DevSecOps Project Setup — A Step-by-Step Guide


Introduction

In this project, we’ll build a DevSecOps pipeline using the following tools:

  1. JDK + Jenkins — Automation server for CI/CD
  2. Docker — Containerization platform
  3. SonarQube — Code quality and security scanner
  4. Trivy — Container image vulnerability scanner
  5. OWASP Dependency Checker — Identifies security risks in dependencies
  6. Docker Compose — Manages multi-container Docker applications

Project Workflow

  1. Developer pushes code to GitHub
  2. SonarQube scans the code for quality and security
  3. Docker builds the image
  4. Trivy scans the image for vulnerabilities
  5. Image is pushed to DockerHub
  6. Deploy the image on AWS EC2 or any other server

Setting Up the Environment

1. AWS EC2 Setup

We’ll use an AWS t2.large instance (2 vCPUs, 8 GB RAM), since Jenkins, SonarQube and the scanners will run on the same host at the same time.

2. Install Java (JDK 17)

Run the following commands on your EC2 instance:

sudo apt update
sudo apt install fontconfig openjdk-17-jre -y

Jenkins Installation & Setup

Jenkins has two types of releases:

  • Weekly Release — Gets updates every week (not recommended for stability).
  • Long-Term Support (LTS) — More stable, updated every 12–13 weeks (Recommended).

Installing Jenkins (LTS Version)

sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc]" \
https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update
sudo apt-get install jenkins -y

Check Jenkins Status:

systemctl status jenkins

Jenkins Web Interface Setup

Jenkins runs on port 8080. Allow access from your IP only in AWS security groups.

  1. Get the initial admin password:
  • sudo cat /var/lib/jenkins/secrets/initialAdminPassword
  2. Paste the password in the Jenkins UI (http://<EC2-public-IP>:8080)
  3. Install Suggested Plugins
  4. Create Admin User

Docker Installation & Configuration

sudo apt-get install docker.io docker-compose -y
sudo usermod -aG docker $USER
sudo usermod -aG docker jenkins
sudo chown ubuntu /var/run/docker.sock
sudo systemctl enable docker

Group membership only takes effect on the next login (or after running newgrp docker), and the Jenkins service must be restarted (sudo systemctl restart jenkins) before its jobs can talk to the Docker socket. The chown on the socket is a shortcut that does not survive a Docker restart; the docker group membership is what persists.

How to Push a Docker Image to Docker Hub Using Jenkins

Pushing a Docker image to Docker Hub might seem tricky, but it’s absolutely doable. Here’s a step-by-step guide to help you complete this task without directly sharing your Docker Hub username and password.

Step 1: Add Credentials in Jenkins

  1. Log in to Jenkins.
  2. Go to Manage Jenkins > Security > Credentials.
  3. Under Stores scoped to Jenkins, click on the Global domain.
  4. Click on Global credentials and then click Add Credentials.
  5. Fill out the form:
  • Kind: Username and password
  • Scope: Global (Jenkins, nodes, etc.)
  • Username: Your Docker Hub username (e.g., brillertechnologies)
  • Password: Your Docker Hub Personal Access Token (PAT)
  • ID: Choose a name to identify the credentials (e.g., dockerCreds). This ID will be used in the pipeline.
  • Description: Add a description for your reference.
  • Click Create. Your Docker Hub credentials are now securely stored in Jenkins.

SonarQube & SonarScanner Setup

How Does SonarQube Work?

  • SonarScanner sends code to SonarQube Server for analysis.
  • SonarQube checks for vulnerabilities, code smells, bugs, and quality gates.

Run SonarQube in Docker

docker run -itd --name sonarqube-server -p 9000:9000 sonarqube:lts-community

Access SonarQube:

  • Open http://<EC2-public-IP>:9000
  • Login (default: admin / admin)
  • Change the password

Connecting SonarQube with Jenkins

Generate a SonarQube Token:

  • Go to Administration > Security > Users
  • Generate a Personal Access Token (PAT)

1. Install SonarQube Plugin in Jenkins

  • Go to Manage Jenkins > Plugin Manager
  • Search and install SonarQube Scanner
  • Restart Jenkins

2. Add SonarQube Credentials in Jenkins

  • Go to Manage Jenkins > Credentials > Global
  • Add new credentials:
  • Kind: Secret Text
  • Secret: Paste your SonarQube Token

3. Configure SonarQube in Jenkins

  • Go to Manage Jenkins > System > SonarQube Servers
  • Add SonarQube URL & Authentication Token

Trivy Setup — Container Security Scanner

What is Trivy?
Trivy scans container images, file systems, Git repositories, and Kubernetes clusters for vulnerabilities.

Install Trivy

sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y

Scan a Docker Image with Trivy

trivy image node

OWASP Dependency Checker — Detect Vulnerabilities in Libraries

Why Use OWASP DC?

  • Checks for known vulnerabilities in project dependencies
  • Helps prevent issues like Log4j vulnerabilities

Install OWASP Dependency Checker in Jenkins

  1. Install OWASP DC Plugin
  • Go to Manage Jenkins > Plugin Manager
  • Search for OWASP Dependency-Check
  • Install and restart Jenkins

2. Configure OWASP in Jenkins

  • Go to Manage Jenkins > Tools > OWASP Dependency-Check
  • Install version 9.0.9

Jenkins Pipeline — Automating DevSecOps

pipeline {
    agent any
    environment {
        // "sonar" must match the SonarScanner tool name configured under Manage Jenkins > Tools
        SONAR_HOME = tool "sonar"
    }
    stages {
        stage("Code") {
            steps {
                git url: "https://github.com/LondheShubham153/node-todo-cicd", branch: "master"
                echo "Code cloned successfully"
            }
        }
        stage("Build and Test") {
            steps {
                sh 'docker build -t node-app:latest .'
                echo "Code built successfully"
            }
        }
        stage("SonarQube Analysis") {
            steps {
                // "sonar" here is the server name configured under Manage Jenkins > System > SonarQube Servers
                withSonarQubeEnv("sonar") {
                    sh "$SONAR_HOME/bin/sonar-scanner -Dsonar.projectName=node-todo -Dsonar.projectKey=node-todo -X"
                }
            }
        }
        stage("SonarQube Quality Gate") {
            steps {
                // abortPipeline: false only records the gate result; set it to true to fail the build on a failed gate
                timeout(time: 1, unit: "MINUTES") {
                    waitForQualityGate abortPipeline: false
                }
            }
        }
        stage("Trivy Security Scan") {
            steps {
                // Trivy exits 0 here even when it finds vulnerabilities; add
                // --exit-code 1 --severity HIGH,CRITICAL to make this stage fail the build
                sh 'trivy image node-app'
            }
        }
        stage("Push to DockerHub") {
            steps {
                withCredentials([usernamePassword(credentialsId: "dockerCreds", usernameVariable: "DOCKER_USER", passwordVariable: "DOCKER_PASS")]) {
                    // Single-quoted Groovy strings: the shell expands the variables, so the token is never
                    // interpolated into the step (Jenkins warns about "${DOCKER_PASS}" in double quotes).
                    // --password-stdin keeps the token out of the process list and the build log.
                    sh 'echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin'
                    sh 'docker tag node-app:latest "$DOCKER_USER"/node-app:latest'
                    sh 'docker push "$DOCKER_USER"/node-app:latest'
                }
            }
        }
        stage("OWASP Dependency Check") {
            steps {
                // add odcInstallation: "<tool name from Manage Jenkins > Tools>" to pin the 9.0.9 installation configured above
                dependencyCheck additionalArguments: "--scan ./"
                dependencyCheckPublisher pattern: "**/dependency-check-report.xml"
            }
        }
        stage("Deploy") {
            steps {
                sh 'docker-compose up -d'
                echo "App deployed successfully"
            }
        }
    }
}
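The "Scan a Docker Image with Trivy" section and the Trivy stage in the pipeline above both run the scan but never act on its result: trivy exits 0 and the push proceeds whatever it found. Trivy's own flags (--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed) cover the simple case; when you want the build log to show exactly which findings blocked the push, and a policy you can adjust per branch, a small gate over the JSON report does it. The script below is an added example, not code from the original post or from the Trivy project. The report it parses is a constructed sample that follows Trivy's JSON layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the CVE ids and versions in it are placeholders.

```python
import json
import sys
from collections import Counter

# Constructed sample of a Trivy JSON report (what `trivy image -f json node-app:latest`
# emits), trimmed to the fields the gate uses. The CVE ids and package versions are
# placeholders, not findings from the image built on this page.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "node-app:latest",
    "Results": [
        {
            "Target": "node-app:latest (debian 11.6)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1n-0+deb11u3", "FixedVersion": "1.1.1n-0+deb11u4",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc6",
                 "InstalledVersion": "2.31-13+deb11u5", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "curl",
                 "InstalledVersion": "7.74.0-1.3+deb11u7", "FixedVersion": "7.74.0-1.3+deb11u8",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "Node.js",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "minimist",
                 "InstalledVersion": "1.2.5", "FixedVersion": "1.2.6",
                 "Severity": "CRITICAL"},
            ],
        },
        # A target with no findings is reported with "Vulnerabilities": null by Trivy.
        {"Target": "package.json", "Class": "lang-pkgs", "Vulnerabilities": None},
    ],
})

# Trivy severities, lowest to highest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report_json, ignore_unfixed=False):
    """Flatten every Results[].Vulnerabilities[] entry into one list of dicts.

    ignore_unfixed drops findings with no FixedVersion, the same policy as
    `trivy --ignore-unfixed`: a rebuild cannot remove them yet, so they are
    reported but do not block.
    """
    report = json.loads(report_json)
    out = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            out.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return out


def severity_counts(report_json, ignore_unfixed=False):
    """Count findings per severity, e.g. {'CRITICAL': 2, 'HIGH': 1, 'MEDIUM': 1}."""
    return dict(Counter(f["severity"] for f in findings(report_json, ignore_unfixed)))


def gate(report_json, threshold="HIGH", ignore_unfixed=False):
    """Return (passed, blocking); blocking lists every finding at or above threshold.

    Sorted highest severity first so the printed summary puts the worst item on top.
    """
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking = [f for f in findings(report_json, ignore_unfixed)
                if SEVERITY_RANK[f["severity"]] >= min_rank]
    blocking.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return (len(blocking) == 0, blocking)


def main(argv):
    """Usage: python trivy_gate.py [report.json] [THRESHOLD]; exit status 1 when the gate fails."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    passed, blocking = gate(report_json, threshold, ignore_unfixed=True)
    print("findings by severity:", severity_counts(report_json, ignore_unfixed=True))
    for f in blocking:
        print(f"  {f['severity']:<8} {f['id']:<18} {f['pkg']} {f['installed']} -> fix {f['fixed']}")
    print("gate:", "PASS" if passed else f"FAIL ({len(blocking)} at or above {threshold})")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into the pipeline (an assumed layout, the file name trivy_gate.py is my own), the Trivy stage would write the report with trivy image -f json -o trivy.json node-app:latest and then run python3 trivy_gate.py trivy.json CRITICAL; the non-zero exit status fails the stage, so the "Push to DockerHub" stage is never reached. Run with no arguments the script gates the embedded sample, which fails on the fixable CRITICAL in minimist and the HIGH in libssl1.1 while the unfixed libc6 finding is reported but not counted.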

Conclusion

This DevSecOps pipeline ensures security is embedded into every step of the software development process. You can now:
✅ Automate builds with Jenkins
✅ Scan code for vulnerabilities using SonarQube
✅ Scan container images using Trivy
✅ Check dependencies with OWASP DC
✅ Deploy securely on DockerHub & AWS

Try it out and share your experience! 🚀
