DevSecOps with Kind

.dockerignore

@@ -0,0 +1,30 @@
+# Exclude non-essential files from Docker build context
+# This speeds up builds and reduces the attack surface
+
+# Kubernetes/Helm/GitOps (not needed in image)
+charts/
+gitops/
+scripts/
+
+# Documentation and screenshots
+screenshots/
+*.md
+HELP.md
+
+# CI/CD configs
+.github/
+
+# Build output (will be rebuilt inside Docker)
+target/
+
+# IDE and OS files
+.idea/
+.vscode/
+*.iml
+*.iws
+.git/
+
+# Local dev files
+docker-compose.yml
+app-tier.yml
+.env

.github/workflows/build.yml

@@ -4,7 +4,6 @@ on:
   workflow_call:
 
 permissions:
-  id-token: write  # Required for OIDC
   contents: read
 
 jobs:
@@ -77,31 +76,27 @@ jobs:
           path: trivy-report.txt
 
   # ============================================================
-  # GATE 7: PUSH TO ECR
+  # GATE 7: PUSH TO DOCKER HUB
   # ============================================================
-  push_to_ecr:
-    name: Push to ECR
+  push_to_dockerhub:
+    name: Push to Docker Hub
     runs-on: ubuntu-latest
     needs: image_scan
     steps:
       - name: Checkout Code
         uses: actions/checkout@v4
 
-      - name: Configure AWS Credentials (OIDC)
-        uses: aws-actions/configure-aws-credentials@v4
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
         with:
-          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
-          aws-region: ${{ secrets.AWS_REGION }}
-
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build, Tag, and Push Image
         env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
+          DOCKERHUB_REPO: ${{ secrets.DOCKERHUB_REPO }}
           IMAGE_TAG: ${{ github.sha }}
         run: |
-          docker build --pull -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          docker build --pull -t $DOCKERHUB_REPO:$IMAGE_TAG .
+          docker push $DOCKERHUB_REPO:$IMAGE_TAG
+

.github/workflows/cd.yml

@@ -1,94 +1,34 @@
-name: CD - Deploy & DAST
-
+name: CD - GitOps Sync
+  
 on:
   workflow_call:
 
-permissions:
-  id-token: write  # Required for OIDC
-  contents: read
-
 jobs:
-
   # ============================================================
-  # GATE 8: DEPLOY
+  # GATE 8: GITOPS UPDATE
   # ============================================================
-  deploy:
-    name: Deploy to EC2 via SSH
+  gitops-update:
+    name: Update Helm Values for ArgoCD
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
         uses: actions/checkout@v4
-
-      - name: Create Deployment Directory
-        uses: appleboy/ssh-action@master
-        with:
-          host: ${{ secrets.EC2_HOST }}
-          username: ${{ secrets.EC2_USER }}
-          key: ${{ secrets.EC2_SSH_KEY }}
-          script: mkdir -p ~/bankapp
-
-      - name: Copy app-tier.yml to EC2
-        uses: appleboy/scp-action@master
-        with:
-          host: ${{ secrets.EC2_HOST }}
-          username: ${{ secrets.EC2_USER }}
-          key: ${{ secrets.EC2_SSH_KEY }}
-          source: "app-tier.yml"
-          target: "~/bankapp"
-
-      - name: Deploy via SSH
-        uses: appleboy/ssh-action@master
         with:
-          host: ${{ secrets.EC2_HOST }}
-          username: ${{ secrets.EC2_USER }}
-          key: ${{ secrets.EC2_SSH_KEY }}
-          script: |
-            # Login to ECR
-            aws ecr get-login-password --region ${{ secrets.AWS_REGION }} | docker login --username AWS --password-stdin ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com
+          token: ${{ secrets.GITHUB_TOKEN }} # contents: write permission is set above — no PAT needed
 
-            cd ~/bankapp
+      - name: Update Image Tag in Helm values.yaml
+        run: |
+          sed -i 's/tag: .*/tag: "${{ github.sha }}"/' charts/bankapp/values.yaml
 
-            # Fetch secrets from Secrets Manager and create .env
-            aws secretsmanager get-secret-value --secret-id bankapp/prod-secrets --query SecretString --output text > secrets.json
-
-            # Extract variables and write to .env
-            echo "DB_HOST=$(jq -r .DB_HOST secrets.json)" > .env
-            echo "DB_PORT=$(jq -r .DB_PORT secrets.json)" >> .env
-            echo "DB_NAME=$(jq -r .DB_NAME secrets.json)" >> .env
-            echo "DB_USER=$(jq -r .DB_USER secrets.json)" >> .env
-            echo "DB_PASSWORD=$(jq -r .DB_PASSWORD secrets.json)" >> .env
-            echo "OLLAMA_URL=$(jq -r .OLLAMA_URL secrets.json)" >> .env
-            echo "ECR_REGISTRY=${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com" >> .env
-            echo "ECR_REPOSITORY=${{ secrets.ECR_REPOSITORY }}" >> .env
-            echo "IMAGE_TAG=${{ github.sha }}" >> .env
-
-            # Clean up
-            rm secrets.json
-
-            # Pull and Deploy using the app-tier.yml transferred via SCP
-            docker compose -f app-tier.yml pull
-            docker compose -f app-tier.yml up -d --build
+      - name: Commit and Push Changes
+        run: |
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+          git config --global user.name "github-actions[bot]"
+          git add charts/bankapp/values.yaml
+          git commit -m "chore: update image tag to ${{ github.sha }} [skip ci]"
+          git push
 
   # ============================================================
-  # GATE 9: DAST - Dynamic Application Security Testing
+  # GATE 9: ARGOCD SYNC (Optional, ArgoCD can auto-sync)
   # ============================================================
-  dast:
-    name: DAST - OWASP ZAP Baseline Scan
-    runs-on: ubuntu-latest
-    needs: deploy
-    steps:
-      - name: Run OWASP ZAP Baseline Scan
-        uses: zaproxy/[email protected]
-        continue-on-error: true  # Workaround for ZAP's internal artifact upload bug
-        with:
-          target: 'http://${{ secrets.EC2_HOST }}:8080'
-          artifact_name: zapreport
-          fail_action: false
-          allow_issue_writing: false
-
-      - name: Upload ZAP Report
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: zap-dast-report
-          path: report_html.html
+  # Note: ArgoCD is configured to auto-sync in its manifest

.github/workflows/ci.yml

@@ -105,4 +105,4 @@ jobs:
         if: always()
         with:
           name: owasp-dependency-check-report
-          path: target/dependency-check-report.html
+          path: target/dependency-check-report.html

.github/workflows/devsecops-main.yml

@@ -2,7 +2,7 @@ name: DevSecOps Main Pipeline
 
 on:
   push:
-    branches: [ main, devsecops, k8s ]
+    branches: [ main ]
     paths-ignore:
       - '**.md'
       - '.gitignore'
@@ -11,8 +11,7 @@ on:
       - 'scripts/**'
 
 permissions:
-  id-token: write
-  contents: read
+  contents: write  # Required: cd.yml pushes updated values.yaml back to repo (workflow_call inherits this)
   security-events: write
 
 jobs:
@@ -24,15 +23,15 @@ jobs:
     secrets: inherit
 
   # ============================================================
-  # STAGE 2: Build - Maven + Trivy + ECR Push
+  # STAGE 2: Build - Maven + Trivy + Docker Hub Push
   # ============================================================
   build:
     needs: ci
     uses: ./.github/workflows/build.yml
     secrets: inherit
 
   # ============================================================
-  # STAGE 3: CD - Deploy + DAST
+  # STAGE 3: CD - GitOps Sync (ArgoCD)
   # ============================================================
   cd:
     needs: build