This project implements a comprehensive DevSecOps pipeline for a deliberately vulnerable Angular application to demonstrate security scanning capabilities in CI/CD.
The pipeline includes the following security stages:
- Secrets Scanning - Using TruffleHog OSS to detect exposed credentials
- Static Application Security Testing (SAST) - Using CodeQL with JavaScript, Angular, and Node.js rulesets
- Software Composition Analysis (SCA) - Using OWASP Dependency-Check to identify vulnerable dependencies
- Software Bill of Materials (SBOM) - Using CycloneDX to generate a comprehensive inventory of components
- Dynamic Application Security Testing (DAST) - Using OWASP ZAP to perform runtime security testing
- Vulnerability Reporting - Aggregating all findings in DefectDojo
To run the pipeline you need:
- A GitHub account
- Docker and Docker Compose installed
- Access to a DefectDojo instance (or run one locally using the provided docker-compose file)
The workflow runs when you either:
- Push your code to GitHub, which triggers the workflow automatically
- Manually trigger the workflow from the GitHub Actions tab
To run DefectDojo locally:

```sh
cd defectdojo
docker-compose up -d
```

Access DefectDojo at http://localhost:8080 with credentials:
- Username: admin
- Password: admin
The pipeline is designed to detect:
- Secrets and credentials exposed in code
- XSS vulnerabilities in Angular code
- Vulnerable dependencies in both frontend and backend
Scan results from all security tools are aggregated in DefectDojo for:
- Centralized vulnerability management
- Tracking remediation progress
- Generating comprehensive reports
- Historical security trend analysis
When importing ZAP scan results into DefectDojo, use the XML format (report_xml.xml), which is the format DefectDojo's ZAP parser is built for. The site and instance URLs in the XML report must be absolute and use fully qualified domain names, otherwise DefectDojo's ZAP parser will not parse them correctly.
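A pre-import check for that requirement, written as an added example for this README (it is not part of the project's pipeline): it parses a ZAP XML report, rejects any relative URL or bare host name, and maps CI-internal host names to fully qualified ones through an assumed HOST_MAP. The sample report, the finding it contains and the example.test host names are constructed for the example.

```python
"""Check and normalize host names in a ZAP XML report before importing it into DefectDojo.

Added example, not part of the project: DefectDojo's ZAP parser expects absolute URLs
with fully qualified host names, so CI-internal names (localhost, compose service
names) are mapped to the names the application is actually reached by.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample with the structure ZAP writes to report_xml.xml; the finding,
# host names and values are made up for this example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.14.0" generated="Mon, 1 Jan 2024 00:00:00">
  <site name="http://localhost:4200" host="localhost" port="4200" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <instances>
          <instance>
            <uri>http://localhost:4200/search?q=test</uri>
            <method>GET</method>
            <param>q</param>
          </instance>
          <instance>
            <uri>http://api:3000/comments</uri>
            <method>POST</method>
            <param>body</param>
          </instance>
        </instances>
        <count>2</count>
        <cweid>79</cweid>
        <wascid>8</wascid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

# Assumed mapping from CI-internal host names to externally resolvable names.
HOST_MAP = {"localhost": "app.example.test", "api": "api.example.test"}


def is_fqdn(host: str) -> bool:
    """True for a dotted DNS name; bare names and IP literals are rejected."""
    if not host or "." not in host or host.replace(".", "").isdigit():
        return False
    labels = host.rstrip(".").split(".")
    return all(label and label.replace("-", "").isalnum() for label in labels)


def rewrite_url(url: str, host_map: dict) -> str:
    """Return url with its host mapped through host_map; reject anything that is
    not an absolute URL with a fully qualified host."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    host = host_map.get(parts.hostname, parts.hostname)
    if not is_fqdn(host):
        raise ValueError(f"host {host!r} in {url!r} is not fully qualified")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def normalize_report(xml_text: str, host_map: dict) -> tuple:
    """Rewrite <site name/host> and every <uri> in the report. Returns the new
    XML text and the number of values that were changed."""
    root = ET.fromstring(xml_text)
    changed = 0
    for site in root.iter("site"):
        new_name = rewrite_url(site.get("name"), host_map)
        if new_name != site.get("name"):
            site.set("name", new_name)
            site.set("host", urlsplit(new_name).hostname)
            changed += 1
        for uri in site.iter("uri"):
            new_uri = rewrite_url(uri.text, host_map)
            if new_uri != uri.text:
                uri.text = new_uri
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    # Usage: python normalize_zap_report.py report_xml.xml report_xml.fqdn.xml
    # Without arguments the constructed sample is normalized and printed.
    if len(sys.argv) == 3:
        text = open(sys.argv[1], encoding="utf-8").read()
        out, n = normalize_report(text, HOST_MAP)
        open(sys.argv[2], "w", encoding="utf-8").write(out)
    else:
        out, n = normalize_report(SAMPLE_REPORT, HOST_MAP)
        print(out)
    print(f"rewrote {n} URL value(s)", file=sys.stderr)
```

Run it over report_xml.xml before the DefectDojo import; a ValueError names the first URL the parser would choke on, which is cheaper to diagnose here than as a silently empty import.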
See the docs/screenshots directory for:
- Successful SAST scan results
- Identified XSS vulnerabilities
- DefectDojo dashboard
All security scan results are stored in the docs/reports directory for easy access and review:
- TruffleHog Results - trufflehog-results.json
- CodeQL SAST Results - codeql-results.sarif
- OWASP Dependency-Check Results - dependency-check-*.sarif
- CycloneDX SBOM - Separate SBOMs for both components:
  - API: angular-xss-api-sbom.json
  - Frontend: angular-xss-frontend-sbom.json
- ZAP DAST Reports - Multiple formats available:
  - JSON format: report_json.json
  - Markdown format: report_md.md
  - HTML format: report_html.html
  - XML format: report_xml.xml
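For the aggregation into DefectDojo described above, an added example (not the project's own code) that uploads each of these report files to DefectDojo's import-scan endpoint, choosing the parser from the file name. It assumes a DefectDojo 2.x instance with an API v2 key and an existing engagement id, and that the parser names in SCAN_TYPES match your DefectDojo version; the DD_* environment variable names are chosen for this example.

```python
"""Import the reports under docs/reports into DefectDojo through its REST API.

Added example, not part of the project. It assumes a DefectDojo 2.x instance
(default http://localhost:8080), an API v2 key, and an existing engagement id;
the scan_type values are the parser names DefectDojo accepts on import-scan and
should be checked against your instance version.
"""
import json
import os
import sys
import urllib.request
import uuid
from pathlib import Path

# Report file name -> DefectDojo scan_type (parser) that reads it. Only the ZAP
# XML format is imported; the JSON/Markdown/HTML variants are for humans.
SCAN_TYPES = {
    "trufflehog-results.json": "Trufflehog Scan",
    "codeql-results.sarif": "SARIF",
    "angular-xss-api-sbom.json": "CycloneDX Scan",
    "angular-xss-frontend-sbom.json": "CycloneDX Scan",
    "report_xml.xml": "ZAP Scan",
}


def scan_type_for(filename: str) -> str:
    """Pick the parser for a report file; dependency-check-*.sarif also goes
    through the generic SARIF parser."""
    if filename in SCAN_TYPES:
        return SCAN_TYPES[filename]
    if filename.startswith("dependency-check-") and filename.endswith(".sarif"):
        return "SARIF"
    raise ValueError(f"no DefectDojo parser configured for {filename}")


def build_fields(filename: str, engagement_id: int) -> dict:
    """Form fields for POST /api/v2/import-scan/ (all values are sent as strings)."""
    return {
        "scan_type": scan_type_for(filename),
        "engagement": str(engagement_id),
        "active": "true",
        "verified": "false",
        "minimum_severity": "Info",
        "close_old_findings": "false",
    }


def encode_multipart(fields: dict, file_field: str, filename: str, content: bytes):
    """Hand-rolled multipart/form-data body so only the standard library is needed.
    Returns (body, content_type_header)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    parts += [
        f"--{boundary}",
        f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
        "Content-Type: application/octet-stream",
        "",
    ]
    head = ("\r\n".join(parts) + "\r\n").encode("utf-8")
    tail = f"\r\n--{boundary}--\r\n".encode("utf-8")
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def import_scan(base_url: str, api_key: str, engagement_id: int, path: Path) -> dict:
    """Upload one report and return DefectDojo's JSON response (test id, counts)."""
    body, content_type = encode_multipart(
        build_fields(path.name, engagement_id), "file", path.name, path.read_bytes()
    )
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/import-scan/",
        data=body,
        method="POST",
        headers={"Authorization": f"Token {api_key}", "Content-Type": content_type},
    )
    with urllib.request.urlopen(request, timeout=120) as response:
        return json.load(response)


if __name__ == "__main__":
    # Usage: DD_URL=http://localhost:8080 DD_API_KEY=... DD_ENGAGEMENT=1 python import_reports.py docs/reports
    base_url = os.environ.get("DD_URL", "http://localhost:8080")
    api_key = os.environ["DD_API_KEY"]
    engagement = int(os.environ["DD_ENGAGEMENT"])
    reports_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "docs/reports")
    for report in sorted(p for p in reports_dir.rglob("*") if p.is_file()):
        try:
            scan_type_for(report.name)
        except ValueError as exc:
            print(f"skip {report.name}: {exc}", file=sys.stderr)
            continue
        result = import_scan(base_url, api_key, engagement, report)
        print(f"{report.name}: imported as test {result.get('test')}")
```

Importing against a fixed engagement keeps every pipeline run's findings in one place, which is what makes the deduplication and trend views in DefectDojo work across runs.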
To view SARIF files, you can use:
- GitHub Security Code Scanning dashboard
- SARIF Viewer VSCode Extension
- SARIF Web Viewer
