This is a production-grade DevSecOps pipeline for securely delivering containerized applications using GitHub Actions, AWS Fargate, and industry-standard security tools.
📺 Walkthrough Video
With this project I demonstrated how to build and deploy a secure, scalable, and observable CI/CD pipeline tailored for cloud-native applications in regulated or high-security environments such as banking or finance.
I integrated automated testing, static/dynamic code analysis, container orchestration, and multi-environment infrastructure provisioning—all using infrastructure-as-code and GitHub Actions.
Modern banking applications require:
- Zero-downtime deployments
- Infrastructure reproducibility
- Secure software supply chain
- Real-time security and code quality checks
This CI/CD project addresses all of these needs, serving as a robust template for real-world DevOps teams or production teams in regulated industries.
The pipeline consists of:
- Three GitHub Actions workflows (dev, stage, prod)
- Terraform-managed AWS infrastructure (modular)
- Security gates via SonarCloud (SAST) and OWASP ZAP (DAST)
- Container builds with Docker and hosted on DockerHub
- Fargate ECS deployments
- Slack notifications for deployment visibility
- Language/Framework: Python (Flask)
- Containerization: Docker
- CI/CD Automation: GitHub Actions
- Security Scanning:
- Static: SonarCloud
- Dynamic: OWASP ZAP
- Infrastructure as Code: Terraform
- Cloud Platform: AWS (ECS, VPC, IAM, S3, DynamoDB)
- State Management: S3 + DynamoDB locking
- Notifications: Slack
| Branch | Trigger Type | Actions Performed |
|---|---|---|
dev |
Push | Linting, SonarCloud, OWASP ZAP, Plan Only |
stage |
Push | Full scan, build, ECS deploy to staging |
main |
Push | Full scan, build, ECS production deploy + Slack |
.
├── app/ # Flask App
│ ├── app.py
│ └── Dockerfile
├── terraform/
│ ├── envs/
│ │ ├── dev/
│ │ ├── stage/
│ │ └── prod/
│ └── modules/
│ ├── ecs/
│ ├── vpc/
│ └── security/
├── .github/workflows/ # GitHub Actions Pipelines
│ ├── dev-pipeline.yml
│ ├── stage-pipeline.yml
│ └── prod-pipeline.yml
└── README.md| Secret Name | Description |
|---|---|
AWS_ACCESS_KEY_ID |
AWS IAM access for Terraform |
AWS_SECRET_ACCESS_KEY |
AWS IAM secret for Terraform |
SONAR_TOKEN |
Token for SonarCloud SAST integration |
SONAR_HOST_URL |
URL to SonarCloud API |
SLACK_WEBHOOK_URL |
Slack incoming webhook for notifications |
Included are all key screenshots for:
- ECS cluster and tasks running
- SonarCloud dashboard
- Slack deployment alert
- Terraform backend: S3 + DynamoDB
- GitHub Actions runs for each environment
Browse all related screenshots used in this project with explanations:
👉 Click here to view the full Gallery
- ❌ OWASP ZAP Failure to Scan Docker App (Exit Code 3) Error Message:
SonarQube & OWASP ZAP Scanning
failed to scan the target: Error: The process '/usr/bin/docker' failed with exit code 3
No files were found with the provided path: owasp-zap-report.html. No artifacts will be uploaded.
Cause: This issue occurred due to GitHub-hosted runners not being able to properly execute Docker-based scans under certain job constraints. The OWASP ZAP container scan couldn't bind to the exposed Flask app.
Resolution: ✅ Temporarily bypassed this by allowing the pipeline to continue (continue-on-error: true) while logging and preserving the error for future action.
🔧 Why it wasn’t resolved immediately: Because this project involved deploying real AWS infrastructure (ECS, S3, DynamoDB, etc.), I was mindful of incurring unnecessary AWS charges. I chose to defer deep debugging in order to decommission the stack quickly and avoid cost accumulation.
Ensure the Flask app is fully initialized before ZAP runs (via health checks or sleep).
Explore using Docker Compose to coordinate app and ZAP containers locally before deploying.
Test OWASP integration in a more cost-efficient sandbox environment.
- Successfully deployed a multi-environment infrastructure using modular Terraform
- Enabled DevSecOps best practices with automated SAST and DAST checks
- Fully integrated Slack notifications for release observability
- Delivered reproducible IaC provisioning via remote state and locking
- Demonstrated secure app deployment using ECS Fargate
- Introduce GitHub PR feedback via SonarCloud
- Add manual approval gates before production deploy
- Integrate Route53 domain and HTTPS via ACM + ALB
- Deploy more complex workloads (e.g., microservices)
This project is Created by @doyindevops — as part of a full-scale DevOps portfolio initiative.