Resolve conflicts

.github/workflows/cicd.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # ← Crucial for Sentry and Checkov to see full history
+          fetch-depth: 0  #  Crucial for Sentry and Checkov to see full history
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -36,7 +36,7 @@ jobs:
       - name: Dependency Audit
         run: npm audit --audit-level=high
 
-      # --- IaC Security Scans ---
+      #  IaC Security Scans 
       - name: Checkov Scan (IaC security)
         run: |
           pip install checkov
@@ -60,7 +60,7 @@ jobs:
           sudo mv terrascan /usr/local/bin/
           terrascan scan -d infra/ -i terraform -t k8s || echo "Terrascan completed"
 
-      # --- Build + Scan Image ---
+      #  Build + Scan Image
       - name: Build Docker Images
         run: |
           docker build -t mydev:${{ github.sha }} .
@@ -162,7 +162,7 @@ jobs:
           environment: production
           version: ${{ github.sha }}
           set_commits: auto
-          ignore_missing: true #set to true
+          ignore_missing: true 
 
 
   notify:

README.md

@@ -1,5 +1,12 @@
 # 🚀 FullStack DevSecOps Demo
 
+A production-grade fullstack pipeline showcasing modern DevSecOps practices — from secure CI/CD to observability and Infrastructure-as-Code (IaC).  
+This project demonstrates how to take a simple Node.js/Express app and wrap it with a battle-tested DevSecOps workflow used in real companies.
+
+---
+
+## 🌟 Highlights
+
 - **CI/CD Pipeline**: GitHub Actions with linting, testing, dependency audits, Docker builds, Trivy scans, Gitleaks, CodeQL, Checkov & Terrascan
 - **Secure Containerization**: Hardened Dockerfiles with non-root users and HEALTHCHECK instructions
 - **Runtime Security**: Gitleaks (secret scanning), CodeQL (static analysis), npm audit (dependency vulnerabilities)
@@ -13,6 +20,7 @@
   - Production: auto-deploy on `main`
 - **IaC Versioning**: Full `render.yaml` and Helm manifests for portability to Kubernetes (k3s, GKE, EKS)
 
+---
 
 ## 🏗️ Architecture
 
@@ -58,11 +66,24 @@ Slack messages for staging/prod deployments with build status:
 
 ---
 
+# 📊 Observability
 
+## Prometheus
+- Scrapes app `/metrics` endpoint (via `prom-client`)
+- Collects:
+  - Default Node.js process metrics
+  - `http_requests_total` counter
+  - Latency histogram
 
 🔗 **See live link here**: [Your Prometheus URL Here]
 
-
+## Grafana Dashboards
+Includes panels for:
+- CPU %
+- Memory usage
+- HTTP requests/sec
+- 5xx error rate
+- 95th percentile latency
 
 🔗 **See live link here**: [Your Grafana URL Here]
 
@@ -78,6 +99,7 @@ Slack messages for staging/prod deployments with build status:
 - Tied to GitHub Actions release versions
 - Shows "Deployed to Staging/Prod" in release timeline
 
+---
 
 
 ## 📸 Project in Action
@@ -96,13 +118,19 @@ Slack messages for staging/prod deployments with build status:
 ### 🔔 Slack Notifications
 ![Slack Notifications](docs/images/SLACK-NOTIFY.png)
 
+### 📊 Observability with Prometheus & Grafana
+![Prometheus Dashboard](docs/images/Prometheus-dashh.png)
+
 
 
+# 🐳 Docker Hardening
+
 All service images include:
 - `HEALTHCHECK` instructions
 - Non-root user execution
 - Minimal base images (`node:18-alpine`, `alpine:3.20`, etc.)
 
+---
 
 # ☸️ Kubernetes (Future-Ready)
 
@@ -148,17 +176,29 @@ Secrets managed via K8s Secret resources (Slack webhook, Grafana admin password)
 ├── .github/workflows/      # CI/CD pipelines
 ├── render.yaml             # Render IaC config
 └── Dockerfile              # App Dockerfile
+```
 
 🎯 Why This Matters
 
+| Feature                 | Benefit                                                   |
+| ----------------------- | --------------------------------------------------------- |
+| Full DevSecOps pipeline | Integrated security, monitoring, and alerting             |
+| Cloud-native ready      | Helm charts → easy migration to Kubernetes                |
+| Production realism      | Error tracking, observability, secrets mgmt, IaC scanning |
+| Team collaboration      | Slack notifications + Sentry releases → transparency      |
+| Hands-on expertise      | End-to-end modern DevSecOps toolchain experience          |
+
+
+
+📬 Contact
 
 Interested in how I can bring end-to-end DevSecOps expertise to your team? Let’s connect!
 
+<div align="center">
 
+**Built with ❤️ to demonstrate modern DevSecOps practices**
 
 [![GitHub stars](https://img.shields.io/github/stars/wizzfi1/fullstack-devsecops-demo?style=social)](https://github.com/wizzfi1/fullstack-devsecops-demo)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
-
 </div>
-

helm/alertmanager/templates/deployment.yaml

@@ -14,6 +14,7 @@ spec:
         app: alertmanager
     spec:
       automountServiceAccountToken: false
+
       # Pod-level context — only for pod-wide settings
       securityContext:
         runAsNonRoot: true
@@ -35,7 +36,8 @@ spec:
             - name: alertmanager-secret-vol
               mountPath: /etc/secrets/alertmanager
               readOnly: true
-          # CONTAINER-LEVEL SECURITY CONTEXT — THIS IS WHAT MATTERS
+
+          # CONTAINER-LEVEL SECURITY CONTEXT 
           securityContext:
             runAsNonRoot: true
             runAsUser: 10001

infra/grafana/Dockerfile

@@ -1,4 +1,4 @@
-# Use official Grafana image with pinned version (avoid 'latest')
+# Use official Grafana image with pinned version
 FROM grafana/grafana:11.1.4
 
 # Copy provisioning config files