This project demonstrates a DevSecOps pipeline for a three-tier application called Messenger App. The CI/CD pipeline, managed with Jenkins, automates code quality analysis, security scanning, and deployment using Docker Compose. The pipeline integrates various tools, including SonarQube for code quality analysis, OWASP Dependency Check for dependency vulnerability scanning, and Trivy for file system scanning. This approach enhances security and stability, ensuring each build meets security and quality standards before deployment.
```sh
git clone https://github.com/tushargurav28/Deployment-Messenger.git
cd Deployment-Messenger
docker-compose up --build
```
- Clone Code from GitHub: Clones the Messenger App project repository.
- SonarQube Quality Analysis: Analyzes code quality using SonarQube.
- OWASP Dependency Check: Scans for vulnerabilities in project dependencies.
- Sonar Quality Gate Scan: Ensures code meets the defined quality standards.
- Trivy File System Scan: Performs file system scanning to identify vulnerabilities.
- Deploy using Docker Compose: Deploys the application using Docker Compose.
- Prerequisites:
  - Jenkins
  - Docker & Docker Compose
  - SonarQube
  - OWASP Dependency Check
  - Trivy
- Install Jenkins:
```sh
sudo apt update
# Recent Jenkins LTS releases require Java 17 or newer; Java 11 is no longer supported.
sudo apt install openjdk-17-jdk -y
# Store the Jenkins repository signing key in a dedicated keyring (apt-key is deprecated)
# and pin the repository to that key so only packages signed with it are accepted.
sudo wget -O /usr/share/keyrings/jenkins-keyring.asc https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/" | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt update
sudo apt install jenkins -y
sudo systemctl start jenkins
sudo systemctl enable jenkins
```
- Install Docker and Docker Compose:
```sh
sudo apt update
sudo apt install -y docker.io
sudo systemctl start docker
sudo systemctl enable docker
# Membership in the docker group is equivalent to root on the host, so grant it only to
# accounts that must run containers. The jenkins service account needs it as well, otherwise
# the "Deploy using Docker Compose" stage cannot talk to the Docker daemon.
sudo usermod -aG docker "$USER"
sudo usermod -aG docker jenkins
sudo systemctl restart jenkins
# Docker Compose: the standalone v1 binary that provides the docker-compose command used by
# the pipeline. 1.29.2 is the final v1 release; the maintained successor is the docker compose plugin.
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```
- Install SonarQube:
```sh
# SonarQube's embedded Elasticsearch refuses to start unless the host allows at least
# 262144 memory map areas per process.
sudo sysctl -w vm.max_map_count=262144
docker run -d --name sonarqube -p 9000:9000 sonarqube:lts-community
```
- Install Trivy:
```sh
sudo apt update
sudo apt install -y wget apt-transport-https gnupg lsb-release
# Store the Trivy repository key in a dedicated keyring (apt-key is deprecated) and bind
# the repository entry to it with signed-by.
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt update
sudo apt install trivy -y
```
- Open Jenkins and create a new Pipeline project.
- In the pipeline configuration, use the following script:
```groovy
pipeline {
    agent any
    environment {
        // Path of the SonarQube Scanner installation named "Sonar" under Manage Jenkins > Tools;
        // the name must match what is configured there.
        SONAR_HOME = tool "Sonar"
    }
    stages {
        stage("Clone Code from GitHub") {
            steps {
                git url: "https://github.com/tushargurav28/Deployment-Messenger.git", branch: "main"
            }
        }
        stage("SonarQube Quality Analysis") {
            steps {
                // "Sonar" is also the name of the SonarQube server entry under Manage Jenkins > System.
                withSonarQubeEnv("Sonar") {
                    sh "$SONAR_HOME/bin/sonar-scanner -Dsonar.projectName=Messenger -Dsonar.projectKey=Messenger"
                }
            }
        }
        stage("OWASP Dependency Check") {
            steps {
                // 'dc' is the Dependency-Check installation name under Manage Jenkins > Tools.
                // The publisher below parses the XML report, so that format is requested explicitly
                // (the CLI writes HTML by default).
                dependencyCheck additionalArguments: '--scan ./ --format XML', odcInstallation: 'dc'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage("Sonar Quality Gate Scan") {
            steps {
                // Requires a webhook in SonarQube pointing at <jenkins-url>/sonarqube-webhook/;
                // without it this step waits for the full timeout.
                timeout(time: 2, unit: "MINUTES") {
                    // abortPipeline: false records a failed gate but still lets the deploy stage run;
                    // set it to true to block deployment when the gate fails.
                    waitForQualityGate abortPipeline: false
                }
            }
        }
        stage("Trivy File System Scan") {
            steps {
                // The table format is plain text, so the report gets a .txt extension.
                // Trivy exits 0 regardless of findings unless --exit-code is given, so this
                // stage is informational and does not gate the build.
                sh "trivy fs --format table -o trivy-fs-report.txt ."
            }
        }
        stage("Deploy using Docker Compose") {
            steps {
                // Runs as the jenkins user, which therefore needs docker group membership.
                sh "docker-compose up -d"
            }
        }
    }
}
```
- Run the pipeline to initiate the build and deployment process.
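The Trivy stage above only writes a report; nothing in the pipeline turns its findings into a decision. The script below is an added example, not part of the Deployment-Messenger project, showing how a severity gate can be built from the JSON that `trivy fs --format json -o trivy-fs-report.json .` produces. The sample report embedded in it is constructed for the example, and its CVE identifiers are placeholders rather than real advisories; the `Results` / `Vulnerabilities` / `Severity` / `FixedVersion` field names are those of Trivy's JSON output.

```python
"""Severity gate over a Trivy JSON report (added example; not part of the Deployment-Messenger project)."""
import json
import sys
from collections import Counter

# Constructed sample in the layout written by `trivy fs --format json`: a top-level
# "Results" list with one entry per scanned target, each carrying an optional
# "Vulnerabilities" list. The CVE identifiers are placeholders, not real advisories.
SAMPLE_TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "package-lock.json",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-lib",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "other-lib",
                 "InstalledVersion": "2.3.0", "FixedVersion": "2.4.0", "Severity": "MEDIUM"},
            ],
        },
        # A target Trivy scanned but found nothing in has no "Vulnerabilities" key at all.
        {"Target": "Dockerfile", "Type": "dockerfile"},
    ],
})

# Rank used for "at or above" comparisons; severities Trivy does not label rank lowest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def iter_vulnerabilities(report_json):
    """Yield (target, vulnerability) pairs, tolerating targets without findings."""
    report = json.loads(report_json)
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def count_by_severity(report_json):
    """Number of findings per severity label, e.g. {'CRITICAL': 1, 'HIGH': 1}."""
    counts = Counter()
    for _, vuln in iter_vulnerabilities(report_json):
        counts[str(vuln.get("Severity", "UNKNOWN")).upper()] += 1
    return counts


def findings_at_or_above(report_json, threshold="HIGH", fixed_only=False):
    """Findings with severity >= threshold; with fixed_only, skip those lacking a FixedVersion."""
    min_rank = SEVERITY_RANK[threshold.upper()]
    selected = []
    for target, vuln in iter_vulnerabilities(report_json):
        severity = str(vuln.get("Severity", "UNKNOWN")).upper()
        if SEVERITY_RANK.get(severity, 0) < min_rank:
            continue
        if fixed_only and not vuln.get("FixedVersion"):
            continue
        selected.append({
            "target": target,
            "id": vuln.get("VulnerabilityID"),
            "package": vuln.get("PkgName"),
            "installed": vuln.get("InstalledVersion"),
            "fixed": vuln.get("FixedVersion") or "",
            "severity": severity,
        })
    return selected


def gate_passes(report_json, threshold="HIGH", fixed_only=False):
    """True when no finding meets the blocking criteria, i.e. the deploy stage may run."""
    return not findings_at_or_above(report_json, threshold, fixed_only)


if __name__ == "__main__":
    # Usage: python3 trivy_gate.py [trivy-fs-report.json] [THRESHOLD]
    # With no arguments the constructed sample above is evaluated.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    data = open(path, encoding="utf-8").read() if path else SAMPLE_TRIVY_JSON
    print("findings by severity:", dict(count_by_severity(data)))
    for f in findings_at_or_above(data, threshold):
        print(f"{f['severity']:8} {f['id']:16} {f['package']} {f['installed']} -> {f['fixed'] or 'no fix'} ({f['target']})")
    sys.exit(0 if gate_passes(data, threshold) else 1)
```

Wired into the pipeline as `sh "python3 trivy_gate.py trivy-fs-report.json HIGH"` after the scan, a non-zero exit aborts the build before the deploy stage. For the plain case Trivy covers this natively with `--exit-code 1 --severity HIGH,CRITICAL` (and `--ignore-unfixed` for the fixed-only variant); the script adds a per-severity summary and a single place to adjust the policy.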