TWN DevSecOps Bootcamp Demo Projects Overview

Project 1 - Setup Secrets Scanning in GitLab CI and Pre-Commit Script using GitLeaks (Module 3)
Demo Project:
Set up a GitLab CI pipeline job and a Git pre-commit hook that scan for secrets using GitLeaks.
Technologies used:
GitLab CI, GitLeaks, Git
Project Description:
- Configure a GitLeaks job in GitLab CI to check commits for secrets
- Create a Git pre-commit hook script that runs GitLeaks in Docker and scans the staged changes before they are committed. The hook gives developers fast local feedback; the pipeline job stays the authoritative check, because a local hook can be skipped with git commit --no-verify.
Project 2 - Setup Static Application Security Scanning in GitLab CI using NJSScan & Semgrep (Module 3)
Demo Project:
Set up Static Application Security Testing (SAST) in the GitLab CI pipeline using NJSScan and Semgrep.
Technologies used:
GitLab CI, Git, NJSScan, Semgrep, Python
Project Description:
- Configure NJSScan in the GitLab CI pipeline to run a SAST scan against the repository code
- Configure Semgrep in the GitLab CI pipeline to run an additional SAST scan against the repository code
Project 3 - Upload Security Scan Results Automatically to DefectDojo (Module 4)
Demo Project:
Create a Python script that automatically uploads security scan findings to the vulnerability management tool DefectDojo from GitLab CI.
Technologies used:
Python, DefectDojo, GitLab CI
Project Description:
- Create a Python script that authenticates to the DefectDojo API with an API key
- Extend the script to upload the GitLeaks, Semgrep and NJSScan report files produced by the GitLab CI security scanning jobs to DefectDojo
- Add a new job to the GitLab CI pipeline that runs the Python script, so findings are uploaded to DefectDojo as part of every pipeline execution
Project 4 - Remediate Weak Cryptography and SQL Injection Vulnerabilities in Application based on Security Findings (Module 4)
Demo Project:
Review the NJSScan and Semgrep findings in DefectDojo, then remediate the weak cryptography and SQL injection vulnerabilities in the application code.
Technologies used:
JavaScript, DefectDojo, Git, GitLab, Semgrep, NJSScan
Project Description:
- Update the application code to replace the weak hash function, based on the NJSScan finding in DefectDojo
- Update the application code to remove the SQL injection vulnerability, based on the Semgrep finding in DefectDojo
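The two remediations above, as an added example that is not the bootcamp's code: the course application is JavaScript, but the same before/after pairs are shown here in Python so they can be run offline with only the standard library. An in-memory sqlite3 database stands in for the application's database; the table, its rows and the injection payload are constructed for the demo, and the PBKDF2 iteration count follows the current OWASP recommendation.

```python
"""Before/after for the two finding types in Project 4: SQL injection and a weak
password hash. Added example; the bootcamp app is JavaScript, this is a Python
stand-in using only the standard library."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256 (2023)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "developer")])
    return conn


# --- Finding: SQL injection (Semgrep) ---------------------------------------

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """BEFORE: the user-supplied value is concatenated into the statement, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """AFTER: a parameterised query. The driver binds the value as data; it is
    never parsed as SQL, whatever characters it contains."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# --- Finding: weak hash function (NJSScan) -----------------------------------

def hash_password_vulnerable(password: str) -> str:
    """BEFORE: unsalted MD5. Fast and deterministic, so equal passwords give equal
    hashes and precomputed tables recover them."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password_fixed(password: str, salt: Optional[bytes] = None) -> str:
    """AFTER: per-user random salt plus a slow, iterated KDF (PBKDF2-HMAC-SHA256).
    Stored as 'salt$digest' in hex so verification can recover the salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password_fixed(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Exercise both pairs with a classic tautology payload (constructed input)."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        # vulnerable: WHERE username = '' OR '1'='1'  -> every row comes back
        "vulnerable_rows": len(find_user_vulnerable(conn, payload)),
        # fixed: looks for a user literally named "' OR '1'='1" -> no rows
        "fixed_rows": len(find_user_fixed(conn, payload)),
        "md5_repeats": hash_password_vulnerable("hunter2") == hash_password_vulnerable("hunter2"),
        "pbkdf2_salted": hash_password_fixed("hunter2") != hash_password_fixed("hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The SQL fix is the one Semgrep's rule points at: bind parameters, never build the statement from strings. For the hash, the point is not "a stronger digest" (SHA-256 would still be fast and unsalted) but a salted, deliberately slow password KDF; scrypt, bcrypt or Argon2 are equally valid choices where a library is available.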
Project 5 - Setup SCA Scanning using RetireJS and Upload Findings to DefectDojo (Module 5)
Demo Project:
Set up Software Composition Analysis (SCA) scanning in the GitLab CI pipeline and automatically upload the scan reports to DefectDojo.
Technologies used:
DefectDojo, Git, GitLab CI, RetireJS, Python
Project Description:
- Create a new GitLab CI pipeline job for automated SCA scanning using RetireJS
- Configure the job to save the SCA scan report as a pipeline artifact
- Upload the RetireJS scan report to DefectDojo using the Python automation script
Project 6 - Upload Images to AWS ECR using CI/CD Pipeline (Module 6)
Demo Project:
Configure GitLab CI with AWS user credentials to push Docker images to AWS ECR from the CI/CD pipeline.
Technologies used:
AWS IAM, AWS ECR, GitLab CI
Project Description:
- Create access keys for a user in AWS IAM
- Add the AWS access keys as masked GitLab CI/CD variables (secret environment variables) for use in the pipeline
- Update the CI pipeline to build Docker images and push them to ECR using the AWS access keys (in Project 11 these keys are replaced by those of a dedicated least-privilege user)
Project 7 - Deploy Application to EC2 Instance using GitLab CI/CD Pipeline (Module 6)
Demo Project:
Deploy the application to an AWS EC2 instance using the GitLab CI/CD pipeline.
Technologies used:
AWS IAM, AWS EC2, GitLab CI, Docker
Project Description:
- Configure the EC2 instance with Docker and ECR credentials
- Create a new deployment job in GitLab CI that automatically:
  a. Connects to the EC2 instance over SSH
  b. Pulls the latest Docker image from ECR
  c. Stops the previously running container, if any
  d. Runs the latest Docker container
Project 8 - Use Self-Managed Runners for GitLab CI/CD (Module 6)
Demo Project:
Create an EC2 instance and configure it as a self-managed GitLab CI/CD runner.
Technologies used:
AWS EC2, GitLab CI/CD
Project Description:
- Create a new AWS EC2 instance
- Register the EC2 instance with GitLab CI/CD as a project runner
- Configure the runner with the Shell executor instead of the Docker executor
Project 9 - Scan Docker Images using Trivy with GitLab CI/CD Pipeline (Module 7)
Demo Project:
Update the GitLab CI/CD pipeline to scan Docker images with Trivy.
Technologies used:
Trivy, Git, GitLab CI, Docker, AWS ECR
Project Description:
- Create a new job in the GitLab CI/CD pipeline that:
  a. Pulls the Docker image from the private AWS ECR repository
  b. Runs a Trivy image scan on the image
  c. Fails the Trivy job only if findings of HIGH or CRITICAL severity are detected
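The severity gate from step c, as an added example (not the course's job). Trivy can do this itself with `trivy image --exit-code 1 --severity HIGH,CRITICAL`, but that also filters the JSON report to those two severities, so the artifact later uploaded to DefectDojo (Project 10) loses the LOW and MEDIUM findings. The script below assumes the job has already written the full report with `trivy image --format json --output trivy.json <image>` and makes the pass/fail decision from that file. The sample report is constructed in Trivy's JSON layout; its CVE ids and image name are placeholders.

```python
"""Severity gate for the Trivy job in Project 9: fail the CI job only when the
report holds HIGH or CRITICAL findings. Added example, not the course's job.
Assumes the job has already run
    trivy image --format json --output trivy.json <image>
without a --severity filter, so the full report is kept as an artifact for
DefectDojo and the pass/fail decision is made here."""
import json
import sys
from collections import Counter
from typing import Dict, Iterable, List, Sequence

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")  # Trivy's names
FAIL_ON: Sequence[str] = ("HIGH", "CRITICAL")

# Constructed sample report in Trivy's JSON layout (not a real scan; the CVE ids
# are placeholders). The second target is clean and has no "Vulnerabilities" key
# at all, which is how Trivy reports it; indexing it directly would raise KeyError.
SAMPLE_REPORT = {
    "ArtifactName": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/demo-app:1.2.3",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "demo-app:1.2.3 (debian 12.4)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0.0", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g",
                 "InstalledVersion": "1:1.2.13", "Severity": "LOW"},
            ],
        },
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},
    ],
}


def iter_vulnerabilities(report: dict) -> Iterable[dict]:
    """Walk every target; tolerate a missing or null Vulnerabilities list."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def count_by_severity(report: dict) -> Dict[str, int]:
    """Finding counts per severity, every severity present even when zero."""
    counts = Counter(v.get("Severity", "UNKNOWN") for v in iter_vulnerabilities(report))
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def blocking_findings(report: dict, fail_on: Sequence[str] = FAIL_ON) -> List[str]:
    """Human-readable lines for the findings that fail the job, fixed version included
    so the developer sees whether a simple package bump resolves it."""
    return [
        f"{v['VulnerabilityID']} {v['PkgName']} {v.get('InstalledVersion', '?')} "
        f"[{v['Severity']}] fix: {v.get('FixedVersion') or 'none available'}"
        for v in iter_vulnerabilities(report)
        if v.get("Severity") in fail_on
    ]


def exit_code_for(report: dict, fail_on: Sequence[str] = FAIL_ON) -> int:
    """0 = job passes, 1 = job fails. MEDIUM and below are reported, not blocking."""
    return 1 if blocking_findings(report, fail_on) else 0


if __name__ == "__main__":
    # Usage in the GitLab job: python trivy_gate.py trivy.json  (no argument -> sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("findings by severity:", count_by_severity(report))
    for line in blocking_findings(report):
        print("BLOCKING:", line)
    sys.exit(exit_code_for(report))
```

Run it as the last command of the Trivy job; a non-zero exit fails the job while the untouched trivy.json remains available as an artifact.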
Project 10 - Upload Trivy Image Scanning Results to DefectDojo using CI/CD Pipeline (Module 7)
Demo Project:
Update the GitLab CI/CD pipeline to automatically upload the Trivy image scan results to DefectDojo.
Technologies used:
Python, DefectDojo, GitLab CI, Trivy
Project Description:
- Update the Trivy job to export the image security findings report as a pipeline artifact
- Update the Python script to upload the Trivy findings to DefectDojo
- Update the Upload Reports job to run the Python upload script for the Trivy scan report
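The upload script that Projects 3, 5 and 10 build up, in one place, as an added example (not the course's script). It assumes DefectDojo's v2 REST API (POST /api/v2/import-scan/ with token authentication), an existing engagement whose id is supplied, and that the DefectDojo URL, API key and engagement id arrive as GitLab CI/CD variables named DD_URL, DD_API_KEY and DD_ENGAGEMENT (names chosen here). The scan_type strings are DefectDojo's parser names as known to the author of this example; confirm them against GET /api/v2/test_types/ on your instance. Only the standard library is used, so the multipart body is assembled by hand and can be inspected offline.

```python
"""Upload GitLeaks, Semgrep, NJSScan, Retire.js and Trivy reports from GitLab CI
to DefectDojo (Projects 3, 5 and 10). Added example, not the course's script.
Assumes DefectDojo's v2 API and CI variables DD_URL, DD_API_KEY, DD_ENGAGEMENT
(variable names chosen here)."""
import json
import os
import sys
import urllib.request
import uuid
from typing import Dict, Optional, Tuple

# Pipeline artifact file -> (DefectDojo scan_type, MIME type). scan_type names are
# DefectDojo's parser names as known to the author of this example; NJSScan writes
# SARIF, so it goes through DefectDojo's generic SARIF parser. Verify against
# GET /api/v2/test_types/ on your instance.
SCAN_TYPES: Dict[str, Tuple[str, str]] = {
    "gitleaks.json": ("Gitleaks Scan", "application/json"),
    "semgrep.json": ("Semgrep JSON Report", "application/json"),
    "njsscan.sarif": ("SARIF", "application/json"),
    "retirejs.json": ("Retire.js Scan", "application/json"),
    "trivy.json": ("Trivy Scan", "application/json"),
}


def import_fields(report_file: str, engagement_id) -> Dict[str, str]:
    """Form fields for POST /api/v2/import-scan/. An unmapped file name is an error,
    not a guess, so a renamed artifact fails the job instead of silently uploading
    under the wrong parser."""
    if report_file not in SCAN_TYPES:
        raise ValueError(f"no DefectDojo scan_type mapped for {report_file!r}")
    return {
        "scan_type": SCAN_TYPES[report_file][0],
        "engagement": str(engagement_id),
        "active": "true",
        "verified": "false",           # triage is done in DefectDojo, not by CI
        "minimum_severity": "Info",
        "close_old_findings": "true",  # findings missing from this report are closed
    }


def encode_multipart(fields: Dict[str, str], filename: str, content: bytes,
                     content_type: str, boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Build a multipart/form-data body by hand (no third-party HTTP library)."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    parts += [f"--{boundary}",
              f'Content-Disposition: form-data; name="file"; filename="{filename}"',
              f"Content-Type: {content_type}", ""]
    body = ("\r\n".join(parts) + "\r\n").encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def upload_report(report_path: str, engagement_id: str, base_url: str, api_key: str) -> dict:
    """POST one report; returns DefectDojo's JSON response (includes the test id)."""
    name = os.path.basename(report_path)
    with open(report_path, "rb") as fh:
        content = fh.read()
    body, ctype = encode_multipart(import_fields(name, engagement_id), name, content,
                                   SCAN_TYPES[name][1])
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/import-scan/", data=body, method="POST",
        headers={"Authorization": f"Token {api_key}", "Content-Type": ctype})
    with urllib.request.urlopen(request, timeout=60) as response:
        return json.loads(response.read())


if __name__ == "__main__":
    # GitLab job: python upload_reports.py gitleaks.json semgrep.json njsscan.sarif trivy.json
    # Missing artifacts (a scanner that did not run) are skipped rather than failing the upload.
    for path in sys.argv[1:]:
        if not os.path.exists(path):
            print(f"skipping {path}: not produced by this pipeline")
            continue
        result = upload_report(path, os.environ["DD_ENGAGEMENT"],
                               os.environ["DD_URL"], os.environ["DD_API_KEY"])
        print(f"{path}: imported as test {result.get('test')}")
```

Adding the RetireJS report (Project 5) or the Trivy report (Project 10) is then a one-line change to SCAN_TYPES plus the file name in the Upload Reports job, which is the shape of the "update the Python script" steps above.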
Project 11 - Create GitLab CI User Account using AWS IAM (Module 9)
Demo Project:
Create a dedicated AWS IAM user for GitLab CI with least-privilege access, so the pipeline can push images to AWS ECR and nothing more.
Technologies used:
AWS IAM, GitLab CI
Project Description:
- Create an AWS IAM user for GitLab CI and attach a permission policy that grants ECR access only
- Give the GitLab CI user programmatic (AWS CLI) access only, with no console password
- Create AWS CLI access keys for the GitLab CI user
- Update GitLab CI to use the GitLab CI user's access keys instead of the admin user's keys
Project 12 - Use AWS SSM to Deploy Application to EC2 Instance (Module 9)
Demo Project:
Create a new EC2 instance role so GitLab CI can deploy through AWS Systems Manager (SSM) instead of SSH, removing the need for an open SSH port and for SSH keys in the pipeline.
Technologies used:
AWS IAM, GitLab CI, AWS EC2
Project Description:
- Remove the SSH ingress rule from the EC2 security group
- Create a new IAM role for the EC2 instance with the AmazonSSMManagedInstanceCore managed policy and attach it to the instance, which gives the SSM agent the permissions it needs
- Remove the SSH commands from the GitLab CI pipeline
- Add an SSM access policy to the GitLab CI IAM user's permissions
- Update the GitLab CI deploy job to:
  a. Authenticate to the private AWS ECR repository
  b. Connect to the EC2 instance through SSM (no inbound port required)
  c. Run the Docker image pull, container stop and container run commands on the instance via SSM to deploy the application
Project 13 - Configure Automated DAST Scan in GitLab CI/CD Pipeline (Module 9)
Demo Project:
Create a ZAP job in the GitLab CI/CD pipeline that runs automated Dynamic Application Security Testing (DAST) scans.
Technologies used:
ZAP, GitLab CI, Docker, AWS
Project Description:
- Configure the GitLab CI pipeline to deploy to test and prod environments
- Create a DAST job in GitLab CI that:
  a. Runs automated ZAP scans against the Docker application deployed on the EC2 instance
  b. Fails the ZAP job for findings above the warning severity level
  c. Exports the ZAP scan results as a pipeline artifact
Project 14 - Provision AWS Infrastructure Using Terraform (Module 10)
Demo Project:
Automate the whole process of provisioning EC2 servers, AWS networking resources and IAM roles & permissions using Terraform.
Technologies used:
Terraform, Docker, Git, AWS (VPC, EC2, IAM), GitLab CI
Project Description:
- Create a new IAM user for Terraform operations
- Create IAM roles with the needed policies for the application server and the GitLab runner instances
- Create the VPC and Security Group resources for EC2 networking
- Create and configure two EC2 instances:
  - Create the application server with a secure firewall (security group) configuration
  - Configure a script that automatically installs Docker and the application dependencies on the application server
  - Create the GitLab CI server with a secure firewall configuration
  - Configure a script that automatically installs Docker and registers the instance as a GitLab runner
Project 15 - Automate Security Scanning and Deployments for IaC (Module 10)
Demo Project:
Create a GitLab CI/CD pipeline for the Terraform infrastructure with built-in security scanning and code validation, following GitOps principles.
Technologies used:
AWS S3, GitLab CI, Terraform, Git, tfsec
Project Description:
- Create an AWS S3 bucket and configure Terraform to use it as the backend for storing Terraform state (state can contain sensitive values, so the bucket must not be publicly readable)
- Create a new GitLab CI pipeline for the Terraform infrastructure that:
  a. Initializes Terraform and builds a plan artifact
  b. Validates the Terraform configuration and syntax
  c. Runs a tfsec security scan on the Terraform code and produces a scan result artifact
  d. Applies the Terraform code to AWS
Project 16 - Create Multi-Region CloudTrail Trail and Forward Logs to CloudWatch (Module 11)
Demo Project:
Create a CloudTrail trail that captures events across all AWS regions and configure it to send the event logs to CloudWatch.
Technologies used:
AWS (S3, CloudTrail, CloudWatch)
Project Description:
- Create a CloudTrail trail that:
  - Forwards trail logs to a new CloudWatch log group
  - Saves CloudTrail events from all AWS regions to an S3 bucket
- Create filters on the CloudTrail trail events to quickly find events such as failed login attempts
- Create a filter in the CloudWatch log group to quickly view logging metrics
Project 17 - Create CloudWatch Alarm for EC2 Instance (Module 11)
Demo Project:
Create a CloudWatch alarm that sends an alert email when an EC2 instance has failed its status checks for more than five minutes.
Technologies used:
AWS (SNS, CloudWatch)
Project Description:
- Create a new CloudWatch metric alarm that:
  - Checks whether an EC2 instance failed its status checks over a five-minute period
  - Enters the "In alarm" state when this condition is met
- Create a new SNS topic that sends an email when the alarm is in the alarm state
Project 18 - Create Custom Metric Filter and Alarm for Failed Console Logins (Module 11)
Demo Project:
Create a custom metric filter in CloudWatch that matches failed AWS console logins, and an alarm that sends a notification when failed logins exceed a threshold.
Technologies used:
AWS (CloudWatch, SNS)
Project Description:
- Create a custom metric filter in the CloudWatch log group that:
  - Matches failed console logins across the entire log group
  - Creates a new metric namespace for the custom metric
  - Counts the number of failed login attempts
- Create a CloudWatch alarm that:
  - Uses the custom metric to count failed login attempts over a 5-minute period, and triggers if there are more than 7 failures in that period
  - Sends an email through a new SNS topic when the metric is in the alarm state
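Projects 16 and 18 in code, as an added example that is not part of the course material: the CloudWatch Logs filter pattern that matches failed console sign-ins, together with a Python re-implementation of what the metric filter and the alarm compute server-side, run over constructed CloudTrail-shaped events. The events, user names and IP address are made up for the demo; the field names follow CloudTrail's ConsoleLogin event format, and the threshold (more than 7 per 5 minutes) is the one from the project.

```python
"""What the Project 18 metric filter and alarm compute, reproduced offline.
Added example, not course material. The filter pattern is the one used for
CloudWatch Logs metric filters on CloudTrail ConsoleLogin events; the Python
below applies the same test to constructed events and counts per 5-minute period."""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# The metric filter pattern as given to CloudWatch Logs (a JSON field pattern):
FILTER_PATTERN = '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }'
PERIOD_SECONDS = 300   # alarm period: 5 minutes
THRESHOLD = 7          # alarm when the period's sum is > 7, as in the project


def matches_filter(event: dict) -> bool:
    """Python equivalent of FILTER_PATTERN. Successful logins carry no errorMessage,
    and failed API calls of other kinds have a different eventName, so both fall out."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def period_start(event_time: str) -> int:
    """Bucket an ISO-8601 CloudTrail timestamp into its 5-minute period (epoch seconds)."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - epoch % PERIOD_SECONDS


def failed_logins_per_period(log_lines: Iterable[str]) -> Dict[int, int]:
    """The metric: number of matching events per period (CloudWatch statistic Sum)."""
    counts: Counter = Counter()
    for line in log_lines:
        event = json.loads(line)
        if matches_filter(event):
            counts[period_start(event["eventTime"])] += 1
    return dict(counts)


def periods_in_alarm(counts: Dict[int, int], threshold: int = THRESHOLD) -> List[int]:
    """Periods whose sum exceeds the threshold (comparison GreaterThanThreshold)."""
    return sorted(start for start, n in counts.items() if n > threshold)


def sample_log_lines() -> List[str]:
    """Constructed CloudTrail-shaped events, not captured logs: nine failures in
    10:00-10:04, two successes, one failure in 10:05-10:09, one unrelated denied call."""
    def console_login(time: str, outcome: str, user: str) -> str:
        event = {
            "eventVersion": "1.08", "eventTime": time, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": outcome},
        }
        if outcome == "Failure":
            event["errorMessage"] = "Failed authentication"
        return json.dumps(event)

    failures = ["10:00:05", "10:00:40", "10:01:15", "10:01:50", "10:02:25",
                "10:03:00", "10:03:35", "10:04:10", "10:04:45"]
    lines = [console_login(f"2024-05-01T{t}Z", "Failure", "alice") for t in failures]
    lines.append(console_login("2024-05-01T10:02:00Z", "Success", "bob"))
    lines.append(console_login("2024-05-01T10:06:30Z", "Failure", "alice"))
    lines.append(console_login("2024-05-01T10:10:00Z", "Success", "alice"))
    lines.append(json.dumps({"eventVersion": "1.08", "eventTime": "2024-05-01T10:01:00Z",
                             "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
                             "errorCode": "AccessDenied", "errorMessage": "User is not authorized"}))
    return lines


if __name__ == "__main__":
    counts = failed_logins_per_period(sample_log_lines())
    for start, n in sorted(counts.items()):
        flag = "ALARM" if n > THRESHOLD else "ok"
        print(datetime.fromtimestamp(start, timezone.utc).isoformat(), n, flag)
```

In AWS the same logic is split across two resources: FILTER_PATTERN goes into the metric filter (with metric value 1 per match, in the custom namespace), and the alarm evaluates Sum over a 300-second period with GreaterThanThreshold 7. The AssumeRole line in the sample shows why the pattern pins eventName and not just errorMessage: otherwise unrelated access-denied events would inflate the count.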
Project 19 - Create AWS Billing Alarms (Module 11)
Demo Project:
Create an AWS Budgets alert that sends an email when AWS costs exceed a threshold.
Technologies used:
AWS Budgets
Project Description:
- Create an AWS Budget that:
  - Sets the desired monthly AWS cost budget
  - Emails recipients when actual spend reaches 85% of the budget, when actual spend reaches 100% of the budget, and when forecasted spend is expected to reach 100% of the budget
Project 20 - Provision EKS cluster with Secure Access Management (Module 12-13)
Demo Project:
Provision an EKS cluster with secure access management for developer and admin roles, following security best practices.
Technologies used:
AWS EKS, AWS IAM, Terraform, Kubernetes
Project Description:
- Infrastructure as Code configuration to:
  - Provision a base EKS cluster
  - Add configuration for access management:
    - Configure AWS IAM roles for access on the AWS level
    - Define Kubernetes access with Role-Based Access Control (RBAC), creating K8s Roles and ClusterRoles
    - Configure the mapping between IAM roles and K8s users
Project 21 - Secure IaC Pipeline for EKS Provisioning using AWS STS Web Identity (Module 14)
Demo Project:
Create an IaC pipeline that authenticates to AWS through a trusted third-party web identity provider (GitLab's OIDC provider), so no long-lived AWS access keys have to be stored in GitLab.
Technologies used:
GitLab CI, AWS EKS, AWS STS, AWS IAM, Terraform, Kubernetes
Project Description:
- AWS cloud configuration:
  - Configure authentication with GitLab's OIDC identity provider
  - Create the web identity (IAM OIDC identity provider) in AWS
  - Create an IAM role with GitLab's identity provider as the trusted entity
- GitLab pipeline configuration:
  - Add pipeline configuration that obtains temporary credentials from AWS STS on every job execution
- Terraform configuration in the release pipeline:
  - Configure the Terraform commands to provision the EKS cluster
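The AWS side of Project 21, as an added example (not the course's Terraform): the role trust policy that lets a GitLab CI job call AssumeRoleWithWebIdentity, plus an offline evaluation of which pipeline tokens that policy admits. Assumed here: a GitLab.com project my-group/my-infra (placeholder), an IAM OIDC identity provider for gitlab.com in account 123456789012 (placeholder), and a job that requests its ID token with aud: https://gitlab.com under id_tokens in .gitlab-ci.yml. The sub claim layout is the one GitLab documents for CI ID tokens. IAM exposes only the aud and sub claims of a generic OIDC token as condition keys, which is why the branch restriction has to be expressed inside the sub match rather than on a separate ref claim.

```python
"""Trust policy for GitLab CI -> AWS STS AssumeRoleWithWebIdentity, and an offline
check of which pipeline tokens it would admit. Added example, not the course's
Terraform. Project path, account id and audience are placeholders.

Job side (from GitLab's documentation, abbreviated):
    id_tokens:
      GITLAB_OIDC_TOKEN:
        aud: https://gitlab.com
    script:
      - aws sts assume-role-with-web-identity --role-arn "$ROLE_ARN"
          --role-session-name "gitlab-$CI_PROJECT_ID-$CI_PIPELINE_ID"
          --web-identity-token "$GITLAB_OIDC_TOKEN" --duration-seconds 3600
"""
import re
from typing import Dict

ACCOUNT_ID = "123456789012"       # placeholder
OIDC_HOST = "gitlab.com"
AUDIENCE = "https://gitlab.com"   # must equal the `aud:` under id_tokens in .gitlab-ci.yml


def trust_policy(project_path: str, branch: str = "main") -> dict:
    """Role trust policy: only ID tokens from one project *and* one branch may assume
    the role. StringLike is used so the same helper can also express a deliberate
    wildcard (see demo) and show what it gives away."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_HOST}:aud": AUDIENCE},
                "StringLike": {f"{OIDC_HOST}:sub":
                               f"project_path:{project_path}:ref_type:branch:ref:{branch}"},
            },
        }],
    }


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' = any run of characters, '?' = one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def would_assume(policy: dict, claims: Dict[str, str]) -> bool:
    """Evaluate the Condition block against the token's claims the way IAM does for the
    two claim-derived keys of a generic OIDC provider (aud, sub). Every operator and
    every key must match; there is no partial credit."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        ok = all(claims.get(key.split(":", 1)[1]) == expected
                 for key, expected in cond.get("StringEquals", {}).items())
        ok = ok and all(_like(pattern, claims.get(key.split(":", 1)[1], ""))
                        for key, pattern in cond.get("StringLike", {}).items())
        if ok:
            return True
    return False


def gitlab_claims(project_path: str, ref: str, ref_type: str = "branch",
                  aud: str = AUDIENCE) -> Dict[str, str]:
    """Claims a GitLab CI ID token carries (constructed, not a captured token)."""
    return {"iss": f"https://{OIDC_HOST}", "aud": aud,
            "sub": f"project_path:{project_path}:ref_type:{ref_type}:ref:{ref}",
            "project_path": project_path, "ref": ref, "ref_type": ref_type}


def demo() -> Dict[str, bool]:
    strict = trust_policy("my-group/my-infra", "main")
    loose = trust_policy("my-group/*", "*")   # anti-pattern: any branch of any project in the group
    return {
        "main_branch_allowed": would_assume(strict, gitlab_claims("my-group/my-infra", "main")),
        "feature_branch_denied": not would_assume(strict, gitlab_claims("my-group/my-infra", "feature/x")),
        "other_project_denied": not would_assume(strict, gitlab_claims("my-group/other-app", "main")),
        "other_namespace_denied": not would_assume(strict, gitlab_claims("someone-else/my-infra", "main")),
        "wrong_audience_denied": not would_assume(strict, gitlab_claims("my-group/my-infra", "main",
                                                                        aud="sts.amazonaws.com")),
        "loose_policy_admits_any_feature_branch": would_assume(loose, gitlab_claims("my-group/other-app", "feature/x")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last entry of demo() is the check worth running against a real trust policy: a wildcard in the project or branch part of sub lets any pipeline in the group, including one on an unreviewed feature branch, obtain credentials for the infrastructure role.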
Project 22 - Bootstrap cluster with add-ons using EKS Blueprints (Module 15)
Demo Project:
Deploy cluster add-ons (Cluster Autoscaler, Metrics Server, AWS Load Balancer Controller) using EKS Blueprints.
Technologies used:
EKS Blueprints, GitLab CI, AWS EKS, AWS STS, AWS IAM, Terraform, Kubernetes
Project Description:
- Deploy and configure the Cluster Autoscaler for dynamic scaling of nodes up and down based on resource demand
- Deploy the Metrics Server, which supplies the resource metrics used for autoscaling
- Deploy the AWS Load Balancer Controller, which provisions AWS load balancers for cluster services
Capstone Project 23-26 - Completely automated end-to-end CI/CD Pipeline with GitOps principles using GitLab CI and Argo CD (Module 16)
Demo Project Part 1:
Deploy Argo CD in the EKS cluster using the IaC pipeline
Technologies used:
Argo CD, GitLab CI, AWS EKS, Terraform, Kubernetes, Helm Chart
Project Description:
- Install Argo CD in the EKS cluster
- Create the Argo CD Application manifest
- Configure the connection to the GitOps repository and automatic syncing from it
- Execute the IaC pipeline to deploy Argo CD in the EKS cluster

Demo Project Part 2:
Automatically deploy K8s manifest files to the cluster via Argo CD
Technologies used:
Kubernetes, Kustomize, Argo CD, Git, AWS EKS
Project Description:
- Write K8s manifest files for all microservices
- Write a K8s manifest for external access using Ingress
- Argo CD deploys the microservices automatically as soon as the manifest files are pushed to the Git repository
Demo Project Part 3:
Create a pipeline for the GitOps project that updates the Kustomization file
Technologies used:
Kubernetes, Kustomize, Argo CD, Git
Project Description:
- Configure a GitLab CI pipeline that updates the image version of the changed microservice in the Kustomization file and pushes the commit to the Git repository
- Configure GitLab access with a project deploy token

Demo Project Part 4:
Create a CI pipeline for the microservices that triggers the GitOps pipeline
Technologies used:
Kubernetes, Kustomize, Argo CD, Git
Project Description:
- Create a CI pipeline for the microservices that tests the code, scans for security vulnerabilities, and builds and pushes the image to the Docker repository (not repeated here; the code from the previous lectures can be reused)
- Add a job to the CI pipeline that triggers the GitOps pipeline and passes environment variables
- The full CI/CD pipeline is triggered: Argo CD deploys the app as soon as code is pushed to the Git repository by GitLab CI
Capstone Project 27-28 - Increase Security using Policy as Code to automatically reject K8s misconfigurations (Module 17)
Demo Project Part 1:
Deploy OPA Gatekeeper in the EKS cluster using the IaC pipeline
Technologies used:
OPA Gatekeeper, Argo CD, GitLab CI, AWS EKS, Terraform, K8s, Helm Chart
Project Description:
- Configure Gatekeeper in Terraform using its Helm chart
- Execute the IaC pipeline to deploy OPA Gatekeeper in the EKS cluster
Demo Project Part 1 (Module 18):
Deploy the External Secrets Operator in the EKS cluster via the IaC pipeline
Technologies used:
External Secrets Operator, GitLab CI, AWS EKS, Terraform, K8s
Project Description:
- Enable the External Secrets EKS add-on in Terraform's EKS Blueprints module
- Execute the IaC pipeline to deploy the External Secrets add-on in the EKS cluster

Demo Project Part 2 (Module 18):
Create secrets in AWS Secrets Manager and give a K8s service account access to them
Technologies used:
AWS Secrets Manager, GitLab CI, AWS EKS, Terraform, K8s
Project Description:
- Add Terraform configuration to create an IAM role with permission to read the AWS Secrets Manager secrets
- Add Terraform configuration to create a K8s service account that maps to the IAM role
- Deploy the Terraform configuration via the IaC pipeline
Project 31 - Fetch secrets from AWS Secrets Manager using External Secrets Operator CRDs and map them to K8s secrets (Module 18)
Project Description:
- Create a ClusterSecretStore that connects the K8s cluster to AWS Secrets Manager, using the K8s service account to authenticate to Secrets Manager
- Create an ExternalSecret that maps a secret from AWS Secrets Manager to a native K8s Secret
- Deploy the above CRDs via Argo CD
- Mount the fetched secret into a pod to validate that the secret has been fetched into the cluster
- Update the secret value in AWS Secrets Manager to showcase the automatic syncing of the value into the K8s cluster
Project 32-33 - Deploy Istio Service Mesh and Expose a Secure Istio Gateway (Module 19)
Demo Project Part 1:
Deploy the Istio service mesh in the EKS cluster via the IaC pipeline
Technologies used:
Istio, GitLab CI, AWS EKS, Terraform, K8s
Project Description:
- Install Istio and the Istio ingress gateway in the EKS cluster using Terraform configuration, and enable sidecar proxy injection in the application namespace
- Execute the IaC pipeline to deploy Istio in the EKS cluster

Demo Project Part 2:
Expose the microservices app through the Istio gateway over HTTPS
Technologies used:
Istio, Istio gateway, AWS Secrets Manager, GitLab CI, AWS EKS, Argo CD, K8s
Project Description:
- Configure traffic routing in the cluster via Istio
- Create a VirtualService for the frontend of the application that routes traffic through the gateway to the microservices app
-Generate a self-signed certificate for the Istio gateway's TLS (sufficient for the demo; real clients need a CA-issued certificate) and store it in AWS Secrets Manager
- Configure the Istio gateway to accept HTTPS connections only
Project 33 - Enable Strict mTLS in Istio Service Mesh (Module 19)
Demo Project:
Validate that Istio mTLS traffic is enabled in the app namespace
Technologies used:
Istio, AWS EKS, K8s
Project Description:
- Deploy a test pod to validate mTLS traffic between pods that have Envoy sidecar proxies
- Enable STRICT mTLS mode to disallow any unencrypted traffic between pods (Istio's default PERMISSIVE mode still accepts plaintext from workloads without a sidecar)
Project 34 - Secure Pod Traffic using Istio AuthorizationPolicy (Module 19)
Demo Project:
Secure pod traffic using Istio AuthorizationPolicy resources
Technologies used:
Istio, AWS EKS, Argo CD, Kustomize, K8s
Project Description:
- Create an AuthorizationPolicy for the pods within the application namespace
- Enable proxy injection in the Argo CD namespace
- Validate the restricted traffic rules by sending requests from different pods within the cluster
- Create an AuthorizationPolicy that restricts traffic from the application namespace to the Argo CD namespace
Project 35 - Create Automated Compliance Checks for AWS resources (Module 20)
Demo Project Part 1:
Set up AWS Config to run automated compliance audits
Technologies used:
AWS, AWS Config, Security Group, CloudTrail, AWS EC2
Project Description:
- Set up a rule that validates that the SSH port is not open on EC2 servers (e.g. the AWS Config managed rule restricted-ssh)
- Set up a rule that checks that CloudTrail is always enabled and logging (e.g. the managed rule cloudtrail-enabled)
Project 36 - Auto Remediate Compliance Issues (Module 20)
Demo Project Part 2:
Configure auto-remediation for compliance issues
Technologies used:
AWS, AWS Config, Security Group, CloudTrail, AWS EC2
Project Description:
- Create an IAM role that SSM assumes to modify security group and CloudTrail resources
- Configure auto-remediation with an SSM script that removes the SSH ingress rule from the security group
- Configure auto-remediation to enable logging in CloudTrail
Project 37 - Create Automated Compliance Checks for EKS Cluster compliance (Module 20)
Demo Project Part 1:
Set up AWS Config to run automated compliance checks for the EKS cluster configuration
Technologies used:
AWS, AWS Config, AWS EKS, Kubernetes
Project Description:
- Add a rule that validates that the EKS clusters in the AWS account run a supported Kubernetes version
- Add a rule that ensures all EKS control plane components have logging enabled
- Manually enable logging of the EKS cluster components to make the cluster compliant
DevSecOps Portfolio
With all these demos, you will end up with a substantial project portfolio.