This project implements a comprehensive DevSecOps pipeline utilizing AWS EC2 instances to streamline the continuous integration and deployment (CI/CD) process with a strong emphasis on security and monitoring. The setup consists of two AWS EC2 instances:
- Instance 1: Dedicated to SonarQube, Trivy, and the Netflix coding standard checker for static code analysis and security scanning.
- Instance 2: Hosts Jenkins, Prometheus, and Grafana for CI/CD, monitoring, and visualization, respectively.
The pipeline checks for security issues using SonarQube, Trivy, and OWASP Dependency Checker integrated as plugins in Jenkins. After successful analysis, code is containerized and pushed to Docker Hub. Future enhancements include adopting GitOps with Argo CD for automated deployments to Kubernetes on AWS.
The pipeline is defined in a Groovy script for Jenkins and includes the following stages:
- Clean Workspace: Prepares the build environment by cleaning the workspace.
- Checkout from Git: Pulls the latest code from the specified Git repository.
- SonarQube Analysis: Performs static code analysis to identify bugs, vulnerabilities, and code smells.
- Quality Gate: Waits for SonarQube's Quality Gate result, ensuring code quality standards are met.
- Install Dependencies: Installs the project's required dependencies using `npm`.
- OWASP FS SCAN: Runs OWASP Dependency-Check against the project's dependencies to identify publicly disclosed vulnerabilities.
- TRIVY FS SCAN: Scans the file system for vulnerabilities using Trivy.
- Docker Build & Push: Builds a Docker image from the codebase and pushes it to Docker Hub.
- TRIVY Image Scan: Scans the Docker image for vulnerabilities using Trivy.
- Deploy to Container: Deploys the Docker image as a container, making the application accessible.
Ensure Jenkins is configured with the necessary plugins and tools (JDK, Node.js, SonarQube scanner, Docker, etc.) as defined in the pipeline script.
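The stages above as a declarative Jenkinsfile, added here as an example rather than the project's own script. Tool, server and credential names (`jdk17`, `node16`, `sonar-scanner`, `sonar-server`, `DP-Check`, `docker`), the repository URL and the image name are placeholder assumptions; it also differs from the stage order above in scanning the image before the push so that a failing scan never publishes the image.

```groovy
// Added example Jenkinsfile, not the project's own script. Tool, server and credential
// names and the repo/image names below are placeholders: adjust them to your Jenkins setup.
pipeline {
    agent any
    tools {
        jdk 'jdk17'
        nodejs 'node16'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
        IMAGE = "dockerhub-user/netflix:${BUILD_NUMBER}"   // placeholder Docker Hub image
    }
    stages {
        stage('Clean Workspace') { steps { cleanWs() } }
        stage('Checkout from Git') { steps { git branch: 'main', url: 'https://github.com/example/netflix-clone.git' } }
        stage('SonarQube Analysis') {
            steps { withSonarQubeEnv('sonar-server') { sh '$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectKey=netflix -Dsonar.projectName=netflix' } }
        }
        stage('Quality Gate') {
            // abortPipeline: true fails the build when SonarQube's gate fails instead of only logging it
            steps { timeout(time: 10, unit: 'MINUTES') { waitForQualityGate abortPipeline: true } }
        }
        stage('Install Dependencies') { steps { sh 'npm ci' } }   // lockfile-pinned install
        stage('OWASP FS SCAN') {
            steps {
                dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit', odcInstallation: 'DP-Check'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage('TRIVY FS SCAN') {
            // --exit-code 1 turns HIGH/CRITICAL findings into a failed stage rather than a log line
            steps { sh 'trivy fs --exit-code 1 --severity HIGH,CRITICAL --no-progress -o trivyfs.txt .' }
        }
        stage('Docker Build') { steps { sh 'docker build -t $IMAGE .' } }
        stage('TRIVY Image Scan') {
            // scanned before the push so a vulnerable image is never published to Docker Hub
            steps { sh 'trivy image --exit-code 1 --severity HIGH,CRITICAL --no-progress -o trivyimage.txt $IMAGE' }
        }
        stage('Docker Push') { steps { withDockerRegistry(credentialsId: 'docker', toolName: 'docker') { sh 'docker push $IMAGE' } } }
        stage('Deploy to Container') {
            steps { sh 'docker rm -f netflix 2>/dev/null || true; docker run -d --name netflix -p 8081:80 $IMAGE' }
        }
    }
}
```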
Troubleshooting: If you encounter a Docker login error, ensure the Jenkins user is in the `docker` group and restart Jenkins:

```bash
sudo usermod -aG docker jenkins
sudo systemctl restart jenkins
```
This project infrastructure can be provisioned using Terraform. To get started:
- Initialize Terraform:

  ```bash
  terraform init
  ```

  This command initializes the Terraform working directory (providers and modules).
- Apply Terraform Configuration:

  ```bash
  terraform apply -auto-approve
  ```

  Applies the Terraform configuration to provision the AWS infrastructure as defined. The `-auto-approve` flag skips the interactive approval prompt.
- Destroy Infrastructure:

  ```bash
  terraform destroy -auto-approve
  ```

  Safely tears down the infrastructure provisioned by Terraform when the project is concluded.
Ensure you have AWS CLI configured and Terraform installed on your machine. Always review Terraform configurations before applying them to understand the resources being created, modified, or destroyed.
Diagram visualizing the workflow and integration of tools within the pipeline.
- Jenkins: Automation server for CI/CD pipelines.
- SonarQube & Trivy: Tools for static code analysis and vulnerability scanning.
- Prometheus & Grafana: Monitoring and visualization.
- Docker & Docker Hub: Containerization and image hosting.
- Terraform: Infrastructure as Code tool for provisioning and managing cloud resources.
- Argo CD: GitOps continuous delivery tool for Kubernetes.
Contributions to improve the pipeline or add new features are welcome. Please fork the repository, make changes, and submit pull requests.
This README provides a high-level overview of the DevSecOps pipeline project. Detailed setup instructions and configurations for each tool and technology can be found in their respective official documentation.