    description = "Allow SSH from administrator IP"
   }
 
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow all outbound traffic"
   }
 
   tags = {

project-01-java-aws-3tier/terraform/rds.tf

@@ -5,19 +5,21 @@ resource "aws_db_subnet_group" "mysql" {
 }
 
 resource "aws_db_instance" "mysql" {
-  identifier             = "myapp-mysql"
-  engine                 = "mysql"
-  engine_version         = "8.0"
-  instance_class         = "db.t3.medium"
-  allocated_storage      = 20
-  storage_type           = "gp2"
-  multi_az               = true
-  db_name                = "myapp"
-  username               = "admin"
-  password               = var.db_password
-  db_subnet_group_name   = aws_db_subnet_group.mysql.name
-  vpc_security_group_ids = [aws_security_group.mysql_sg.id]
-  skip_final_snapshot    = true
+  identifier                  = "myapp-mysql"
+  engine                      = "mysql"
+  engine_version              = "8.0"
+  instance_class              = "db.t3.medium"
+  allocated_storage           = 20
+  storage_type                = "gp2"
+  multi_az                    = true
+  db_name                     = "myapp"
+  username                    = "admin"
+  password                    = var.db_password
+  db_subnet_group_name        = aws_db_subnet_group.mysql.name
+  vpc_security_group_ids      = [aws_security_group.mysql_sg.id]
+  skip_final_snapshot         = true
+  publicly_accessible         = false # SECURITY FIX: Explicitly disable public access
+  storage_encrypted           = true  # SECURITY FIX: Enable encryption at rest
 }
 
 resource "aws_security_group" "mysql_sg" {
@@ -30,12 +32,14 @@ resource "aws_security_group" "mysql_sg" {
     to_port     = 3306
     protocol    = "tcp"
     cidr_blocks = [aws_vpc.bastion_vpc.cidr_block, aws_vpc.app_vpc.cidr_block]
+    description = "Allow MySQL access from App and Bastion VPCs"
   }
 
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow all outbound traffic"
   }
 }

project-02-aws-vpc-architecture/VPC Architecture/s3-policy.json

@@ -10,8 +10,8 @@
                 "s3:GetBucketLocation"
             ],
             "Resource": [
-                "arn:aws:s3::: YOUR_BUCKET_NAME/*",
-                "arn:aws:s3::: YOUR_BUCKET_NAME"
+                "arn:aws:s3:::YOUR_BUCKET_NAME/*",
+                "arn:aws:s3:::YOUR_BUCKET_NAME"
             ]
         }
     ]

project-04-django-aws-ecs/Dockerfile

@@ -1,26 +1,36 @@
-# importing base image
-FROM python:3.9
+# Use slim Python 3.11 image for a smaller, secure footprint
+FROM python:3.11-slim
 
-# updating docker host or host machine
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    && rm -rf /var/lib/apt/lists/*
+# Prevent Python from writing .pyc files and enable unbuffered output
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+
+# Create a non-root user for security
+RUN groupadd -r django && useradd -r -g django django
 
-# changing current working directory to /usr/src/app
+# Set working directory
 WORKDIR /usr/src/app
 
-# copying requirement.txt file to present working directory
-COPY requirements.txt ./
+# Install system dependencies (clearing cache afterwards)
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends gcc libpq-dev \
+    && rm -rf /var/lib/apt/lists/*
 
-# installing dependency in container
-RUN pip install -r requirements.txt
+# Copy requirements and install
+COPY requirements.txt ./
+RUN pip install --no-cache-dir -r requirements.txt gunicorn
 
-# copying all the files to present working directory
+# Copy application code
 COPY . .
 
-# informing Docker that the container listens on the
-# specified network ports at runtime i.e 8000.
+# Change ownership to the non-root user
+RUN chown -R django:django /usr/src/app /var/log
+
+# Switch to non-root user
+USER django
+
+# Expose port
 EXPOSE 8000
 
-# running server
-CMD ["python", "manage.py", "runserver", "0.0.0.0:8000"]
+# Run server using gunicorn instead of the development runserver
+CMD ["gunicorn", "--bind", "0.0.0.0:8000", "--workers", "3", "hello_world_django_app.wsgi:application"]