Skip to content
DevSecOps Distribution - Virtual Environment to learn DevSecOps
Branch: master
Clone or download
Latest commit 7259395 Jan 4, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
helper-scripts Add docker images download and upload result scripts Nov 26, 2018
images Add few more images for lesson-2 Feb 25, 2018
provisioning Bump rvm.ruby role (#73) Dec 25, 2018
sample-files Add scanned outputs Jan 4, 2019
setup Linux Debian one step install enabled. (#8) Apr 5, 2018
LICENSE Create (#15) May 19, 2018
Vagrantfile Bump rvm.ruby role (#73) Dec 25, 2018
machines.yml Move vagrant box to Ubuntu Nov 26, 2018
requirements.yml Multi OS support (#61) Nov 26, 2018

Welcome to DevSecOps Studio Project

Build Status

DevSecOps Studio is one of its kind, self contained DevSecOps environment/distribution to help individuals in learning DevSecOps concepts. It takes lots of efforts to setup the environment for training/demos and more often, its error prone when done manually. DevSecOps Studio is easy to get started, mostly automatic and battle tested during our Practical DevSecOps Courses at

DevSecOps Studio project aims to reduce the time to bootstrap the environment and help you in concentrating on learning/teaching DevSecOps practices with the following features.

  1. Easy to setup environment with just one command “vagrant up”
  2. Teaches Security as Code, Compliance as Code, Infrastructure as Code
  3. With built-in support for CI/CD pipeline
  4. OS hardening using ansible
  5. Compliance as code using Inspec
  6. QA security using ZAP, BDD-Security and Gauntlt
  7. Static tools like bandit, brakeman, windbags, gitrob, gitsecrets
  8. Security Monitoring using ELK stack.

How do I get set up?

Summary of Setup


Install Vagrant, Virtualbox, Ansible and Follow the below steps.

# Download the code
$ git clone && cd DevSecOps-Studio

# Download the ansible dependency roles
$ ansible-galaxy install -r requirements.yml -p provisioning/roles

# Setup the environment, takes an hour or less based on your internet speed.
$ vagrant up

Go grab some coffee while DevSecOps Studio does its job.

Yes, that's it, you just setup entire DevSecOps environment with three commands :)

Go ahead and read Practical DevSecOps Lessons on the wiki

Installation video



DevSecOps Studio uses vagrant, virtualbox and ansible to setup the lab environment. You can visit the vendor's website to download the above software for on Windows/Linux/macOS.

DevSecOps Studio simulates the environment presented below.



  • Atleast 4GB of RAM for the virtual machines.
  • 60GB of HDD Space.
  • Intel i3 Processor or above.


MacOS (optional)

Prerequisites can also be installed via homebrew on MAC OS X

Homebrew: Optional

 /usr/bin/ruby -e "$(curl -fsSL"


brew cask install vagrant


brew cask install virtualbox


brew install ansible


Curl Installlation(require root privileges to install tools)

curl -O && chmod +x && ./;


Install dependencies using apt-get


sudo sh -c 'echo "deb xenial contrib" >> /etc/apt/sources.list.d/virtualbox.list'

wget -q -O- | sudo apt-key add -

sudo apt update

sudo apt install virtualbox


# Looks like vagrant doesn't play nicely if you install with apt
sudo dpkg -i vagrant_${VAGRANT_VERSION}_x86_64.deb

sudo apt-get install python2 python2-pip


pip install ansible

Windows (optional)

Easiest solution for windows user is to use DevSecOps Studio Virtualbox Appliance

  1. Download DevSecOps-Studio Appliance (4.45 GB) from this link

  2. Import the above Appliance by following these step

Alternatively, Installation can be done using chocolatey by opening up command prompt and using the following command.

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString(''))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

Install dependencies using choco

choco install vagrant virtualbox git -y 

Install ansible via pip

Installation on windows for ansible is not straight forward, please follow these instructions to install cygwin and then install ansible

choco install python2 -y #Installs python 2.7.x, includes pip under scripts folder of python27
pip install ansible


  1. Clone this repo or download the zip

    $ git clone
  2. CD into the directory and check what boxes are available.

    $ cd DevSecOps-Studio && vagrant status
  3. Download requirement ansible dependencies.

    $ ansible-galaxy install -r requirements.yml
  4. Ensure the latest verion of Vagrant is installed on your machine

  5. Edit the machines.yml file to make any changes, if you are not sure please leave it as default. Meanwhile, go grab some coffee to enjoy :)

    vagrant up

You can see how it all fits in DevSecOps pipeline by reading out WIKI

How to use the setup

What's included in the environment?

The environment contains the following tools used in different stages of DevSecOps.

Technology Tools
PenTest Toolkit: Nmap, Metasploit
Static Analysis Tools: Brakeman, bandit, findbugs
Dynamic Analysis Tools: ZAP proxy, Gaunlt
Hardening: DevSec Ansible OS Hardening
Compliance: Inspec
Operating System : Ubuntu Xenial (16.04)
Programming Languages: Java, Python 2, Python 3, Ruby/Rails
Container Technology: Docker
Source Code Management: Gitlab (github like system)
CI Server: Gitlab CI/Jenkins
Configuration Management: Ansible
Monitoring and Log management: Elastic Search, LogStash and Kibana
Cloud Provider Utilities: AWS CLI
Utilities: Git, Vim, curl, wget,

Todo Features

  • Provision the stack on AWS using vagrant.
  • Build Images using Packer and upload to vagrant cloud.
  • Add Ansible Testing using molecule.
  • Add Container scanning using clair.
  • Add Inspec for compliance.

Contribution guidelines

  • Fork this repo.
  • Contribute (documentation/features)
  • Raise a Pull Request (PR)


DevSecOps Studio uses some of the ansible roles from Jeff

Who do I talk to?

  • If you have any questions regarding this repo, please contact Mohammed A. Imran @secfigo and Raghunath G @raghunath24
You can’t perform that action at this time.