Mission: Stop vulnerable code before it ever reaches the production server. This project demonstrates "Shift-Left" security by integrating Dynamic Application Security Testing (DAST) directly into the continuous integration workflow.
What you are watching: The pipeline actively attacking the staging environment. ZAP detects a High-Severity Cross-Site Scripting (XSS) vulnerability, immediately fails the build, and blocks the deployment.
The Flow: GitHub ➡️ AWS CodeBuild ➡️ OWASP ZAP ➡️ Elastic Beanstalk
Think of this pipeline like a VIP bouncer at a nightclub.
- The Guest Arrives (Source): A developer pushes new application code to GitHub.
- The ID Check (Build & Scan): AWS CodeBuild spins up a secure Docker container and unleashes the OWASP ZAP scanner to attack the new code.
- The Quality Gate (Decision):
  - ✅ Access Granted: ZAP finds zero critical vulnerabilities. The code is safe and deploys to Elastic Beanstalk.
  - ❌ Access Denied: ZAP detects a vulnerability. It triggers a system failure (Exit Code 1), immediately halting the pipeline and bouncing the bad code out.
When ZAP finds a vulnerability, it doesn't just fail the build: it also generates a comprehensive HTML medical chart (zap_report.html) detailing exactly what went wrong.
During the recorded test, the pipeline automatically identified and mitigated the following risk:
- 🛑 Identified Threat: Cross-Site Scripting (Reflected)
- ⚠️ Risk Level: High
- 🛡️ Automated Action: Deployment Blocked. CodeBuild marked as FAILED.
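The quality-gate decision described above, as an added example (not code from this repository): a small Python script that reads a ZAP report and returns Exit Code 1 when any High-risk alert is present. It assumes ZAP's JSON report layout (site[].alerts[].riskcode, where riskcode 3 = High) rather than the HTML report the pipeline produces, and the embedded report is a constructed sample of the reflected XSS finding.

```python
"""Quality gate for a ZAP scan: fail the build when High-risk alerts are present.

Added example, not code from the repository. Assumes ZAP's JSON report layout
(site[].alerts[].riskcode, where riskcode 3 = High, 2 = Medium, 1 = Low, 0 = Info).
"""
import json
import sys

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample of what ZAP writes for the reflected XSS finding described above.
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "http://staging.example.invalid",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "riskdesc": "High (Medium)",
             "instances": [{"uri": "http://staging.example.invalid/search?q=test", "param": "q"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "riskdesc": "Medium (High)", "instances": []},
        ],
    }],
})


def blocking_alerts(report_json: str, min_riskcode: int = 3) -> list:
    """Return alerts whose risk is at or above min_riskcode (default: High only)."""
    report = json.loads(report_json)
    found = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if int(alert.get("riskcode", "0")) >= min_riskcode:
                found.append({"site": site.get("@name", "?"),
                              "alert": alert.get("alert", "?"),
                              "risk": RISK_NAMES.get(alert.get("riskcode"), "Unknown"),
                              "instances": len(alert.get("instances", []))})
    return found


def gate(report_json: str, min_riskcode: int = 3) -> int:
    """Exit code for CodeBuild: 0 = deploy, 1 = block (the pipeline's Exit Code 1)."""
    hits = blocking_alerts(report_json, min_riskcode)
    for h in hits:
        print(f"BLOCKED: {h['risk']} - {h['alert']} on {h['site']} ({h['instances']} instance(s))")
    return 1 if hits else 0


if __name__ == "__main__":
    # In a buildspec: python zap_gate.py zap_report.json (falls back to the sample above)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

Lowering min_riskcode to 2 would also block on Medium findings such as the missing CSP header in the sample.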
Want to test this security gate yourself? You can pull the code directly from this repository.
1. Clone the secure repository:

```shell
git clone https://github.com/shreyaskatta/aws-devsecops-pipeline.git
cd aws-devsecops-pipeline
```