This repository hosts a Full-Stack Web Application (Node.js + React) designed to showcase modern Software Engineering and DevOps practices.
- Automated Security Gates: Builds fail if vulnerabilities or secrets are detected.
- Container Security: Image scanning, signing, and verification.
- Legacy Remediation: A documented case study of fixing critical CVEs.
I used GitHub Actions to enforce security checks at every stage of the lifecycle. A commit that fails any gate is not built into an image and is never pushed to the registry.

```mermaid
graph TD
A[Code Commit] -->|1. Secret Scan| B(Gitleaks)
B -->|2. SCA & SAST| C(Snyk)
C -->|3. Unit Tests| D(Jest/TDD)
D -->|Build| E[Docker Build]
E -->|4. Linting| F(Hadolint)
E -->|5. Image Scan| G(Trivy)
G -->|6./7. Sign & SBOM| H(Cosign & Syft)
H --> I[Registry Push]
```
| Stage | Tool | Purpose |
|---|---|---|
| 1. Secret Scanning | Gitleaks | Prevents hardcoded credentials/secrets from entering the repo; runs over the full commit history, not just the diff. |
| 2. SCA & SAST | Snyk | Scans third-party dependencies (SCA) and the application's own source (SAST) for known vulnerability classes. |
| 3. Testing (TDD) | Jest + Supertest | Validates application logic and API endpoints (including security headers) before anything is built. |
| 4. Docker Linting | Hadolint | Enforces best practices in Dockerfile construction (pinned base images, no root user, no secrets in layers). |
| 5. Container Scan | Trivy | Scans the built image for known vulnerabilities in OS packages and bundled application dependencies. |
| 6. Image Signing | Cosign | Signs the pushed image digest so consumers can verify it came from this pipeline unaltered; one building block toward SLSA provenance. |
| 7. SBOM Generation | Syft | Generates a Software Bill of Materials (SPDX) so consumers can see exactly which components the image contains. |
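The following workflow is an added example of how the seven gates above can be wired into GitHub Actions; it is not the repository's own workflow file. The action names and their inputs are real, but the registry/image name (`ghcr.io/agslima/secure-app-analysis`), the secret names and the public key path `cosign.pub` are assumptions.

```yaml
# Added example, not the project's own workflow. Image name, secret names and
# the cosign.pub path are assumptions; actions and inputs are real.
name: secure-pipeline
on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write

env:
  IMAGE: ghcr.io/agslima/secure-app-analysis   # assumed registry location

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # gitleaks needs the full history, not one commit

      # 1. Secret scanning: any hardcoded credential fails the job
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/setup-node@v4
        with:
          node-version: 18
      - run: npm ci

      # 2. SCA (dependencies) and SAST (source); high+ severity fails the job
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: code test
          args: --severity-threshold=high

      # 3. Unit and integration tests (Jest + Supertest)
      - run: npm test

      # 4. Dockerfile lint
      - uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile

      # Build into the local daemon first so the image is scanned before it is ever pushed
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # 5. Image scan: exit-code 1 turns CRITICAL/HIGH findings into a failed build.
      #    ignore-unfixed is a policy choice: drop it to fail on findings with no fix yet.
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          exit-code: '1'
          severity: CRITICAL,HIGH
          ignore-unfixed: true

      # Only a clean image reaches the registry (second build is a cache hit)
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # 6. Sign the immutable digest (never the mutable tag) with the repo's key pair,
      #    then verify with the public key committed to the repo, exactly as a consumer would
      - uses: sigstore/cosign-installer@v3
      - env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE}@${{ steps.push.outputs.digest }}"
      - run: cosign verify --key cosign.pub "${IMAGE}@${{ steps.push.outputs.digest }}"

      # 7. SBOM in SPDX, generated from the pushed digest so it describes what was actually shipped
      - uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.push.outputs.digest }}
          format: spdx-json
```

Two design points worth noting: the image is built with `load: true` and scanned before the push step exists at all, so a failing Trivy scan leaves nothing in the registry; and both signing and the SBOM are bound to the digest rather than the `:sha` tag, because a tag can be repointed after signing while a digest cannot. In a real repository, pin every `uses:` to a commit SHA rather than a tag or `@master`.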
Context: This section documents the initial security audit performed on the legacy codebase as part of the Application Security for Developers certification.
Before remediation, the application was scanned using Snyk. The report revealed a critical security debt in the dependency tree.
Common Vulnerabilities Detected:
- Cross-Site Scripting (XSS): Detected in older frontend libraries.
- Prototype Pollution: Found in backend utility packages.
- Arbitrary Code Execution: Critical flaw in a deep dependency.
I adopted a systematic approach to fix these issues:
- Direct Upgrades: Updated `package.json` to move packages to the safe versions suggested by Snyk.
- Patches: Used `snyk wizard` to apply patches where upgrades were not immediately possible (the wizard has since been deprecated in the Snyk CLI; newer setups pin patched versions or use `overrides` in `package.json` instead).
- Defensive Coding: Refactored backend logic to validate input and sanitize headers (OWASP Top 10).
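The prototype pollution finding above is the one that defensive coding has to address in the application's own code, since a safe dependency version does not help if a hand-written merge has the same flaw. The block below is an added example, not the project's code: a naive deep merge of the kind Snyk flags in utility packages, next to a hardened version, driven by a constructed request body shaped the way `express.json()` would parse it. The helper names and the payload are hypothetical.

```javascript
// Added example (not the project's own code): prototype pollution through a
// naive deep merge, shown beside a hardened one. Helpers and payload are
// hypothetical/constructed.
'use strict';

// VULNERABLE: descends into whatever key the caller supplies, including "__proto__".
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // writes attacker-chosen properties onto every object in the process.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: refuse the keys that reach the prototype chain, and only descend
// into properties the target itself owns (never inherited ones).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;   // drop silently; throw instead for strict APIs
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload. JSON.parse (and therefore express.json()) creates
// "__proto__" as an OWN property of the result, which is what makes the merge reachable.
const ATTACKER_BODY = '{"name": "guest", "__proto__": {"isAdmin": true}}';

// Runs both merges against fresh objects and reports whether an unrelated,
// newly created object picked up the injected property. Cleans up after the
// vulnerable run so the hardened check starts from an unpolluted prototype.
function demonstrate() {
  const payload = JSON.parse(ATTACKER_BODY);

  unsafeMerge({}, payload);
  const pollutedByUnsafe = ({}).isAdmin === true;   // true: leaked into a brand-new object
  delete Object.prototype.isAdmin;                  // undo for the rest of the process

  const user = safeMerge({}, payload);
  const pollutedBySafe = ({}).isAdmin === true;     // false: the blocked key was dropped

  return { pollutedByUnsafe, pollutedBySafe, mergedKeys: Object.keys(user) };
}

console.log(demonstrate());
```

The interesting detail is the cleanup line: once `Object.prototype.isAdmin` is set, every `if (user.isAdmin)` check in the process passes for every object, which is why Snyk rates this class as critical when the merge input is request-controlled. The hardened version blocks `constructor` and `prototype` as well as `__proto__`, because `obj.constructor.prototype` is the same object reached by a different path.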
After applying the fixes and re-running the CI/CD pipeline checks:
| Severity | Initial Count | Current Count | Status |
|---|---|---|---|
| Critical | 27 | 0 | ✅ Fixed |
| High | 116 | 0 | ✅ Fixed |
| Medium | 191 | 2 | |
| Low | 345 | 22 | ℹ️ Backlog |
| Initial Vulnerability Scan | Post-Fix Clean Scan |
|---|---|
| (screenshot of the initial Snyk report) | (screenshot of the clean re-scan) |
- Node.js v18+
- Docker
```bash
git clone https://github.com/agslima/secure-app-analysis.git
cd secure-app-analysis
npm install
```

This project follows Test-Driven Development. To ensure the application logic and security headers are functioning correctly:
```bash
# Run unit and integration tests
npm test
# Run tests in watch mode (for development)
npm run test:watch
```

To verify the current security status of the application, follow these steps:
You need a Snyk account and CLI installed.
Download a standalone executable (for macOS, Linux, and Windows) of the Snyk CLI for your platform.
```bash
curl -fsSL https://static.snyk.io/cli/latest/snyk-linux -o snyk-linux
# Snyk publishes a .sha256 file next to each binary; check it before trusting the download
curl -fsSL https://static.snyk.io/cli/latest/snyk-linux.sha256 -o snyk-linux.sha256
sha256sum -c snyk-linux.sha256
chmod +x ./snyk-linux
sudo mv ./snyk-linux /usr/local/bin/snyk
```

Authenticate your machine to associate it with your Snyk account:

```bash
# Authenticate (opens a browser to link this machine to your account)
snyk auth
# Run the dependency test; a non-zero exit code means vulnerabilities were found
snyk test
```

To start the application:

```bash
npm start
```

- Security by Design: Shifting security left in the SDLC.
- Security Policy: See SECURITY.md for reporting guidelines.
- Verification: Docker images pulled from this registry can be verified with `cosign verify --key` using the public key hosted in the repo; verify the image digest, not a tag, since tags can be moved after signing.
- Frontend: React.js
- Backend: Node.js / Express
- Security Analysis: Snyk (Software Composition Analysis & SAST), Trivy, Gitleaks
- Supply Chain: Cosign, Syft
- Monitoring (Concept): Prometheus & Grafana methodologies
This project is licensed under the Apache License 2.0. See the LICENSE file for details.

