Shaylee Czech Security Engineer

GRC Compliance Dashboard

Mapping the DevSecOps pipeline's technical capabilities to NIST, CIS, and HIPAA requirements—the language of compliance and risk management.

Overall Score: 94% (4 of 4 controls implemented)

NIST SP 800-53: 100% (3 of 3 controls met)

CIS Controls: 100% (1 of 1 control met)

HIPAA: 100% (1 of 1 control met)

Vulnerability & Patch Management

The CI/CD pipeline enforces shift-left security by automatically scanning code and container images for vulnerabilities and blocking non-compliant images from being deployed. CloudWatch monitoring provides centralized logging and real-time security analysis.

NIST SP 800-53: RA-5 (Scanning) | CISSP Domain 6: Security Assessment
  • Snyk (SAST) checks package.json for vulnerable dependencies.
  • Trivy scans the Docker image for OS and package vulnerabilities.
  • Ansible installs all required patches and security updates on the host OS.

Principle of Least Privilege (PoLP)

Infrastructure is deployed using AWS IAM Instance Profiles, ensuring the EC2 host has zero hardcoded credentials and only the bare minimum permissions (Route 53 DNS update).

NIST SP 800-53: AC-3 (Access Enforcement) | CISSP Domain 5: Identity & Access Management
  • GitHub Secrets are used for SSH, never stored on the host.
  • IAM Role is scope-limited to only update DNS records in Route 53.
  • The application containers themselves run without any cloud credentials.
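As an added illustration of the scoping described above (not configuration taken from this project), the Terraform below defines an instance profile whose only write permission is changing A records in a single hosted zone; the zone ID, role and policy names are placeholders.

```hcl
# Added example: least-privilege EC2 instance profile for Route 53 updates.
# The hosted zone ID and resource names are placeholders, not project values.
variable "hosted_zone_id" {
  default = "ZPLACEHOLDER0000" # replace with the real hosted zone ID
}

# Trust policy: only EC2 instances may assume this role (no static keys).
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Permissions: record changes in one zone only, restricted to A records;
# read access covers that zone plus the change-status call.
data "aws_iam_policy_document" "dns_update" {
  statement {
    sid       = "ChangeARecordsInOneZone"
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/${var.hosted_zone_id}"]
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "route53:ChangeResourceRecordSetsRecordTypes"
      values   = ["A"]
    }
  }
  statement {
    sid       = "ReadZoneAndChangeStatus"
    actions   = ["route53:ListResourceRecordSets", "route53:GetChange"]
    resources = [
      "arn:aws:route53:::hostedzone/${var.hosted_zone_id}",
      "arn:aws:route53:::change/*",
    ]
  }
}

resource "aws_iam_role" "dns_updater" {
  name               = "ec2-dns-updater"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

resource "aws_iam_role_policy" "dns_update" {
  name   = "route53-single-zone-update"
  role   = aws_iam_role.dns_updater.id
  policy = data.aws_iam_policy_document.dns_update.json
}

resource "aws_iam_instance_profile" "dns_updater" {
  name = "ec2-dns-updater"
  role = aws_iam_role.dns_updater.name
}
```

Attach `aws_iam_instance_profile.dns_updater.name` to the EC2 instance's `iam_instance_profile`; any attempt to touch another zone or record type is denied by the resource ARN and condition.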

Secure Baselines & Configuration

Ansible ensures the host OS is configured to a secure baseline (CIS/NIST), installing and managing the UFW firewall and preventing unapproved configuration changes.

CIS Control 7 (Configuration Management) | CISSP Domain 3: Security Architecture
  • Ansible enforces the host baseline (hardening, user management).
  • Terraform defines network baselines (Security Groups) and prevents drift.
  • Docker images are defined by code (Dockerfile) and are immutable.

Data & Communication Protection

The Nginx reverse proxy enforces HTTPS/TLS 1.2+ for all public traffic and automates certificate renewal (Certbot), fulfilling HIPAA and security requirements for data in transit.

HIPAA (Technical Safeguard: Encryption) | CISSP Domain 4: Network Security
  • Nginx acts as the secure edge, enforcing SSL/TLS termination.
  • Certbot ensures automatic renewal, preventing certificate expiration risks.
  • The system runs behind a public Elastic IP which is firewalled by the host UFW.