This repository demonstrates a production-style DevSecOps CI/CD pipeline for a containerized Node.js application using GitHub Actions, Docker, and Trivy.
The pipeline integrates automated testing, Docker image builds, vulnerability scanning, security gates, SARIF security reporting, artifact management, and deployment automation.
The pipeline follows a Shift-Left DevSecOps approach, where vulnerabilities are identified and blocked before deployment.
- Backend: Node.js & Express
- Containerization: Docker
- CI/CD: GitHub Actions
- Security: Trivy, SARIF
- Build: success
- Docker: Success
- Image: v1.0.74-091e8e1
- Version: v1.0.74
- Commit: 091e8e1
- Trivy Scan: CRITICAL/HIGH enforced
Build → Test → Docker → Scan → Tag → Deploy
🚀 System is production ready
| Severity | Package | Vulnerability | Installed Version | Fixed Version |
|---|
This section is automatically updated by CI/CD pipeline using Trivy scan results.
- Build completed successfully
- Docker image built and pushed
- Trivy scan completed
- README auto updated
flowchart TD
A[Developer Push] --> B[GitHub Actions Trigger]
B --> C[Build & Test]
C --> D[Docker Build]
D --> E[Trivy Security Scan]
E -->|FAIL HIGH/CRITICAL| X[Block Pipeline ❌]
E -->|PASS| F[Docker Image Tagging]
F --> G[Generate Reports]
G --> H[Security Gate]
H -->|PASS| I[Deploy]
Main Pipeline: https://github.com/malathi-shetty/github-actions-capstone/actions/runs/26508117638
PR Pipeline: https://github.com/malathi-shetty/github-actions-capstone/actions/runs/26409652989
Trivy Scan: https://github.com/malathi-shetty/github-actions-capstone/actions/runs/26501954363
Trivy SARIF results are uploaded directly into GitHub Code Scanning Alerts for centralized vulnerability visibility.
Dependency Review: https://github.com/malathi-shetty/github-actions-capstone/actions/runs/26462725296
Docker Container Scheduled Health Check: https://github.com/malathi-shetty/github-actions-capstone/actions/runs/26586977687
Website: https://shettymalathib.github.io/github-actions-capstone/
pages build and deployment: https://github.com/malathi-shetty/github-actions-capstone/actions/runs/26508117155
Pin Commit SHA: https://github.com/malathi-shetty/github-actions-capstone/actions/runs/26507329633
- Reusable GitHub Actions workflows
- Automated Docker image build & push
- Trivy vulnerability scanning (JSON + SARIF)
- GitHub Code Scanning integration
- Security gate enforcement for HIGH/CRITICAL CVEs
- Automated artifact generation
- Dependency review checks
- Scheduled Docker health checks
- GitHub Pages deployment
- Shift-Left DevSecOps implementation
This project was developed as part of the 90 Days of DevOps learning journey and further extended with additional production-style DevSecOps practices and CI/CD automation.
The implementation includes enhancements such as:
- Reusable GitHub Actions workflows
- Docker image build and version tagging
- Trivy vulnerability scanning
- DevSecOps security integration with Trivy
- SARIF-based GitHub Code Scanning integration
- Security gate enforcement for HIGH/CRITICAL vulnerabilities
- Structured artifact generation and reporting
- Automated reporting workflows
- Dependency review checks
- Scheduled Docker health checks
- Scheduled health monitoring
- GitHub Pages deployment automation