Enterprise DevSecOps Platform

Security architecture you can run, explore, and demonstrate.

Five integrated security domains, spanning Zero Trust, compliance automation, supply chain security, and real-time threat detection, all running locally in under 5 minutes.

What This Demonstrates

Built for technical evaluation — every claim is runnable code.

Security-First Architecture

Zero Trust core (Keycloak + OPA + Vault) with MITRE ATT&CK coverage. Every inter-service call is authenticated, authorized, and logged — no implicit trust.

Automated Compliance

SOC2, HIPAA, PCI-DSS, and GDPR controls as version-controlled code. Live pass/fail dashboard with simulated drift injection and auto-recovery.

Production-Grade Tooling

11 integrated services: Kubernetes, Istio, Prometheus, Grafana, HashiCorp Vault, Keycloak, OPA, SonarQube, Trivy, Semgrep, and MobSF.

Five Security Domains

End-to-end coverage from code commit to mobile runtime.

App DevSecOps Pipeline

Node.js Express with defense-in-depth controls at every pipeline stage.

  • SonarQube · ESLint SAST
  • OWASP ZAP DAST
  • Trivy container scan
  • Falco runtime detection
  • Istio mTLS · Kyverno

Zero Trust Security

NIST SP 800-207 Zero Trust framework — identity-first, every request verified.

  • Keycloak OIDC + TOTP MFA
  • OPA Rego ABAC policies
  • Vault PKI + secrets tiers
  • Istio mTLS + net policies
  • Behavioral anomaly detection

Cloud-Native Security

Multi-cloud IaC security across AWS, Azure, and GCP with CIS Benchmarks.

  • AWS WAF · GuardDuty · IAM
  • Azure WAF · Defender
  • GCP Cloud Armor · IAM
  • Checkov · tfsec IaC scan
  • CIS Benchmark 1.2–1.4

Compliance Automation

Continuous compliance monitoring with live pass/fail dashboard and drift simulation.

  • SOC2 Type II (CC1.0–CC9.0)
  • HIPAA §164.312 safeguards
  • PCI-DSS Requirements 1–12
  • GDPR Articles 25 & 32
  • Prometheus metrics + alerts
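The compliance layer described above, as an added example that is not the project's own compliance reporter: the controls expressed as version-controlled code, evaluated live into PASS/FAIL, with drift injection and auto-recovery, and exported as a Prometheus gauge for alerting. The control-to-setting mappings are illustrative and the configuration snapshot is constructed.

```javascript
// Added example, not the project's compliance reporter: controls as code,
// evaluated into PASS/FAIL, with drift injection, recovery, and a Prometheus
// gauge. Control mappings are illustrative; the snapshot is constructed.

// Constructed snapshot of the platform settings the controls inspect.
function baselineSnapshot() {
  return {
    mfaRequired: true,            // logical access (SOC2 CC6.1)
    auditLogRetentionDays: 365,   // audit controls (HIPAA 164.312(b))
    tlsMinVersion: '1.2',         // encrypt transmission (PCI-DSS Req. 4)
    dataEncryptedAtRest: true,    // security of processing (GDPR Art. 32)
  };
}

// Each control is a pure predicate over the snapshot. Adding or tightening a
// control is a reviewed code change, which is what "compliance as code" means.
const CONTROLS = [
  { id: 'CC6.1', framework: 'SOC2', check: s => s.mfaRequired === true },
  { id: '164.312(b)', framework: 'HIPAA', check: s => s.auditLogRetentionDays >= 180 },
  { id: 'Req-4', framework: 'PCI-DSS', check: s => ['1.2', '1.3'].includes(s.tlsMinVersion) },
  { id: 'Art-32', framework: 'GDPR', check: s => s.dataEncryptedAtRest === true },
];

class ComplianceReporter {
  constructor(snapshot = baselineSnapshot()) { this.snapshot = snapshot; }

  // Drift injection changes the observed state, not the verdict, so the
  // dashboard goes red for the same reason a real misconfiguration would.
  injectDrift(key, value) { this.snapshot[key] = value; }

  // Auto-recovery restores the baseline, mirroring the recovery endpoint.
  recover() { this.snapshot = baselineSnapshot(); }

  evaluate() {
    return CONTROLS.map(c => ({
      id: c.id,
      framework: c.framework,
      status: c.check(this.snapshot) ? 'PASS' : 'FAIL',
    }));
  }

  failing() {
    return this.evaluate().filter(r => r.status === 'FAIL').map(r => `${r.framework}:${r.id}`);
  }

  // Prometheus exposition text. 1 = passing, 0 = failing, so an alert rule
  // such as `compliance_control_status == 0` fires on drift.
  metrics() {
    const lines = [
      '# HELP compliance_control_status 1 if the control passes, 0 if it fails',
      '# TYPE compliance_control_status gauge',
    ];
    for (const r of this.evaluate()) {
      lines.push(`compliance_control_status{framework="${r.framework}",control="${r.id}"} ${r.status === 'PASS' ? 1 : 0}`);
    }
    return lines.join('\n') + '\n';
  }
}

// Replays the drift scenario end to end and returns the observed states.
function runDriftDemo() {
  const reporter = new ComplianceReporter();
  const before = reporter.failing();
  reporter.injectDrift('mfaRequired', false);
  const during = reporter.failing();
  const metricsDuring = reporter.metrics();
  reporter.recover();
  const after = reporter.failing();
  return { before, during, metricsDuring, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDriftDemo(), null, 2));
}
```

Keeping the predicates pure over a snapshot is the design choice that makes drift visible: the reporter never caches a verdict, so the gauge reflects the current state on every scrape.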

Mobile Security

iOS and Android security pipeline covering the OWASP Mobile Security Testing Guide.

  • MobSF SAST + DAST
  • Semgrep custom rules
  • Certificate pinning
  • ProGuard obfuscation
  • detect-secrets · RASP

Live Platform

Screenshots captured from running services — every tool is operational, not mocked.

  • Compliance Dashboard: SOC2, HIPAA, PCI-DSS, and GDPR control status
  • Code Quality · SonarQube: code quality analysis interface
  • Identity Provider · Keycloak: login interface
  • Mobile Security · MobSF: mobile security framework interface
  • Secrets Management · Vault: secrets management UI
  • Metrics · Prometheus: metrics and alerting interface

Architecture

Five domains unified through a shared Zero Trust core. Every inbound request passes through Keycloak (authentication) → OPA (authorization) → Vault (secret resolution) before reaching the application layer.

Runtime telemetry flows from all services to Prometheus, visualized in Grafana, with Alertmanager routing critical events. The compliance layer continuously evaluates control status and exposes Prometheus metrics for drift alerting.
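The Keycloak → OPA → Vault request path above, as an added example that is not the project's own code: an Express-style middleware that takes verified token claims, builds the input document OPA's Data API expects, and enforces the decision with deny by default. Token verification and the policy decision are injected functions so the file runs offline; the local decision function stands in for the Rego policy, and the route rules and demo tokens are constructed.

```javascript
// Added example, not the project's own code: the Keycloak -> OPA -> Vault
// request path as an Express-style middleware. Token verification (Keycloak)
// and the policy decision (OPA) are injected; the route/role rules and the
// demo tokens are constructed for illustration.

// Input document for OPA's Data API (POST /v1/data/<policy path>,
// body {"input": ...}). Only the attributes the policy needs are sent.
function buildOpaInput(claims, req) {
  return {
    subject: { sub: claims.sub, roles: (claims.realm_access && claims.realm_access.roles) || [] },
    action: req.method,
    resource: { path: req.path },
  };
}

// Offline stand-in for the Rego policy: deny by default, allow only when a
// rule covers the path and the subject holds one of its roles.
const POLICY_RULES = [ // constructed
  { pathPrefix: '/api/admin/', roles: ['admin'] },
  { pathPrefix: '/api/projects/', roles: ['developer', 'admin'] },
];

function localDecision(input) {
  const rule = POLICY_RULES.find(r => input.resource.path.startsWith(r.pathPrefix));
  if (!rule) return { allow: false, reason: 'no policy rule for resource' };
  const allow = rule.roles.some(r => input.subject.roles.includes(r));
  return { allow, reason: allow ? 'role permitted' : 'role not permitted for resource' };
}

// Shape of the real OPA call (not exercised offline). OPA answers
// {"result": {...}} with whatever the policy's rules produce.
async function opaHttpDecision(input, url = 'http://opa:8181/v1/data/httpapi/authz') {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ input }),
  });
  const body = await res.json();
  const result = body.result || {};
  return { allow: result.allow === true, reason: result.reason || 'unspecified' };
}

// Middleware factory. verifyToken: bearer token -> claims or null (Keycloak
// JWKS verification in production). decide: OPA input -> {allow, reason}.
// Every outcome is logged; an unverifiable token never reaches the policy.
function zeroTrustGuard({ verifyToken, decide, log = () => {} }) {
  return async function guard(req, res, next) {
    const auth = (req.headers && req.headers.authorization) || '';
    const claims = auth.startsWith('Bearer ') ? await verifyToken(auth.slice(7)) : null;
    if (!claims) {
      log({ outcome: 'unauthenticated', path: req.path });
      return res.status(401).json({ error: 'unauthenticated' });
    }
    const input = buildOpaInput(claims, req);
    const decision = await decide(input);
    log({ outcome: decision.allow ? 'allow' : 'deny', subject: claims.sub, path: req.path, reason: decision.reason });
    if (!decision.allow) return res.status(403).json({ error: 'forbidden', reason: decision.reason });
    req.authz = { claims, decision }; // downstream handlers read the decision, never re-derive it
    return next();
  };
}

// Minimal stand-in for Express's req/res so the guard runs without a server.
async function simulate(guard, req) {
  const out = { status: null, body: null };
  const res = {
    status(code) { out.status = code; return res; },
    json(body) { out.body = body; return out; },
  };
  await guard(req, res, () => { out.status = 200; out.body = { ok: true }; });
  return out;
}

// Constructed tokens standing in for Keycloak-issued JWTs.
const DEMO_TOKENS = {
  'dev-token': { sub: 'alice', realm_access: { roles: ['developer'] } },
  'admin-token': { sub: 'root', realm_access: { roles: ['admin'] } },
};
const verifyDemoToken = async token => DEMO_TOKENS[token] || null;

// Replays the privilege-escalation scenario: a developer token against an
// admin-only resource is denied by policy, with no application change.
async function runPrivilegeEscalationDemo() {
  const events = [];
  const guard = zeroTrustGuard({ verifyToken: verifyDemoToken, decide: async i => localDecision(i), log: e => events.push(e) });
  const hdr = t => ({ authorization: 'Bearer ' + t });
  const devOnAdmin = await simulate(guard, { method: 'GET', path: '/api/admin/users', headers: hdr('dev-token') });
  const devOnProjects = await simulate(guard, { method: 'GET', path: '/api/projects/1', headers: hdr('dev-token') });
  const adminOnAdmin = await simulate(guard, { method: 'GET', path: '/api/admin/users', headers: hdr('admin-token') });
  const noToken = await simulate(guard, { method: 'GET', path: '/api/projects/1', headers: {} });
  return { devOnAdmin: devOnAdmin.status, devOnProjects: devOnProjects.status, adminOnAdmin: adminOnAdmin.status, noToken: noToken.status, events };
}

if (typeof require !== 'undefined' && require.main === module) {
  runPrivilegeEscalationDemo().then(r => console.log(JSON.stringify(r, null, 2)));
}
```

Swapping `decide` from `localDecision` to `opaHttpDecision` is the only change needed to move from the offline stand-in to a running OPA; the application code never encodes the authorization rule itself, which is the point of policy-as-code.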

┌─ Attack Surface ───────────────────────────────────┐
│  Code Commits · Mobile Apps · Cloud IaC · Web API  │
└───────────────────────┬────────────────────────────┘
                        │ Pipeline Security Gates
                        │ SAST · DAST · Checkov
                        │ MobSF · detect-secrets
                        ▼
┌─ Zero Trust Core ──────────────────────────────────┐
│  Keycloak (OIDC/MFA) → OPA (ABAC) → Vault (PKI)    │
└───────────────────────┬────────────────────────────┘
                        │ Authenticated & Authorized
                        ▼
┌─ Application + Runtime Security ───────────────────┐
│  Demo App · Falco · Istio mTLS · Prometheus        │
└───────────────────────┬────────────────────────────┘
                        │ Continuous Monitoring
                        ▼
┌─ Compliance & Evidence ────────────────────────────┐
│  SOC2 · HIPAA · PCI-DSS · GDPR controls + reports  │
└────────────────────────────────────────────────────┘

Live Demo Scenarios

Each scenario runs a real attack, then shows the platform detecting and blocking it.

  1. Credential Brute-Force

    Simulates repeated login failures against Keycloak. Triggers account lockout after 3 attempts, fires a Prometheus alert, and visualizes the authentication_failures spike in Grafana within seconds.

    ./shared/scripts/demo-attack.sh brute-force

  2. Privilege Escalation

    Attempts to use a developer-role token to access an admin-only resource. OPA evaluates the ABAC policy and returns a denial — no code change required, policy-as-code enforces the boundary.

    ./shared/scripts/demo-privilege-esc.sh

  3. Compliance Drift

    Injects a SOC2 CC1.0 control failure into the compliance reporter. The live dashboard turns red, a Prometheus alert fires, and the auto-recovery endpoint restores green status.

    ./shared/scripts/demo-compliance.sh inject-drift

  4. Supply Chain Attack

    Injects a malicious dependency into the application, then runs a Trivy scan in the CI pipeline. Trivy exits with code 1, blocking the build before deployment.

    ./shared/scripts/demo-supply-chain.sh inject && ./shared/scripts/demo-supply-chain.sh scan

  5. Mobile Secret Leak

    Injects a hardcoded API key into mobile source code, then runs the Semgrep pipeline. The key is detected and flagged in under 2 seconds — before it can reach version control.

    ./shared/scripts/demo-mobile-leak.sh inject && ./shared/scripts/demo-mobile-leak.sh scan
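The detection side of scenario 1, as an added example that is not one of the platform's demo scripts: it parses Keycloak-style event-log lines, keeps a per-user sliding window of login failures, locks the account at the third failure inside the window, raises an alert, and exposes an `authentication_failures_total` counter in Prometheus exposition format (the metric that the Grafana spike is drawn from). The event lines are constructed; their `type=..., realmId=..., clientId=...` layout follows Keycloak's event logging.

```javascript
// Added example, not one of the platform's scripts: sliding-window detection
// of credential brute force over Keycloak-style events, with lockout after
// 3 failures and a Prometheus counter. The event lines are constructed.

const LOCKOUT_THRESHOLD = 3;
const WINDOW_MS = 60 * 1000;

// Constructed events: four failures for alice inside a minute, one successful
// login by bob, and a single failure by bob that stays within normal behaviour.
const SAMPLE_EVENTS = [
  '2024-01-01T10:00:00Z type=LOGIN_ERROR, realmId=demo, clientId=demo-app, ipAddress=10.0.0.5, error=invalid_user_credentials, username=alice',
  '2024-01-01T10:00:02Z type=LOGIN_ERROR, realmId=demo, clientId=demo-app, ipAddress=10.0.0.5, error=invalid_user_credentials, username=alice',
  '2024-01-01T10:00:03Z type=LOGIN, realmId=demo, clientId=demo-app, ipAddress=10.0.0.9, username=bob',
  '2024-01-01T10:00:04Z type=LOGIN_ERROR, realmId=demo, clientId=demo-app, ipAddress=10.0.0.5, error=invalid_user_credentials, username=alice',
  '2024-01-01T10:00:05Z type=LOGIN_ERROR, realmId=demo, clientId=demo-app, ipAddress=10.0.0.5, error=invalid_user_credentials, username=alice',
  '2024-01-01T10:02:00Z type=LOGIN_ERROR, realmId=demo, clientId=demo-app, ipAddress=10.0.0.9, error=invalid_user_credentials, username=bob',
];

// "<iso timestamp> key=value, key=value, ..." -> { time, type, realmId, ... }
function parseEvent(line) {
  const sp = line.indexOf(' ');
  const event = { time: Date.parse(line.slice(0, sp)) };
  for (const kv of line.slice(sp + 1).split(', ')) {
    const eq = kv.indexOf('=');
    if (eq > 0) event[kv.slice(0, eq)] = kv.slice(eq + 1);
  }
  return event;
}

class BruteForceDetector {
  constructor({ threshold = LOCKOUT_THRESHOLD, windowMs = WINDOW_MS } = {}) {
    this.threshold = threshold;
    this.windowMs = windowMs;
    this.failures = new Map(); // username -> timestamps of recent failures
    this.locked = new Map();   // username -> time of lockout
    this.counter = new Map();  // "realm|client" -> total failures (Prometheus counter)
    this.alerts = [];
  }

  observe(event) {
    if (event.type !== 'LOGIN_ERROR') return { action: 'ignored' };
    const key = `${event.realmId}|${event.clientId}`;
    this.counter.set(key, (this.counter.get(key) || 0) + 1);
    const user = event.username;
    if (this.locked.has(user)) return { action: 'already_locked', user };
    // Slide the window: keep only failures newer than windowMs, then add this one.
    const recent = (this.failures.get(user) || []).filter(t => event.time - t < this.windowMs);
    recent.push(event.time);
    this.failures.set(user, recent);
    if (recent.length >= this.threshold) {
      this.locked.set(user, event.time);
      this.alerts.push({ user, ip: event.ipAddress, failures: recent.length, at: event.time });
      return { action: 'lockout', user, failures: recent.length };
    }
    return { action: 'observed', user, failures: recent.length };
  }

  // Prometheus exposition text; a rate() over this counter drives the alert.
  metrics() {
    const lines = [
      '# HELP authentication_failures_total Failed logins by realm and client',
      '# TYPE authentication_failures_total counter',
    ];
    for (const [key, n] of this.counter) {
      const [realm, client] = key.split('|');
      lines.push(`authentication_failures_total{realm="${realm}",client="${client}"} ${n}`);
    }
    return lines.join('\n') + '\n';
  }
}

function runBruteForceDemo(lines = SAMPLE_EVENTS) {
  const det = new BruteForceDetector();
  const outcomes = lines.map(l => det.observe(parseEvent(l)));
  return { outcomes, lockedUsers: [...det.locked.keys()], alerts: det.alerts, metrics: det.metrics() };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runBruteForceDemo(), null, 2));
}
```

Counting every failure, including those against an already locked account, keeps the metric honest: the counter should keep climbing while the attack continues, even though the lockout has already stopped it from succeeding.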

Quick Start

Runs locally with Docker. All services healthy in ~2 minutes.

```bash
git clone https://github.com/dbsectrainer/controlplane
cd controlplane
./shared/scripts/demo-setup.sh
docker-compose up -d
```

Requires Docker Desktop · 8 GB RAM · Ports 3000, 3100, 8080, 8088, 8200

Full guide for hiring managers →

Tech Stack

Every tool is configured, integrated, and runnable — not just listed.

Node.js · HashiCorp Vault · Keycloak · Open Policy Agent · Prometheus · Grafana · SonarQube · MobSF · Terraform · Kubernetes · Docker · Falco · Istio · Trivy · OWASP ZAP · Semgrep · Kyverno · Checkov · detect-secrets · Flask · Express · Alertmanager