An enterprise-grade DevSecOps CI/CD security pipeline built using GitHub Actions.
This project demonstrates secure software supply chain practices by integrating multiple automated security controls directly into the CI/CD workflow.
The following diagram illustrates the security controls embedded across the CI/CD pipeline.
The pipeline performs end-to-end security validation including:
- Secrets detection
- Static code analysis
- Dependency vulnerability scanning
- Software Bill of Materials generation
- Container security scanning
- Dynamic application security testing
- Policy enforcement via a security gate
- Secure container artifact promotion
The goal of this project is to demonstrate production-grade DevSecOps practices used in modern cloud-native organizations.
Modern software delivery pipelines must integrate security from the earliest development stages.
This approach, known as DevSecOps, ensures vulnerabilities are identified and mitigated before reaching production environments.
This repository implements a multi-layer security pipeline designed to:
- Detect leaked secrets
- Identify insecure coding patterns
- Detect vulnerable dependencies
- Generate a software bill of materials
- Scan container images for vulnerabilities
- Perform runtime web security testing
- Enforce security policies before artifact promotion
By embedding these controls into CI/CD, organizations can significantly reduce security risks within their software supply chain.
This project follows the Shift-Left Security approach where security validation is integrated into every stage of the CI/CD pipeline.
Security controls are implemented using a defense-in-depth model:
- Source code security
- Dependency security
- Container security
- Runtime security testing
- Policy enforcement
This layered approach ensures vulnerabilities are detected early and insecure artifacts are prevented from reaching production environments.
Security is treated as a first-class citizen in the software delivery lifecycle.
The CI/CD pipeline automatically executes the following security stages:
| Stage | Security Control | Tool |
|---|---|---|
| 1 | Secrets Scanning | Gitleaks |
| 2 | Static Application Security Testing (SAST) | Semgrep |
| 3 | Software Composition Analysis (SCA) | Trivy |
| 4 | SBOM Generation | Syft |
| 5 | SBOM Vulnerability Analysis | Grype |
| 6 | Container Build | Docker |
| 7 | Container Image Security Scan | Trivy |
| 8 | Dynamic Application Security Testing (DAST) | OWASP ZAP |
| 9 | Security Gate Policy Enforcement | Custom GitHub Workflow |
| 10 | Secure Container Promotion | GitHub Container Registry |
Only secure builds are allowed to progress through the pipeline.
Developer Push
↓
GitHub Repository
↓
GitHub Actions CI Pipeline
↓
Secrets Scan (Gitleaks)
↓
SAST (Semgrep)
↓
Dependency Scan (Trivy)
↓
SBOM Generation (Syft)
↓
SBOM Vulnerability Analysis (Grype)
↓
Docker Container Build
↓
Container Image Scan (Trivy)
↓
DAST Scan (OWASP ZAP)
↓
Security Gate
↓
Secure Container Push (GHCR)
| Tool | Purpose |
|---|---|
| Gitleaks | Detect hardcoded secrets and credentials |
| Semgrep | Static code security analysis |
| Trivy | Dependency vulnerability scanning and container scanning |
| Syft | Generate Software Bill of Materials (SBOM) |
| Grype | Analyze SBOM for known vulnerabilities |
| Docker | Containerization |
| OWASP ZAP | Dynamic web application security testing |
| GitHub Actions | CI/CD orchestration |
| Dependabot | Automated dependency vulnerability remediation |
The pipeline is implemented using GitHub Actions reusable workflows.
Key design principles:
- Modular security stages
- Automated vulnerability detection
- Policy-driven security enforcement
- Artifact promotion only after security validation
The pipeline is built using modular reusable GitHub Actions workflows.
Each workflow implements a dedicated security control and can be reused across multiple repositories or CI pipelines.
| Workflow File | Purpose |
|---|---|
reusable-secrets-scan.yml |
Detects hardcoded credentials and sensitive data using Gitleaks |
reusable-sast.yml |
Performs Static Application Security Testing (SAST) using Semgrep |
reusable-sca.yml |
Scans project dependencies for known vulnerabilities using Trivy |
reusable-sbom.yml |
Generates a Software Bill of Materials (SBOM) using Syft |
reusable-grype.yml |
Performs vulnerability analysis on the generated SBOM using Grype |
reusable-container.yml |
Builds the Docker container image and performs container vulnerability scanning |
reusable-dast.yml |
Executes Dynamic Application Security Testing (DAST) using OWASP ZAP |
reusable-security-gate.yml |
Enforces security policies and determines whether the build can proceed |
reusable-secure-push.yml |
Pushes the validated and secure container image to GitHub Container Registry (GHCR) |
These reusable workflows enable a clean, modular, and scalable DevSecOps architecture, allowing organizations to enforce consistent security policies across multiple CI/CD pipelines.
This modular architecture enables scalability and reuse across multiple repositories.
A Security Gate acts as the pipeline’s policy enforcement mechanism.
The gate evaluates vulnerability reports generated by security tools.
Pipeline behavior:
| Condition | Result |
|---|---|
| Critical vulnerabilities detected | Security Gate Failed |
| High severity vulnerabilities detected | Security Gate Failed |
| No critical issues | All security checks passed |
To demonstrate how the Security Gate enforces security policies, the following sections show real CI/CD pipeline executions.
The pipeline either fails when security issues are detected or passes when the application meets all security requirements.
These screenshots provide visual proof of the DevSecOps pipeline enforcement in action.
When high or critical vulnerabilities are detected in dependencies, containers, or source code, the Security Gate blocks the pipeline and prevents artifact promotion.
Example failure output:
This prevents insecure artifacts from entering the container registry.
- The pipeline execution stops if issues are detected.
- Container image is not pushed to the registry if vulnerabilities are found.
- Developers must fix vulnerabilities before deployment.
This ensures insecure builds never reach production artifacts.
If no high or critical vulnerabilities are detected, the Security Gate allows the pipeline to continue.
The container artifact is then securely promoted to the registry.
- Security policies are satisfied.
- The build is marked secure.
- The container image is pushed to GitHub Container Registry (GHCR).
This mechanism ensures that only security-compliant artifacts are promoted through the DevSecOps pipeline.
The following screenshot shows the complete successful execution of the DevSecOps pipeline in GitHub Actions.
All security stages completed successfully and the container artifact was promoted to the registry.
This pipeline aligns with several industry security frameworks and secure software development standards:
- NIST Secure Software Development Framework (SSDF)
- OWASP Top 10
- SLSA Supply Chain Security Model
- CIS Container Security Benchmark
These frameworks promote secure software supply chain practices and automated vulnerability management within CI/CD pipelines.
Container security is enforced through multiple layers:
- Secure container build process
- Container image vulnerability scanning
- Policy validation before registry push
The container image is pushed to GitHub Container Registry (GHCR) only if the security gate passes.
Registry:
ghcr.io/<repository>/pipeline-demo-app
This approach protects the software supply chain from vulnerable artifacts.
The repository integrates Dependabot to automatically detect vulnerable dependencies.
Capabilities include:
- Automatic dependency vulnerability monitoring
- Automated pull requests for version upgrades
- Continuous dependency security management
This ensures the project remains protected against newly discovered CVEs.
enterprise-devsecops-ci-cd-pipeline
│
├── app.py
├── requirements.txt
├── Dockerfile
│
├── .github
│ ├── workflows
│ │ ├── ci.yml
│ │ ├── reusable-secrets-scan.yml
│ │ ├── reusable-sast.yml
│ │ ├── reusable-sca.yml
│ │ ├── reusable-sbom.yml
│ │ ├── reusable-grype.yml
│ │ ├── reusable-container.yml
│ │ ├── reusable-dast.yml
│ │ ├── reusable-security-gate.yml
│ │ └── reusable-secure-push.yml
│ │
│ └── dependabot.yml
└── README.md
git clone https://github.com/hackyshadab/enterprise-devsecops-ci-cd-pipeline.git
cd enterprise-devsecops-ci-cd-pipelineBuild container locally
docker build -t pipeline-demo-app .Run the application
docker run -p 5000:5000 pipeline-demo-appPipeline execution occurs automatically on:
- Pull Requests
- Push to main branch
This project demonstrates real-world DevSecOps practices used by organizations operating cloud-native environments and microservice architectures.
- Shift-left security
- Software supply chain protection
- Automated vulnerability detection
- Policy-driven CI/CD security enforcement
- Container security best practices
- SBOM-based vulnerability analysis
These practices align with modern secure software development lifecycle (SSDLC) frameworks.
This project highlights expertise in:
- DevSecOps pipeline design
- Secure CI/CD architecture
- Container security
- Vulnerability management
- SBOM and supply chain security
- Security automation
- GitHub Actions workflow engineering
- Cloud-native security practices
Potential enhancements for production-scale environments:
- Slack security alert integrations
- Kubernetes deployment security scanning
- Infrastructure as Code (IaC) security scanning
- OPA policy-based security gates
- Runtime container security monitoring
- SARIF reporting integration with GitHub Security tab
This project demonstrates how a secure DevSecOps CI/CD pipeline can enforce automated security validation, protect the software supply chain, and ensure only secure container artifacts are promoted to production.
By following these practices, organizations can significantly reduce security risks and maintain enterprise-grade software delivery.