A production-grade DevSecOps platform enforcing Security-as-Code at every stage of the CI/CD lifecycle.
GateKeeper is a six-module DevSecOps pipeline platform that treats security as a first-class engineering concern. Rather than bolting security on at the end, every stage of the delivery pipeline enforces automated security gates — from static analysis and secret detection to container scanning and infrastructure hardening.
Vulnerabilities are caught before they ship, not after.
```
Webhook → Jenkins → [SAST + Secret Scan] (parallel) → Docker Build + SCA → IaC + Provision → Blue-Green Deploy
                                                                                                    ↓
                                                                                        Prometheus / Grafana / ELK
```
The pipeline runs 12 services locally via Docker Compose and deploys to Kubernetes using a blue-green strategy for zero-downtime releases.
| # | Module | Tools |
|---|---|---|
| 1 | Build Triggering | Jenkins, Hardened Docker Agent |
| 2 | Static Analysis & Linting | SonarQube 10.3, Checkstyle |
| 3 | Container Build & SCA | Hadolint, Trivy 0.48.3 |
| 4 | Secret Detection | Gitleaks 8.18.1 |
| 5 | IaC & Blue-Green Deploy | Terraform, Ansible, Kubernetes |
| 6 | Observability | Prometheus 2.49, Grafana 10.3, ELK Stack |
Every pipeline run passes through an automated decision tree before any deployment is permitted:
```
secrets found?             → ABORT immediately
SAST quality gate failed?  → FAIL with report
critical CVEs?             → FAIL with report
all clear?                 → DEPLOY via blue-green
```
No manual override. No exceptions. Security gates are non-negotiable.
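The decision tree above as a gate evaluator, written here as an added example rather than taken from GateKeeper's Jenkinsfile. It assumes the pipeline hands it three report files: the Gitleaks JSON report (`gitleaks detect --report-format json --report-path gitleaks.json`), the SonarQube `api/qualitygates/project_status` response saved to disk, and the Trivy JSON report (`trivy image --format json --output trivy.json`). The sample reports embedded below are constructed, and the file paths, metric keys and package versions in them are illustrative only.

```python
"""Gate evaluator: walks the gates in the documented order, first failure decides.

Added example, not GateKeeper's own code. There is deliberately no override
parameter anywhere in the call chain.
"""
import json
import sys

ABORT, FAIL, DEPLOY = "ABORT", "FAIL", "DEPLOY"
EXIT_CODES = {ABORT: 2, FAIL: 1, DEPLOY: 0}   # non-zero exit fails the Jenkins stage


def secret_findings(gitleaks_report):
    """Gitleaks writes a JSON list of findings; any entry at all aborts the run."""
    return [f"{f['RuleID']} in {f['File']}:{f['StartLine']}" for f in gitleaks_report]


def failed_sonar_conditions(sonar_status):
    """Metric keys whose condition is in ERROR; empty only when the gate passed."""
    project = sonar_status["projectStatus"]
    if project["status"] == "OK":
        return []
    failed = [c["metricKey"] for c in project.get("conditions", [])
              if c.get("status") == "ERROR"]
    # Any status other than OK (ERROR, or NONE when no analysis exists yet) blocks:
    # an unknown gate is not a passed gate.
    return failed or [f"quality gate status {project['status']}"]


def critical_cves(trivy_report, severities=("CRITICAL",)):
    """Collect blocking-severity vulnerabilities across every scanned target."""
    found = []
    for result in trivy_report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key is absent for a clean target
            if vuln.get("Severity") in severities:
                found.append(f"{vuln['VulnerabilityID']} in {vuln['PkgName']} "
                             f"{vuln['InstalledVersion']} "
                             f"(fixed in {vuln.get('FixedVersion') or 'no fix'})")
    return found


def evaluate(gitleaks_report, sonar_status, trivy_report):
    """Return (outcome, reason, details). Secrets win even if every other scan is clean."""
    secrets = secret_findings(gitleaks_report)
    if secrets:
        return ABORT, "secrets found", secrets
    sonar = failed_sonar_conditions(sonar_status)
    if sonar:
        return FAIL, "SAST quality gate failed", sonar
    cves = critical_cves(trivy_report)
    if cves:
        return FAIL, "critical CVEs", cves
    return DEPLOY, "all clear", []


# Constructed samples shaped like the real reports; paths and versions are illustrative.
SAMPLE_GITLEAKS = [{"RuleID": "generic-api-key", "StartLine": 12, "Secret": "REDACTED",
                    "File": "app/user-service/src/main/resources/application.yml"}]
SAMPLE_SONAR_FAIL = {"projectStatus": {"status": "ERROR", "conditions": [
    {"metricKey": "new_security_hotspots_reviewed", "status": "ERROR"},
    {"metricKey": "new_coverage", "status": "OK"}]}}
SAMPLE_SONAR_OK = {"projectStatus": {"status": "OK", "conditions": []}}
SAMPLE_TRIVY_LOG4SHELL = {"Results": [{"Target": "order-service.jar", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
     "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0", "Severity": "CRITICAL"}]}]}
SAMPLE_TRIVY_CLEAN = {"Results": [{"Target": "order-service:1.0 (alpine 3.19)"}]}


def load_report(path, empty_value):
    """Defensive: treat an empty report file as 'nothing found' rather than a parse error."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read().strip()
    return json.loads(text) if text else empty_value


def main(argv):
    """Usage: gate.py gitleaks.json sonar.json trivy.json"""
    if len(argv) < 4:
        print(main.__doc__)
        return 64
    gitleaks = load_report(argv[1], [])
    sonar = load_report(argv[2], {"projectStatus": {"status": "NONE"}})
    trivy = load_report(argv[3], {})
    outcome, reason, details = evaluate(gitleaks, sonar, trivy)
    print(f"{outcome}: {reason}")
    for line in details:
        print(f"  - {line}")
    return EXIT_CODES[outcome]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The ordering is the whole point: `evaluate` returns on the first failing gate, so a leaked secret aborts the run even when SonarQube and Trivy are green, and a missing SonarQube analysis (`status: NONE`) is treated as a failure rather than a pass.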
The platform ships with a three-tier Spring Boot microservices application (API Gateway, User Service, Order Service) containing 6 intentionally seeded vulnerabilities to validate each gate:
| Vulnerability | Type | Detected By |
|---|---|---|
| SQL Injection | SAST | SonarQube |
| Path Traversal | SAST | SonarQube |
| XXE Injection | SAST | SonarQube |
| Log4Shell (CVE-2021-44228) | SCA | Trivy |
| CVE-2023-28858 | SCA | Trivy |
| Hardcoded API Key | Secret | Gitleaks |
All six are detected and blocked automatically — no manual review required.
```bash
# Start all 12 services locally
docker-compose up -d
```

| Service | URL |
|---|---|
| Jenkins | http://localhost:8080 |
| SonarQube | http://localhost:9000 |
| Grafana | http://localhost:3000 |
| Prometheus | http://localhost:9090 |
| Kibana | http://localhost:5601 |
For full setup instructions, see docs/setup.md.
```
GateKeeper/
├── Jenkinsfile             # Full declarative pipeline
├── Dockerfile              # Hardened application image
├── docker-compose.yml      # Local dev stack (12 services)
├── app/                    # Spring Boot microservices
├── terraform/              # IaC modules (EKS, RBAC, NetworkPolicies)
├── ansible/                # CIS Level 1 hardening playbooks
├── kubernetes/             # Blue-green deployments, RBAC, monitoring
├── monitoring/             # Prometheus, Grafana, Logstash, Alertmanager
├── scripts/                # Blue-green deploy & pre-commit hooks
├── docker/jenkins-agent/   # Hardened build agent
└── docs/setup.md           # Full setup guide
```
- Parallel security scanning — SAST and secret detection run concurrently to minimise pipeline duration without sacrificing coverage
- Hardened build agent — Pipeline stages execute inside a custom Jenkins Docker agent built to CIS benchmarks, so the build environment itself is a security boundary rather than a trusted host
- CIS Level 1 hardening — Ansible playbooks enforce baseline OS hardening on every provisioned node before deployment
- Blue-green deployments — Zero-downtime releases with instant rollback capability; production traffic only shifts after health checks pass
- Full observability stack — Prometheus metrics, Grafana dashboards, and ELK log aggregation provide end-to-end visibility post-deployment
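The blue-green cut-over rule (traffic shifts only after the idle colour is healthy, and the previous selector is kept for rollback) as an added example; this is not GateKeeper's `scripts/` code. It operates on objects shaped like `kubectl get service -o json` and `kubectl get deployment -o json` output and produces the strategic-merge patch body for `kubectl patch service <name> -p '<json>'`; the Service and Deployment objects it builds are constructed samples, and the label key `version` with values `blue`/`green` is an assumption about the manifests.

```python
"""Health-gated blue-green cut-over on kubectl-shaped JSON (added example)."""
import json

COLOURS = ("blue", "green")
LABEL = "version"   # assumed selector label; adjust to the manifests in kubernetes/


def active_colour(service):
    colour = service["spec"]["selector"].get(LABEL)
    if colour not in COLOURS:
        raise ValueError(f"service selector must set {LABEL} to one of {COLOURS}, got {colour!r}")
    return colour


def idle_colour(service):
    return "green" if active_colour(service) == "blue" else "blue"


def deployment_healthy(deployment):
    """All desired replicas must be updated, available and ready (readiness probes passed)."""
    desired = deployment["spec"].get("replicas", 1)
    status = deployment.get("status", {})
    return desired > 0 and all(status.get(key, 0) == desired
                               for key in ("updatedReplicas", "availableReplicas", "readyReplicas"))


def pods_carry_label(deployment, colour):
    """Patching the Service to a colour no pod carries would route traffic to nothing."""
    return deployment["spec"]["template"]["metadata"]["labels"].get(LABEL) == colour


def selector_patch(colour):
    """Patch body for: kubectl patch service <name> -p '<this string>'"""
    return json.dumps({"spec": {"selector": {LABEL: colour}}}, sort_keys=True)


def plan_cutover(service, deployments):
    """Return (target, patch, rollback_patch); raise instead of shifting traffic when unsafe."""
    current = active_colour(service)
    target = idle_colour(service)
    candidate = deployments[target]
    if not pods_carry_label(candidate, target):
        raise RuntimeError(f"{target} deployment pods are not labelled {LABEL}={target}")
    if not deployment_healthy(candidate):
        ready = candidate.get("status", {}).get("readyReplicas", 0)
        desired = candidate["spec"].get("replicas", 1)
        raise RuntimeError(f"{target} not healthy ({ready}/{desired} ready); traffic stays on {current}")
    # The rollback patch is just the current selector: applying it is the instant rollback.
    return target, selector_patch(target), selector_patch(current)


# Constructed sample objects, trimmed to the fields the functions read.
def make_service(colour):
    return {"kind": "Service", "spec": {"selector": {"app": "api-gateway", LABEL: colour}}}


def make_deployment(colour, desired, ready):
    return {"kind": "Deployment",
            "spec": {"replicas": desired,
                     "template": {"metadata": {"labels": {"app": "api-gateway", LABEL: colour}}}},
            "status": {"updatedReplicas": ready, "availableReplicas": ready, "readyReplicas": ready}}


if __name__ == "__main__":
    svc = make_service("blue")
    fleet = {"blue": make_deployment("blue", 3, 3), "green": make_deployment("green", 3, 3)}
    target, patch, rollback = plan_cutover(svc, fleet)
    print(f"shift traffic to {target}: kubectl patch service api-gateway -p '{patch}'")
    print(f"rollback:                kubectl patch service api-gateway -p '{rollback}'")
```

Because the switch is a single selector patch, rollback is the inverse patch and does not wait for any pod to start; the health check is enforced before the cut-over, not after.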
Built by Hrishikesh Bywar