<a href="https://colab.research.google.com/github/J878-commits/-Task-1-Text-Summarization-with-Transformers-Gradio-/blob/main/%22Secure_DevOps_in_Action_Simulating_CI_CD_with_SonarQube_%26_OWASP_ZAP%22.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

✅ Task 4: Secure DevOps – CI/CD Pipeline with SonarQube & OWASP ZAP
Notebook Title: Secure DevOps Pipeline Simulation – SonarQube & OWASP ZAP Integration

📌 Step-by-Step Structure for Colab

# 🔐 Secure DevOps Pipeline Simulation – CodTech Internship Task 4

This notebook simulates the integration of security scanning tools—**SonarQube** for static code analysis and **OWASP ZAP** for dynamic vulnerability scanning—into a CI/CD pipeline, using Python cells for the simulated scan results and a YAML-style pipeline definition for the stages. No real scanner is run; the point is the shape of the pipeline and of the results it has to act on.

**Goal:** Demonstrate secure DevOps practices by configuring a pipeline and generating a simulated vulnerability report.

**Deliverables:**
- CI/CD pipeline configuration
- Vulnerability scan simulation
- Summary report for internship completion

---


⚙️ 2. Simulate Project Setup (Python)

In [1]:
# Simulate a basic project structure
project_files = {
    # Guard the call with __main__ so importing app.py (e.g. from tests) has no side effects
    "app.py": "def hello():\n    print('Hello, world!')\n\nif __name__ == '__main__':\n    hello()\n",
    # Unpinned dependencies are fine for a demo; a real pipeline should pin versions
    # so that builds are reproducible and the scanned artifact is the one that ships
    "requirements.txt": "flask\nrequests\n",
    # CMD exec form is JSON, so it needs double quotes: with single quotes Docker
    # falls back to shell form and tries to execute a literal "['python', 'app.py']"
    "Dockerfile": "FROM python:3.9\nCOPY . /app\nWORKDIR /app\nRUN pip install -r requirements.txt\nCMD [\"python\", \"app.py\"]\n"
}

for filename, content in project_files.items():
    with open(filename, "w") as f:
        f.write(content)

print("✅ Project files created.")


✅ Project files created.


🧪 3. Simulate SonarQube Static Analysis (Python)

In [2]:
# Simulate SonarQube scan results
sonarqube_results = {
    "bugs": 2,
    "vulnerabilities": 1,
    "code_smells": 5,
    "security_hotspots": 1
}

print("🔍 SonarQube Scan Summary:")
for k, v in sonarqube_results.items():
    print(f"{k.capitalize()}: {v}")


🔍 SonarQube Scan Summary:
Bugs: 2
Vulnerabilities: 1
Code_smells: 5
Security_hotspots: 1
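Printing the counters is not what a pipeline needs; it needs a verdict. The cell below is an added example (not part of the original notebook) showing the two ways a `scan` job usually gets one from SonarQube: a local threshold policy applied to the raw counters, and the server-side quality gate read from the `projectStatus` JSON that the Web API endpoint `api/qualitygates/project_status` returns. The JSON sample is constructed to mirror the simulated numbers above, no server is contacted, and the threshold values in `LOCAL_THRESHOLDS` are a hypothetical policy for this notebook, not SonarQube's built-in gate.

```python
import json

# Constructed sample of the JSON SonarQube's Web API returns from
# GET /api/qualitygates/project_status?projectKey=<key>. No server is
# contacted; the values are made up to mirror the simulated counters above.
SAMPLE_PROJECT_STATUS = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "1"},
            {"status": "OK", "metricKey": "new_bugs",
             "comparator": "GT", "errorThreshold": "5", "actualValue": "2"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "0.0"},
        ],
    }
})

# Hypothetical local policy for the raw counters: how many of each the
# pipeline tolerates before the scan stage counts as failed.
LOCAL_THRESHOLDS = {"vulnerabilities": 0, "security_hotspots": 0, "bugs": 5}


def local_gate(results, thresholds=LOCAL_THRESHOLDS):
    """Apply thresholds to a dict shaped like sonarqube_results.

    Returns (passed, failures); failures names every metric over its limit.
    """
    failures = [
        f"{metric}={results.get(metric, 0)} exceeds limit {limit}"
        for metric, limit in thresholds.items()
        if results.get(metric, 0) > limit
    ]
    return (not failures, failures)


def sonar_gate(project_status_json):
    """Parse a project_status response and return (passed, failed_conditions).

    The server-side verdict is what counts: any condition in ERROR, or an
    overall status other than OK, fails the gate.
    """
    status = json.loads(project_status_json)["projectStatus"]
    failed = [
        f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c['actualValue']})"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return (status.get("status") == "OK" and not failed, failed)


def exit_code(passed):
    """Map a gate verdict to the process exit status a CI runner checks."""
    return 0 if passed else 1


if __name__ == "__main__":
    sonarqube_results = {"bugs": 2, "vulnerabilities": 1,
                         "code_smells": 5, "security_hotspots": 1}
    verdicts = {
        "local counters": local_gate(sonarqube_results),
        "server quality gate": sonar_gate(SAMPLE_PROJECT_STATUS),
    }
    for name, (ok, reasons) in verdicts.items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
        for reason in reasons:
            print(f"  - {reason}")
    # A non-zero exit is what actually stops the deploy stage.
    raise SystemExit(exit_code(all(ok for ok, _ in verdicts.values())))
```

In a real job the JSON would come from an authenticated `GET` to the SonarQube server (or, simpler, from running `sonar-scanner` with `-Dsonar.qualitygate.wait=true`, which blocks until the gate is evaluated and exits non-zero on ERROR); the parsing and the exit-code mapping stay the same.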


🕷️ 4. Simulate OWASP ZAP Dynamic Scan (Python)

In [3]:
# Simulate OWASP ZAP scan results
zap_results = {
    "SQL Injection": "Low",
    "XSS": "Medium",
    "CSRF": "High",
    "Sensitive Data Exposure": "Medium"
}

print("🛡️ OWASP ZAP Vulnerability Report:")
for vuln, severity in zap_results.items():
    print(f"{vuln}: {severity}")


🛡️ OWASP ZAP Vulnerability Report:
SQL Injection: Low
XSS: Medium
CSRF: High
Sensitive Data Exposure: Medium
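A real ZAP run does not hand back a dict of names and severities; it writes a report whose alerts carry a numeric `riskcode` (0 Informational, 1 Low, 2 Medium, 3 High), a confidence, and the instances where each rule fired. The cell below is an added example (not from the original notebook or from the ZAP project) that parses a report in the layout of ZAP's traditional JSON report (`site[].alerts[]`) and turns it into the pass/fail decision the `scan` stage needs, with an accepted-risk list so that a documented false positive does not block every build. The report is constructed for this notebook: the plugin IDs are ZAP's own rule IDs, but the findings, host and URLs are made up.

```python
import json

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_CODES = {name: int(code) for code, name in RISK_NAMES.items()}

# Constructed sample in the layout of ZAP's traditional JSON report
# (site[].alerts[] with riskcode 0-3). Plugin IDs are ZAP rule IDs; the
# findings, host and URLs are invented for this notebook.
SAMPLE_ZAP_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "http://codtech-app:5000",
        "@host": "codtech-app",
        "@port": "5000",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
             "confidence": "2", "riskdesc": "High (Medium)",
             "instances": [{"uri": "http://codtech-app:5000/search?q=1", "method": "GET", "param": "q"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2", "riskdesc": "High (Medium)",
             "instances": [{"uri": "http://codtech-app:5000/search?q=1", "method": "GET", "param": "q"}]},
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens", "riskcode": "2",
             "confidence": "1", "riskdesc": "Medium (Low)",
             "instances": [{"uri": "http://codtech-app:5000/login", "method": "GET", "param": ""},
                           {"uri": "http://codtech-app:5000/profile", "method": "GET", "param": ""}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "riskdesc": "Low (Medium)",
             "instances": [{"uri": "http://codtech-app:5000/", "method": "GET", "param": "x-content-type-options"}]},
        ],
    }],
})


def summarize_alerts(report_json):
    """Flatten a ZAP JSON report into one row per alert."""
    rows = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            rows.append({
                "site": site["@name"],
                "pluginid": alert["pluginid"],
                "alert": alert["alert"],
                "riskcode": int(alert["riskcode"]),
                "risk": RISK_NAMES[alert["riskcode"]],
                "instances": len(alert.get("instances", [])),
            })
    return rows


def zap_gate(report_json, fail_on="Medium", accepted_plugins=()):
    """Decide whether the dynamic scan blocks the pipeline.

    fail_on is the lowest risk level that blocks; accepted_plugins lists rule
    IDs whose findings have been risk-accepted (and documented elsewhere).
    Returns (passed, blocking_rows).
    """
    threshold = RISK_CODES[fail_on]
    blocking = [
        row for row in summarize_alerts(report_json)
        if row["riskcode"] >= threshold and row["pluginid"] not in accepted_plugins
    ]
    return (not blocking, blocking)


if __name__ == "__main__":
    print("🛡️ OWASP ZAP Vulnerability Report:")
    for row in summarize_alerts(SAMPLE_ZAP_REPORT):
        print(f"[{row['risk']:<13}] {row['alert']} (rule {row['pluginid']}, {row['instances']} instance(s))")
    passed, blocking = zap_gate(SAMPLE_ZAP_REPORT, fail_on="Medium")
    print("scan stage:", "PASS" if passed else f"FAIL ({len(blocking)} blocking alert(s))")
```

Keep the accepted-risk list in version control next to the pipeline, keyed by rule ID rather than by alert name, so the exemption survives a ZAP upgrade that renames the alert and a reviewer can see exactly what was waived.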


🔄 5. Simulated CI/CD Pipeline Configuration (Markdown + YAML-style)

In [5]:
pipeline_yaml = """
stages:
  - build
  - test
  - scan
  - deploy

build:
  script:
    - docker build -t codtech-app .

test:
  script:
    - pytest

scan:
  script:
    - sonar-scanner
    - zap-cli quick-scan --self-contained --start-options

deploy:
  script:
    - kubectl apply -f deployment.yaml
"""

print(pipeline_yaml)



stages:
  - build
  - test
  - scan
  - deploy

build:
  script:
    - docker build -t codtech-app .

test:
  script:
    - pytest

scan:
  script:
    - sonar-scanner
    - zap-cli quick-scan --self-contained --start-options

deploy:
  script:
    - kubectl apply -f deployment.yaml



## Task Summary, Insights, and Conclusion

This notebook simulated a secure DevOps pipeline by integrating **SonarQube** for static code analysis and **OWASP ZAP** for dynamic vulnerability scanning within a CI/CD workflow.

1.  **Project Setup Simulation:** Basic project files (`app.py`, `requirements.txt`, `Dockerfile`) were created to represent a typical application structure.
2.  **SonarQube Simulation:** Simulated SonarQube scan results indicated the presence of technical debt and potential security issues (bugs, vulnerabilities, code smells, security hotspots).
3.  **OWASP ZAP Simulation:** Simulated OWASP ZAP scan results highlighted various web application vulnerabilities with different severity levels (e.g., SQL Injection, XSS, CSRF, Sensitive Data Exposure).
4.  **CI/CD Pipeline Configuration Simulation:** A YAML-like structure was presented, outlining the stages of a CI/CD pipeline including build, test, scan (integrating SonarQube and ZAP), and deploy.

**Insights:**

*   The simulation demonstrates the value of integrating security scanning tools early in the CI/CD pipeline. Findings in the `scan` stage only keep vulnerable code out of production if that stage is a real gate: the scanner must exit non-zero on findings above an agreed threshold so that the `deploy` stage never runs, and any accepted risk must be recorded explicitly rather than by lowering the threshold.
*   Both static (SonarQube) and dynamic (OWASP ZAP) analysis provide different perspectives on security and code quality. Static analysis catches issues in the code itself, while dynamic analysis identifies vulnerabilities in the running application. A comprehensive security approach requires both.
*   The simulated results highlight common web application vulnerabilities and code quality issues that need to be addressed for a secure and maintainable application.

**Conclusion:**

The simulation successfully illustrates the concept of a secure DevOps pipeline. By integrating tools like SonarQube and OWASP ZAP, development teams can automate security checks, gain visibility into code quality and vulnerabilities, and ultimately deliver more secure software faster. The simulated results serve as a reminder that continuous security testing is crucial throughout the software development lifecycle.