{"id":26193276,"url":"https://github.com/nasa-ammos/slim-cd-starterkit","last_synced_at":"2025-08-20T06:35:04.195Z","repository":{"id":279745075,"uuid":"939801183","full_name":"NASA-AMMOS/slim-cd-starterkit","owner":"NASA-AMMOS","description":"This repository provides a complete Continuous Deployment (CD) starter kit for SLIM projects, enabling automated, efficient, and secure deployments. It follows best practices for CI/CD workflows, environment management, security, and rollback strategies.","archived":false,"fork":false,"pushed_at":"2025-03-06T17:26:17.000Z","size":27,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-06T18:32:02.126Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NASA-AMMOS.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-27T06:05:57.000Z","updated_at":"2025-03-06T17:26:21.000Z","dependencies_parsed_at":"2025-02-27T08:40:21.915Z","dependency_job_id":"6603b134-a16f-48fd-bf6d-bfe53d509f35","html_url":"https://github.com/NASA-AMMOS/slim-cd-starterkit","commit_stats":null,"previous_names":["nasa-ammos/slim-cd-starterkit"],"tags_count":0,"template":false,"template_full_name":"NASA-AMMOS/slim-starterkit","purl":"pkg:github/NASA-AMMOS/slim-cd-starterkit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NASA-AMMOS%2Fslim-cd-starterkit","tags_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/NASA-AMMOS%2Fslim-cd-starterkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NASA-AMMOS%2Fslim-cd-starterkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NASA-AMMOS%2Fslim-cd-starterkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NASA-AMMOS","download_url":"https://codeload.github.com/NASA-AMMOS/slim-cd-starterkit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NASA-AMMOS%2Fslim-cd-starterkit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271278994,"owners_count":24731900,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-20T02:00:09.606Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-12T01:37:55.537Z","updated_at":"2025-08-20T06:35:04.175Z","avatar_url":"https://github.com/NASA-AMMOS.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003c!-- ![CD Starter Kit Logo](https://your-logo-url.com) --\u003e\n\n# Continuous Deployment Starter Kit\n\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003eEnterprise-grade continuous deployment framework for automated, secure, and efficient software delivery\u003c/p\u003e\n\n\u003cp 
align=\"center\"\u003e\n  \u003ca href=\"https://nasa-ammos.github.io/slim/\"\u003e\u003cimg src=\"https://img.shields.io/badge/Best%20Practices%20from-SLIM-blue\" alt=\"SLIM\"\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-Apache%202.0-green.svg\" alt=\"License\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n## 📋 Contents\n\n- [Overview](#-overview)\n- [Key Features](#-key-features)\n- [Architecture](#-architecture)\n- [Quick Start](#-quick-start)\n- [CI/CD Pipeline](#-cicd-pipeline)\n- [Security \u0026 Compliance](#-security--compliance)\n- [Rollback Strategy](#-rollback-strategy)\n- [Monitoring \u0026 Logging](#-monitoring--logging)\n- [Documentation](#-documentation)\n- [Changelog](#-changelog)\n- [FAQ](#-frequently-asked-questions)\n- [Contributing](#-contributing)\n- [License](#-license)\n- [Support](#-support)\n\n## 🔍 Overview\n\nThe Continuous Deployment Starter Kit provides a comprehensive framework for implementing robust, secure, and efficient software delivery pipelines across multiple environments. 
Built on DevOps best practices and industry standards, this kit streamlines the deployment process while enforcing security controls and operational visibility.\n\nThis repository serves as both a reference implementation and a starting point for your own CD workflows, providing ready-to-use templates, infrastructure configurations, and security policies.\n\n## ✨ Key Features\n\n- **Fully Automated Pipelines** — Trigger deployments automatically from code changes with comprehensive testing\n- **Multi-Environment Support** — Distinct configurations for development, staging, and production environments\n- **Zero-Downtime Deployments** — Blue/green and canary deployment strategies for uninterrupted service\n- **Security-First Design** — Built-in security scans, secret management, and compliance checks\n- **Infrastructure as Code** — Declarative infrastructure definitions using Terraform and Kubernetes\n- **Observability** — Integrated monitoring, alerting, and logging for operational visibility\n- **Resilient Operations** — Automated rollback mechanisms and failure recovery procedures\n\n## 🏗 Architecture\n\n```\n├── .github/workflows    # CI/CD pipeline definitions\n├── infra/               # Infrastructure as Code templates\n│   ├── terraform/       # Cloud resource definitions\n│   └── kubernetes/      # Kubernetes manifests\n├── scripts/             # Deployment and utility scripts\n├── monitoring/          # Monitoring and observability configs\n└── docs/                # Documentation and guides\n```\n\n## 🚀 Quick Start\n\n### Prerequisites\n\n- **Developer Tools**\n  - Git\n  - Docker Desktop\n  - Terraform v1.0+\n  - AWS CLI v2 / Kubernetes CLI (kubectl)\n  \n- **Cloud Access**\n  - AWS account with appropriate permissions\n  - GitHub repository with Actions enabled\n  \n- **CI/CD Systems**\n  - GitHub account with repository access\n  - Docker Hub account (or another container registry)\n\n### Setup Instructions\n\n#### 1. 
Clone the Repository\n\n```bash\ngit clone https://github.com/NASA-AMMOS/slim-cd-starterkit.git\ncd slim-cd-starterkit\n```\n\n#### 2. Configure Secrets and Environment Variables\n\nWe recommend using a secure secret management solution such as AWS Systems Manager Parameter Store.\n\n```bash\n# Example using AWS SSM\naws ssm put-parameter \\\n    --name \"/myapp/DATABASE_URL\" \\\n    --value \"postgresql://user:password@host:port/db\" \\\n    --type \"SecureString\"\n\naws ssm put-parameter \\\n    --name \"/myapp/SECRET_KEY\" \\\n    --value \"your-secret-key\" \\\n    --type \"SecureString\"\n```\n\n#### 3. Deploy Infrastructure\n\n```bash\ncd infra/terraform\nterraform init\nterraform plan -out=tfplan\nterraform apply tfplan\n```\n\n#### 4. Trigger Your First Deployment\n\n```bash\n# Make changes and commit\ngit add .\ngit commit -m \"Initial deployment\"\ngit push origin main\n```\n\nThe GitHub Actions workflow will automatically:\n- Run unit and integration tests\n- Perform security scans\n- Build and package the application\n- Deploy to the staging environment\n\n#### 5. 
Promote to Production\n\n```bash\n# Create a release tag\ngit tag -a v1.0.0 -m \"Release version 1.0.0\"\ngit push origin v1.0.0\n```\n\n## 🔄 CI/CD Pipeline\n\nOur pipeline automates the entire deployment process from code changes to production release:\n\n```yaml\nname: CI/CD Pipeline\n\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n  release:\n    types: [published]\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout Repository\n        uses: actions/checkout@v3\n      \n      - name: Setup Environment\n        uses: actions/setup-node@v3\n        with:\n          node-version: '16'\n      \n      - name: Install Dependencies\n        run: npm ci\n      \n      - name: Run Linter\n        run: npm run lint\n      \n      - name: Run Unit Tests\n        run: npm test\n      \n      - name: Run Integration Tests\n        run: npm run test:integration\n        \n      - name: Security Scan\n        uses: aquasecurity/trivy-action@master\n        with:\n          scan-type: 'fs'\n          ignore-unfixed: true\n          format: 'sarif'\n          output: 'trivy-results.sarif'\n\n  build:\n    needs: test\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout Repository\n        uses: actions/checkout@v3\n      \n      - name: Set up Docker Buildx\n        uses: docker/setup-buildx-action@v2\n      \n      - name: Login to DockerHub\n        uses: docker/login-action@v2\n        with:\n          username: ${{ secrets.DOCKERHUB_USERNAME }}\n          password: ${{ secrets.DOCKERHUB_TOKEN }}\n      \n      - name: Build and Push\n        uses: docker/build-push-action@v3\n        with:\n          push: true\n          tags: myorg/myapp:${{ github.sha }}\n\n  deploy-staging:\n    needs: build\n    if: github.ref == 'refs/heads/main'\n    runs-on: ubuntu-latest\n    steps:\n      - name: Deploy to Staging\n        run: ./deploy.sh staging ${{ github.sha }}\n      \n      - name: Run Smoke Tests\n        
run: ./smoke-tests.sh https://staging.example.com\n\n  deploy-production:\n    needs: deploy-staging\n    if: startsWith(github.ref, 'refs/tags/v')\n    runs-on: ubuntu-latest\n    environment: production\n    steps:\n      - name: Deploy to Production\n        run: ./deploy.sh production ${{ github.sha }}\n      \n      - name: Verify Deployment\n        run: ./verify-deployment.sh https://example.com\n```\n\n## 🔒 Security \u0026 Compliance\n\nSecurity is built into every stage of our deployment process:\n\n### Secure Secret Management\n\nWe use a combination of approaches to ensure secrets are securely managed:\n\n#### AWS KMS for Encrypting Sensitive Data\n\n```bash\n# Encrypt a value using AWS KMS\n# AWS CLI v2 needs raw-in-base64-out to accept a raw string for --plaintext.\n# CiphertextBlob is returned base64-encoded, so decode it before writing the binary file.\naws kms encrypt \\\n    --cli-binary-format raw-in-base64-out \\\n    --key-id alias/my-app-key \\\n    --plaintext \"my-secret-value\" \\\n    --output text \\\n    --query CiphertextBlob | base64 --decode \u003e secret.enc\n\n# Decrypt the value when needed (fileb:// reads the binary ciphertext as-is)\naws kms decrypt \\\n    --ciphertext-blob fileb://secret.enc \\\n    --output text \\\n    --query Plaintext | base64 --decode\n```\n\n### Role-Based Access Control (RBAC)\n\nImplement least-privilege access with these examples:\n\n#### AWS IAM Policy\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"s3:ListBucket\",\n        \"s3:GetObject\"\n      ],\n      \"Resource\": [\n        \"arn:aws:s3:::my-app-bucket\",\n        \"arn:aws:s3:::my-app-bucket/*\"\n      ],\n      \"Condition\": {\n        \"StringEquals\": {\n          \"aws:PrincipalTag/Role\": \"Developer\"\n        }\n      }\n    }\n  ]\n}\n```\n\n#### Kubernetes RBAC\n\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n  namespace: my-app\n  name: developer-role\nrules:\n- apiGroups: [\"\"]\n  resources: [\"pods\", \"services\"]\n  verbs: [\"get\", \"list\", \"watch\"]\n- apiGroups: [\"apps\"]\n  resources: [\"deployments\"]\n  verbs: [\"get\", \"list\", \"watch\"]\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n  name: 
developer-binding\n  namespace: my-app\nsubjects:\n- kind: User\n  name: developer@example.com\n  apiGroup: rbac.authorization.k8s.io\nroleRef:\n  kind: Role\n  name: developer-role\n  apiGroup: rbac.authorization.k8s.io\n```\n\n### Automated Security Scanning\n\nWe integrate security scanning throughout the pipeline:\n\n#### OWASP ZAP for Dynamic Application Security Testing\n\n```bash\n# Start ZAP in daemon mode, bound to localhost because the API key is disabled\nzap.sh -daemon -host 127.0.0.1 -port 8080 -config api.disablekey=true \u0026\n\n# Run an automated scan against the application\nzap-cli quick-scan --self-contained \\\n    --start-options \"-config api.disablekey=true\" \\\n    https://staging-app.example.com\n\n# Generate a security report\nzap-cli report -o zap-report.html -f html\n```\n\n### Compliance Checks\n\n- **CIS Benchmarks** — Ensure infrastructure complies with industry standards\n- **SOC 2 Controls** — Implement controls for security, availability, and confidentiality\n- **GDPR Compliance** — Built-in data protection measures for EU data subjects\n\n## 🔄 Rollback Strategy\n\nOur multi-layered rollback strategy ensures rapid recovery from failed deployments:\n\n### Kubernetes Rollback\n\n```bash\n# Check deployment history\nkubectl rollout history deployment/my-app\n\n# Roll back to the previous version\nkubectl rollout undo deployment/my-app\n\n# Roll back to a specific revision\nkubectl rollout undo deployment/my-app --to-revision=2\n```\n\n### Feature Flags for Controlled Rollout\n\n```javascript\n// Example using LaunchDarkly client\nconst ldClient = LaunchDarkly.initialize('YOUR_CLIENT_SIDE_ID', user);\n\nldClient.on('ready', () =\u003e {\n  const showNewFeature = ldClient.variation('new-payment-ui', false);\n  \n  if (showNewFeature) {\n    // Show new payment UI\n  } else {\n    // Show old payment UI\n  }\n});\n```\n\n### Automated Rollback in CI/CD\n\n```yaml\nname: Rollback Deployment\n\non:\n  workflow_dispatch:\n    inputs:\n      environment:\n        description: 'Environment to 
rollback (staging|production)'\n        required: true\n      version:\n        description: 'Version to rollback to (leave empty for previous)'\n        required: false\n\njobs:\n  rollback:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout Repository\n        uses: actions/checkout@v3\n      \n      - name: Configure AWS Credentials\n        uses: aws-actions/configure-aws-credentials@v1\n        with:\n          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}\n          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n          aws-region: us-west-2\n      \n      - name: Rollback Deployment\n        # Pass workflow inputs through env so they are never expanded into the script text\n        env:\n          TARGET_ENV: ${{ github.event.inputs.environment }}\n          TARGET_VERSION: ${{ github.event.inputs.version }}\n        run: |\n          if [ -z \"$TARGET_VERSION\" ]; then\n            ./scripts/rollback.sh \"$TARGET_ENV\"\n          else\n            ./scripts/rollback.sh \"$TARGET_ENV\" \"$TARGET_VERSION\"\n          fi\n      \n      - name: Verify Rollback\n        env:\n          TARGET_ENV: ${{ github.event.inputs.environment }}\n        run: ./scripts/verify-deployment.sh \"$TARGET_ENV\"\n```\n\n## 📊 Monitoring \u0026 Logging\n\nComprehensive observability ensures you can detect and respond to issues quickly:\n\n### Prometheus Monitoring\n\n```yaml\napiVersion: monitoring.coreos.com/v1\nkind: ServiceMonitor\nmetadata:\n  name: my-app-monitor\n  namespace: monitoring\nspec:\n  selector:\n    matchLabels:\n      app: my-app\n  endpoints:\n  - port: web\n    interval: 15s\n    path: /metrics\n```\n\n### Grafana Dashboard\n\nOur starter kit includes pre-configured Grafana dashboards for key metrics:\n\n- Response time and error rates\n- System resource utilization\n- Deployment frequency and success rates\n- Custom business metrics\n\n### ELK Stack for Centralized Logging\n\n```yaml\n# Filebeat configuration\nfilebeat.inputs:\n- type: log\n  enabled: true\n  paths:\n    - /var/log/app/*.log\n  json.keys_under_root: true\n  json.add_error_key: true\n\nprocessors:\n  - add_kubernetes_metadata:\n      host: ${NODE_NAME}\n     
 matchers:\n      - logs_path:\n          logs_path: \"/var/log/containers/\"\n\noutput.elasticsearch:\n  hosts: [\"elasticsearch:9200\"]\n  index: \"app-logs-%{+yyyy.MM.dd}\"\n```\n\n## 📚 Documentation\n\nComprehensive documentation is available at [https://nasa-ammos.github.io/slim/](https://nasa-ammos.github.io/slim/)\n\n- **Getting Started Guide** — Quick start for new users\n- **Architecture Overview** — Design principles and system architecture\n- **Operator's Manual** — Day-to-day operations and troubleshooting\n- **Security Guide** — Security best practices and compliance information\n\n## 📝 Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md) for a detailed history of changes.\n\n## ❓ Frequently Asked Questions\n\n### How do I customize the deployment pipeline for my application?\n\nEdit the workflow files in `.github/workflows/` to add or modify steps specific to your application's build and deployment requirements.\n\n### Can I use this with cloud providers other than AWS?\n\nYes! While our examples primarily use AWS, the principles and patterns apply to any cloud provider. Check the `infra/terraform/providers` directory for other provider configurations.\n\n## 👥 Contributing\n\nWe welcome contributions from the community! Here's how to get started:\n\n1. **Fork the repository**\n2. **Create a feature branch**\n   ```bash\n   git checkout -b feature/awesome-feature\n   ```\n3. **Make your changes**\n4. **Run tests**\n   ```bash\n   make test\n   ```\n5. **Commit your changes**\n   ```bash\n   git commit -m \"Add awesome feature\"\n   ```\n6. **Push to your branch**\n   ```bash\n   git push origin feature/awesome-feature\n   ```\n7. 
**Open a Pull Request**\n\nPlease read our [CONTRIBUTING.md](CONTRIBUTING.md) and [GOVERNANCE.md](GOVERNANCE.md) for more details.\n\n## 📜 License\n\nThis project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.\n\n## 🤝 Support\n\nFor support, questions, or feedback:\n\n- **GitHub Issues**: Report bugs or request features\n- **Discussions**: Ask questions and share ideas\n- **Contact**: Reach out to [@yunks128](https://github.com/yunks128) or other maintainers\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnasa-ammos%2Fslim-cd-starterkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnasa-ammos%2Fslim-cd-starterkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnasa-ammos%2Fslim-cd-starterkit/lists"}