
KibouAkari/Security_pipeline_Owasp_Terraform


☁️ Infrastructure as Code with Terraform & Azure

This project demonstrates how to automate infrastructure deployment in Microsoft Azure using Terraform. The goal is to deploy the vulnerable web application OWASP Juice Shop via a CI/CD pipeline and automatically scan it for security vulnerabilities using OWASP ZAP.


🌍 Overview

The following Azure resources are defined and provisioned using Terraform:

  • Resource Group – Container for all resources
  • Azure Container Instance (ACI) – Hosts the Juice Shop container
  • Public DNS Label – Enables external access to the app
  • Random ID – Generates a unique DNS name
  • System-assigned Managed Identity – Secure access to Azure Container Registry (ACR)
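The following Terraform configuration is an added example, not the repository's own main.tf; it shows one way to declare the five resources listed above so that the listing can be read against concrete HCL. The resource names, the location switzerlandnorth (taken from the URL in Getting Started), the public Docker Hub image bkimminich/juice-shop, and the CPU/memory sizes are assumptions; wiring the identity to a registry with a role assignment is left out because no registry is defined on this page.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    random  = { source = "hashicorp/random", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

# Random ID: a short random suffix so the public DNS label is unique in the region.
resource "random_id" "dns" {
  byte_length = 4
}

# Resource Group: container for everything below (name is an assumption).
resource "azurerm_resource_group" "rg" {
  name     = "rg-juice-shop"
  location = "switzerlandnorth"
}

# Azure Container Instance hosting Juice Shop, exposed on port 3000 only.
resource "azurerm_container_group" "juice" {
  name                = "aci-juice-shop"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  os_type             = "Linux"
  ip_address_type     = "Public"

  # Public DNS Label: yields <label>.switzerlandnorth.azurecontainer.io
  dns_name_label = "juice-${random_id.dns.hex}"

  # System-assigned Managed Identity: Azure creates and rotates the credential;
  # its principal_id is exported for scoped role assignments (e.g. AcrPull) so
  # no registry password has to be stored in the pipeline.
  identity {
    type = "SystemAssigned"
  }

  container {
    name   = "juice-shop"
    image  = "bkimminich/juice-shop:latest" # public image; sizes are assumptions
    cpu    = "1"
    memory = "1.5"

    ports {
      port     = 3000
      protocol = "TCP"
    }
  }
}

# Matches the URL shape given under "Access the App".
output "juice_shop_url" {
  value = "http://${azurerm_container_group.juice.fqdn}:3000"
}

# Handy for a later azurerm_role_assignment; not a secret.
output "container_identity_principal_id" {
  value = azurerm_container_group.juice.identity[0].principal_id
}
```

Running terraform init followed by terraform plan against this file lists the four resources before anything is created; the azurerm provider reads its credentials from the ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID environment variables, which is how the GitHub secrets named under Getting Started reach Terraform without appearing in the code.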

⚙️ Technologies Used

  • Terraform – Infrastructure as Code
  • Azure – Cloud platform
  • Docker – Containerization
  • GitHub Actions – CI/CD pipeline
  • OWASP Juice Shop – Vulnerable web application for testing
  • OWASP ZAP – Automated security scanner

📂 Project Structure

.
├── .github/
│   └── workflows/
│       ├── cicd.yaml          # Terraform deployment + tests
│       └── zap_scan.yaml      # ZAP security scan
├── terraform/
│   ├── main.tf                # Azure infrastructure definitions
│   ├── variables.tf           # Input variables
│   ├── providers.tf           # Azure provider configuration
│   └── version.tf             # Required provider versions
├── tests/
│   └── test_example.py        # Placeholder test
├── zap/
│   └── reports/               # ZAP scan reports
├── zap-config/
│   ├── auth.context           # (not used) ZAP context file
│   └── zap-policy.xml         # (not used) ZAP scan policy
├── requirements.txt           # Python dependencies
├── README.md                  # Project documentation
└── .gitignore

🚀 Getting Started

Install Prerequisites

  • Terraform
  • Azure CLI
  • Docker
  • GitHub repository with Actions enabled

Configure GitHub Secrets

  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET
  • AZURE_SUBSCRIPTION_ID
  • AZURE_TENANT_ID

Trigger Deployment

  • A push to the main branch triggers the GitHub Actions pipeline

Access the App

  • After successful deployment, the app is available at:
    http://<random-dns>.switzerlandnorth.azurecontainer.io:3000

Run Security Scan

  • The zap_scan.yaml workflow scans the app and uploads the report as an artifact

🔐 Security Practices

  • Secrets are managed via GitHub Actions Secrets
  • Terraform uses an Azure Service Principal with minimal privileges
  • OWASP ZAP detects common vulnerabilities like XSS and SQL Injection

🎯 Goals

  • Understand and apply Infrastructure as Code with Azure
  • Enable automated and secure deployment using GitHub Actions
  • Integrate security scans into CI/CD (DevSecOps)
