A production-grade fullstack pipeline showcasing modern DevSecOps practices — from secure CI/CD to observability and Infrastructure-as-Code (IaC).
This project demonstrates how to take a simple Node.js/Express app and wrap it with a battle-tested DevSecOps workflow used in real companies.
- CI/CD Pipeline: GitHub Actions with linting, testing, dependency audits, Docker builds, Trivy scans, Gitleaks, CodeQL, Checkov & Terrascan
- Secure Containerization: Hardened Dockerfiles with non-root users and HEALTHCHECK instructions
- Pipeline Security (pre-deploy, not runtime): Gitleaks (secret scanning), CodeQL (static analysis), npm audit (dependency vulnerabilities)
- Observability Stack:
  - Prometheus for metrics collection
  - Grafana dashboards (CPU %, memory, HTTP request rates, error rate, latency)
  - Alertmanager + Slack for real-time alerts
  - Sentry for application-level error monitoring and release tracking
- Environments:
  - Staging: auto-deploy on push to `develop`
  - Production: auto-deploy on merge to `main`
- IaC Versioning: Full `render.yaml` and Helm manifests for portability to Kubernetes (k3s, GKE, EKS)
```mermaid
flowchart TD
    A[GitHub Push] -->|GitHub Actions| B[CI/CD Pipeline]
    B -->|Docker Build + Scan| C[Docker Hub]
    B -->|IaC Scans| D[Checkov & Terrascan]
    B -->|Deploy| E[Render Staging/Prod]
    E -->|App Metrics| F[Prometheus]
    F --> G[Grafana Dashboards]
    F --> H[Alertmanager -> Slack]
    E -->|Errors| I[Sentry]
```
- ESLint → code quality
- Jest → unit tests
- npm audit → dependency vulnerabilities
- Trivy → container image vulnerabilities
- Gitleaks → secrets detection
- CodeQL → static analysis
- Checkov + Terrascan → IaC security
- Docker image pushed to Docker Hub, tagged with the commit and `latest` (deploy from the commit tag, which is immutable; `latest` is a moving pointer)
🔗 Live Staging App: https://mydev-staging.onrender.com
🔗 Live Production App: https://mydev-prod.onrender.com
Slack notifications report each staging/prod deployment together with its build status.
- Scrapes the app's `/metrics` endpoint (exposed via `prom-client`)
- Collects:
  - Default Node.js process metrics
  - `http_requests_total` counter
  - Latency histogram
🔗 See live link here: https://prometheus-4d0b.onrender.com
Includes panels for:
- CPU %
- Memory usage
- HTTP requests/sec
- 5xx error rate
- 95th percentile latency
🔗 See live link here: https://grafana-iyio.onrender.com
- Sends alerts to Slack via webhook
- Starter rules:
- CPU > 80% for 2 minutes
- Error rate > 5% over 5 minutes
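The metrics above, the Grafana panels and the two starter alert rules all work from the same two series. The block below is an added example, not the project's code: the project uses `prom-client`, while this hand-rolls the `http_requests_total` counter, a latency histogram and the Prometheus text exposition format so it runs with no dependencies. The route names, bucket bounds and sample traffic are assumptions; the PromQL in the comments is what the requests/sec, 5xx error rate and p95 panels would evaluate over these series.

```javascript
// Added example (not the project's code): what the app's /metrics endpoint serves.
// prom-client does this in the real app; here the counter, histogram and text
// exposition format are hand-rolled so the block runs offline.
// LATENCY_BUCKETS and the sample routes below are assumptions.

const LATENCY_BUCKETS = [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5]; // seconds

const requestCounts = new Map(); // 'method="GET",route="/",status="200"' -> count
const latency = new Map();       // route -> { buckets: number[], sum, count }

function labelKey(labels) {
  return Object.entries(labels).map(([k, v]) => `${k}="${v}"`).join(",");
}

function observeRequest({ method, route, status, durationSeconds }) {
  const key = labelKey({ method, route, status: String(status) });
  requestCounts.set(key, (requestCounts.get(key) || 0) + 1);

  let h = latency.get(route);
  if (!h) {
    h = { buckets: new Array(LATENCY_BUCKETS.length).fill(0), sum: 0, count: 0 };
    latency.set(route, h);
  }
  // Prometheus histogram buckets are cumulative: every bucket with le >= value counts it.
  LATENCY_BUCKETS.forEach((le, i) => { if (durationSeconds <= le) h.buckets[i] += 1; });
  h.sum += durationSeconds;
  h.count += 1;
}

// Express middleware: start a timer per request, record once the response has finished.
// Label by the matched route pattern, never req.url, so attacker-chosen paths cannot
// blow up series cardinality on the Prometheus server.
function metricsMiddleware(req, res, next) {
  const start = process.hrtime.bigint();
  res.on("finish", () => {
    observeRequest({
      method: req.method,
      route: (req.route && req.route.path) || "unmatched",
      status: res.statusCode,
      durationSeconds: Number(process.hrtime.bigint() - start) / 1e9,
    });
  });
  next();
}
// Wiring in Express would be:
//   app.use(metricsMiddleware);
//   app.get("/metrics", (req, res) => res.type("text/plain").send(renderMetrics()));

// Prometheus text exposition format: the body Prometheus scrapes from GET /metrics.
function renderMetrics() {
  const lines = ["# HELP http_requests_total Total HTTP requests", "# TYPE http_requests_total counter"];
  for (const [key, n] of requestCounts) lines.push(`http_requests_total{${key}} ${n}`);
  lines.push("# HELP http_request_duration_seconds HTTP request latency in seconds",
             "# TYPE http_request_duration_seconds histogram");
  for (const [route, h] of latency) {
    LATENCY_BUCKETS.forEach((le, i) =>
      lines.push(`http_request_duration_seconds_bucket{route="${route}",le="${le}"} ${h.buckets[i]}`));
    lines.push(`http_request_duration_seconds_bucket{route="${route}",le="+Inf"} ${h.count}`);
    lines.push(`http_request_duration_seconds_sum{route="${route}"} ${h.sum}`);
    lines.push(`http_request_duration_seconds_count{route="${route}"} ${h.count}`);
  }
  return lines.join("\n") + "\n";
}

// PromQL the Grafana panels and the starter alert rules evaluate over these series:
//   requests/sec:   sum(rate(http_requests_total[5m]))
//   5xx error rate: sum(rate(http_requests_total{status=~"5.."}[5m])) / sum(rate(http_requests_total[5m]))
//   p95 latency:    histogram_quantile(0.95, sum by (le) (rate(http_request_duration_seconds_bucket[5m])))

// Constructed sample traffic; state is reset first so the output is deterministic.
function simulate() {
  requestCounts.clear();
  latency.clear();
  observeRequest({ method: "GET", route: "/", status: 200, durationSeconds: 0.03125 });
  observeRequest({ method: "GET", route: "/", status: 200, durationSeconds: 0.0625 });
  observeRequest({ method: "POST", route: "/login", status: 500, durationSeconds: 0.75 });
  return renderMetrics();
}

console.log(simulate());
```

The `route` label is the point to get right: labelling by the raw URL lets any client create unbounded series (`/users/1`, `/users/2`, ...) and exhaust Prometheus memory, which is a denial of service against the monitoring itself.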
- Captures unhandled exceptions
- Tied to GitHub Actions release versions
- Shows "Deployed to Staging/Prod" in release timeline
All service images include:
- `HEALTHCHECK` instructions
- Non-root user execution
- Minimal base images (`node:18-alpine`, `alpine:3.20`, etc.)
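The three image properties above are easy to lose in a later edit, so a pipeline should check them rather than trust the Dockerfile history. The block below is an added example, not the project's code: a small pre-build gate that parses a Dockerfile and fails it if any `FROM` is unpinned or `:latest`, the final `USER` is root, or there is no `HEALTHCHECK`. The two Dockerfiles embedded in it are constructed for illustration (the `/healthz` path and the `node` user are assumptions), not the project's own Dockerfile.

```javascript
// Added example (not the project's code): a Dockerfile hardening gate for CI.
// Checks the three properties listed above on a constructed weak and hardened Dockerfile.

const HARDENING_CHECKS = [
  {
    id: "pinned-base-image",
    message: "every FROM must pin a tag or digest (not :latest / untagged)",
    // Untagged and :latest images are mutable; a rebuild can silently pull different code.
    test: (instr) => {
      const froms = instr.filter((i) => i.name === "FROM");
      return froms.length > 0 && froms.every((i) => {
        const image = i.args.split(/\s+/)[0]; // drop "AS builder"
        return image.includes("@sha256:") ||
          (/:[\w.-]+$/.test(image) && !image.endsWith(":latest"));
      });
    },
  },
  {
    id: "non-root-user",
    message: "final USER must be a non-root user",
    // The last USER instruction is the runtime identity; it must not be root / uid 0.
    test: (instr) => {
      const users = instr.filter((i) => i.name === "USER");
      if (users.length === 0) return false;
      const last = users[users.length - 1].args.split(":")[0].trim();
      return last !== "root" && last !== "0";
    },
  },
  {
    id: "healthcheck",
    message: "a HEALTHCHECK instruction is required",
    test: (instr) => instr.some((i) => i.name === "HEALTHCHECK" && !/^NONE$/i.test(i.args.trim())),
  },
];

// Minimal Dockerfile parser: joins backslash-continued lines, drops comments and blanks,
// returns [{ name, args }] in order. Enough for these checks, not a full grammar.
function parseDockerfile(text) {
  return text.replace(/\\\r?\n/g, " ")
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith("#"))
    .map((l) => {
      const [name, ...rest] = l.split(/\s+/);
      return { name: name.toUpperCase(), args: rest.join(" ") };
    });
}

// Returns the failed checks; an empty array means the Dockerfile passes the gate.
function auditDockerfile(text) {
  const instr = parseDockerfile(text);
  return HARDENING_CHECKS.filter((c) => !c.test(instr)).map((c) => ({ id: c.id, message: c.message }));
}

// Constructed "before": floats on :latest, runs as root, has no health check.
const WEAK_DOCKERFILE = `
FROM node:latest
WORKDIR /app
COPY . .
RUN npm ci --omit=dev
CMD ["node", "src/server.js"]
`;

// Constructed "after": pinned minimal base, non-root user, health check.
// /healthz and the node user are assumptions, not the project's values.
const HARDENED_DOCKERFILE = `
FROM node:18-alpine
WORKDIR /app
COPY --chown=node:node package*.json ./
RUN npm ci --omit=dev
COPY --chown=node:node src ./src
USER node
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \\
  CMD wget -qO- http://127.0.0.1:3000/healthz || exit 1
CMD ["node", "src/server.js"]
`;

function demo() {
  return {
    weak: auditDockerfile(WEAK_DOCKERFILE).map((f) => f.id),
    hardened: auditDockerfile(HARDENED_DOCKERFILE).map((f) => f.id),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it as a step before `docker build` and fail the job when `auditDockerfile` returns anything; it complements Trivy rather than replacing it, since Trivy reports package CVEs in the built image while this checks how the image will run.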
Helm charts are provided for:
- `myapp` (Node.js/Express)
- Prometheus
- Grafana
- Alertmanager

Secrets managed via K8s Secret resources (Slack webhook, Grafana admin password). Note that a Secret object is only base64-encoded; enable encryption at rest for etcd (or use an external secrets operator) before treating these values as protected.
Target clusters:
- Local dev: k3s / kind
- Cloud: GKE, EKS, AKS
- Fork this repo
- Set GitHub Actions secrets:
  - `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN`
  - `RENDER_API_KEY`, `RENDER_SERVICE_ID`, `RENDER_SERVICE_ID_PROD`
  - `SENTRY_AUTH_TOKEN`, `SENTRY_ORG`, `SENTRY_PROJECT`
  - `SLACK_WEBHOOK_URL`
- Push to `develop` → staging deploy
- Merge to `main` → production deploy
📂 Repository Structure
```text
├── src/                 # Node.js app (Express + Sentry + Prometheus metrics)
├── infra/               # Infra services
│   ├── prometheus/
│   ├── grafana/
│   └── alertmanager/
├── helm/                # Helm charts for k8s migration
├── .github/workflows/   # CI/CD pipelines
├── render.yaml          # Render IaC config
└── Dockerfile           # App Dockerfile
```
🎯 Why This Matters
| Feature | Benefit |
|---|---|
| Full DevSecOps pipeline | Integrated security, monitoring, and alerting |
| Cloud-native ready | Helm charts → easy migration to Kubernetes |
| Production realism | Error tracking, observability, secrets mgmt, IaC scanning |
| Team collaboration | Slack notifications + Sentry releases → transparency |
| Hands-on expertise | End-to-end modern DevSecOps toolchain experience |
📬 Contact
Interested in how I can bring end-to-end DevSecOps expertise to your team? Let’s connect!