33 commits
21faabf Create outputs.tf (manishvishwakarma89, May 19, 2026)
6613eff build and testing code-quality-check.yml (manishvishwakarma89, May 20, 2026)
bbb97aa Create secret-scan.yml (manishvishwakarma89, May 20, 2026)
c7e7d12 Create dependency-scan.yml (manishvishwakarma89, May 20, 2026)
438bcc9 Create docker-lint.yml (manishvishwakarma89, May 20, 2026)
d782154 Create devsecops-pipeline.yml (manishvishwakarma89, May 20, 2026)
4425041 Create image-scan.yml (manishvishwakarma89, May 20, 2026)
74d0365 Update devsecops-pipeline.yml (manishvishwakarma89, May 20, 2026)
6b4c582 Create tests.yml (manishvishwakarma89, May 20, 2026)
6b62387 Create deploy-to-server.yml (manishvishwakarma89, May 20, 2026)
169b100 Create docker-build-push.yml (manishvishwakarma89, May 20, 2026)
43a2dc6 Create playbook.yml (manishvishwakarma89, May 20, 2026)
0b7cd18 Update code-quality-check.yml (manishvishwakarma89, May 20, 2026)
135d33d Update code-quality-check.yml (manishvishwakarma89, May 20, 2026)
eef392f Update go-version (manishvishwakarma89, May 20, 2026)
918f30d Update code-quality-check.yml (manishvishwakarma89, May 20, 2026)
5af7b19 Update large go-version (manishvishwakarma89, May 20, 2026)
ea1538a Update code-quality (manishvishwakarma89, May 20, 2026)
faaa4dd Update code-quality-check.yml (manishvishwakarma89, May 20, 2026)
75573fc Update go.mod (manishvishwakarma89, May 20, 2026)
f71a036 Updated ci registry pipeline (manishvishwakarma89, May 20, 2026)
5fce991 Update code-quality-check.yml (manishvishwakarma89, May 20, 2026)
3f19b5b Updated go-lang (manishvishwakarma89, May 20, 2026)
a8d254b Update go lang dependencies (manishvishwakarma89, May 20, 2026)
59d4e1b Update go matrix (manishvishwakarma89, May 21, 2026)
4424b28 Update code-quality-check.yml (manishvishwakarma89, May 21, 2026)
8c7103e Update go-lint (manishvishwakarma89, May 21, 2026)
d2f8b75 Update go.mod (manishvishwakarma89, May 21, 2026)
71f6604 Update code-quality-check.yml (manishvishwakarma89, May 21, 2026)
2fcf285 Update code-quality-check.yml (manishvishwakarma89, May 21, 2026)
472dd2c Update code-quality-check.yml (manishvishwakarma89, May 21, 2026)
fdd9a5d Update go.mod (manishvishwakarma89, May 21, 2026)
854381c Update main.go (manishvishwakarma89, May 21, 2026)
104 changes: 84 additions & 20 deletions .github/workflows/ci.yml
@@ -1,4 +1,4 @@
name: CI
name: CI Pipeline

on:
push:
@@ -7,35 +7,99 @@ on:
- 'k8s/**'
- 'docs/**'
- '**/*.md'
- terraform/**
workflow_dispatch:

permissions:
id-token: write
contents: read
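Review bot: `- terraform/**` is the only paths-ignore entry left unquoted while its siblings are written `'k8s/**'`, `'docs/**'`, `'**/*.md'`; quote it the same way for consistency (a glob that begins with `*` would be read as a YAML alias if left bare, so the quoted form is the safer habit across the list).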
Comment on lines +13 to +15

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Scope id-token: write to the job that needs it.

id-token: write is set at the workflow level but only the build-scan-push job requires OIDC for AWS credentials. The security job doesn't need this permission. Move it to job-level permissions to follow least-privilege.

Proposed fix
 permissions:
-  id-token: write
   contents: read

 ...

   build-scan-push:
     name: Build, Scan & Push
     runs-on: ubuntu-latest
     needs: security
+    permissions:
+      id-token: write
+      contents: read
🧰 Tools
🪛 zizmor (1.25.2)

[error] 14-14: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level

(excessive-permissions)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 13 - 15, Remove id-token: write from
the top-level permissions and add it only to the build-scan-push job-level
permissions; keep contents: read at the appropriate scope (either workflow or
job) but ensure the security job does not get id-token. Locate the workflow
permissions block and the job definitions for build-scan-push and security,
delete the global id-token: write entry, and insert id-token: write under the
build-scan-push job's permissions block so only that job can request OIDC
tokens.


env:
REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com

jobs:
build-and-push:
security:
name: Security Gate
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- uses: docker/setup-buildx-action@v4
- name: Gitleaks
uses: gitleaks/gitleaks-action@v2

- uses: docker/login-action@v4
if: ${{ vars.DEPLOY_ENABLED == 'true' }}
- name: Hadolint Backend
uses: hadolint/hadolint-action@v3.1.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
dockerfile: backend/Dockerfile

- name: Build and push backend
uses: docker/build-push-action@v7
- name: Hadolint Frontend
uses: hadolint/hadolint-action@v3.1.0
with:
context: ./backend
push: ${{ vars.DEPLOY_ENABLED == 'true' }}
tags: |
${{ secrets.DOCKERHUB_USERNAME != '' && format('{0}/skillpulse-backend:latest', secrets.DOCKERHUB_USERNAME) || 'skillpulse-backend:latest' }}
${{ secrets.DOCKERHUB_USERNAME != '' && format('{0}/skillpulse-backend:{1}', secrets.DOCKERHUB_USERNAME, github.sha) || format('skillpulse-backend:{0}', github.sha) }}
dockerfile: frontend/Dockerfile

- name: Build and push frontend
uses: docker/build-push-action@v7
- name: Setup Go
uses: actions/setup-go@v5
with:
context: ./frontend
push: ${{ vars.DEPLOY_ENABLED == 'true' }}
go-version-file: backend/go.mod
cache: true

- name: Run govulncheck
run: |
cd backend
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

build-scan-push:
name: Build, Scan & Push
runs-on: ubuntu-latest
needs: security

strategy:
fail-fast: false
matrix:
service: [backend, frontend]

steps:
- uses: actions/checkout@v4

- uses: docker/setup-buildx-action@v3

- name: Set TAG
run: echo "TAG=${GITHUB_SHA:0:7}" >> $GITHUB_ENV

- name: Configure AWS (OIDC)
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: ${{ secrets.AWS_REGION }}

- name: Login to ECR
uses: aws-actions/amazon-ecr-login@v2

- name: Build image
uses: docker/build-push-action@v6
with:
context: ./${{ matrix.service }}
load: true
push: false
tags: |
${{ secrets.DOCKERHUB_USERNAME != '' && format('{0}/skillpulse-frontend:latest', secrets.DOCKERHUB_USERNAME) || 'skillpulse-frontend:latest' }}
${{ secrets.DOCKERHUB_USERNAME != '' && format('{0}/skillpulse-frontend:{1}', secrets.DOCKERHUB_USERNAME, github.sha) || format('skillpulse-frontend:{0}', github.sha) }}
${{ env.REGISTRY }}/skillpulse-${{ matrix.service }}:${{ env.TAG }}
${{ env.REGISTRY }}/skillpulse-${{ matrix.service }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Trivy Scan
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/skillpulse-${{ matrix.service }}:${{ env.TAG }}
format: table
severity: CRITICAL,HIGH
exit-code: 1
ignore-unfixed: true
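Review bot: the Security Gate job runs Gitleaks on the default shallow checkout; give the `actions/checkout@v4` step in this job `with: fetch-depth: 0`, as the gitleaks-action README example does, so the pushed commit range is available to scan rather than only the tip commit. Two smaller points in the same job: `actions/setup-go@v5` is given `go-version-file: backend/go.mod` and `cache: true` but no `cache-dependency-path`, so the cache key is derived from a go.sum at the repository root instead of `backend/go.sum` (code-quality-check.yml in this PR sets `cache-dependency-path: backend/go.sum`; mirror it here), and `go install golang.org/x/vuln/cmd/govulncheck@latest` floats the scanner version on every run, so pin it to a release tag. The job also has no job-level `permissions:` block, which matters once `id-token: write` is moved off the workflow level as the comment above suggests.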
Comment on lines +92 to +99

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the latest version of aquasecurity/trivy-action GitHub Action?

💡 Result:

As of May 21, 2026, the latest version of the aquasecurity/trivy-action GitHub Action is v0.36.0, which was released on April 22, 2026 [1][2]. Users are advised to pin their GitHub Action versions to specific commit SHAs rather than using tags to ensure security and immutability, particularly in light of supply chain security incidents that occurred in March 2026 involving the compromise of several action tags [3][4][5].

Avoid aquasecurity/trivy-action@master in CI

aquasecurity/trivy-action@master is mutable and can change without notice; pin the action to an immutable ref. Latest release is v0.36.0 (tag it to at least this version, or better pin a commit SHA).

Proposed fix
       - name: Trivy Scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.36.0
         with:
🧰 Tools
🪛 zizmor (1.25.2)

[error] 93-93: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 92 - 99, The CI step named "Trivy
Scan" currently uses the mutable ref aquasecurity/trivy-action@master; update
the Trivy action reference in the Trivy Scan step (look for the "Trivy Scan"
job/name and the uses: aquasecurity/trivy-action@master line) to a stable,
immutable ref such as a release tag (e.g., v0.36.0) or a specific commit SHA,
and ensure any documentation/comments reflect the chosen pin to prevent
accidental drift.


- name: Push Images
run: |
IMAGE=$REGISTRY/skillpulse-${{ matrix.service }}
docker push $IMAGE:$TAG
docker push $IMAGE:latest
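Review bot: the Push Images step drops the `vars.DEPLOY_ENABLED == 'true'` gate that the removed `docker/build-push-action` steps carried (`push: ${{ vars.DEPLOY_ENABLED == 'true' }}`), so every run that passes the Trivy scan pushes both `:${TAG}` and a moving `:latest` tag to ECR; the visible part of the `on: push` trigger filters only by paths, so unless the collapsed lines restrict branches, feature-branch builds overwrite `:latest` too. Either restore the condition on this step (`if: vars.DEPLOY_ENABLED == 'true'`) or push `:latest` only from the release branch (`if: github.ref == 'refs/heads/main'`) and keep the SHA tag for everything else.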
59 changes: 59 additions & 0 deletions .github/workflows/code-quality-check.yml
@@ -0,0 +1,59 @@
name: Go lint

on:
push:
branches: [main,feat/dev]
workflow_dispatch:
#pull_request:
#branches:[feat/dev]
#
jobs:
validate:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
go-version: ["1.26"]
defaults:
run:
working-directory: ./backend
steps:
- name: checkout code
uses: actions/checkout@v4

- name: setup Go ${{ matrix.go-version}}
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go-version}}
cache: true
cache-dependency-path: backend/go.sum

- name: verify dependencies
run: go mod verify

- name: download dependencies
run: go mod download

- name: run go fmt check
run: |
if [ -n "$(gofmt -l .)" ]; then
echo "Go files must be formatted with gofmt"
gofmt -l .
exit 1
fi

- name: run go vet
run: go vet ./...

- name: run staticcheck
run: |
go install honnef.co/go/tools/cmd/staticcheck@latest
staticcheck ./...

- name: run golangci-lint
# Skip golangci-lint for Go 1.26 due to compatibility issues
if: matrix.go-version != '1.26'
uses: golangci/golangci-lint-action@v4
with:
version: latest
working-directory: backend
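Review bot: the golangci-lint step is dead code: the matrix is `go-version: ["1.26"]` only and the step is guarded by `if: matrix.go-version != '1.26'`, so it never runs and the workflow silently lints with only gofmt, `go vet` and staticcheck. Either remove the step until the compatibility issue named in the comment is resolved, or drop the guard and pin `golangci/golangci-lint-action` to a release that supports the toolchain instead of `version: latest`. Also, the `pull_request` trigger is commented out, so lint runs only after a push lands on `main` or `feat/dev` rather than on the PR that introduces the change; `go install honnef.co/go/tools/cmd/staticcheck@latest` floats the linter version on each run; and there is no `permissions:` block, where `contents: read` is all this job needs.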
97 changes: 97 additions & 0 deletions .github/workflows/dependency-scan.yml
@@ -0,0 +1,97 @@
name: Dependency Vulnerability Scan

on:
workflow_call:

jobs:
dependency-scan:
runs-on: ubuntu-latest

strategy:
fail-fast: false

matrix:
go-version: ["1.21", "1.22", "1.23"]

steps:

# ==============================
# Checkout Repository
# ==============================

- name: Checkout Code
uses: actions/checkout@v4
Comment on lines +22 to +23

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/dependency-scan.yml

Repository: LondheShubham153/github-actions-kubernetes-masterclass

Length of output: 3075


Pin actions to commit SHAs and disable checkout token persistence.

All uses: statements use version tags (v4, v5, 0.24.0) instead of commit SHAs, which leaves a supply-chain gap that zizmor flags. Additionally, actions/checkout@v4 persists the GITHUB_TOKEN to git config by default, but since all subsequent steps only read from the repository (never push), this token is unnecessary and should be disabled via persist-credentials: false.

Also applies to: 29-32, 77-79, 91-93

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 22-27: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-scan.yml around lines 22 - 23, Replace all
GitHub Action uses: entries that reference version tags (e.g.,
actions/checkout@v4, actions/setup-node@v5, docker/build-push-action@0.24.0)
with their corresponding commit SHAs to remove supply-chain ambiguity, and for
the checkout step(s) (the job step using actions/checkout) add
persist-credentials: false so the GITHUB_TOKEN is not written to git config
since we only read the repo; update the other occurrences called out (the steps
around lines 29-32, 77-79, 91-93) similarly to use pinned SHAs and, where they
are checkout steps, set persist-credentials: false.


# ==============================
# Setup Go Environment
# ==============================

- name: Setup Go ${{ matrix.go-version }}
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go-version }}

# ==============================
# Verify Go Installation
# ==============================

- name: Verify Go Version
run: go version

# ==============================
# Verify go.mod Exists
# ==============================

- name: Check go.mod
run: |
if [ ! -f go.mod ]; then
echo "go.mod file not found!"
exit 1
fi

# ==============================
# Install Dependencies
# ==============================

- name: Install Dependencies
run: |
go mod tidy
go mod download

# ==============================
# Run govulncheck
# ==============================

- name: Install govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest

- name: Run Dependency Vulnerability Scan
run: |
govulncheck ./...

# ==============================
# Run Trivy Filesystem Scan
# ==============================

- name: Run Trivy Filesystem Scan
uses: aquasecurity/trivy-action@0.24.0
with:
scan-type: fs
scan-ref: .
format: table
exit-code: 1
ignore-unfixed: true
severity: CRITICAL,HIGH

# ==============================
# Upload Trivy Report (Optional)
# ==============================

- name: Upload Trivy Report
if: always()
uses: actions/upload-artifact@v4
with:
name: trivy-dependency-report
path: trivy-results.sarif
if-no-files-found: ignore
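Review bot: the job runs every `go` command from the repository root, while the rest of this PR treats `backend/` as the module root (`cd backend` before govulncheck in ci.yml, `working-directory: ./backend` in code-quality-check.yml, `go-version-file: backend/go.mod`); unless a second go.mod exists at the root, the Check go.mod step exits 1 on every run and nothing after it executes. Add `defaults: run: working-directory: ./backend` to the job; note that this applies to `run` steps only, so the Trivy `scan-ref: .` still scans from the repository root, which is fine for a filesystem scan. Two further points: `go mod tidy` in the Install Dependencies step rewrites go.mod/go.sum on the runner, which hides a stale or incomplete go.sum instead of failing the build, so prefer `go mod verify` then `go mod download` as code-quality-check.yml does. And the `1.21`, `1.22`, `1.23` matrix is older than the `1.26` used by code-quality-check.yml; if the `go` directive in backend/go.mod is newer than the installed toolchain, Go 1.21+ auto-downloads the newer toolchain under the default GOTOOLCHAIN=auto, so the three matrix entries end up testing the same toolchain.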
Comment on lines +77 to +97

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

trivy-action aquasecurity format table output files

💡 Result:

To generate a table-formatted output file using aquasecurity/trivy-action, you must configure both the format and output inputs within your workflow step [1][2][3]. By default, trivy-action outputs the results to the job logs in a human-readable table format [4][5]. To capture this output into a file instead of (or in addition to) seeing it in the logs, set the format input to table and provide a file path via the output input [1][2]. Example workflow configuration:

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@v0.36.0
      with:
        image-ref: 'your-image:tag'
        format: 'table'
        output: 'trivy-results.txt'

Because the table format uses characters that may not render correctly in GitHub's markdown-based Step Summaries or PR comments, it is a common practice to wrap the file content in a markdown code block if you intend to post it to a PR or summary [6][7]. For example, when posting the results as a comment:

    - name: Format Trivy Scan Result
      run: |
        if [ -s trivy-results.txt ]; then
          echo -e "## Vulnerability Scan Results\n\n```\n$(cat trivy-results.txt)\n```" > formatted-trivy-result.md
        fi

This ensures that the table remains aligned and readable within the GitHub interface [6][7].

🌐 Web query:

trivy-action@0.24.0 SARIF format output filename

💡 Result:

In trivy-action, including version 0.24.0, the SARIF format output filename is not determined by a hardcoded default; rather, it is specified by the user using the output input parameter [1][2][3]. To generate a SARIF report and save it to a specific filename, you must explicitly configure the format and output parameters within your workflow step [3][4]:

- format: 'sarif'
- output: 'filename.sarif'

Common usage involves defining a filename, such as trivy-results.sarif, and then referencing that same filename in subsequent steps, such as when uploading to the GitHub Security tab via the codeql-action [1][5][6]. Example configuration:

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.24.0
      with:
        scan-type: 'fs'
        format: 'sarif'
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: 'trivy-results.sarif'

Please note that for trivy-action versions (including 0.24.0), there is an input parameter called limit-severities-for-sarif [2][3][4]. By default, this is false, meaning SARIF output will include all detected vulnerabilities regardless of the configured severity filters [5][7][3]. If you wish to enforce your severity filters in the SARIF output, you must set limit-severities-for-sarif: true [2][3].

Trivy scan with format: table will not produce the trivy-results.sarif file.

The scan is configured to output in table format without specifying an output parameter. This causes Trivy to write only to the job logs, not to any file. Lines 95–96 attempt to upload trivy-results.sarif, but since no file is created, the upload step silently no-ops due to if-no-files-found: ignore. Scan findings are never preserved as artifacts.

To fix, set format: sarif and specify the output filename:

Proposed fix
       - name: Run Trivy Filesystem Scan
         uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: fs
           scan-ref: .
-          format: table
+          format: sarif
+          output: trivy-results.sarif
           exit-code: 1
           ignore-unfixed: true
           severity: CRITICAL,HIGH
🧰 Tools
🪛 zizmor (1.25.2)

[error] 78-78: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 93-93: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-scan.yml around lines 77 - 97, The Trivy scan
step ("Run Trivy Filesystem Scan") currently uses format: table and no output,
so it doesn't generate trivy-results.sarif for the "Upload Trivy Report" step;
change the scan step to use format: sarif and add an output parameter to write
the SARIF to trivy-results.sarif (e.g., set output: trivy-results.sarif) so the
"Upload Trivy Report" upload step can find and persist the report; ensure only
the scan step settings (format and output filename) and any related path
references are updated, leaving the "Upload Trivy Report" step intact.

52 changes: 52 additions & 0 deletions .github/workflows/deploy-to-server.yml
@@ -0,0 +1,52 @@
# this will deploy the safe / secure / tested app to Prod server
name: Deploy To Server

on:
workflow_call:


jobs:
deploy:
runs-on: ubuntu-latest
env:
DOCKERHUB_USER: ${{ vars.DOCKERHUB_USER }}
DOCKER_TAG: ${{ github.sha }}

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: SSH to Prod server & create app folder
uses: appleboy/ssh-action@v1.0.3
with:
host: ${{ secrets.EC2_SSH_HOST }}
username: ${{ secrets.EC2_SSH_USER }}
key: ${{ secrets.EC2_SSH_PRIVATE_KEY }}
script: |
echo "Installing required packages & folders"
sudo apt-get update && sudo apt-get install docker.io docker-compose-v2 -y
sudo usermod -aG docker $USER
mkdir -p devops

- name: Copy the docker-compose file
uses: appleboy/scp-action@v1
with:
host: ${{ secrets.EC2_SSH_HOST }}
username: ${{ secrets.EC2_SSH_USER }}
key: ${{ secrets.EC2_SSH_PRIVATE_KEY }}
source: docker-compose.yml
target: ~/devops

- name: SSH to Prod server & run the app
uses: appleboy/ssh-action@v1.0.3
with:
host: ${{ secrets.EC2_SSH_HOST }}
username: ${{ secrets.EC2_SSH_USER }}
key: ${{ secrets.EC2_SSH_PRIVATE_KEY }}
script: |
echo "Running App"

export DOCKERHUB_USER=${{ vars.DOCKERHUB_USER }}
export DOCKER_TAG=${{ github.sha }}
echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login --username ${{ vars.DOCKERHUB_USER }} --password-stdin
cd ~/devops && docker compose down && docker compose up -d --build --force-recreate --pull always
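Review bot: both `script:` blocks interpolate secrets and variables straight into the remote shell text (`echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login ...`, `export DOCKER_TAG=${{ github.sha }}`), which is what zizmor reports as template-injection at lines 49 and 51, and it ships the registry token as a literal inside the script sent to the host. `appleboy/ssh-action` has an `envs:` input for exactly this: keep the values in the step `env:` (the job already defines `DOCKERHUB_USER` and `DOCKER_TAG`, so the two `export` lines are redundant), add `DOCKERHUB_TOKEN` there, list the names under `envs:`, and reference them as `$DOCKERHUB_TOKEN`, `$DOCKERHUB_USER` and `$DOCKER_TAG` in the script so `--password-stdin` reads from an environment variable rather than an expanded literal. Smaller points: the first step runs `apt-get update && apt-get install` on every deploy, and `usermod -aG docker $USER` only takes effect for new sessions, which works here only because the third step opens a fresh SSH session.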
Comment on lines +31 to +52

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the full deploy-to-server.yml workflow
cat -n .github/workflows/deploy-to-server.yml

Repository: LondheShubham153/github-actions-kubernetes-masterclass

Length of output: 2456


🏁 Script executed:

# Check if docker-compose.yml exists and examine its content
if [ -f docker-compose.yml ]; then
  echo "=== docker-compose.yml ===" 
  cat -n docker-compose.yml
else
  echo "docker-compose.yml not found in root"
  # Search for docker-compose files
  find . -name "docker-compose*.yml" -o -name "docker-compose*.yaml" | head -20
fi

Repository: LondheShubham153/github-actions-kubernetes-masterclass

Length of output: 1733


🏁 Script executed:

# Check for Docker build workflows in the repo
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) | head -20

Repository: LondheShubham153/github-actions-kubernetes-masterclass

Length of output: 505


Remove --build flag—the server doesn't have the build contexts.

The docker-compose.yml defines build: ./backend and build: ./frontend, but the workflow only copies the compose file itself. When Docker Compose runs with --build, it will fail trying to locate those directories on the server. Since images are already built in CI and pushed to DockerHub (per docker-build-push.yml), use --pull always to fetch pre-built images instead.

Proposed fix
-                 cd ~/devops && docker compose down && docker compose up -d --build --force-recreate --pull always
+                 cd ~/devops && docker compose down && docker compose up -d --force-recreate --pull always
🧰 Tools
🪛 zizmor (1.25.2)

[info] 49-49: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[info] 51-51: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 32-32: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 41-41: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-to-server.yml around lines 31 - 52, In the "SSH to
Prod server & run the app" step, remove the --build flag from the docker compose
up command in the script (the line currently running cd ~/devops && docker
compose down && docker compose up -d --build --force-recreate --pull always) so
Compose doesn't try to build local contexts; keep --pull always (and
--force-recreate, -d) so the server pulls the pre-built images pushed by CI and
recreates containers from those images.

46 changes: 46 additions & 0 deletions .github/workflows/devsecops-pipeline.yml
@@ -0,0 +1,46 @@
name: DevSecOps End To End Pipeline

on:
push:
branches:
- main
- feat/dev

jobs:
Comment on lines +3 to +9

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit workflow permissions to enforce least privilege.

Without a permissions: block, token scope is left to repo/org defaults, which is weaker than explicit least-privilege.

Suggested patch
 on: 
     push:
         branches: 
           - main
           - feat/dev
+
+permissions:
+    contents: read
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/devsecops-pipeline.yml around lines 3 - 9, Add an explicit
top-level GitHub Actions permissions block (placed at the workflow root
alongside the existing "on: push" and before "jobs:") that enumerates only the
token scopes your pipeline needs; update the workflow to replace implicit
repo/org defaults with least-privilege entries (for example set contents: read
and any other minimal scopes required by your jobs such as id-token: write only
if using OIDC, or checks: write if you create checks), and ensure the
permissions list is kept minimal and aligned to the actions run in the jobs
section.

# CI (Continous Integration with Security Scanning)
code-quality:
uses: ./.github/workflows/code-quality-check.yml

secrets-scan:
uses: ./.github/workflows/secret-scan.yml
secrets: inherit

dependency-scan:
uses: ./.github/workflows/dependency-scan.yml

docker-scan:
uses: ./.github/workflows/docker-lint.yml

# Build once the security scans and tests are complete
build:
needs: [code-quality, secrets-scan, dependency-scan, docker-scan]
uses: ./.github/workflows/docker-build-push.yml
secrets: inherit

tests:
uses: ./.github/workflows/tests.yml

# Image scan
trivy:
needs: [build]
uses: ./.github/workflows/image-scan.yml
secrets: inherit


# CD : Deploy to Production
deploy:
needs: [trivy]
uses: ./.github/workflows/deploy-to-server.yml
Comment on lines +24 to +43

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Gate build/deploy on tests to prevent shipping unverified code.

tests is not in the dependency chain for build/trivy/deploy, so deployment can proceed even if tests fail.

Suggested patch
     # Build once the security scans and tests are complete
     build:
-        needs: [code-quality, secrets-scan, dependency-scan, docker-scan]
+        needs: [code-quality, secrets-scan, dependency-scan, docker-scan, tests]
         uses: ./.github/workflows/docker-build-push.yml
         secrets: inherit
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 25-28: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[warning] 30-33: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[warning] 34-40: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[warning] 27-27: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)


[warning] 36-36: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)


[warning] 43-43: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/devsecops-pipeline.yml around lines 24 - 43, The pipeline
currently allows build/trivy/deploy to run before the tests job completes;
update the job dependencies so tests are required before building/deploying by
adding the tests job to the build job's needs array (i.e., change build's needs
to include "tests" alongside code-quality, secrets-scan, dependency-scan,
docker-scan) so that build -> trivy -> deploy cannot run unless tests succeed.

secrets: inherit
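Review bot: the `deploy` job is reachable from every push to `feat/dev` as well as `main` (the trigger lists both branches and nothing in the `build -> trivy -> deploy` chain checks the ref), so a push to the development branch that passes the scans redeploys the production server through deploy-to-server.yml. Gate the caller job with `if: github.ref == 'refs/heads/main'` (or route `feat/dev` to a separate target), and set an `environment:` with required reviewers on the job inside deploy-to-server.yml if manual approval is wanted. Also, `secrets: inherit` is used on four of the called workflows; deploy-to-server.yml needs only `EC2_SSH_HOST`, `EC2_SSH_USER`, `EC2_SSH_PRIVATE_KEY` and `DOCKERHUB_TOKEN`, so declare those under `on.workflow_call.secrets` in the reusable workflow and pass them explicitly instead of forwarding every repository secret. Minor: the comment reads `Continous`; `Continuous`.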

