This repository contains an end-to-end DevSecOps pipeline for the Spring PetClinic sample application, demonstrating automated security practices integrated into the software development lifecycle.
The project utilizes the Spring PetClinic application, a well-known sample application built using Spring Boot. The pipeline automates the build, test, security scanning, and deployment processes, ensuring a secure and efficient delivery of the application.
Spring PetClinic Description:
The Spring PetClinic application is a Spring Boot application built using Maven or Gradle. You can build a jar file and run it from the command line (it should work just as well with Java 17 or newer). This project uses it as a sample application to demonstrate a complete DevSecOps pipeline.
https://github.com/vishwas337/DevSecOps.git
- Automated Build: Uses Maven or Gradle to build the Spring PetClinic application.
- Automated Unit and Integration Testing: Executes comprehensive tests to ensure code quality.
- Static Application Security Testing (SAST): Integrates tools like SonarQube or similar to perform static code analysis and identify security vulnerabilities.
- Software Composition Analysis (SCA): Uses tools like OWASP Dependency-Check or similar to scan dependencies for known vulnerabilities.
- Containerization: Builds a Docker image of the application for consistent deployment.
- Container Security Scanning: Scans the Docker image for vulnerabilities using tools like Trivy or similar.
- Infrastructure as Code (IaC): Uses tools like Terraform or CloudFormation (if applicable) to provision and manage infrastructure.
- Continuous Integration/Continuous Deployment (CI/CD): Implements a CI/CD pipeline using GitHub Actions, Jenkins, or similar to automate the entire process.
- Dynamic Application Security Testing (DAST): (Optional) Integrates DAST tools to test the running application for vulnerabilities.
- Deployment: Deploys the application to a target environment (e.g., Kubernetes, AWS, Azure, GCP).
- Monitoring and Logging: Implements monitoring and logging to track application performance and security events.
- Spring Boot: Application framework.
- Maven/Gradle: Build tools.
- Docker: Containerization.
- GitHub Actions/Jenkins: CI/CD.
- SonarQube/Similar: SAST.
- OWASP Dependency-Check/Similar: SCA.
- Trivy/Similar: Container security scanning.
- Terraform/CloudFormation (Optional): IaC.
- Java 17+
-
Clone the repository:
git clone [https://github.com/vishwas337/DevSecOps.git](https://github.com/vishwas337/DevSecOps.git) cd DevSecOps -
Build the application:
./mvnw clean install # or ./gradlew clean build -
Run the application:
java -jar target/*.jar -
Configure the CI/CD pipeline:
- Set up the necessary environment variables and credentials in your CI/CD tool.
- Configure the pipeline to run the build, test, and security scanning steps.
- Setup your target environment to deploy the docker image.
-
Run the pipeline:
- Trigger the pipeline to build and deploy the application.
- Observe the results of the security scans and address any identified vulnerabilities.
- Implement DAST for runtime security testing.
- Integrate more advanced security tools and practices.
- Enhance monitoring and logging capabilities.
- Implement automatic remediation of security vulnerabilities.
- Add more detailed documentation for each stage of the pipeline.
- Add Infrastructure as code to deploy to cloud environments.
Contributions are welcome! Please feel free to submit pull requests or open issues to suggest improvements.
MIT License (or the appropriate license for your project)