Newesissrl · raunodepasquale · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025 · Oct 29, 2025
diff --git a/.github/workflows/security-pr-check.yml b/.github/workflows/security-pr-check.yml
@@ -0,0 +1,143 @@
+name: Security PR Check
+
+on:
+  pull_request:
+    branches: [ main ]
+
+permissions:
+  contents: read
+  security-events: write # To upload SARIF files
+  pull-requests: write   # To comment on PRs (tflint)
+  issues: read           # For tflint
+
+
+jobs:
+  # Job 1: SAST with CodeQL
+  codeql:
+    name: CodeQL SAST Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: csharp, javascript, python
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+
+  # Job 2: Trivy 
+  trivy:
+    name: Trivy (Config & Vuln) Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Run Trivy filesystem scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          severity: 'HIGH,CRITICAL'
+          format: 'sarif'
+          output: 'trivy-fs.sarif'
+          exit-code: 1
+      - name: Upload Trivy SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-fs.sarif'
+          category: 'trivy-fs'
+
+  # Job 3: Gitleaks
+  gitleaks:
+    name: Gitleaks (Secret) Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        with:
+          report_format: sarif
+          report_path: gitleaks.sarif
+          fail: true
+      - name: Upload Gitleaks SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gitleaks.sarif
+          category: 'gitleaks'
+
+  # Job 4: Advanced IaC Scans
+  # This job runs Terraform-specific tools:
+  # - tfsec: Security best practices (SARIF)
+  # - checkov: Security & compliance (SARIF)
+  # - tflint: Linting and style (PR Comment)
+  iac-scans:
+    name: IaC Scans (tfsec, checkov, tflint)
+    runs-on: ubuntu-latest
+
+    # Permissions needed for SARIF upload and PR commenting
+    permissions:
+      contents: read
+      security-events: write 
+      pull-requests: write   
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # --- tfsec ---
+      - name: Run tfsec (SARIF)
+        uses: aquasecurity/tfsec-action@v1.2.0
+        with:
+          sarif_file: tfsec.sarif
+          working_directory: ./terraform
+          # Fail the job if issues are found
+          soft_fail: false 
+
+      - name: Upload tfsec SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: tfsec.sarif
+          category: 'tfsec'
+
+      # --- checkov ---
+      - name: Run checkov (SARIF)
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: ./terraform
+          framework: terraform
+          output_format: sarif
+          output_file_path: "checkov.sarif"
+          # Fail the job if issues are found
+          soft_fail: false
+
+      - name: Upload checkov SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: checkov.sarif
+          category: 'checkov'
+
+      # --- tflint ---
+      - name: Setup TFLint
+        uses: tflint-actions/setup-tflint@v4
+        with:
+          tflint_version: latest
+
+      - name: Init TFLint
+        # This initializes TFLint plugins
+        run: tflint --init
+        working-directory: ./terraform
+
+      - name: Run TFLint
+        uses: tflint-actions/tflint-action@v5
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          working_directory: ./terraform
+          # Post a comment to the PR
+          comment: true
+          # Fail the job if issues are found
+          error_on_fail: true
diff --git a/README.md b/README.md
@@ -176,22 +176,4 @@ packages/
 6. **Documentation** explaining architectural decisions and deployment strategies
 
 For detailed setup and configuration of individual services, see README files in each package directory.
-
-## How to Navigate the Evolution of the Project
-
-This repository is structured as a progressive learning path through different branches, each building upon the previous to demonstrate complete DevOps transformation:
-
-### **Branch Structure & Learning Path**
-
-- **`main`** - Starting point with pure application code (what developers deliver to DevOps teams)
-- **`phase1/containers`** - Basic containerization with Dockerfiles, docker-compose for local development, and GitHub Actions workflow for automated container builds and registry publishing
-- **`phase2/kubernetes`** - Kubernetes deployment manifests and basic orchestration setup
-- **`phase3/helm`** - Helm charts for templated Kubernetes deployments with environment management
-- **`phase4/devsecops`** - Security integration with SAST, container scanning, and infrastructure security validation
-- **`phase5/gitops`** - Complete GitOps implementation with Terraform infrastructure as code and automated deployments
-- **`phase6/secrets-management`** - SOPS encryption with AWS KMS for secure secrets management without long-lived credentials
-- **`phase7/versioning`** - Semantic versioning with GitVersion for automated release management, container tagging, and dependency management with Renovate - complete production-ready solution
-
-**Recommended Learning Sequence**: Start with `main` (raw application code) and progress through each phase to understand how DevOps practices transform a basic application into a production-ready system, culminating in the complete enterprise solution on `phase7/versioning` branch.
-
-**Disclaimer**: This project is designed for educational purposes to demonstrate DevOps automation workflows and best practices. While we strive for accuracy, we do not guarantee that every component will function flawlessly, as bugs may be present in the code examples.
+Line to force a commit
diff --git a/devops/terraform/.tflint.hcl b/devops/terraform/.tflint.hcl
@@ -0,0 +1,113 @@
+# TFLint Configuration for Terraform Security and Best Practices
+# This configuration enables comprehensive Terraform code analysis
+
+# TFLint Core Configuration
+config {
+  # Enable all available rules by default
+  disabled_by_default = false
+
+  # Enforce Terraform version constraints
+  force = false
+
+  # Enable colored output for better readability
+  format = "default"
+}
+
+# AWS Provider Plugin - Validates AWS-specific best practices
+plugin "aws" {
+  enabled = true
+  version = "0.27.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+
+  # Deep inspection mode for more thorough analysis
+  deep_check = true
+}
+
+# Terraform Core Rules - Language-specific validations
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+  format  = "snake_case"
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+# AWS-Specific Security Rules
+rule "aws_instance_invalid_type" {
+  enabled = true
+}
+
+rule "aws_instance_previous_type" {
+  enabled = true
+}
+
+rule "aws_route_specified_multiple_targets" {
+  enabled = true
+}
+
+rule "aws_security_group_rule_invalid_protocol" {
+  enabled = true
+}
+
+rule "aws_db_instance_invalid_type" {
+  enabled = true
+}
+
+rule "aws_elasticache_cluster_invalid_type" {
+  enabled = true
+}
+
+rule "aws_alb_invalid_security_group" {
+  enabled = true
+}
+
+rule "aws_alb_invalid_subnet" {
+  enabled = true
+}
+
+# Cost Optimization Rules
+rule "aws_instance_invalid_ami" {
+  enabled = true
+}
+
+rule "aws_launch_configuration_invalid_image_id" {
+  enabled = true
+}
+
+# Security Best Practices
+rule "aws_security_group_rule_invalid_cidr" {
+  enabled = true
+}
diff --git a/devops/terraform/backend/backend.enc.tfvars b/devops/terraform/backend/backend.enc.tfvars
@@ -0,0 +1,18 @@
+# This file is encrypted with SOPS - contains Terraform backend configuration secrets
+# To decrypt: sops -d backend.enc.tfvars
+# To edit: sops backend.enc.tfvars
+
+# S3 Backend Configuration (SOPS Encrypted)
+bucket = "terraform-state-123456789012-shared"
+region = "us-west-2"
+dynamodb_table = "terraform-state-lock"
+encrypt = true
+
+# KMS Key for State Encryption
+kms_key_id = "arn:aws:kms:us-west-2:123456789012:key/12345678-90ab-cdef-1234-567890abcdef"
+
+# Access Configuration
+role_arn = "arn:aws:iam::123456789012:role/TerraformBackendRole"
+
+# Note: This is a template - actual file should be encrypted with SOPS
+# Run: sops -e -i backend.enc.tfvars to encrypt this file