Taofeeqib
diff --git a/‎.github/workflows/devsecops-pipeline.yml‎
Lines changed: 180 additions & 0 deletions b/‎.github/workflows/devsecops-pipeline.yml‎
Lines changed: 180 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 48 additions & 33 deletions b/‎README.md‎
Lines changed: 48 additions & 33 deletions
diff --git a/‎defectdojo/docker-compose.yml‎
Lines changed: 76 additions & 0 deletions b/‎defectdojo/docker-compose.yml‎
Lines changed: 76 additions & 0 deletions
@@ -0,0 +1,180 @@
+name: DevSecOps Pipeline
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  secrets-scanning:
+    name: Secrets Scanning
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@v3.63.7
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --debug --only-verified
+
+  sast-scanning:
+    name: Static Application Security Testing
+    runs-on: ubuntu-latest
+    needs: secrets-scanning
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Semgrep scan
+        uses: semgrep/semgrep-action@v1
+        with:
+          config: >-
+            p/javascript
+            p/angular
+            p/nodejsscan
+            ./xss/semgrep.yaml
+            ./semgrep-custom-rules.yaml
+          output: semgrep-results.sarif
+          
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: semgrep-results.sarif
+
+  sca-scanning:
+    name: Software Composition Analysis
+    runs-on: ubuntu-latest
+    needs: sast-scanning
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: OWASP Dependency-Check Scan - Backend
+        uses: dependency-check/Dependency-Check_Action@main
+        with:
+          project: 'Angular-XSS-Backend'
+          path: './xss/api'
+          format: 'SARIF'
+          out: './reports'
+          args: >-
+            --suppression ./dependency-check-suppressions.xml
+            --scan-config ./dependency-check-config.json
+          
+      - name: OWASP Dependency-Check Scan - Frontend
+        uses: dependency-check/Dependency-Check_Action@main
+        with:
+          project: 'Angular-XSS-Frontend'
+          path: './xss/frontend'
+          format: 'SARIF'
+          out: './reports'
+          args: >-
+            --suppression ./dependency-check-suppressions.xml
+            --scan-config ./dependency-check-config.json
+          
+      - name: Upload SARIF files
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: './reports/'
+          
+  sbom-generation:
+    name: Software Bill of Materials
+    runs-on: ubuntu-latest
+    needs: sca-scanning
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Generate SBOM with CycloneDX
+        uses: CycloneDX/gh-node-module-generatebom@master
+        with:
+          path: './xss'
+          output: './angular-xss-sbom.json'
+          
+      - name: Upload SBOM as artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: angular-xss-sbom
+          path: './angular-xss-sbom.json'
+
+  dast-scanning:
+    name: Dynamic Application Security Testing
+    runs-on: ubuntu-latest
+    needs: sbom-generation
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Start Angular XSS application with Docker Compose
+        run: |
+          cd ./xss
+          docker-compose build
+          docker-compose up -d
+          # Wait for application to be ready
+          sleep 60
+          
+      - name: ZAP Baseline Scan
+        uses: zaproxy/action-baseline@v0.11.0
+        with:
+          target: 'http://localhost:4200'
+          allow_issue_writing: true
+          cmd_options: '-a -j -T 10'
+          rules_file_name: './zap-rules.tsv'
+          issue_title: 'ZAP Baseline Scan Report'
+          markdown_report: true
+          
+      - name: ZAP Full Scan
+        uses: zaproxy/action-full-scan@v0.8.0
+        with:
+          target: 'http://localhost:4200'
+          allow_issue_writing: true
+          cmd_options: '-a -j -T 10'
+          rules_file_name: './zap-rules.tsv'
+          issue_title: 'ZAP Full Scan Report'
+          markdown_report: true
+          
+      - name: Upload ZAP Report
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: zap-reports
+          path: |
+            baseline-report.md
+            full-scan-report.md
+            
+      - name: Stop Docker Containers
+        if: always()
+        run: |
+          cd ./xss
+          docker-compose down
+          
+  defectdojo-import:
+    name: Import Results to DefectDojo
+    runs-on: ubuntu-latest
+    needs: [secrets-scanning, sast-scanning, sca-scanning, sbom-generation, dast-scanning]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
+      - name: Download all artifacts
+        uses: actions/download-artifact@v3
+        with:
+          path: ./artifacts
+          
+      - name: Import to DefectDojo
+        run: |
+          chmod +x ./defectdojo/import-results.sh
+          ./defectdojo/import-results.sh ${{ secrets.DEFECTDOJO_URL }} ${{ secrets.DEFECTDOJO_API_KEY }} ${{ secrets.DEFECTDOJO_ENGAGEMENT_ID }}
+        env:
+          DEFECTDOJO_URL: ${{ secrets.DEFECTDOJO_URL }}
+          DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}
+          DEFECTDOJO_ENGAGEMENT_ID: ${{ secrets.DEFECTDOJO_ENGAGEMENT_ID }}
@@ -1,55 +1,70 @@
-## Cross Site Scripting
+# DevSecOps Pipeline for Angular XSS Application
 
-* Step 1: Open terminal and switch to project directory
+This project implements a comprehensive DevSecOps pipeline for a deliberately vulnerable Angular application to demonstrate security scanning capabilities in CI/CD.
 
-```bash
-cd /root/angular-xss/xss
-```
+## Pipeline Architecture
 
-* Step 2: Build the docker images for both frontend and the API
+The pipeline includes the following security stages:
 
-```bash
-docker-compose build
-```
+1. **Secrets Scanning** - Using TruffleHog OSS to detect exposed credentials
+2. **Static Application Security Testing (SAST)** - Using Semgrep with JavaScript, Angular, and Node.js rulesets
+3. **Software Composition Analysis (SCA)** - Using OWASP Dependency-Check to identify vulnerable dependencies
+4. **Software Bill of Materials (SBOM)** - Using CycloneDX to generate a comprehensive inventory of components
+5. **Dynamic Application Security Testing (DAST)** - Using OWASP ZAP to perform runtime security testing
+6. **Vulnerability Reporting** - Aggregating all findings in DefectDojo
 
-* Step 3: Start the app
+![DevSecOps Pipeline Architecture](./docs/images/pipeline-architecture.png)
 
-```bash
-docker-compose up -d
-```
+## Setup Instructions
 
-* Step 4: Access the app on `http://<your-server-ip>:4200`
+### Prerequisites
 
-> **Note:** To fetch server ip type in `serverip` in the terminal
+- GitHub account
+- Docker and Docker Compose installed
+- Access to DefectDojo instance (or run locally using provided docker-compose file)
 
-* Step 5: Signup as an admin, Enter some random email id and password, also enable the `Signup as an admin` checkbox
+### Running the Pipeline
 
-* Step 6: Now it's time to login as an Admin, While logging in as an Admin enable `Signin as an admin` flag
+1. Push your code to GitHub to trigger the workflow
+2. Manually trigger the workflow from the GitHub Actions tab
 
-* Step 7: After successful login you should see `Add New Movies` option in the Navigation bar
+### Running DefectDojo Locally
 
-* Step 8: Now create some movies using that option
+```bash
+cd defectdojo
+docker-compose up -d
+```
 
-* Step 9: While creating a new movies entry in the `Movie Link` input you can add an XSS payload like `javascript:alert("Hacked!")` 
+Access DefectDojo at http://localhost:8080 with credentials:
+- Username: admin
+- Password: admin
 
-* Step 10: If you are successful in creating the movie now access the `Movies` tab
+## Vulnerability Findings
 
-* Step 11: Now click on the `Click Here` button to see an attack taking place, This should pop up with an alert box stating that it is `Hacked!`
+The pipeline is designed to detect:
 
-* Step 12: You can repeat from `Step 9` this time you try with a different payload like `javascript:alert(window.localStorage.getItem('token'))`
+1. Secrets and credentials exposed in code
+2. XSS vulnerabilities in Angular code
+3. Vulnerable dependencies in both frontend and backend
+4. Other security issues defined in Semgrep rules
 
-* Step 13: If you are successful in the attack then you should see an alert box with a JWT token value.
+## Integration with DefectDojo
 
-### Teardown
+Scan results from all security tools are aggregated in DefectDojo for:
+- Centralized vulnerability management
+- Tracking remediation progress
+- Generating comprehensive reports
+- Historical security trend analysis
 
-* Step 1: Switch to project directory
+## Screenshots
 
-```bash
-cd /root/angular-xss/xss
-```
+See the `docs/screenshots` directory for:
+- Successful SAST scan results
+- Identified XSS vulnerabilities
+- DefectDojo dashboard
 
-* Step 2: Bring down the app
+## Future Enhancements
 
-```bash
-docker-compose down
-```
+- Implement container scanning
+- Add automated security regression testing
+- Enhance Semgrep rules for custom vulnerabilities
@@ -0,0 +1,76 @@
+version: '3.7'
+
+services:
+  mysql:
+    image: mysql:8.0
+    environment:
+      MYSQL_DATABASE: defectdojo
+      MYSQL_USER: defectdojo
+      MYSQL_PASSWORD: defectdojo
+      MYSQL_ROOT_PASSWORD: defectdojo
+    volumes:
+      - defectdojo-mysql-data:/var/lib/mysql
+    restart: always
+
+  rabbitmq:
+    image: rabbitmq:3-management
+    environment:
+      RABBITMQ_DEFAULT_USER: defectdojo
+      RABBITMQ_DEFAULT_PASS: defectdojo
+    restart: always
+    volumes:
+      - defectdojo-rabbitmq-data:/var/lib/rabbitmq
+
+  defectdojo:
+    image: defectdojo/defectdojo-django:latest
+    depends_on:
+      - mysql
+      - rabbitmq
+    environment:
+      DD_DATABASE_URL: mysql://defectdojo:defectdojo@mysql:3306/defectdojo
+      DD_CELERY_BROKER_URL: amqp://defectdojo:defectdojo@rabbitmq:5672/
+      DD_ADMIN_USER: admin
+      DD_ADMIN_PASSWORD: admin
+      DD_ADMIN_MAIL: admin@localhost
+      DD_ALLOWED_HOSTS: "*"
+      DD_DEBUG: 'False'
+    restart: always
+    ports:
+      - "8080:8080"
+    volumes:
+      - defectdojo-media:/app/media
+
+  celerybeat:
+    image: defectdojo/defectdojo-django:latest
+    depends_on:
+      - mysql
+      - rabbitmq
+    environment:
+      DD_DATABASE_URL: mysql://defectdojo:defectdojo@mysql:3306/defectdojo
+      DD_CELERY_BROKER_URL: amqp://defectdojo:defectdojo@rabbitmq:5672/
+      DD_ADMIN_USER: admin
+      DD_ADMIN_PASSWORD: admin
+      DD_ADMIN_MAIL: admin@localhost
+      DD_ALLOWED_HOSTS: "*"
+    restart: always
+    entrypoint: ['/entrypoint-celery-beat.sh']
+
+  celeryworker:
+    image: defectdojo/defectdojo-django:latest
+    depends_on:
+      - mysql
+      - rabbitmq
+    environment:
+      DD_DATABASE_URL: mysql://defectdojo:defectdojo@mysql:3306/defectdojo
+      DD_CELERY_BROKER_URL: amqp://defectdojo:defectdojo@rabbitmq:5672/
+      DD_ADMIN_USER: admin
+      DD_ADMIN_PASSWORD: admin
+      DD_ADMIN_MAIL: admin@localhost
+      DD_ALLOWED_HOSTS: "*"
+    restart: always
+    entrypoint: ['/entrypoint-celery-worker.sh']
+
+volumes:
+  defectdojo-mysql-data:
+  defectdojo-rabbitmq-data:
+  defectdojo-media: