DevSecOps End to End CICD Project | SonarQube + OWASP + Trivy + Docker + Jenkins

What is DevSecOps?

DevOps is Development + Operations, which is a culture and mindset to automate the SDLC (Software Development Lifecycle).

When we introduce the "Security" aspect to this mindset, it becomes "DevSecOps" (Development + Security + Operations).

Security is mandatory in every organization, so every DevOps professional is essentially a DevSecOps engineer.

Some levels of security our application code needs to pass before deployment:

GitHub: Our code is placed here. When the code is pushed, it might have security issues.
SonarQube: The code from GitHub might have security vulnerabilities. SonarQube scans the code for security purposes and detects malicious or vulnerable code coming from GitHub.
OWASP (to check library dependencies): When the code is scanned, it also goes through its dependencies. Example: A library version might have faults or bugs that could compromise our entire application, making the code vulnerable.
Trivy: It checks whether the Docker image or file system has vulnerabilities. Image scanning with Trivy is essential. Other similar tools include Docker Scout and Snyk.
Tests: We can write test cases inside our Docker setup or have them written by the developer.
Deploy: Finally, our code is successfully deployed on Docker.

Steps to Create an EC2 Instance

1. Launch an EC2 Instance

Instance Type: t2.medium
Storage: 15 GB

2. Install Docker and Docker Compose

Since we will deploy using Docker Compose, install it with the following commands:

sudo apt update && sudo apt install -y docker.io docker-compose

3. Verify Docker Installation

Run the following command to check if Docker is installed properly:

docker ps

4. Grant Docker Permissions to the Ubuntu User

By default, Docker does not have permission to run under the Ubuntu user. Run the following command:

sudo usermod -aG docker $USER

Install Java JDK and Jenkins on EC2 (Ubuntu)

Jenkins requires Java JDK to run. Install both with the following commands:

sudo apt update && sudo apt install -y openjdk-17-jdk
wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee /usr/share/keyrings/jenkins-keyring.asc
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/" | sudo tee /etc/apt/sources.list.d/jenkins.list
sudo apt update && sudo apt install -y jenkins

1. Add Port 8080 in Inbound Rules in EC2

Modify the security group to allow traffic on port 8080 for Jenkins.

2. Start Jenkins and Setup

Once Jenkins is installed, start it with:

sudo systemctl start jenkins

Then, go to:

http://<EC2-Public-IP>:8080

Setup SonarQube with Docker on Ubuntu

Run the following command to deploy SonarQube as a container:

docker run -itd --name SonarQube-Server -p 9000:9000 sonarqube:lts-community

1. Access SonarQube

It will run on:

http://<EC2-Public-IP>:9000

2. Code Scanning with SonarQube

We can take code from different platforms and scan it using SonarQube.
We send the code to SonarQube with Jenkins and get the analyzed code back to Jenkins for any changes.

3. Webhooks Configuration

Jenkins and SonarQube communicate via Webhooks.
To set up Webhooks, we generate tokens inside SonarQube.

Setup Trivy on EC2 Machine (Ubuntu)

Trivy is used for vulnerability scanning of Docker images and file systems. Install it with:

sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update -y
sudo apt-get install trivy -y

1. Running Trivy Commands

Scan a Docker Image

trivy image redis

This command will download the Redis image and scan for vulnerabilities.

Scan a File System

trivy fs --security-checks vuln,config <foldername-or-path>

This command scans all files in the given path for vulnerabilities.

Install Plugins in Jenkins

To integrate Jenkins with SonarQube and other tools, install the following plugins:

1. Go to Jenkins Master

Navigate to:

Manage Jenkins → Plugins → Available Plugins

2. Install the Below Plugins:

OWASP (Security vulnerabilities detection)
SonarQube Scanner (For scanning code with SonarQube)
Sonar Quality Gates (Enforces SonarQube analysis rules)
Docker (For containerized deployments)
Pipeline: Stage View (For Jenkins pipeline visualization)

Integrate Sonarqube and Jenkins

Go to Sonarqube > Administration

Go to Configuration > Webhooks

Click on Create:

We are all set: as you can see we successfully created webhook on sonarqube
Do same for jenkins → First create user in Sonarqube

Go to Sonarqube > Security > user

Create a token in Administrator to authenticate jenkins
Login to Jenkins : to add sonarqube token in Jenkins

Go to manage jenkins > Credentials

Go to global > Add credentials

Click on “add credentials”

Add credentials: The one we copied the token from sonarqube
1. Go to Jenkins > Manage Jenkins > Sonarqube Installation
  
  Congrats! You have successfully integrated Sonar and Jenkins

Installing Sonarqube Quality Gate Tool in Jenkins

Go to Jenkins> Manage Jenkins > Tools

Add Sonar Scanner and save

Sonarqube is done fully now

Setup OWASP Tool in Jenkins

OWASP is a tool for dependency check in Jenkins

Go to Jenkins> Manage Jenkins > Tools

Check “Dependency-Check installations”

Now to configure:

Name: OWASP > Install from github > Dependency Check> Save

OWASP helps to check code dependencies, we add OWASP tool in Jenkins. OWASP have packages and libraries on Github, that’s why we added install from github. It will check dependencies and give the result back to Jenkins.

Setup Declarative Pipeline

Declarative Pipeline helps to create stages in a pipeline.

Add Github Project Link to Project url
```
 https://github.com/krishnaacharyaa/wanderlust
```
1. Add “throttle builds:” It restricts user to click multiple times on Build button.
2. GitHub hook trigger for GITScm polling : When Jenkins receives a GitHub push hook, GitHub Plugin checks to see whether the hook came from a GitHub repository which matches the Git repository defined. When GITScm polls GitHub, it finds that there is a change and initiates a build.
3. Write Pipeline Script:
  
  Check the short glimpse of my project of hit and try where I was trying to build this CICD pipeline. And always got stuck at OWASP because it download heavy files from internet, so I replaced the direct downloading of OWASP through Jenkins, instead I have installed the Dependency check in my local and used inside my pipeline, configured with help of env_var.

Pipeline Script:

pipeline {
    agent any
    environment {
        SONAR_HOME = tool "Sonar"
        OWASP_HOME = '/opt/dependency-check'
    }

    stages {

        stage("Github code") {
            steps {
                git url: "https://github.com/krishnaacharyaa/wanderlust.git", branch: "devops"
            }
        }

        stage("Sonarqube quality analysis") {
            steps {
                withSonarQubeEnv("Sonar") {
                    sh """$SONAR_HOME/bin/sonar-scanner -Dsonar.projectName=wanderlust -Dsonar.projectKey=wanderlust"""
                }
            }
        }

        stage('OWASP FS SCAN') {
            steps {
                sh '${OWASP_HOME}/bin/dependency-check.sh --scan ./frontend --out .'
                sh 'pwd'
                sh 'ls -alh'
            }
        }

        stage("SonarQube Quality Gate Scan") {
            steps {
                timeout(time: 2, unit: "MINUTES") {
                    waitForQualityGate abortPipeline: false
                }
            }
        }

        stage("Trivy File Scan") {
            steps {
                sh "trivy fs --format table -o trivy-fs-report.html ."
            }
        }

        stage("Deploy With Docker Compose") {
            steps {
                sh "docker compose up -d"
            }
        }
    }
}

Certainly! Here’s a breakdown of each stage and its purpose:

Github Code Checkout:
- This stage pulls the latest code from the "devops" branch of the repository.
- Ensures that the pipeline works with the most up-to-date version of the code.
SonarQube Quality Analysis:
- Performs static code analysis using SonarQube to identify bugs, vulnerabilities, and code smells.
- Ensures the code meets quality standards before proceeding with further steps.
OWASP FS Scan:
- Runs the OWASP Dependency-Check tool to identify vulnerable dependencies in the frontend code.
- Helps ensure that the project does not use outdated or insecure libraries.
SonarQube Quality Gate Scan:
- Waits for the SonarQube Quality Gate to verify if the code passed all quality checks.
- The pipeline will stop if the quality gate fails, preventing deployment of low-quality code.
Trivy File Scan:
- Executes a security scan using Trivy to check for vulnerabilities in the filesystem.
- Produces a report to ensure that no critical vulnerabilities are present in the project’s files.
Deploy With Docker Compose:
- Deploys the application using Docker Compose to start the containers in detached mode.
- Ensures that the app is ready for execution with the services defined in docker-compose.yml.

Each of these stages serves an important part in ensuring that code quality, security, and deployment readiness are maintained throughout the CI/CD pipeline.

Congratulations! We have successfully deployed our application with help of docker compose.