Author: Ankit Dand | Program: GET 2026 | Date: December 2025
Automated DevSecOps pipeline that scans Terraform infrastructure code for security vulnerabilities before deployment. Uses AI (Claude) to analyze and fix security issues.
Key Achievement: Reduced security vulnerabilities from 6 CRITICAL/HIGH issues to 0 through AI-driven remediation.
Developer → GitHub → Jenkins Pipeline → Trivy Scan → Terraform
↓
[AI Analysis]
↓
[Security Fixes]
Pipeline Stages:
- Checkout code from GitHub
- Security scan with Trivy
- Terraform validation
- Terraform plan
| Component | Technology |
|---|---|
| Application | Python Flask 3.0 |
| Containerization | Docker + Docker Compose |
| Infrastructure | Terraform 1.14.3 |
| CI/CD | Jenkins LTS |
| Security | Trivy 0.48.3 |
| AI | Claude (Anthropic) |
devops-security-project/
├── app/ # Flask application + Dockerfile
├── terraform/ # Infrastructure code (secured)
├── jenkins/ # Jenkinsfile + Jenkins setup
├── vulnerable-terraform/ # Original vulnerable code (backup)
├── screenshots/ # Project screenshots
└── README.md
# 1. Clone repository
git clone https://github.com/AnkitDand/DevOps-Security-Project.git
# 2. Test Flask app locally
cd app && docker-compose up
# Access: http://localhost:5000
# 3. Start Jenkins
cd jenkins && docker-compose up -d
# Access: http://localhost:8080
# 4. Create Jenkins pipeline pointing to your GitHub repo
# 5. Run pipeline - will fail initially (expected)
# 6. Fix vulnerabilities using AI recommendations
# 7. Re-run pipeline - should pass ✅| Issue | Severity | Risk |
|---|---|---|
| SSH open to 0.0.0.0/0 | CRITICAL | Brute force attacks |
| Unrestricted egress | CRITICAL | Data exfiltration |
| Unencrypted EBS | HIGH | Data breach |
| IMDSv1 allowed | MEDIUM | SSRF attacks |
Trivy Result: 5 CRITICAL, 1 HIGH = FAILED
| Fix Applied | Implementation |
|---|---|
| SSH restricted | Only admin IP allowed |
| Egress limited | HTTP/HTTPS/DNS only |
| EBS encrypted | KMS encryption enabled |
| IMDSv2 enforced | Session tokens required |
Trivy Result: 0 vulnerabilities = PASSED
I ran Trivy security scan and found 5 CRITICAL and 1 HIGH vulnerabilities:
- SSH open to 0.0.0.0/0
- Unrestricted egress traffic
- Unencrypted EBS volumes
Please explain each risk and provide fixed Terraform code.
Claude identified:
- SSH Exposure → Restrict to admin IP only (prevents brute force)
- Open Egress → Limit to ports 80, 443, 53 (prevents data theft)
- No Encryption → Enable KMS encryption (protects data at rest)
- IMDSv1 → Enforce IMDSv2 (prevents SSRF attacks)
Before:
ingress {
cidr_blocks = ["0.0.0.0/0"] # ❌ SSH open to world
}
root_block_device {
encrypted = false # ❌ No encryption
}After:
ingress {
cidr_blocks = [var.admin_ip] # ✅ Restricted to admin
}
root_block_device {
encrypted = true # ✅ KMS encrypted
kms_key_id = aws_kms_key.ebs.arn
}- Before: 🔴 6 vulnerabilities (CRITICAL risk)
- After: 🟢 0 vulnerabilities (LOW risk)
- Impact: 100% vulnerability reduction
Shows 6 security vulnerabilities detected
All security checks passed
Application accessible at localhost:5000
Issue: HTTP/HTTPS ports flagged as vulnerable
Solution: Used .trivyignore to skip acceptable web server rules
Learning: Differentiate real vulnerabilities from false positives
- Security Automation: Automated scanning catches issues before deployment
- AI-Assisted Development: AI accelerates vulnerability remediation
- Infrastructure as Code: Version control for infrastructure enables security review
- DevSecOps Culture: Security integrated into development workflow, not added later
- Multi-environment support (dev/staging/prod)
- Terraform state management (S3 backend)
- Container orchestration (ECS/EKS)
- Enhanced monitoring (CloudWatch alarms)
- Secrets management (AWS Secrets Manager)
Successfully implemented automated DevSecOps pipeline with:
- ✅ 100% vulnerability reduction (6 → 0)
- ✅ AI-driven security remediation
- ✅ Production-ready infrastructure code
- ✅ Automated security validation
Key Achievement: Demonstrated that security can be automated, enabling faster and safer deployments.