TaskFlow is a three-service web application wrapped in a DevSecOps CI/CD pipeline. The repository combines:
- A React frontend
- An
auth-servicefor registration, login, and JWT-based identity - A
tasks-servicefor task CRUD operations - GitHub Actions workflows for CI and CD
- Terraform for AWS infrastructure provisioning
- Docker and Docker Hub for container packaging and image distribution
The main goal of this project is to demonstrate a portfolio-ready DevSecOps flow: code changes on main trigger security and quality checks, images are built and pushed to Docker Hub, and successful CI can automatically deploy the stack to AWS ECS Fargate. For demo use, the CD workflow also supports a manual destroy action so infrastructure can be removed to avoid ongoing cloud cost.
This repository implements a microservices-based task management application and the delivery pipeline around it.
frontend: React + Vite UI served by Nginxauth-service: Node.js/Express authentication API with JWT and SQLitetasks-service: Node.js/Express tasks API with SQLite
- CI on push and pull request to
main - Trivy filesystem vulnerability scan
- OWASP Dependency-Check report generation and artifact upload
- SonarCloud code scan
- Docker image build and push to Docker Hub
- CD workflow that applies or destroys AWS infrastructure with Terraform
- AWS VPC
- Public subnets
- Internet Gateway
- Route table and associations
- Security group
- CloudWatch log group
- ECS cluster
- ECS task definition
- ECS service on Fargate
- Remote Terraform state in S3
.
|-- .github/
| `-- workflows/
| |-- devsecops-ecs-pipeline.yml
| `-- cd-pipeline.yml
|-- auth-service/
|-- frontend/
|-- screenshots/
|-- tasks-service/
|-- terraform/
|-- docker-compose.yml
`-- README.md
User
|
v
Frontend (React + Nginx, port 3000 locally / 8080 in ECS)
|
+--> Auth API (Node.js, Express, SQLite, port 4001)
|
`--> Tasks API (Node.js, Express, SQLite, port 4002)
GitHub Actions CI
-> Trivy
-> OWASP Dependency-Check
-> SonarCloud
-> Docker build and push
GitHub Actions CD
-> AWS credential configuration
-> Terraform init/apply or destroy
-> ECS Fargate deployment using Docker Hub images
- React 18
- Vite
- Tailwind CSS
- React Router
- React DnD
- Axios
- Nginx
- Node.js 20
- Express
- SQLite via
better-sqlite3 - JWT via
jsonwebtoken - Password hashing via
bcryptjs - Joi validation
- Helmet
- Rate limiting
- Winston logging
- GitHub Actions
- Docker
- Docker Buildx
- Docker Hub
- Trivy
- OWASP Dependency-Check
- SonarCloud
- Terraform
- AWS ECS Fargate
- AWS VPC networking
- AWS CloudWatch Logs
- Amazon S3 backend for Terraform state
- User registration and login
- JWT-protected routes
- Authenticated
meendpoint - Task creation, update, deletion, and listing
- Kanban-style board with drag-and-drop
- Table view for tasks
- Light and dark theme support
- Health checks for all services
- Containerized local development and deployment
| Component | Local Port | ECS Container Port | Purpose |
|---|---|---|---|
| Frontend | 3000 |
8080 |
Web UI |
| Auth Service | 4001 |
4001 |
Registration, login, JWT validation |
| Tasks Service | 4002 |
4002 |
Task CRUD |
Base path: http://localhost:4001/api/auth
POST /registerPOST /loginGET /meGET /health
Base path: http://localhost:4002/api/tasks
GET /GET /:idPOST /PUT /:idDELETE /:idGET /health
Workflow file: .github/workflows/devsecops-ecs-pipeline.yml
- Push to
main - Pull request targeting
main
trivy-scanowasp-scansonarqube-scanbuild-and-push
Each later job depends on the previous one with needs, so the pipeline runs in order.
- Scans the repository in filesystem mode
- Looks for OS and library vulnerabilities
- Focuses on
CRITICALandHIGHseverity findings
- Scans dependencies in the repository
- Generates an HTML report
- Uploads the report as a GitHub Actions artifact named
owasp-report
- Performs static analysis with SonarCloud
- Uses
SONAR_TOKENand the built-inGITHUB_TOKEN
- Builds images for:
auth-servicetasks-servicefrontend
- Pushes images to Docker Hub on
pushevents - Skips pushing on pull requests
- Tags images with:
latest${{ github.sha }}
abdulraheem381/taskflow-auth-service:latestabdulraheem381/taskflow-tasks-service:latestabdulraheem381/taskflow-frontend:latest
Workflow file: .github/workflows/cd-pipeline.yml
The CD workflow listens to completion of the DevSecOps Pipeline workflow. If CI finishes successfully, CD can run automatically and apply the Terraform configuration.
The workflow also supports workflow_dispatch with an action input:
applydestroy
This is useful for demo environments where you want to create infrastructure, test the app, and then tear everything down to avoid cost.
- Checks out the repository
- Configures AWS credentials from GitHub Secrets
- Installs Terraform
- Runs
terraform init - Runs either:
terraform apply --auto-approveterraform destroy --auto-approve
Terraform files are in the terraform directory.
Terraform is configured to use an S3 backend:
- Bucket:
taskflow-terraform-state-abdulraheem - Key:
state/terraform.tfstate - Region:
ap-south-2
aws_vpcaws_internet_gatewayaws_subnetfor public subnetsaws_route_tableaws_route_table_associationaws_security_groupaws_cloudwatch_log_groupaws_iam_rolefor ECS executionaws_iam_rolefor ECS taskaws_ecs_clusteraws_ecs_task_definitionaws_ecs_service
- Launch type:
FARGATE - Network mode:
awsvpc - Public IP assigned to task
- Frontend is exposed on port
8080 - Security group allows inbound
8080/tcpfrom0.0.0.0/0 - Frontend depends on healthy
auth-serviceandtasks-servicecontainers - Logs are sent to CloudWatch
Terraform deploys these images by default through terraform.tfvars:
abdulraheem381/taskflow-frontend:latestabdulraheem381/taskflow-auth-service:latestabdulraheem381/taskflow-tasks-service:latest
To run the workflows successfully, configure these repository secrets:
| Secret | Purpose |
|---|---|
DOCKERHUB_USERNAME |
Docker Hub account/user name |
DOCKERHUB_TOKEN |
Docker Hub access token |
SONAR_TOKEN |
SonarCloud authentication |
AWS_ACCESS_KEY_ID |
AWS access key for Terraform deploy/destroy |
AWS_SECRET_ACCESS_KEY |
AWS secret key for Terraform deploy/destroy |
docker-compose up --buildOpen:
- Frontend:
http://localhost:3000 - Auth API:
http://localhost:4001/health - Tasks API:
http://localhost:4002/health
cd frontend
npm install
npm run devcd auth-service
npm install
npm run devcd tasks-service
npm install
npm run devThe repository includes example environment files:
frontend/.env.exampleauth-service/.env.exampletasks-service/.env.example
Frontend variables:
VITE_AUTH_API_URL=http://localhost:4001/api/auth
VITE_TASKS_API_URL=http://localhost:4002/api/tasksAuth service variables:
PORT=4001
NODE_ENV=development
JWT_SECRET=change-me-to-a-long-random-secret
JWT_EXPIRES_IN=8h
DB_PATH=./data/auth.db
CORS_ORIGIN=http://localhost:3000
LOG_LEVEL=infoTasks service variables:
PORT=4002
NODE_ENV=development
JWT_SECRET=change-me-to-a-long-random-secret
DB_PATH=./data/tasks.db
CORS_ORIGIN=http://localhost:3000
LOG_LEVEL=info- Multi-stage build
- Built with Node.js
- Served with Nginx
- Exposes
8080
- Based on
node:20-alpine - Install production dependencies only
- Run as non-root user
- Expose
4001and4002 - Include container health checks
- JWT authentication
- Password hashing with
bcryptjs - Joi request validation
- Helmet headers
- Express rate limiting
- Per-service health checks
- Structured request and error logging
- Developer pushes code to
mainor opens a pull request tomain - CI starts the security and quality jobs
- If the workflow reaches the image stage, Docker images are built
- On non-PR events, images are pushed to Docker Hub
- A successful CI run can trigger the CD workflow
- CD initializes Terraform against the remote S3 backend
- Terraform provisions or updates AWS networking and ECS resources
- ECS pulls images from Docker Hub and starts the application
For demonstration and cost control, the project includes a manual destroy path.
- Open the
CD Pipelineworkflow in GitHub Actions - Select
Run workflow - Choose
destroy - Run the workflow
- Terraform reads the remote state from S3 and destroys the provisioned resources
This keeps the project demo-friendly and avoids leaving AWS resources running unnecessarily.
- The CD workflow region is set to
ap-south-2. - Terraform variable default for
aws_regionisus-east-1, butterraform.tfvarsoverrides it toap-south-2. - The current CI workflow uses SonarCloud, not a self-hosted SonarQube server.
- The current Trivy step is configured with
exit-code: '0', which means it reports findings but does not fail the job by itself. If you want Trivy to hard-fail CI on detected vulnerabilities, change that value to1. - The current ECS deployment exposes the frontend directly with a public IP and security group on port
8080; there is no Application Load Balancer in this repository.
This project demonstrates:
- Secure-by-default application development
- Containerized microservices
- Shift-left security scanning in CI
- Automated artifact creation and registry publishing
- Infrastructure as Code with Terraform
- Automated deployment to AWS ECS Fargate
- Controlled teardown for low-cost demos
It is suitable as a hands-on DevSecOps portfolio project because it shows the full path from source code to security checks to cloud deployment.
This project is licensed under the MIT License - see the LICENSE file for details.