A hands-on DevSecOps security lab built as part of my M.S. IT coursework at Deakin University.
This project uses a deliberately vulnerable Node.js application to demonstrate real-world security scanning, CI/CD pipeline integration, and containerised deployment.
Tech stack: Node.js, JavaScript, Docker, Jenkins, Snyk, SonarQube, MongoDB
- Vulnerability scanning — using Snyk to detect known CVEs in npm dependencies
- Static code analysis — SonarQube integration via `sonar-project.properties`
- CI/CD pipeline — automated build, test, and security scan via `Jenkinsfile`
- Docker — containerised app with `Dockerfile` and `docker-compose.yml`
- Security exploits demonstrated:
  - NoSQL Injection
  - Cross-site Scripting (XSS)
  - Open Redirect
  - Command Injection
  - Hardcoded secrets
  - Directory Traversal
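As an added example (not code from the repository), the snippet below contrasts the vulnerable query-building pattern behind the NoSQL Injection item with a hardened one, plus a small detection helper. It assumes an Express app that parses JSON request bodies and passes the resulting filter to the MongoDB driver's `findOne()`; the request bodies are constructed for illustration.

```javascript
'use strict';
// Added example for the NoSQL Injection item; not code from the 8.2CDevSecOps
// project. With express.json() or body-parser in place, a body such as
// {"username": {"$ne": null}} arrives as an object, and handing it straight to
// collection.findOne() yields a filter that matches every user document.

const USERNAME_RE = /^[A-Za-z0-9_.-]{1,64}$/;

// Vulnerable pattern: the client-controlled value becomes the filter verbatim.
function buildUserFilterVulnerable(body) {
  return { username: body.username };
}

// Hardened pattern: reject anything that is not a plain string of the expected
// shape, then pin the comparison to $eq so no operator can be smuggled in.
// The password is deliberately kept out of the query; it should be checked
// against a stored hash after the user document has been loaded.
function buildUserFilterSafe(body) {
  const username = body && body.username;
  if (typeof username !== 'string') {
    throw new TypeError('username must be a string');
  }
  if (!USERNAME_RE.test(username)) {
    throw new RangeError('username has an unexpected shape');
  }
  return { username: { $eq: username } };
}

// Detection helper: does a parsed body carry a Mongo operator key ($ne, $gt,
// $where, ...) at any depth? Useful for request logging or an alerting rule.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || containsOperator(value[k]),
    );
  }
  return false;
}

// Constructed request bodies (not captured from the project).
const benignBody = { username: 'alice', password: 'correct-horse' };
const injectedBody = JSON.parse(
  '{"username":{"$ne":null},"password":{"$ne":null}}',
);
```

Running `containsOperator` on every parsed body before the route handler gives a cheap log signal for this class of request, while `buildUserFilterSafe` stops the query from ever being built.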
Getting started:

```bash
# Clone the repo
git clone https://github.com/SinghAkashdeep16/8.2CDevSecOps.git
cd 8.2CDevSecOps

# Install dependencies
npm install

# Start MongoDB (requires MongoDB 3)
docker run --rm -p 27017:27017 mongo:3

# Run the app
npm start
```

App runs at: http://localhost:3001

Run with Docker Compose:

```bash
docker-compose up --build
docker-compose down
```

Security scanning with Snyk:

```bash
# Install Snyk
npm install -g snyk

# Run vulnerability scan
snyk test

# Scan Docker image
snyk test --docker node:6-stretch --file=Dockerfile
```

Project structure:

```
├── routes/             # Express routes
├── views/              # Handlebars/EJS templates
├── exploits/           # Exploit demonstration scripts
├── tests/              # Test files
├── entity/             # Data entities
├── service/            # Business logic
├── Dockerfile          # Container definition
├── Jenkinsfile         # CI/CD pipeline
└── docker-compose.yml
```
Akashdeep Singh — github.com/SinghAkashdeep16
M.S. Information Technology | Deakin University, Melbourne