{"id":36489895,"url":"https://github.com/aws-samples/devsecops-quickstart","last_synced_at":"2026-01-12T01:54:51.524Z","repository":{"id":39787127,"uuid":"459240927","full_name":"aws-samples/devsecops-quickstart","owner":"aws-samples","description":"Quickly set up a ready to use development environment integrated with a multi-account CI/CD pipeline following security and DevOps best practices","archived":false,"fork":false,"pushed_at":"2023-10-18T01:57:15.000Z","size":13704,"stargazers_count":51,"open_issues_count":2,"forks_count":16,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-06-05T08:19:27.981Z","etag":null,"topics":["aws","cdk","cdk-pipelines","cicd","devops","devsecops","secops"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit-0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aws-samples.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-14T16:36:51.000Z","updated_at":"2025-04-26T22:57:13.000Z","dependencies_parsed_at":"2024-06-19T00:02:49.766Z","dependency_job_id":"9ed5ef1b-7bfb-42fd-9a98-a5adce5ded62","html_url":"https://github.com/aws-samples/devsecops-quickstart","commit_stats":{"total_commits":134,"total_committers":3,"mean_commits":"44.666666666666664","dds":"0.014925373134328401","last_synced_commit":"7a69e5f8f65aa1c837a8945bf7a3d19ad3180828"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/aws-samples/devsecops-quickstart","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-samp
les%2Fdevsecops-quickstart","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-samples%2Fdevsecops-quickstart/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-samples%2Fdevsecops-quickstart/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-samples%2Fdevsecops-quickstart/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aws-samples","download_url":"https://codeload.github.com/aws-samples/devsecops-quickstart/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-samples%2Fdevsecops-quickstart/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28331297,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T00:36:25.062Z","status":"ssl_error","status_checked_at":"2026-01-12T00:36:15.229Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cdk","cdk-pipelines","cicd","devops","devsecops","secops"],"created_at":"2026-01-12T01:54:49.512Z","updated_at":"2026-01-12T01:54:51.516Z","avatar_url":"https://github.com/aws-samples.png","language":"Go","readme":"# DevSecOps Quick Start\n\nThis artefact helps development teams to quickly set up a ready to use environment integrated with a\nmulti-account CI/CD 
pipeline following security and DevOps best practices.\n\n![architecture](./assets/architecture.png)\n\nUpon successful deployment, you will have:\n\n- an AWS CodeCommit Git repository\n- an AWS Cloud9 development environment integrated with the code repository\n- a multi-stage, multi-account CI/CD pipeline integrated with the code repository\n- pipeline integration with [Bandit](https://github.com/PyCQA/bandit) for finding common security issues in Python code\n- pipeline integration with [Snyk](https://snyk.io/) for continuously monitoring for vulnerabilities in your dependencies\n- pipeline integration with [CFN NAG](https://github.com/stelligent/cfn_nag) to look for patterns in \n  CloudFormation templates that may indicate insecure infrastructure\n- pipeline integration with [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) that enables you to define and\n  enforce policies on infrastructure resources at development time\n\n## Prerequisites\n- An [AWS Account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/) to be used as the `Toolchain` account\n- One or more [AWS Account(s)](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/) to be used as deployment target accounts (e.g. `Dev`,`QA`,`Prod`, etc.)\n\n\u003e **_NOTE:_** Separating toolchain and deployment target accounts is technically not required, but is considered best practice. We encourage you to start with a toolchain and a development account. You can easily add new target environments to the pipeline in the future, if and when needed. \n\n- [AWS CLI](https://aws.amazon.com/cli/)\n- [Install AWS CDK Toolkit v2](https://docs.aws.amazon.com/cdk/v2/guide/cli.html)\n- [Install Python v3.7 or higher](https://www.python.org/downloads/)\n- [Install Docker](https://docs.docker.com/get-docker/)\n- [Install Go](https://go.dev/doc/install)\n\n## Set Up the Project\n\n### 1. 
Clone GitHub repository\nThis project's code repository contains `Git Submodules`. If cloning for the first time, make sure to use the\n`--recurse-submodules` flag to automatically initialize and update submodules:\n\n```\ngit clone --recurse-submodules https://github.com/aws-samples/devsecops-quickstart.git\n```\n\nIf the repository is already cloned without the `--recurse-submodules` flag,\ninitialize and update submodules by running the following command:\n\n```\ngit submodule update --init --recursive\n```\n\nFor more information on working with Git repositories with submodules, refer to the\n[Git-Tools-Submodules](https://git-scm.com/book/en/v2/Git-Tools-Submodules) documentation.\n\n### 2. Configure accounts and regions\nLocate the `cdk.json` file in the project's root folder. This is the project's configuration file. \nUpdate `cdk.json` with the account number and region values to be used for the toolchain and deployment target accounts. \nThe default setting has three deployment target accounts for Dev, QA, and Prod. This is just for demonstration purposes. \nFeel free to add/remove deployment targets according to your requirements. You can, for example, start with a\nsingle development account and keep adding more stages in the future as required.\n\n\u003e **_NOTE:_** Make sure to commit your changes. \n\n### 3. Set up Python environment\nThis project is set up like a standard Python project. The initialization\nprocess also creates a virtualenv within this project, stored under the `.venv`\ndirectory. 
\n\nUse the following command to create a virtualenv in the project's root folder:\n\n\u003e **_NOTE:_** Use `python` instead of `python3` on Windows.\n\n```\npython3 -m venv .venv\n```\n\nAfter the virtualenv is created, use the following step to activate your virtualenv.\n\n```\nsource .venv/bin/activate\n```\n\nIf you are on a Windows platform, you would activate the virtualenv like this:\n\n```\n.venv\\Scripts\\activate.bat\n```\n\nOnce the virtualenv is activated, install the required dependencies.\n\n```\npip install -r requirements.txt\n```\n\n\n## Bootstrap Account(s)\nThis is a one-time setup known as [Bootstrapping](https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html), \nwhich you need to do for the toolchain account and each deployment target account separately. \n\nDo the following steps for the toolchain account and region that you configured in `cdk.json` in \nstep **2. Configure accounts and regions**:\n\n### 4. [Configure AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) to point to the account and region\n\n\u003e **_NOTE:_** This can be quickly done as described in the [Quick configuration with aws configure](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config) section. Alternatively, you can use \n[AWS CLI Profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-profiles), which is more convenient when switching back and forth between multiple accounts.\n\n\u003e **_NOTE:_** If you are using AWS CLI profiles, make sure to provide the `--profile \u003cprofile_name\u003e` option for every command interacting with AWS accounts below. \n\n### 5. 
Run CDK Bootstrap\n\n\u003e **_NOTE:_** Make sure to replace the `\u003ctoolchain_account\u003e` and `\u003ctoolchain_region\u003e` placeholders.\n\n```\ncdk bootstrap \\\n  --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \\\n  aws://\u003ctoolchain_account\u003e/\u003ctoolchain_region\u003e\n```\n\nRepeat the following steps for each deployment target account and region that you configured in `cdk.json` in \nstep **2. Configure accounts and regions**:\n\n### 6. [Configure AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) to point to the account and region\n\n### 7. Run CDK Bootstrap\n\n\u003e **_NOTE:_** Make sure to replace the `\u003ctoolchain_account\u003e`, `\u003cdeployment_target_account\u003e`, and `\u003cdeployment_target_region\u003e` placeholders. \n\n```\ncdk bootstrap \\\n  --trust \u003ctoolchain_account\u003e \\\n  --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess \\\n  aws://\u003cdeployment_target_account\u003e/\u003cdeployment_target_region\u003e\n```\n\n## Configure Snyk authentication token in toolchain account\n\nFor the Snyk integration, you need to provide an authentication token for a Snyk account. You can sign up for a\nfree Snyk account [here](https://app.snyk.io/login?cta=sign-up\u0026loc=body\u0026page=try-snyk). After signing up, you can get\nyour Auth Token from the Account Settings section in your profile.\n\n\u003e **_NOTE:_** When signing up for a new account on Snyk, the wizard routes you to a final step to select a \nGit repository and provide integration for Snyk to monitor that repository. This step is not mandatory for creating\nSnyk accounts and is not required for our setup, either. Simply skip it by choosing `Select from other repositories`,\nwhich will bring you directly to your profile.\n\nWith the Snyk authentication token retrieved, use the `create_secret_helper` utility to securely store \nthe token in AWS Secrets Manager in the toolchain account. 
\nIt will be automatically used by the pipeline to interact with Snyk during the pipeline execution.\n\n### 8. [Configure AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) to point to the account and region\n\n\u003e **_TODO:_** Pass profile to CLI commands\n\n```\n./create_secret_helper.sh snyk-auth-token \u003csnyk-auth-token-value\u003e \u003ctoolchain_profile_name\u003e\n```\n\n## Seed project's code to toolchain account\n\n### 9. [Configure AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) to point to the account and region\n\n### 10. Create CodeCommit repository\n\nCreate a new Git repository in the toolchain account. This will become the main repository used by the pipeline\nfor deployments, where you will be developing your application.\n\n```\naws codecommit create-repository --repository-name devsecops-quickstart\n```\n\nTake note of the `cloneUrlHttp` value in the command output.\n\n### 11. Set up Git Credential Helper for AWS CodeCommit\n\nIf this is the first time you are using AWS CodeCommit, you need to configure a Git Credential Helper \nto be able to access CodeCommit repositories using HTTPS. Follow the AWS CodeCommit\ndocumentation to set up a credential helper on \n[Linux, macOS, or Unix](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-https-unixes.html#setting-up-https-unixes-credential-helper) or \n[Windows](https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-https-windows.html#setting-up-https-windows-credential-helper).\n\n### 12. Seed CodeCommit repository\n\n\u003e **_NOTE:_** Make sure to replace the `\u003ccodecommit_repository_url\u003e` placeholder with the `cloneUrlHttp` value \nfrom step **10. 
Create CodeCommit repository**.\n\n```\ngit remote add codecommit \u003ccodecommit_repository_url\u003e\ngit checkout -b main\ngit add .\ngit commit -m \"initial commit\"\ngit push --set-upstream codecommit main\n```\n\n## Deploy CI/CD pipeline in toolchain account\n\n### 13. [Configure AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) to point to the account and region\n### 14. Deploy\nRun the CDK deploy command to build and deploy the CI/CD pipeline.\n\n```\ncdk deploy devsecops-quickstart-cicd\n```\n\n## Verify deployment in toolchain account\nLog in to the toolchain account in the AWS Console. Select the same region you used for the deployment.\n### AWS CodeCommit Repository\n\nNavigate to the AWS CodeCommit service, select Source/Repositories from the left navigation bar, and verify that a new repository has been created.\n\n![validate](./assets/repository.png)\n\n### AWS Cloud9 Environment\nNavigate to the AWS Cloud9 service, select Account Environments from the left navigation bar, and verify that a new Cloud9 environment has been created.\n\n![cloud9](./assets/cloud9.png)\n\nNote that `cloud9_admin` is the owner of the environment and the Open IDE button is disabled. To access the \nCloud9 environment, go to the CloudFormation service, open the `tooling-cloud9` stack, and select the Outputs section from the top navigation bar.\n\n![validate](./assets/cloud9_outputs.png)\n\nCopy the `IDEURL` link and open it in a new __incognito__ browser tab. For Sign In select IAM User. For Account number use the `IDEAccount` value from the stack outputs, and for IAM user use `AdminUserName`. The password needs to be retrieved from AWS Secrets Manager by following the link in `AdminPasswordSecretURL` and selecting Retrieve Secret Value under the Secret Value section. 
After successful login, you get access to the Cloud9 environment.\n\n![validate](./assets/cloud9_env.png)\n\n### AWS CodePipeline pipeline\nNavigate to the AWS CodePipeline service, select Pipeline/Pipelines from the left navigation bar, and verify that a new pipeline has been created. \n\n![validate](./assets/pipeline.png)\n\nOpen the pipeline and scroll down to the `validate` stage. This is the stage where all the validation steps will be run.\n\n![validate](./assets/validate.png)\n\nAfter validation you can see the deployment stage(s). The number of stages corresponds to the number of target accounts you have configured in the `cdk.json` file as described in the __Deploy__ section. \n\n![dev](./assets/dev.png)\n\nIf you have enabled manual approvals in the stage configuration in `cdk.json`, the corresponding pipeline stage will have a mandatory manual approval before deploying to that environment.\n\n![prod](./assets/prod.png)\n\n## Verify deployment in target account(s)\nFor each target account, log in to the account in the AWS Console. Make sure you are in the same region you used for the deployment. Navigate to the CloudFormation service and search for the application stack that is deployed by the pipeline. This pipeline comes with a sample application called `SampleApp`, which is deployed for demonstration purposes. You can add your application stacks following the same approach and the pipeline will take care of deploying them into your target environments.\n\n![prod](./assets/sample_app.png)\n\n\n## What Now?\n\nThe pipeline you just created is deploying a dummy application stack called `SampleApp`. The stack is defined in \n`devsecops_quickstart/sample_app/sample_app.py` and is integrated into the pipeline definition in \n`devsecops_quickstart/pipeline.py`. \n\nIt is now your turn to roll up your sleeves and develop your application stack(s). Follow the same approach as in\nthe `SampleApp` to define your application stage and integrate it into the pipeline. 
\n\nHave fun!\n\n## FAQ\n### Q: How to access the Cloud9 Environment?\nA: Check the CloudFormation Outputs section of the stack called `tooling-Cloud9`. There you can find output parameters\nfor the environment URL, admin user, and the AWS Secrets Manager secret containing the admin password.\n\n### Q: How to add a new deployment target to the pipeline?\nA: Deployment targets are configured in the `cdk.json` file under the `context.config.stage` variable. You can add as many stages \nto the pipeline as required, either now or in the future. Simply give your new stage a name and provide values for account, region, and whether \nmanual approval is required. Then commit and push the changes to trigger the pipeline. The pipeline is capable of mutating \nitself to dynamically adjust to your configuration.\n\n## Security\n\nSee [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.\n\n## License\n\nThis library is licensed under the MIT-0 License. See the LICENSE file.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-samples%2Fdevsecops-quickstart","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faws-samples%2Fdevsecops-quickstart","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faws-samples%2Fdevsecops-quickstart/lists"}