DevSecOps + AI Security Engineer — Portfolio Platform

Production-style scanning platform that demonstrates the full Cloud DevSecOps and AI Security toolchain expected of a senior engineer in the role:

• Shift-left scanning — SAST, SCA, IaC (Terraform + Kubernetes), container, secrets, AI agent / LLM security — all behind a unified engine, policy file, and CLI/API.
• Pipeline gating — declarative thresholds per stage (pre_merge, pre_release) plus declarative pass/fail policy rules.
• Standards-aligned reporting — SARIF (GitHub code scanning), CycloneDX SBOM, JSON, Markdown PR comments. CWE / OWASP Top 10 / OWASP LLM Top 10 / CIS Benchmark mappings on every finding.
• AI guardrails — prompt-injection catalog, runtime middleware that blocks malicious inputs and redacts leaky outputs, plus a 10-prompt red-team evaluation library.
• Ready-to-drop CI — GitHub Actions, GitLab CI, and pre-commit templates, plus a non-root Docker image.

Architecture

                            ┌──────────────────────┐
   policies/default.yaml    │       devsec          │
   (rule toggles, gates,    │       engine          │
    custom regex)           └─────────┬────────────┘
                                      │ orchestrates
        ┌──────────┬────────┬─────────┼─────────┬──────────┬────────────┐
        ▼          ▼        ▼         ▼         ▼          ▼            ▼
       SAST       SCA      IaC      Container Secrets   AI Security  Policy
      regex      OSV      Terraform Dockerfile  patterns +catalog +    eval
      rules      DB       K8s YAML  heuristic  custom    guardrails
                                                          middleware
                                      │
                                      ▼
           ┌──────────────────────────┬──────────────────────────┐
           ▼                          ▼                          ▼
     CLI (devsec)            FastAPI (X-Api-Key)            CI templates
     JSON/MD/SARIF/SBOM      JSON/MD/SARIF/SBOM/gate        GitHub/GitLab/pre-commit

Quickstart

git clone https://github.com/kumar1shailesh/DevSecOps-AI-Security-Engineer-.git
cd DevSecOps-AI-Security-Engineer-
python -m venv .venv; .\.venv\Scripts\Activate.ps1
pip install -e .

# Self-demo against bundled vulnerable examples
devsec scan examples
devsec scan examples --output sarif --out-file devsec.sarif
devsec sbom .       --out-file devsec.sbom.json
devsec gate examples --gate pre_merge

CLI

Command	Purpose
devsec scan <path> [-s scanner] [-o table|json|markdown|sarif] [--fail-on critical|high|medium|low|none]	Run all (or selected) scanners. Non-zero exit when threshold hit.
devsec check <file>	Scan a single file's content (editor integrations).
devsec sbom <path>	Emit CycloneDX SBOM.
devsec gate <path> --gate pre_merge	Apply a named pipeline gate from policies/default.yaml.
devsec-serve	Start the FastAPI server (port 8090).

API

All POSTs require X-Api-Key: $DEVSEC_API_KEY.

Endpoint	Body	Notes
POST /scan/path	{"path": "...", "scanners": ["all"]}	Returns ScanResult JSON
POST /scan/content	{"content": "...", "filename": "..."}	Inline content scan
POST /scan/upload	multipart/form-data file=	Upload + scan
POST /scan/path.sarif	same as /scan/path	SARIF 2.1.0
POST /scan/path.md	same	Markdown for PR comments
POST /sbom	{"path": "..."}	CycloneDX SBOM
POST /gate?gate_name=pre_merge	{"path": "..."}	Pass/fail against gate thresholds
GET /policy	—	Returns the active policy
GET /docs	—	OpenAPI / Swagger UI
GET /	—	Minimal HTML dashboard

Scanners

Scanner	Detects	Rule prefix
sast	eval/exec, shell injection, deserialization, weak crypto, TLS-off, debug-on, JWT-none, … (Python, JS/TS, Java, Go)	PY*, JS*, JV*, GO*
sca	Pinned versions matching an offline OSV-shaped DB (requests, Django, Flask, PyYAML, cryptography, FastAPI, lodash, …)	CVE IDs
iac	Public S3 buckets, open SGs, public RDS, unencrypted EBS, wildcard IAM; privileged / hostNetwork / :latest / no-limits / plain-env-secret containers	TF*, K8S*
container	:latest / no USER / curl | bash / --insecure / baked secrets / ADD remote	CONT*
secrets	OpenAI, Anthropic, AWS, GitHub, Slack, Google, JWT, private keys, Stripe, Twilio, LangSmith + custom regex	SEC*
ai_security	Prompt-injection bait in docs/prompts; LLM output → eval/shell; wildcard agent tools; system-prompt leakage	AI*

Policy

policies/default.yaml drives everything: rule disables, severity overrides, scanner toggles, custom secret patterns, per-rule policy actions (fail / warn), and pipeline gates (per-severity caps). Re-use the same file across the CLI, API, and the bundled CI templates.

AI security extras

File	Purpose
ai_security/prompt_injection_catalog.yaml	OWASP LLM Top 10-aligned pattern catalog feeding the AI scanner + guardrails
ai_security/red_team_prompts.yaml	10-prompt red-team library for model evaluations
ai_security/guardrails/middleware.py	FastAPI/Starlette middleware: blocks malicious inputs, redacts leaky outputs

CI integration

Pre-built templates for the three biggest CI surfaces:

• ci-templates/github-actions.yml — scan + upload SARIF to GitHub Security tab + stick a Markdown report on the PR.
• ci-templates/gitlab-ci.yml — emits SARIF + CycloneDX so GitLab's UI shows it natively.
• ci-templates/pre-commit-config.yaml — fast secret + AI-agent-config gates before each commit.

The repo also self-scans on every push via .github/workflows/security-scan.yml.

Standards mappings

Every finding carries CWE / OWASP / OWASP-LLM / CIS tags where applicable. See docs/owasp_mappings.md for the cross-walk.

Tests

pip install -e .
pytest -q

The test suite covers every scanner against the bundled fixtures and asserts the engine, reporters, gate evaluator, and AI guardrails work end-to-end.

License

MIT