Skip to content

of3r/devsecops-artifactory-lab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

26 Commits
.github/workflows
.github/workflows
Β 
Β 
contrib
contrib
Β 
Β 
docker
docker
Β 
Β 
docs
docs
Β 
Β 
scan-results
scan-results
Β 
Β 
scripts
scripts
Β 
Β 
src
src
Β 
Β 
terraform
terraform
Β 
Β 
test
test
Β 
Β 
.env.demo
.env.demo
Β 
Β 
.env.example
.env.example
Β 
Β 
.gitignore
.gitignore
Β 
Β 
CONTRIBUTING.md
CONTRIBUTING.md
Β 
Β 
COVER-LETTER.md
COVER-LETTER.md
Β 
Β 
GITHUB-SETUP.md
GITHUB-SETUP.md
Β 
Β 
LICENSE
LICENSE
Β 
Β 
PROJECT-OVERVIEW.md
PROJECT-OVERVIEW.md
Β 
Β 
PROJECT-SUMMARY.md
PROJECT-SUMMARY.md
Β 
Β 
README-PORTABLE.md
README-PORTABLE.md
Β 
Β 
README.md
README.md
Β 
Β 
SECURITY.md
SECURITY.md
Β 
Β 
docker-compose.yml
docker-compose.yml
Β 
Β 
package.json
package.json
Β 
Β 
quick-start.sh
quick-start.sh
Β 
Β 
test-comprehensive.sh
test-comprehensive.sh
Β 
Β 
test-terraform.sh
test-terraform.sh
Β 
Β 

Repository files navigation

DevSecOps Artifactory Lab

Comprehensive DevSecOps Pipeline with Security Scanning & Policy Gates

DEMO PROJECT NOTICE: This lab uses hardcoded demo credentials (admin/DevSecOps2024!) for educational purposes. NEVER use these credentials in production! See SECURITY.md for details. License Docker Security CI/CD DevSecOps Enterprise-grade DevSecOps pipeline demonstrating security-first CI/CD with Nexus Repository, automated vulnerability scanning, and policy-based deployment gates.

🎯 Perfect for: Security engineers, DevOps practitioners, students, and organizations implementing DevSecOps practices

🎯 Overview

This lab demonstrates enterprise-grade DevSecOps practices using 100% free and open-source tools:

  • Repository Management: Nexus Repository OSS
  • Infrastructure as Code: Complete Terraform deployment automation
  • Security Scanning: Trivy, Grype, Syft
  • Policy Enforcement: Custom security gates with bypass controls
  • CI/CD Integration: GitHub Actions with 6-stage pipeline
  • Compliance: SBOM generation, audit trails, vulnerability reporting

πŸ—οΈ Architecture

Architecture Diagram

Pipeline Flow

Developer β†’ GitHub β†’ CI/CD Pipeline β†’ Security Gates β†’ Nexus Repository β†’ Production
                         ↓
                   [Trivy/Grype/Syft] β†’ [Policy Evaluation] β†’ [Pass/Fail/Bypass]

πŸš€ Quick Start (25-minute setup)

Prerequisites

  • Docker Desktop with WSL2 (Windows) or Docker (Linux/Mac)
  • Node.js 18+ and npm
  • Git
  • Terraform (optional, for Infrastructure as Code)
  • 8GB RAM, 20GB disk space

Node.js Installation (Ubuntu/WSL)

If you encounter Node.js/npm dependency conflicts:

# Remove conflicting packages
sudo apt remove --purge nodejs npm

# Install via NodeSource (recommended)
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs

# Verify installation
node --version
npm --version

1. Clone and Setup

git clone https://github.com/YOUR_USERNAME/devsecops-artifactory-lab.git
cd devsecops-artifactory-lab

# One-command setup (recommended)
./quick-start.sh

# OR run complete setup phases
./setup-all-phases.sh

2. Start Nexus Repository

# Start Nexus container
docker run -d -p 8081:8081 -p 8082:8082 \
  --name nexus \
  -v nexus-data:/nexus-data \
  sonatype/nexus3:latest

# Wait for startup (2-3 minutes)
# Access: http://localhost:8081 (admin/DevSecOps2024!)

3. Test the Pipeline

# Build and test sample application
./scripts/simulate-ci.sh

# Run integrated security pipeline
./scripts/security/integrate-gate.sh localhost:8082/devsecops-app:latest

4. Infrastructure as Code (Optional)

# Deploy with Terraform
cd terraform
terraform init
terraform plan
terraform apply

# Access deployed services
terraform output

πŸ“‹ Implementation Phases

βœ… Phase 1: Environment Setup

  • Nexus Repository OSS configuration
  • WSL2 Ubuntu + Docker Desktop integration
  • Project structure and credentials

βœ… Phase 2: Repository Automation

  • REST API automation scripts
  • Docker and generic repository creation
  • Metadata system with JSON companion files
  • Integration testing (31/32 tests passing)

βœ… Phase 3: Sample Application

  • Vulnerable Node.js Express application
  • Intentional security vulnerabilities for testing
  • Multi-stage Dockerfile with security labels
  • Container registry integration

βœ… Phase 4: Security Scanning

  • Trivy (primary) and Grype (alternative) scanners
  • Syft for SBOM generation (SPDX/CycloneDX formats)
  • Comprehensive vulnerability reporting
  • 755 components detected in sample app

βœ… Phase 5: Policy Gates & Security Controls

  • Configurable severity thresholds
  • Emergency bypass mechanism with audit trail
  • Integration with existing scan pipeline
  • Nexus metadata updates

βœ… Phase 6: CI/CD Pipeline Integration

  • Complete GitHub Actions workflow
  • 6-stage security-first pipeline
  • Pull request integration with security comments
  • Local testing simulator

βœ… Phase 7: Documentation & Reporting

  • Architecture diagrams and comprehensive documentation
  • API reference and troubleshooting guides
  • Compliance and audit reporting

βœ… Phase 8: Testing & Validation

  • End-to-end testing in clean environment
  • Acceptance criteria validation
  • Performance and security benchmarks

βœ… Phase 9: Infrastructure as Code

  • Complete Terraform configuration (8 files)
  • Automated Nexus deployment with Docker provider
  • Network isolation and security controls
  • Multi-environment support with variables
  • Production-ready infrastructure patterns

πŸ›‘οΈ Security Features

Vulnerability Scanning

  • Trivy: Primary scanner for containers and dependencies
  • Grype: Alternative scanner with different vulnerability database
  • Syft: Software Bill of Materials (SBOM) generation
  • Multi-format support: SPDX, CycloneDX

Policy Gates

# Default security thresholds
GATE_FAIL_ON_CRITICAL: true    # Zero tolerance
GATE_MAX_HIGH: 5               # Maximum 5 high-severity
GATE_FAIL_ON_MEDIUM: false     # Allow medium-severity
GATE_BYPASS_ENABLED: true      # Emergency override

Compliance & Audit

  • Complete audit trail for all security decisions
  • SBOM generation and storage
  • Vulnerability report archival
  • Policy bypass documentation

Infrastructure as Code

  • Terraform Configuration: 8 comprehensive configuration files
  • Network Isolation: Custom Docker networks with subnet management
  • Service Deployment: Automated Nexus and security tools deployment
  • Multi-Environment: Development, staging, production configurations
  • Resource Management: Persistent volumes, health checks, monitoring
  • Documentation: Self-documenting infrastructure with examples

πŸ”§ Configuration

Environment Variables (.env)

# Nexus Configuration
NEXUS_URL=http://localhost:8081
NEXUS_USERNAME=admin
NEXUS_PASSWORD=DevSecOps2024!
NEXUS_DOCKER_REGISTRY=localhost:8082

# Security Gate Policies
GATE_FAIL_ON_CRITICAL=true
GATE_MAX_HIGH=5
GATE_BYPASS_ENABLED=true

# Scanner Configuration
PRIMARY_SCANNER=trivy
SCANNER_TIMEOUT=300

Terraform Variables (terraform/terraform.tfvars)

# Infrastructure Configuration
nexus_admin_password = "DevSecOps2024!"
nexus_web_port      = 8081
nexus_registry_port = 8082
nexus_memory        = 2048

# Environment Settings
project_environment = "development"
enable_security_scanning = true
auto_start_containers = true

GitHub Secrets (for CI/CD)

  • NEXUS_URL: Repository URL
  • NEXUS_USERNAME: Authentication username
  • NEXUS_PASSWORD: Authentication password
  • NEXUS_DOCKER_REGISTRY: Docker registry endpoint

πŸ“Š Usage Examples

Manual Security Scan

# Scan specific image
./scripts/security/scan.sh myapp:latest

# Run policy gate evaluation
./scripts/security/policy-gate.sh -s trivy

# Integrated scan + gate
./scripts/security/integrate-gate.sh myapp:latest

Repository Operations

# Create repositories
./scripts/api/create-repos.sh

# Upload artifact with metadata
./scripts/api/upload-artifact.sh /path/to/file

# Query artifacts
./scripts/api/query-artifacts.sh --build-name myapp

Infrastructure as Code Operations

# Initialize Terraform
cd terraform
terraform init

# Plan deployment
terraform plan

# Deploy infrastructure
terraform apply

# Get connection information
terraform output

# Destroy infrastructure
terraform destroy

CI/CD Pipeline

# Local simulation
./scripts/simulate-ci.sh

# GitHub Actions (automatic on push/PR)
git push origin main

# Manual trigger with bypass
# Use GitHub UI: Actions β†’ DevSecOps Pipeline β†’ Run workflow

πŸ“ˆ Monitoring & Reporting

Generated Reports

  • Security Scan Reports: Detailed vulnerability analysis
  • Policy Gate Reports: Pass/fail decisions with rationale
  • SBOM Reports: Complete software inventory
  • Audit Logs: All security decisions and bypasses

Integration Points

  • GitHub Actions: Workflow status and PR comments
  • Slack: Configurable notifications (optional)
  • Email: Alert integration (optional)

πŸ” Troubleshooting

Common Issues

Security Gate Fails

# Check vulnerability counts
cat scan-results/trivy-results.json | jq '.Results[].Vulnerabilities | group_by(.Severity)'

# Review policy thresholds
grep GATE_ .env

# Use emergency bypass
export GATE_BYPASS_TOKEN="emergency-$(date +%s)"
export GATE_BYPASS_REASON="Critical production fix"

Nexus Connection Issues

# Test connectivity
curl -u admin:DevSecOps2024! http://localhost:8081/service/rest/v1/status

# Check container status
docker logs nexus

# Restart if needed
docker restart nexus

Docker Build Failures

# Check build context
ls -la src/

# Verify Dockerfile location
find . -name "Dockerfile"

# Test build manually
docker build -f src/Dockerfile -t test:latest .

πŸ“š Documentation

🀝 Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make changes with tests
  4. Submit pull request
  5. Security scans will run automatically

πŸ“„ License

This project is licensed under the MIT License - see the LICENSE file for details.

πŸ™ Acknowledgments

  • Nexus Repository OSS - Sonatype
  • Trivy - Aqua Security
  • Grype & Syft - Anchore
  • GitHub Actions - Microsoft
  • Docker - Docker Inc.

πŸ” Troubleshooting

Common Issues

Node.js/npm Dependency Conflicts

# Solution: Use NodeSource installation
sudo apt remove --purge nodejs npm
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs

Missing .env File

# Solution: Create .env file manually
cp .env.example .env
# Or let quick-start.sh create it automatically

Repository Creation Failed

# Check Nexus is running
curl -u admin:DevSecOps2024! http://localhost:8081/service/rest/v1/status

# Recreate repositories
./scripts/api/create-repos.sh

Security Gate Failures

# Check scan results exist
ls -la scan-results/

# Run scan manually
trivy image --format json --output scan-results/trivy-results.json alpine:latest

# Test policy gate
./scripts/security/policy-gate.sh -s trivy

πŸ§ͺ Testing & Validation

Comprehensive Test Suite

# Run complete test suite (all components)
./test-comprehensive.sh

# Run Terraform-specific tests
./test-terraform.sh

# Test individual components
./scripts/test-integration.sh

Test Categories

Prerequisites Testing:

  • Docker installation and daemon
  • Node.js 18+ and npm
  • Git and Terraform availability
  • Security tools accessibility

Infrastructure Testing:

  • Project structure validation
  • Docker Compose configuration
  • Terraform configuration validation
  • Network and volume creation

Functional Testing:

  • Service connectivity (Nexus web/API)
  • Repository creation and management
  • Security scanning integration
  • CI pipeline simulation

Integration Testing:

  • End-to-end pipeline execution
  • Data persistence validation
  • Multi-environment compatibility

Expected Results

Excellent (90%+): Production-ready deployment Good (75-89%): Minor issues to address Fair (50-74%): Several improvements needed Needs Work (<50%): Major issues to resolve

🀝 Contributing

We welcome contributions! Please see our Contributing Guide for details.

Quick Contribution Setup

# Fork the repo, then:
git clone https://github.com/YOUR_USERNAME/devsecops-artifactory-lab.git
cd devsecops-artifactory-lab
./quick-start.sh --test-only  # Verify everything works

πŸ“ž Support & Community

  • πŸ› Issues: GitHub Issues for bug reports and feature requests
  • πŸ’¬ Discussions: GitHub Discussions for questions and ideas
  • πŸ”’ Security: See SECURITY.md for reporting security issues
  • πŸ“š Documentation: Comprehensive guides in the docs/ directory

⭐ Show Your Support

If this project helped you, please consider:

  • ⭐ Starring this repository
  • 🍴 Forking to contribute improvements
  • πŸ“’ Sharing with your network
  • πŸ’Ό Using in your organization (with proper attribution)

πŸ“ˆ Project Stats

  • πŸ›‘οΈ Security Tools: 4 (Trivy, Grype, Syft, OPA)
  • πŸ“¦ Container Images: 5 pre-built services
  • πŸ§ͺ Test Coverage: 90% (10/11 tests passing)
  • πŸ“š Documentation: 8 comprehensive guides
  • πŸš€ Setup Time: 15 minutes from clone to running

Built with ❀️ for the DevSecOps community

Helping organizations implement security-first development practices with practical, hands-on examples.

This lab demonstrates production-ready DevSecOps practices using enterprise-grade tools and methodologies.

About

πŸ›‘οΈ Enterprise DevSecOps pipeline with Nexus Repository, security scanning, and policy gates

Topics

docker security nexus ci-cd compliance devsecops vulnerability-scanning syft sbom trivy grype policy-gates

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing

Security policy

Security policy
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

DevSecOps Lab v1.0.0 - Complete Implementation Latest
Oct 4, 2025

Packages

 
 
 

Contributors

Languages