feat: Implement DevSecOps pipeline with security scanning + Automated Ollama Deployment

.env.example

@@ -0,0 +1,8 @@
+# Database credentials for Docker Compose
+DB_ROOT_PASSWORD=your_root_password_here
+DB_USERNAME=your_db_username_here
+DB_PASSWORD=your_db_password_here
+
+# Docker Hub (for deployment - uses commit SHA from CI/CD)
+DOCKERHUB_USER=your_dockerhub_username
+DOCKER_TAG=${DOCKER_TAG:-latest}

.github/workflows/code-quality.yml

@@ -0,0 +1,29 @@
+# Linting and SAST scan for Java
+# Lint: Checkstyle (via Maven)  |  SAST: SpotBugs (via Maven)
+
+name: Code Quality
+
+on:
+  workflow_call:
+
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Java 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Run Checkstyle (Lint)
+        run: mvn checkstyle:check
+
+      - name: Run SpotBugs (SAST)
+        run: mvn spotbugs:check

.github/workflows/dast-scan.yml

@@ -0,0 +1,38 @@
+name: DAST - Dynamic Security Scan
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  dast:
+    name: DAST - OWASP ZAP
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Wait for Application Warmup
+        run: |
+          echo "Waiting for application to be fully ready..."
+          sleep 15
+
+      - name: Run OWASP ZAP Baseline Scan
+        uses: zaproxy/action-baseline@v0.15.0
+        continue-on-error: true
+        with:
+          target: 'http://${{ secrets.EC2_SSH_HOST }}:8080'
+          rules_file_name: '.zap/rules.tsv'
+          cmd_options: '-a'
+          fail_action: false
+          allow_issue_writing: false
+
+      - name: Upload ZAP Scan Report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: zap-dast-report
+          path: report_html.html
+          retention-days: 30

.github/workflows/dependency-scan.yml

@@ -0,0 +1,43 @@
+name: Dependency scan
+
+on:
+  workflow_call:
+
+jobs:
+  dependency-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Java 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Cache OWASP NVD Database
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository/org/owasp/dependency-check-data
+          key: owasp-nvd-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            owasp-nvd-${{ runner.os }}-
+
+      - name: Run OWASP Dependency-Check
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+        run: |
+          mvn org.owasp:dependency-check-maven:12.2.0:check \
+            -DnvdApiKey="${NVD_API_KEY}" \
+            -DfailBuildOnCVSS=7 \
+            -DsuppressionFile=suppression.xml || true
+
+      - name: Upload Dependency Check Report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: owasp-dependency-check-report
+          path: target/dependency-check-report.html

.github/workflows/deploy-to-server.yml

@@ -0,0 +1,101 @@
+# Deploy the safe / secure / tested image to prod server
+# DEFAULT: Method 2 (Separate Ollama EC2)
+# To use Method 1 (All-in-One), see comments below
+
+name: Deploy to Server
+
+on:
+  workflow_call:
+
+
+jobs:
+
+  deploy:
+
+    env:
+      DOCKERHUB_USER: ${{ vars.DOCKERHUB_USER }}
+      DOCKER_TAG: ${{ github.sha }}
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: SSH to prod server — install Docker
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.EC2_SSH_HOST }}
+          username: ${{ secrets.EC2_SSH_USER }}
+          key: ${{ secrets.EC2_SSH_PRIVATE_KEY }}
+          script: |
+            sudo apt-get update && sudo apt-get install -y docker.io docker-compose-v2
+            sudo usermod -aG docker $USER
+            mkdir -p ~/devops
+
+      # METHOD 2 (Default): Copy app-tier.yml for separate Ollama EC2
+      - name: Copy app-tier compose file to server
+        uses: appleboy/scp-action@v1
+        with:
+          host: ${{ secrets.EC2_SSH_HOST }}
+          username: ${{ secrets.EC2_SSH_USER }}
+          key: ${{ secrets.EC2_SSH_PRIVATE_KEY }}
+          source: app-tier.yml
+          target: ~/devops
+
+      # METHOD 1 (Alternative): Uncomment below and comment above for all-in-one setup
+      # - name: Copy docker-compose file to server
+      #   uses: appleboy/scp-action@v1
+      #   with:
+      #     host: ${{ secrets.EC2_SSH_HOST }}
+      #     username: ${{ secrets.EC2_SSH_USER }}
+      #     key: ${{ secrets.EC2_SSH_PRIVATE_KEY }}
+      #     source: docker-compose.yml
+      #     target: ~/devops
+
+      - name: SSH to prod server — run the app
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.EC2_SSH_HOST }}
+          username: ${{ secrets.EC2_SSH_USER }}
+          key: ${{ secrets.EC2_SSH_PRIVATE_KEY }}
+          script: |
+            cd ~/devops
+            # METHOD 2 (Default): Using app-tier.yml with separate Ollama EC2
+            cat > .env << 'EOF'
+            DOCKERHUB_USER=${{ vars.DOCKERHUB_USER }}
+            DOCKER_TAG=${{ github.sha }}
+            DB_USERNAME=${{ secrets.DB_USERNAME }}
+            DB_PASSWORD=${{ secrets.DB_PASSWORD }}
+            DB_ROOT_PASSWORD=${{ secrets.DB_ROOT_PASSWORD }}
+            OLLAMA_URL=${{ secrets.OLLAMA_URL }}
+            EOF
+            echo ${{ secrets.DOCKERHUB_TOKEN }} | sudo docker login --username ${{ vars.DOCKERHUB_USER }} --password-stdin
+            sudo docker compose -f app-tier.yml down
+            sudo docker compose -f app-tier.yml pull
+            sudo docker compose -f app-tier.yml up -d --force-recreate
+
+            # METHOD 1 (Alternative): Uncomment below and comment above for all-in-one setup
+            # cat > .env << 'EOF'
+            # DOCKERHUB_USER=${{ vars.DOCKERHUB_USER }}
+            # DOCKER_TAG=${{ github.sha }}
+            # DB_USERNAME=${{ secrets.DB_USERNAME }}
+            # DB_PASSWORD=${{ secrets.DB_PASSWORD }}
+            # DB_ROOT_PASSWORD=${{ secrets.DB_ROOT_PASSWORD }}
+            # EOF
+            # echo ${{ secrets.DOCKERHUB_TOKEN }} | sudo docker login --username ${{ vars.DOCKERHUB_USER }} --password-stdin
+            # sudo docker compose down
+            # sudo docker compose pull
+            # sudo docker compose up -d --force-recreate
+
+            # Clean up old images (keep only current + previous version)
+            sudo docker images ${{ vars.DOCKERHUB_USER }}/bankapp --format "{{.ID}}" | tail -n +3 | xargs -r sudo docker rmi -f || true
+            echo "✅ Cleaned up old Docker images"
+
+      - name: Wait for application to be ready
+        run: |
+          echo "Waiting for application to start..."
+          sleep 30
+          curl -f http://${{ secrets.EC2_SSH_HOST }}:8080/actuator/health || exit 1
+          echo "✅ Application is healthy!"
+

.github/workflows/devsecops-pipeline.yml

@@ -0,0 +1,69 @@
+name: DevSecOps end-to-end pipeline
+
+on:
+  workflow_dispatch:
+  # push:
+  #   branches:
+  #     - main
+  #     - devsecops
+  # pull_request:
+  #   branches:
+  #     - main
+
+
+jobs:
+
+  # CI Security Scans
+
+  code-quality:
+    uses: ./.github/workflows/code-quality.yml
+
+  secrets-scan:
+    uses: ./.github/workflows/secrets-scan.yml
+    secrets: inherit
+
+  dependency-scan:
+    uses: ./.github/workflows/dependency-scan.yml
+    secrets: inherit
+
+  docker-scan:
+    uses: ./.github/workflows/docker-lint.yml
+
+
+  # SAST — Static Application Security Testing
+
+  sast-scan:
+    needs: [code-quality, secrets-scan, dependency-scan, docker-scan]
+    uses: ./.github/workflows/sast-scan.yml
+    secrets: inherit
+
+
+  #  Build — only after all scans pass
+
+  build:
+    needs: [sast-scan]
+    uses: ./.github/workflows/docker-build-push.yml
+    secrets: inherit
+
+
+  #  Image scan — scan the freshly built image with Trivy
+
+  trivy:
+    needs: [build]
+    uses: ./.github/workflows/image-scan.yml
+    secrets: inherit
+
+
+  # Deploy — to prod server only after image is verified clean
+
+  deploy:
+    needs: [trivy]
+    uses: ./.github/workflows/deploy-to-server.yml
+    secrets: inherit
+
+  # DAST — scan the live application after deployment
+
+  dast-scan:
+    needs: [deploy]
+    uses: ./.github/workflows/dast-scan.yml
+    secrets: inherit

.github/workflows/docker-build-push.yml

@@ -0,0 +1,29 @@
+name: Docker build & push
+
+on:
+  workflow_call:
+
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v4
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and Push to Docker Hub
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ vars.DOCKERHUB_USER }}/bankapp:${{ github.ref_name }}
+            ${{ vars.DOCKERHUB_USER }}/bankapp:latest
+            ${{ vars.DOCKERHUB_USER }}/bankapp:${{ github.sha }}

.github/workflows/docker-lint.yml

@@ -0,0 +1,19 @@
+# Scan the Dockerfile for issues and best-practice violations
+name: Docker lint
+
+on:
+  workflow_call:
+
+
+jobs:
+  validate-dockerfile:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Validate Dockerfile
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile

.github/workflows/image-scan.yml

@@ -0,0 +1,29 @@
+# Uses Trivy image scanner for CVEs — scans the built Docker image
+name: Image Scanner
+
+on:
+  workflow_call:
+
+
+jobs:
+  image-scanner:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Trivy scanner
+        uses: aquasecurity/trivy-action@0.35.0
+        with:
+          image-ref: ${{ vars.DOCKERHUB_USER }}/bankapp:${{ github.sha }}
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+          trivyignores: .trivyignore
+          trivy-config: trivy.yaml

.github/workflows/sast-scan.yml

@@ -0,0 +1,24 @@
+name: SAST - Static Security Scan
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  sast:
+    name: SAST - Semgrep
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Run Semgrep SAST Scanner
+        uses: semgrep/semgrep-action@v1
+        with:
+          config: >-
+            p/java
+            p/owasp-top-ten
+            p/secrets