🧪 DevSecOps Pipeline Lab

Lab Overview

This comprehensive lab exercise will guide you through building a complete DevSecOps pipeline that integrates security at every stage of the software development lifecycle. You'll implement automated security testing, container security scanning, infrastructure as code security, and continuous security monitoring.

🎯 Learning Objectives

• Implement automated security testing in CI/CD pipelines
• Configure container security scanning and vulnerability management
• Set up infrastructure as code security with automated scanning
• Integrate secrets management into development workflows
• Implement security monitoring and observability
• Configure compliance automation and policy enforcement

🏗️ Lab Environment Setup

git clone https://github.com/your-org/devsecops-lab.git
cd devsecops-lab

# Copy environment template
cp .env.template .env

# Edit with your configuration
nano .env

# Initialize Terraform
terraform init
terraform plan
terraform apply

📋 Lab Exercises

name: DevSecOps Pipeline
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    
    - name: Run CodeQL Analysis
      uses: github/codeql-action/init@v2
      with:
        languages: javascript, python
    
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
    
    - name: Run OWASP ZAP Scan
      uses: zaproxy/action-full-scan@v0.4.0
      with:
        target: 'https://your-app.com'
        rules_file_name: '.zap/rules.tsv'

# Multi-stage build for security
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production

FROM node:18-alpine AS runtime
RUN addgroup -g 1001 -S nodejs
RUN adduser -S nodejs -u 1001
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY --chown=nodejs:nodejs . .
USER nodejs
EXPOSE 3000
CMD ["node", "server.js"]

# Secure S3 bucket configuration
resource "aws_s3_bucket" "secure_bucket" {
  bucket = "my-secure-bucket-${random_string.suffix.result}"
  
  # Enable versioning
  versioning {
    enabled = true
  }
  
  # Enable server-side encryption
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
  
  # Block public access
  public_access_block {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
}

# GitHub Actions secret retrieval
- name: Retrieve secrets from Vault
  uses: hashicorp/vault-action@v2
  with:
    url: ${{ secrets.VAULT_URL }}
    token: ${{ secrets.VAULT_TOKEN }}
    secrets: |
      secret/data/app config | CONFIG_FILE
      secret/data/app api-key | API_KEY

- name: Use retrieved secrets
  run: |
    echo "Config: $CONFIG_FILE"
    echo "API Key: $API_KEY"

# Falco rules for container security
- rule: Unauthorized Process in Container
  desc: Detect unauthorized processes in containers
  condition: >
    spawned_process and container and
    not proc.name in (nginx, apache, node, python)
  output: >
    Unauthorized process in container
    (user=%user.name command=%proc.cmdline container=%container.name)
  priority: WARNING

# Prometheus security metrics
security_vulnerabilities_total{severity="critical"}
security_vulnerabilities_total{severity="high"}
security_vulnerabilities_total{severity="medium"}
security_vulnerabilities_total{severity="low"}

🧪 Lab Validation

📚 Additional Resources

• OWASP DevSecOps Maturity Model - Framework for measuring DevSecOps maturity
• Secure Code Warrior - Developer security training platform
• Checkov - Infrastructure as code security scanning
• Trivy - Comprehensive vulnerability scanner
• Falco - Runtime security monitoring
• Open Policy Agent - Policy as code framework