
BMI Application CI/CD Pipeline

A production-grade GitLab CI/CD pipeline for a Go-based BMI web application featuring automated testing, DevSecOps controls, Docker image hardening, and Ansible-driven deployments to staging and production environments.

gitlab-ci, devops, golang, docker, ansible, trivy, dockle, hadolint, devsecops

A production-oriented GitLab CI/CD pipeline for a Go-based BMI (Body Mass Index) web application. The project demonstrates how automated testing, container security scanning, image hardening, and infrastructure automation can be combined to deliver secure and repeatable deployments across staging and production environments.

What it does

The pipeline is organized into four stages: test, security, package, and deploy.

The test stage downloads Go dependencies and executes unit tests to validate application functionality before any build artifacts are produced.

The security stage leverages GitLab’s built-in SAST and Secret Detection templates to identify vulnerabilities, insecure coding patterns, and accidentally committed credentials early in the software delivery lifecycle.

The package stage begins by linting the Dockerfile with Hadolint to enforce container best practices. The application is then compiled using a multi-stage Docker build that produces a minimal scratch-based runtime image running as a non-root user. Docker Buildx is used with registry-backed caching to accelerate subsequent builds.

Before an image can be published, it must pass multiple security gates. Trivy scans for vulnerabilities, embedded secrets, and container misconfigurations, failing the pipeline when HIGH or CRITICAL findings are detected. Dockle performs an additional audit of container runtime security and Docker best practices.

Once validated, the image is pushed to Docker Hub and made available for deployment.

The deploy stage uses Ansible to automate application delivery. Deployments are performed over SSH with strict host key verification enabled: the target hosts' SSH keys are pinned in advance, so an unknown or changed host key aborts the deployment instead of being accepted on first use. Staging deployments occur automatically when changes are merged into the default branch, while production deployments are triggered from Git tags and require manual approval.
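As an added example (not the project's own configuration), the following .gitlab-ci.yml wires the four stages described above together: tests, the GitLab SAST and Secret Detection templates moved into a dedicated security stage, Hadolint before the build, a Buildx build with registry-backed cache, Trivy and Dockle gates that must pass before the push, and Ansible deploys with strict host key checking. The image name, job names, CI variable names, and Ansible inventory and playbook paths are assumptions; the GitLab CI keywords and the Buildx, Trivy, Dockle and Ansible flags are real.

```yaml
# Added illustrative .gitlab-ci.yml; not the project's own file.
# Assumed: the image name, job and variable names, the Ansible inventory/playbook
# paths, and that DOCKERHUB_USER, DOCKERHUB_TOKEN, DEPLOY_SSH_KEY and
# DEPLOY_KNOWN_HOSTS are masked, protected CI/CD variables.
stages: [test, security, package, deploy]

variables:
  REGISTRY_IMAGE: docker.io/example/bmi-app        # assumption
  IMAGE_TAG: $CI_COMMIT_SHORT_SHA                  # every image is traceable to a commit
  CACHE_REF: docker.io/example/bmi-app:buildcache  # registry-backed Buildx layer cache
  ANSIBLE_HOST_KEY_CHECKING: "True"                # never accept an unknown host key
  DOCKER_TLS_CERTDIR: "/certs"                     # TLS between job and dind service

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

# The templates default to the test stage; run them in the dedicated security stage.
sast:
  stage: security
secret_detection:
  stage: security

test:
  stage: test
  image: golang:1.22
  script:
    - go mod download
    - go test ./...

hadolint:
  stage: package
  image: hadolint/hadolint:latest-alpine   # alpine variant has a shell for the runner
  script:
    - hadolint Dockerfile

build_scan_push:
  stage: package
  needs: [hadolint]                        # a lint failure stops the build
  image: docker:27
  services: [docker:27-dind]
  before_script:
    - echo "$DOCKERHUB_TOKEN" | docker login -u "$DOCKERHUB_USER" --password-stdin
    - docker buildx create --use           # docker-container driver, needed for registry cache
  script:
    # Build once; --load places the image in the daemon so it can be scanned before any push.
    - >
      docker buildx build
      --cache-from type=registry,ref=$CACHE_REF
      --cache-to type=registry,ref=$CACHE_REF,mode=max
      --load -t $REGISTRY_IMAGE:$IMAGE_TAG .
    # Gate 1: Trivy. One HIGH/CRITICAL vulnerability, secret or misconfiguration fails the job.
    - >
      docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest
      image --scanners vuln,secret,misconfig --severity HIGH,CRITICAL --exit-code 1
      $REGISTRY_IMAGE:$IMAGE_TAG
    # Gate 2: Dockle. Warnings (e.g. running as root) fail the job as well.
    - >
      docker run --rm -v /var/run/docker.sock:/var/run/docker.sock goodwithtech/dockle:latest
      --exit-code 1 --exit-level warn $REGISTRY_IMAGE:$IMAGE_TAG
    # Only an image that passed both gates is published.
    - docker push $REGISTRY_IMAGE:$IMAGE_TAG
    # On tag pipelines also publish the release tag for traceability.
    - if [ -n "$CI_COMMIT_TAG" ]; then docker tag $REGISTRY_IMAGE:$IMAGE_TAG $REGISTRY_IMAGE:$CI_COMMIT_TAG && docker push $REGISTRY_IMAGE:$CI_COMMIT_TAG; fi

.deploy:
  stage: deploy
  image: python:3.12-slim
  before_script:
    - apt-get update -qq && apt-get install -y -qq openssh-client >/dev/null
    - pip install --no-cache-dir --quiet ansible
    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
    - echo "$DEPLOY_SSH_KEY" > ~/.ssh/id_ed25519 && chmod 600 ~/.ssh/id_ed25519
    # Pinned host keys ship with the pipeline; with strict checking a changed key aborts the deploy.
    - echo "$DEPLOY_KNOWN_HOSTS" > ~/.ssh/known_hosts
  script:
    - >
      ansible-playbook -i inventories/$DEPLOY_ENV/hosts.yml deploy.yml
      -e "image=$REGISTRY_IMAGE:$IMAGE_TAG"

deploy_staging:
  extends: .deploy
  variables: { DEPLOY_ENV: staging }
  environment: { name: staging }
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH   # automatic after merge

deploy_production:
  extends: .deploy
  variables: { DEPLOY_ENV: production }
  environment: { name: production }
  rules:
    - if: $CI_COMMIT_TAG
      when: manual                                  # release gate: a person must approve
```

Because IMAGE_TAG is the commit SHA in every stage, staging and production deploy exactly the image that passed Trivy and Dockle, never a rebuilt one; on a tag pipeline the build job runs first, so the production deploy references an image that already exists in the registry under both the SHA and the release tag. The `when: manual` rule on the production job is what turns the tag into an approval gate rather than an automatic release.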

Tech Stack

  • CI platform: GitLab CI/CD
  • Application: Go
  • Containerization: Docker, Docker Buildx
  • Configuration management: Ansible
  • Container registry: Docker Hub
  • Security scanning: Trivy (vulnerabilities, secrets, misconfigurations)
  • Container auditing: Dockle
  • Dockerfile linting: Hadolint
  • Static security analysis: GitLab SAST
  • Secret detection: GitLab Secret Detection
  • Deployment: SSH-based Ansible automation with strict host key verification
  • Runtime security: Scratch image, non-root container execution

Impact

  • Shift-left security: vulnerabilities, secrets, and misconfigurations are detected in the pipeline, and an image with HIGH or CRITICAL findings is blocked before it is pushed to the registry, so it never reaches any environment
  • Hardened container runtime: a scratch-based image carries no shell, package manager, or system libraries beyond the binary itself, and non-root execution limits what a compromised process can do, which together significantly reduce the container attack surface
  • Automated quality gates: testing, linting, and security checks ensure only validated artifacts progress through the pipeline
  • Reliable deployments: Ansible provides repeatable, infrastructure-as-code deployments across environments
  • Controlled releases: automatic staging deployments enable rapid feedback while manual production approvals maintain operational control
  • Faster builds: Docker Buildx registry caching reduces build times by reusing previously built image layers
  • Traceable releases: deployments are linked to commit SHAs and Git tags, providing a clear audit trail from source code to production

Results

  • Fully automated CI/CD workflow from commit to deployment
  • Separate staging and production environments
  • Security validation integrated into every pipeline execution
  • Immutable container-based deployments
  • Production-ready DevSecOps implementation using GitLab CI/CD, Docker, and Ansible