Building a Complete DevSecOps Pipeline: From Code to Kubernetes with ArgoCD

ShudhoShudho
5 min read

In today's rapidly evolving software landscape, integrating security into every stage of the development lifecycle isn't just a best practice—it's essential. This blog post walks through building a comprehensive DevSecOps pipeline for a Tic-tac-Toe application using modern tools and practices.

What is DevSecOps?

DevSecOps extends beyond simply building CI/CD pipelines with security measures. While it includes integrating static code analysis, OWASP security checks, and unit testing, true DevSecOps encompasses:

  • Securing Terraform state files

  • Using HashiCorp Vault for sensitive data management (API keys, tokens, passwords)

  • Implementing Kubernetes encryption and secrets management

  • Container security scanning and vulnerability assessment

  • Infrastructure as Code (IaC) securityProject Overview

    This project demonstrates a complete DevSecOps implementation for a Node.js-based Tic-tac-Toe application, featuring:

    • Application: React-based Tic-tac-Toe game

    • Infrastructure: Minikube for local Kubernetes deployment

    • CI/CD: GitHub Actions with integrated security scanning

    • Container Registry: GitHub Container Registry (GHCR)

    • Deployment: ArgoCD for GitOps-based continuous deployment

    • Development Environment: Complete local development setup with Minikube

Architecture and Tech Stack

Core Technologies

  • Frontend: React with TypeScript

  • Containerization: Docker with multi-stage builds

  • Orchestration: Kubernetes (Minikube for local development and deployment)

  • CI/CD: GitHub Actions

  • GitOps: ArgoCD

  • Security: Trivy, ESLint, OWASP integration

Implementation Deep Dive

1. Local Development Setup

Starting with local development is crucial for understanding application dependencies and environment variables. This approach helps DevOps engineers grasp the application architecture and requirements before building the pipeline.

Key Benefits:

  • Understanding application flow and dependencies

  • Identifying required environment variables

  • Testing application functionality before containerization

  • 2. Multi-Stage Dockerfile

    Security and efficiency drove the decision to implement a multi-stage Docker build:

    dockerfile

      # Stage 1: Build Stage
      FROM node:20-alpine AS builder
      COPY package.json ./
      RUN npm install
      COPY . .
      RUN npm run build
    
      # Stage 2: Production Stage  
      FROM nginx:alpine
      COPY --from=builder /app/dist /usr/share/nginx/html
      EXPOSE 80
      CMD ["nginx", "-g", "daemon off;"]
    

    Advantages:

    • Reduced image size

    • Enhanced security (no build tools in production image)

    • Improved deployment speed

3. GitHub Actions DevSecOps Pipeline

The pipeline implements a sequential job flow with integrated security checks:

Pipeline Jobs

1. Unit Testing

  • Executes comprehensive test suites using Node.js 20

  • Validates code functionality before proceeding

2. Static Code Analysis (Linting)

  • Performs code quality checks using ESLint

  • Generates detailed reports in JSON format

  • Uploads artifacts for review

3. Build Process

  • Compiles the project after successful tests and linting

  • Creates build artifacts (dist folder)

  • Prepares application for containerization

4. Docker Image Build

  • Creates optimized Docker images using multi-stage builds

  • Tags images with SHA-based versioning

  • Pushes to GitHub Container Registry (GHCR)

5. Security Scanning

  • Trivy Vulnerability Scanning: Scans Docker images for critical and high-severity vulnerabilities

  • Prevents deployment of vulnerable images

  • Generates security reports

6. Kubernetes Manifest Updates

  • Automatically updates deployment files with new image tags

  • Commits changes back to repository

  • Triggers ArgoCD sync for deployment

4. Minikube Kubernetes Environment

This project uses Minikube to provide a complete local Kubernetes environment that closely mirrors production setups. Minikube offers several advantages for DevSecOps development:

Benefits:

  • Full Kubernetes API compatibility

  • Local testing of complete deployment pipeline

  • Cost-effective development environment

  • Easy integration with ArgoCD and other Kubernetes tools

5. GitOps with ArgoCD

ArgoCD serves as the continuous deployment controller, monitoring Git repositories for changes in Kubernetes manifests or Helm charts.

  •   # Install ArgoCD on Minikube
      kubectl create namespace argocd
      kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
    

    Key Features:

    • 3-minute default sync interval

    • Automated rollback capabilities

    • Visual deployment tracking

    • Multi-environment support

      6. Minikube Development Environment

      Minikube Setup and Configuration:

        # Start Minikube with Docker driver
        minikube start --driver=docker --cpus=2
      
        # Enable Ingress addon for external access
        minikube addons enable ingress
      
        # Verify ingress controller is running
        kubectl get pods -n ingress-nginx
      
        # Create container registry secret
        kubectl create secret docker-registry github-container-registry \
          --docker-server=ghcr.io \
          --docker-username=shudhoo \
          --docker-password=$GITHUB_TOKEN \
          --docker-email=shudhowani@gmail.com
      

      Local Access Configuration:

        # Get Minikube IP
        minikube ip
      
        # Add to /etc/hosts
        echo "$(minikube ip) tic-tac-toe.local" >> /etc/hosts
      
        # Start tunnel for local access
        minikube tunnel
      

      Security Implementation

      Container Security

      • Base Image Selection: Using Alpine Linux for minimal attack surface

      • Multi-stage Builds: Eliminating build tools from production images

      • Vulnerability Scanning: Trivy integration for continuous security assessment

Secrets Management

  • GitHub Secrets for sensitive data

  • Kubernetes secrets for runtime configuration

  • Container registry authentication

Code Quality

  • ESLint for static code analysis

  • Automated security dependency scanning

  • Pull request validation workflows

Key Benefits Achieved

1. Automated Security Integration

Every code change undergoes comprehensive security scanning before deployment, ensuring vulnerabilities are caught early in the development cycle.

2. GitOps Workflow

ArgoCD provides declarative deployment management, ensuring infrastructure and application state consistency across environments.

3. Scalable Architecture

Kubernetes orchestration enables horizontal scaling and high availability, while Minikube provides a complete local development environment that mirrors production capabilities.

4. Developer Experience

Minikube setup allows developers to test the complete deployment pipeline locally, ensuring consistency between development and production environments.

5. Compliance and Auditability

All changes are tracked through Git, providing complete audit trails for security and compliance requirements.

  • Best Practices Implemented

    1. Local-First Development: Complete local Kubernetes environment with Minikube

    2. Immutable Deployments: Container-based deployments with versioned artifacts

    3. Security-First Approach: Integrated security scanning at every stage

    4. Monitoring and Observability: ArgoCD provides deployment visibility

    5. Environment Consistency: Minikube ensures development-production parity

Conclusion

This DevSecOps implementation demonstrates how modern tooling and practices can create a robust, secure, and scalable deployment pipeline. By integrating security at every stage—from code analysis to container scanning—we ensure that security isn't an afterthought but a fundamental part of the development process.

The combination of GitHub Actions for CI, ArgoCD for CD, and Kubernetes for orchestration creates a powerful platform that can scale with organizational needs while maintaining security and reliability standards.

The project showcases that DevSecOps isn't just about tools—it's about creating a culture and process that prioritizes security, automation, and continuous improvement throughout the software delivery lifecycle.

  • Technologies Used: React, Node.js, Docker, Kubernetes, GitHub Actions, ArgoCD, Minikube, Trivy, ESLint

Project Repository: https://github.com/shudhoo/devsecops-cicd-tictactoe.git

0
Subscribe to my newsletter

Read articles from Shudho directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Shudho
Shudho

Hi, I’m Shudhodhan 🎯 — A passionate Cloud ☁️ and DevOps ♾️ learner, focused on applying skills to build, scale, and automate modern software development and deployment workflows. With a Strong foundation in IaC, Containerization 🐋 & Orchestration ☸️ with Kubernetes and Terraform. Capable of building and maintaining Cloud Native Applications on AWS ☁️. Skilled in designing and automating CI/CD 🔧 pipelines using Jenkins and GitHub Actions, supporting scalable deployments for both microservices and monolithic applications.