Note: This is a demonstration/portfolio project showcasing DevSecOps practices. The AWS infrastructure has been decommissioned.

This project demonstrates enterprise-grade security patterns:

• ✅ Non-root container users
• ✅ Read-only root filesystems
• ✅ Dropped Linux capabilities
• ✅ Multi-stage Docker builds (minimal attack surface)
• ✅ Health checks for all containers

• ✅ SecurityContext with runAsNonRoot: true
• ✅ allowPrivilegeEscalation: false
• ✅ Dedicated ServiceAccounts per workload
• ✅ Resource limits to prevent DoS
• ✅ Pod anti-affinity for high availability

• ✅ Trivy vulnerability scanning for images
• ✅ Bandit static analysis for Python
• ✅ Safety dependency vulnerability checks
• ✅ SonarQube integration ready

• ✅ Terraform state encryption (S3)
• ✅ DynamoDB state locking
• ✅ RDS deletion protection
• ✅ Private subnets for databases
• ✅ Security group least-privilege design

• ✅ Environment variables via .env (gitignored)
• ✅ Kubernetes Secrets (gitignored)
• ✅ Sensitive Terraform variables marked sensitive = true

When running locally, copy the example environment files:

cp .env.example .env
# Edit .env with your values

Never commit .env files or Kubernetes secrets to version control.