A comprehensive DevSecOps demonstration project featuring OWASP Juice Shop with integrated security practices, container hardening, Kubernetes deployment, and Infrastructure as Code using Terraform.
This project demonstrates enterprise-grade DevSecOps practices by implementing security throughout the entire software development lifecycle. It uses the intentionally vulnerable OWASP Juice Shop application as a training platform to showcase various security controls and best practices.
- 🔒 Security-First CI/CD with automated scanning and gates
- 🐳 Container Hardening with non-root user and read-only filesystem
- ☸️ Kubernetes Security with RBAC, network policies, and security contexts
- 🏗️ Infrastructure as Code with cloud-agnostic Terraform (local/example configuration) and security validation
- 🎨 Modern UI Theme with cyberpunk purple hacker aesthetic
- 📊 Comprehensive Monitoring and security reporting
Before running this project, ensure you have all required tools installed. See requirements.txt for detailed system requirements and installation instructions.
- OS: Linux, macOS, or Windows 10+
- RAM: 8GB minimum, 16GB recommended
- Disk: 20GB free space
- Network: Stable internet connection
- Git ≥ 2.30.0
- Node.js ≥ 16.0.0 (18.x LTS recommended)
- Docker ≥ 20.10.0
- kubectl ≥ 1.24.0
- Terraform ≥ 1.0.0
- AWS CLI ≥ 2.0.0
- Trivy ≥ 0.40.0 (Container scanning)
- Semgrep ≥ 1.0.0 (SAST)
- Gitleaks ≥ 8.0.0 (Secret detection)
- OWASP Dependency-Check ≥ 7.0.0
- tfsec ≥ 1.28.0 (IaC security)
```bash
# Clone the repository
git clone https://github.com/aaitplus/devsecops-vulnerable-app.git
cd devsecops-vulnerable-app

# Clone OWASP Juice Shop
cd app
chmod +x clone.sh
./clone.sh
cd ..
```

```bash
# Build the hardened container
chmod +x scripts/build.sh
./scripts/build.sh

# Run locally
docker run -d -p 3000:3000 --name juice-shop juice-shop:latest

# Apply cyberpunk theme
chmod +x scripts/apply-theme.sh
./scripts/apply-theme.sh
```

```bash
# Initialize Terraform
cd terraform
terraform init
terraform plan
terraform apply

# Deploy to Kubernetes
cd ..
chmod +x scripts/deploy.sh
./scripts/deploy.sh
```

```text
devsecops-vulnerable-app/
├── app/                    # OWASP Juice Shop source code
│   ├── clone.sh            # Repository cloning script
│   └── custom-theme.css    # Cyberpunk theme styles
├── docker/                 # Container configurations
│   └── Dockerfile          # Hardened container image
├── k8s/                    # Kubernetes manifests
│   ├── service.yml         # Service configuration
│   ├── networkpolicy.yml   # Network security policies
│   └── rbac.yml            # Role-based access control
├── terraform/              # Infrastructure as Code
│   ├── main.tf             # AWS infrastructure
│   ├── variables.tf        # Configuration variables
│   └── outputs.tf          # Output definitions
├── scripts/                # Automation scripts
│   ├── build.sh            # Build automation
│   ├── deploy.sh           # Deployment automation
│   └── apply-theme.sh      # Theme injection script
├── .github/workflows/      # CI/CD pipelines
│   └── ci-cd.yml           # GitHub Actions workflow
├── reports/                # Security scan reports
│   └── README.md           # Report documentation
├── requirements.txt        # System requirements
├── .gitignore              # Git ignore rules
└── README.md               # This file
```
- Static Application Security Testing (SAST) with Semgrep
- Software Composition Analysis (SCA) with OWASP Dependency-Check
- Container Security Scanning with Trivy
- Secret Detection with Gitleaks
- Infrastructure as Code Security with tfsec
- Automated Security Gates preventing deployment of vulnerable code
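The "Automated Security Gates" item is the step that turns scanner output into a pass/fail decision. As an added example (not part of the project's scripts or workflow), the gate below reads Trivy's JSON report and returns a non-zero exit code when a HIGH or CRITICAL vulnerability with an available fix is present; the report is a constructed sample with placeholder IDs, while the field names (`Results`, `Vulnerabilities`, `Severity`, `FixedVersion`) are Trivy's own.

```python
import json

# Trivy severities in increasing order; the gate blocks at or above the threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed stand-in for `trivy image -f json juice-shop:test` output: the
# vulnerability IDs, packages and versions are placeholders, not real findings.
SAMPLE_TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "juice-shop:test",
    "Results": [
        {"Target": "juice-shop:test (alpine)", "Type": "alpine", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "CRITICAL"},
        ]},
        {"Target": "Node.js", "Type": "node-pkg", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "some-npm-pkg",
             "InstalledVersion": "4.17.0", "FixedVersion": "4.17.1", "Severity": "MEDIUM"},
        ]},
        # Trivy omits "Vulnerabilities" (or emits null) for targets with no findings.
        {"Target": "config", "Type": "config"},
    ],
})


def blocking_findings(report_text, threshold="HIGH", fixable_only=True):
    """Return (target, id, package, severity, fixed_version) for each blocking finding.
    With fixable_only, findings that have no FixedVersion are skipped because a
    package bump cannot clear them; report those separately rather than hiding them."""
    minimum = SEVERITY_RANK[threshold]
    blocking = []
    for result in json.loads(report_text).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < minimum:
                continue
            if fixable_only and not vuln.get("FixedVersion"):
                continue
            blocking.append((result["Target"], vuln["VulnerabilityID"],
                             vuln["PkgName"], vuln["Severity"], vuln["FixedVersion"]))
    return blocking


def gate(report_text, threshold="HIGH", fixable_only=True):
    """Print each blocking finding and return the CI step's exit code (0 pass, 1 fail)."""
    findings = blocking_findings(report_text, threshold, fixable_only)
    for target, vuln_id, pkg, severity, fixed in findings:
        print(f"[{severity}] {vuln_id} in {pkg} ({target}); fixed in {fixed}")
    return 1 if findings else 0
```

Trivy writes this format with `trivy image -f json -o trivy-results.json juice-shop:test`; the SARIF file the pipeline uploads to the Security tab is a separate output of the same scan.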
- Non-root user execution (user: node, uid: 1000)
- Read-only filesystem for immutable containers
- Minimal base image (node:18-alpine)
- Security hardening with proper environment variables
- Health checks and resource limits
- Security Contexts with privilege escalation prevention
- Network Policies implementing zero-trust networking
- RBAC with principle of least privilege
- Pod Security Standards enforcement
- Resource quotas and limits
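The container hardening and Kubernetes security controls listed above (non-root uid 1000, read-only root filesystem, no privilege escalation, resource limits) are exactly what a pre-deploy policy check can enforce before `kubectl apply`. As an added example, not part of the project's k8s/ manifests or scripts, the check below validates a Deployment against them; the manifest is a constructed stand-in in the form the YAML takes once loaded (for example with PyYAML or `kubectl get deploy -o json`), and the field names are Kubernetes' own.

```python
import json

# Constructed Deployment in the shape a k8s/ manifest takes once loaded (for example
# with PyYAML or `kubectl get deploy -o json`); it is not the project's own file.
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "juice-shop"},
    "spec": {"template": {"spec": {
        # Pod-level settings apply to every container unless a container overrides them.
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{
            "name": "juice-shop", "image": "juice-shop:latest",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "512Mi"}},
        }],
    }}},
}

# The same manifest with two controls removed, to show what the check reports.
WEAKENED = json.loads(json.dumps(HARDENED))  # cheap deep copy of plain JSON data
weak_ctr = WEAKENED["spec"]["template"]["spec"]["containers"][0]
del weak_ctr["securityContext"]["readOnlyRootFilesystem"]
del weak_ctr["resources"]


def check_deployment(manifest, expected_uid=1000):
    """Return policy violations as strings; an empty list means the manifest passes.
    Container securityContext fields override pod-level ones, so check the merge."""
    pod = manifest["spec"]["template"]["spec"]
    pod_ctx = pod.get("securityContext", {})
    violations = []
    for ctr in pod.get("containers", []):
        name = ctr["name"]
        ctx = {**pod_ctx, **ctr.get("securityContext", {})}
        required = {"runAsNonRoot": True, "runAsUser": expected_uid,
                    "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}
        for field, want in required.items():
            if ctx.get(field) != want:
                violations.append(f"{name}: securityContext.{field} must be {json.dumps(want)}")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: securityContext.capabilities.drop must include ALL")
        limits = ctr.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                violations.append(f"{name}: resources.limits.{res} is missing")
    return violations
```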
- Secure VPC configuration with flow logs
- Encrypted storage and communication
- IAM least privilege access
- Security group hardening
- Infrastructure scanning with tfsec
The application features a modern purple hacker-style frontend with:
- Neon purple gradients and glowing effects
- Matrix rain animations and glitch effects
- Terminal-style elements and security badges
- Responsive design with custom scrollbars
- Dark cyberpunk aesthetic for professional demonstrations
All security scans generate detailed reports in the reports/ directory:
- `dependency-check-report.html` - Dependency vulnerabilities
- `trivy-results.sarif` - Container vulnerabilities
- `semgrep.sarif` - Code security issues
- `tfsec-report.json` - Infrastructure security issues
Reports are automatically uploaded to the GitHub Security tab for integrated vulnerability management.
```bash
# Run security scans locally
trivy fs ./app
semgrep --config p/default ./app
gitleaks detect --verbose --redact --config .gitleaks.toml .

# Test container build
docker build -t juice-shop:test ./docker
trivy image juice-shop:test

# Test Kubernetes manifests
kubectl apply --dry-run=client -f k8s/
```

The GitHub Actions workflow automatically runs on:
- Push to `main` or `develop` branches
- Pull requests to `main` branch
Monitor the Actions tab for security scan results and deployment status.
- Never deploy to production environments
- Use only in isolated, controlled environments
- Regularly update dependencies to learn about new vulnerabilities
- Follow security best practices when implementing fixes
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
- Follow security best practices in all code changes
- Update documentation for any new features
- Ensure all security scans pass before merging
- Test changes in isolated environments
This project is licensed under the MIT License - see the LICENSE file for details.
- OWASP Juice Shop - The vulnerable application
- OWASP - Security best practices and tools
- Aqua Security - Trivy and tfsec
- Semgrep - Code analysis platform
- GitLeaks - Secret detection
For questions or issues:
- Check the troubleshooting guide
- Review existing GitHub Issues
- Create a new issue with detailed information
Docker build fails:
```bash
# Check Docker version
docker --version
# Ensure Docker daemon is running
docker info
# Clean up old images
docker system prune -f
```

Kubernetes deployment fails:
```bash
# Check cluster connection
kubectl cluster-info
# Verify manifests syntax
kubectl apply --dry-run=client -f k8s/
# Check pod status
kubectl get pods -n default
```

Terraform issues:
```bash
# Reinitialize Terraform
terraform init
# Check plan
terraform plan
# Validate configuration
terraform validate
```

Security scan failures:
- Review scan output for specific issues
- Update dependencies to fix vulnerabilities
- Check tool versions in requirements.txt

Enable verbose logging for troubleshooting:
```bash
# Build script debug
DEBUG=1 ./scripts/build.sh
# Deploy script debug
DEBUG=1 ./scripts/deploy.sh
```

- Multi-cloud support (Azure, GCP)
- Advanced monitoring with Prometheus/Grafana
- Automated remediation workflows
- Integration with security ticketing systems
- Performance optimization and scaling
I build security-first systems that automate detection, simulation, and remediation across the SDLC.