End-to-End DevSecOps CICD Project

Tools Usage:
Github: A platform for hosting and version-controlling source code repositories
Sonarqube: Analyzes code for quality, identifying bugs, code smells, security vulnerabilities, and maintainability issues
OWASP: Security scanning with OWASP Dependency-Check, which identifies project dependencies that have known vulnerabilities.
Trivy: Used to scan Docker images, container file systems, and other package formats for security vulnerabilities, misconfigurations, and other risks.
Docker: Used to deploy applications in a consistent environment
Jenkins: A CI/CD tool that orchestrates the entire pipeline

Check out a detailed step-by-step process explained by Shubham Londhe (TrainwithShubham) on the YouTube channel below.

Prerequisites:

Step1: Launch an AWS instance with the following requirements:

  1. Choose the instance type t2.large, which provides 2 vCPUs and 8 GB of memory. This instance type is suitable for various workloads.

  2. Select Ubuntu as the operating system

  3. Allow HTTP and HTTPS traffic

  4. Configure the storage to have around 10 GB

  5. Ensure you have a key pair set up for SSH access

  6. Once these configurations are set, proceed to launch the EC2 instance

Use ssh to connect from your local terminal to the remote machine as follows:
ssh -i "cicdproject.pem" ubuntu@ec2-54-234-19-59.compute-1.amazonaws.com

Step2: Install Docker

sudo apt-get update -y
sudo apt-get install docker.io -y
sudo apt-get install docker-compose -y
sudo usermod -aG docker ubuntu   # add the ubuntu user to the docker group so it can run docker without sudo
sudo reboot                      # log in again so the new group membership takes effect

Step3: Install Jenkins
Refer to the guide below.
https://www.jenkins.io/doc/book/installing/linux/#long-term-support-release

Once Jenkins is installed, you can check its status by running the following command:
systemctl status jenkins

To make Jenkins reachable on the AWS instance, open port 8080 in the inbound rules of the security group associated with the instance. This allows incoming traffic to reach Jenkins on that port.

Now you will be able to access Jenkins at publicip:8080
On the unlock page, run cat on the file path it displays to get the initial admin password, as shown below.

Install the suggested plugins when Jenkins prompts you.

Your Jenkins setup is now ready and you can start using it.

Step4: Set up SonarQube
Here we are using a Docker image that contains SonarQube.
docker run -itd --name sonarqube-server -p 9000:9000 sonarqube:lts-community

This docker run command starts a detached container named sonarqube-server from the SonarQube "LTS Community" image. It maps port 9000 on the host machine to port 9000 inside the container so you can reach the SonarQube server. The -d flag runs the container in the background so you can keep using the terminal for other tasks, while -i and -t keep STDIN open and allocate a pseudo-TTY.

Enable port 9000 in the security group of your AWS instance

You should be able to access sonarqube at publicip:9000

The initial username and password will be admin:admin, later you can change it as per your choice.

Step5: Trivy installation

Refer to the guide below to install Trivy:
https://github.com/DevMadhup/Trivy_Installation_and_implementation/blob/main/README.md

Step6: Plugins Installation
Navigate to Manage Jenkins -> Plugins -> Available Plugins -> install the plugins listed below -> Restart Jenkins

Step7: Jenkins integration with sonarqube
Go to the SonarQube instance, click on Administration -> Configuration -> Webhooks -> Create Webhook

The URL will have the following format:
http://<jenkins_url>:8080/sonarqube-webhook/

Go to Security -> Users -> create a token

Go to the Jenkins instance, Manage Jenkins -> Credentials -> System -> Global -> Add Credentials
Add the token generated in SonarQube as the secret.

Navigate to Manage Jenkins -> System -> Add SonarQube and configure as below

Step8: Install the SonarQube scanner for quality gates
Navigate to "Manage Jenkins," then select "Tools." Locate "SonarQube Scanner Installations" and add a new SonarQube Scanner.

Step9: Setting up OWASP (Open Web Application Security Project) Dependency-Check

Navigate to Jenkins UI -> Manage Jenkins -> Tools -> Add Dependency-Check and configure as below

Configure as shown above and click Save to have Jenkins install it automatically.

Step10: Let's build a CI/CD pipeline in Jenkins using a declarative pipeline

Click on New Item, provide the project name, and select Pipeline.

Now provide the GitHub URL of your project and any other configuration required, as follows:

Step11: Start writing your pipeline

The script performs the following actions:

Environment Setup: Defines a SONAR_HOME environment variable pointing to the configured SonarQube installation.

Clone Code from GitHub: Clones the source code from the specified GitHub repository and branch.

SonarQube Quality Analysis: Analyzes the source code using SonarQube for quality and code issues, sending the results to the SonarQube server.

OWASP Dependency Check: Checks project dependencies for known vulnerabilities using OWASP's Dependency Check. If any errors occur during this stage, they're caught, preventing the build from failing.

Sonar Quality Gate Scan: Waits for SonarQube's Quality Gate result to determine if the project meets the set quality criteria.

Trivy File System Scan: Scans the file system for vulnerabilities using Trivy, saving the report in a table format to trivy-fs-report.html.

Deploy using Docker Compose: Deploy the project using Docker Compose.
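A declarative Jenkinsfile implementing the stages listed above, added here as an illustration and not the pipeline from the original post or video. The tool installation names "Sonar" and "DC", the SonarQube server name, the repository URL and the project key are assumed placeholders; use the names you configured in Steps 7 to 9.

```groovy
pipeline {
    agent any
    environment {
        // Scanner installation name from Manage Jenkins -> Tools (assumed name "Sonar")
        SONAR_HOME = tool "Sonar"
    }
    stages {
        stage("Clone Code from GitHub") {
            steps {
                git url: "https://github.com/<your-org>/<your-repo>.git", branch: "main" // placeholder repo
            }
        }
        stage("SonarQube Quality Analysis") {
            steps {
                // "Sonar" is also the server name configured in Manage Jenkins -> System (assumed name)
                withSonarQubeEnv("Sonar") {
                    sh "$SONAR_HOME/bin/sonar-scanner -Dsonar.projectName=devsecops-app -Dsonar.projectKey=devsecops-app"
                }
            }
        }
        stage("OWASP Dependency Check") {
            steps {
                // catchError keeps the build green if the scan errors (as the post describes) but marks the stage failed
                catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
                    // "DC" is the Dependency-Check installation name from Manage Jenkins -> Tools (assumed name)
                    dependencyCheck additionalArguments: '--scan ./ --format ALL', odcInstallation: 'DC'
                    dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
                }
            }
        }
        stage("Sonar Quality Gate Scan") {
            steps {
                // Relies on the webhook from Step 7; abortPipeline fails the build when the gate fails
                timeout(time: 2, unit: "MINUTES") {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage("Trivy File System Scan") {
            steps {
                sh "trivy fs --format table -o trivy-fs-report.html ."
            }
        }
        stage("Deploy using Docker Compose") {
            steps {
                sh "docker-compose down && docker-compose up -d"
            }
        }
    }
}
```

Both report files land in the job workspace, so they can be archived or shared with developers after the run.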

Step12: Run the build once all of the above setup is done

In the console logs you can view detailed information about all of the above stages:

1. SonarQube report:

2. dependency-check-report and trivy-fs-report are created with details you can share with developers to review dependency issues, vulnerabilities, etc.

To view the running applications:

3. Once the application is deployed using docker-compose you can view your application at
http://<publicip>:5173