Skip to content

Latest commit

 

History

History
36 lines (29 loc) · 1.55 KB

File metadata and controls

36 lines (29 loc) · 1.55 KB

Multi-language DevSecOps Demo — ALL SCANS + Signing + SBOM + ECS (Fargate)

Languages: Python (Flask), Node (Express), Java (Spring Boot)

Deliberate demo vulns in hello apps:

  • Python: yaml.load with yaml.Loader + urllib3==1.25.8, PyYAML==5.1
  • Node: lodash@4.17.19 + /vuln route using eval
  • Java: log4j-core:2.14.1 + /vuln route logging user input

⚠️ Demo only. Do not deploy these versions to production.

GitLab CI pipeline

Stages: prepare → SAST (GitLab + Bandit) → Dependency (GitLab + pip-audit) → Secrets (GitLab + Gitleaks) → IaC (tfsec + Checkov) → tests → build → SBOM (Syft SPDX) → Container scan (GitLab + Trivy) → Sign & Attest (Cosign keyless + SBOM + provenance) → push → Deploy (Terraform → ECS Fargate + ALB).

Setup

  1. Import to GitLab.
  2. CI/CD Variables:
    • VPC_ID — e.g., vpc-xxxx in ap-southeast-2
    • SUBNET_A, SUBNET_B — two public subnets in that VPC
  3. Choose language by pipeline var LANG = python | node | java.
  4. Push to develop → dev deploy; merge to main → manual prod deploy.

Local smoke (Python)

docker build -f docker/Dockerfile.python -t local/hello-python:dev .
docker run --rm -p 5000:5000 local/hello-python:dev
curl 'http://localhost:5000/'
curl 'http://localhost:5000/vuln?p=a:1'   # demo endpoint

Verify signatures / SBOM (after CI)

export COSIGN_EXPERIMENTAL=1
cosign verify <registry>/<group>/<project>/hello-demo:1.0.0-<sha>
cosign verify-attestation --type spdx <image-ref>