Creating a project that sets up a Jenkins CI/CD pipeline for a Node.js application, incorporating DevSecOps practices. SonarQube is integrated for code quality, OWASP Dependency-Check for security testing of dependencies, and Trivy for Docker image scanning.
Prerequisites
AWS-EC2 - Ensure you have an AWS account and have created an EC2 instance.
GitHub - For source code repository and version control.
Docker and Docker Compose - For containerizing the Node.js application.
Jenkins - For setting up and managing the CI/CD pipeline.
SonarQube - For continuous inspection of code quality.
OWASP tool - For identifying security vulnerabilities in the application's dependencies.
Trivy - For scanning Docker images for vulnerabilities.
DevSecOps Practices - Integrating security at every phase of the software development lifecycle.
Launch EC2 Instance:
Create an AWS EC2 instance with the necessary permissions.
Note - Use the t2.large instance type so that the instance has enough resources to run Jenkins, SonarQube and the scanners used in this project.
Jenkins Setup:
Install Java:
sudo apt update
sudo apt install fontconfig openjdk-17-jre
Install Jenkins:
sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
  https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc]" \
  https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
  /etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update
sudo apt-get install jenkins
In the instance's Security Group, allow inbound traffic on port 8080, then open http://<EC2-public-IP>:8080 in your browser.
Unlock Jenkins by providing the initial admin password and continue. Click "Install suggested plugins", create a username and password, then click "Save and Finish".
Setting up Docker and Docker-compose
- Install Docker and Docker-compose:
sudo apt-get install docker.io docker-compose
- Add the Ubuntu and Jenkins users to the Docker group (membership in this group is root-equivalent on the host, and it takes effect only for new sessions, so restart the Jenkins service before it runs Docker commands):
sudo usermod -aG docker $USER
sudo usermod -aG docker jenkins
SonarQube Server Setup:
SonarQube is a Code Quality Assurance tool that collects and analyzes source code and provides reports for the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continually over time.
Utilize Docker to deploy SonarQube. Docker provides a convenient and consistent environment for running applications, ensuring easy setup and management of SonarQube.
docker run -itd --name sonarqube-server -p 9000:9000 sonarqube:lts-community
Access the SonarQube server on port 9000 and log in with the initial credentials - user: admin, password: admin.
Now, On SonarQube server:
- Create a new user and generate a token for it: Administration > Security > Users > Token > Create Token.
Next, In Jenkins server:
Install the SonarQube Scanner plugin: Manage Jenkins > Plugins > Available Plugin > search for "SonarQube scanner" > install.
Add the token from the SonarQube server to Jenkins: Manage Jenkins > Credentials > Global > Add Credentials > choose "Secret text" as the kind, paste the copied token into "Secret", set the ID to "Sonar" and the Description to "Sonar".
Additionally, if you need to add Docker Hub Credentials:
Manage Jenkins > Credentials > Add Credentials > Choose "Username and Password" as kind, set ID as "DockerHubCreds".
Follow the process to establish the connection between the SonarQube server and Jenkins:
Manage Jenkins > System > locate the "SonarQube servers" section > add a new SonarQube server named "Sonar" (the name the pipeline passes to withSonarQubeEnv), with its URL and the "Sonar" token credential > Save the changes.
We're going to activate the SonarQube Scanner plugin:
Manage Jenkins > Tools > locate "SonarQube Scanner installations" > add an installation named "Sonar" (the name the pipeline resolves with tool "Sonar") > Save your changes.
Now, we will set up a webhook on the SonarQube Server for Jenkins:
Navigate to Administration.
Select Configuration.
Locate the Webhooks section.
Click on Create to initiate the webhook setup process.
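What the webhook delivers, and how a receiver should treat it, as an added example that is not part of the original article. Jenkins's SonarQube Scanner plugin is the real receiver here (the webhook URL points at the plugin's sonarqube-webhook/ endpoint on the Jenkins server) and waitForQualityGate in the pipeline consumes the result; this Python script is a stand-in that shows the two checks a receiver makes: authenticate the request, then read the gate verdict. Assumptions: the webhook was created with a value in the "Secret" field of the Create dialog; SonarQube then signs each POST body with HMAC-SHA256 under that secret and sends the hex digest in the X-Sonar-Webhook-HMAC-SHA256 header. The secret, project key, task id and gate conditions below are constructed sample values.

```python
"""Receiver-side handling of a SonarQube webhook (added example, not the article's code)."""
import hashlib
import hmac
import json

# Assumed secret: in practice typed into the SonarQube webhook form and stored
# in Jenkins as a credential, never in source.
WEBHOOK_SECRET = b"example-webhook-secret"


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 of the raw body, as SonarQube places it in the signature header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison of the header against a locally computed signature.

    A missing header is a failure: an unsigned request could come from anyone
    who can reach the Jenkins endpoint, not only from the SonarQube server.
    """
    if not header_value:
        return False
    return hmac.compare_digest(sign(body, secret).encode(), header_value.lower().encode())


def quality_gate_verdict(body: bytes):
    """Return (gate_status, failed_conditions) from an already verified payload."""
    payload = json.loads(body)
    gate = payload.get("qualityGate", {})
    failed = [
        {"metric": c.get("metric"), "value": c.get("value"),
         "operator": c.get("operator"), "threshold": c.get("errorThreshold")}
        for c in gate.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return gate.get("status", "NONE"), failed


def handle_webhook(body: bytes, headers: dict, secret: bytes = WEBHOOK_SECRET):
    """Reject unsigned or forged requests; otherwise return the quality gate verdict."""
    if not verify_signature(body, headers.get("X-Sonar-Webhook-HMAC-SHA256", ""), secret):
        raise PermissionError("webhook signature missing or invalid")
    return quality_gate_verdict(body)


# Constructed sample payload in SonarQube's webhook layout: the gate failed on
# new-code coverage and passed on new bugs.
SAMPLE_BODY = json.dumps({
    "serverUrl": "http://sonarqube.example:9000",
    "taskId": "TASK-EXAMPLE",
    "status": "SUCCESS",
    "project": {"key": "nodetodo", "name": "nodetodo"},
    "qualityGate": {
        "name": "Sonar way",
        "status": "ERROR",
        "conditions": [
            {"metric": "new_coverage", "operator": "LESS_THAN",
             "value": "42.0", "status": "ERROR", "errorThreshold": "80"},
            {"metric": "new_bugs", "operator": "GREATER_THAN",
             "value": "0", "status": "OK", "errorThreshold": "0"},
        ],
    },
}).encode()

# Header as SonarQube would send it for SAMPLE_BODY under WEBHOOK_SECRET.
SAMPLE_HEADERS = {"X-Sonar-Webhook-HMAC-SHA256": sign(SAMPLE_BODY)}

if __name__ == "__main__":
    status, failed = handle_webhook(SAMPLE_BODY, SAMPLE_HEADERS)
    print("quality gate:", status)
    for f in failed:
        print(f"  {f['metric']} = {f['value']} ({f['operator']} {f['threshold']})")
```

The verdict is read only after the signature check passes, so a payload that merely looks like SonarQube's cannot mark a failed gate as passed; the failed conditions are what a build log should show when the "SonarQube Quality Gates" stage reports ERROR.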
Install Trivy:
Trivy is an open-source vulnerability scanner for container images, file systems, and programming language dependencies. Developed by Aqua Security, Trivy is known for its ease of use and comprehensive vulnerability detection.
It supports a wide range of image formats, including those from Docker, and can also scan IaC (Infrastructure as Code) files for security issues.
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
Install OWASP:
OWASP stands for Open Web Application Security Project. It is an international non-profit organization dedicated to the security of web applications. One of OWASP's core principles is that its materials are freely available and easily accessible on its website.
Its aim is to make it possible for any user to improve their web application security. In this project, the OWASP Dependency-Check tool is used to find known vulnerabilities in the application's dependencies.
To integrate OWASP into Jenkins:
Add the OWASP dependency checker plugin: Go to Manage Jenkins > Plugins > Available Plugins > search for "OWASP dependency checker" > install.
Enable OWASP: Go to Manage Jenkins > Tools > find "Dependency-Check installations" > add an installation named "OWASP" (the name the pipeline passes as odcInstallation) > save your changes.
Create a pipeline in Jenkins:
This Jenkins pipeline automates the continuous integration and deployment process for a Node.js application. It comprises several stages:
Code: Clones the source code from a GitHub repository.
SonarQube Analysis: Conducts static code analysis using SonarQube to assess code quality.
SonarQube Quality Gates: Waits for the quality gate result of that analysis, which SonarQube delivers through the webhook configured earlier.
OWASP: Runs OWASP Dependency-Check to scan the project's dependencies for known vulnerabilities.
Build and Test: Builds a Docker image for the Node.js application.
Trivy: Conducts vulnerability scanning on the Docker image using Trivy.
Push to Private Docker Hub Repo: Pushes the Docker image to a private Docker Hub repository.
Deploy: Deploys the application using Docker Compose.
Here is our Pipeline:
pipeline {
    agent any
    environment {
        // "Sonar" must match the SonarQube Scanner installation name under Manage Jenkins > Tools
        SONAR_HOME = tool "Sonar"
    }
    stages {
        stage("Code") {
            steps {
                git url: "https://github.com/LondheShubham153/node-todo-cicd.git", branch: "master"
                echo "Code Cloned Successfully"
            }
        }
        stage("SonarQube Analysis") {
            steps {
                // "Sonar" must match the SonarQube server name under Manage Jenkins > System
                withSonarQubeEnv("Sonar") {
                    sh "$SONAR_HOME/bin/sonar-scanner -Dsonar.projectName=nodetodo -Dsonar.projectKey=nodetodo -X"
                }
            }
        }
        stage("SonarQube Quality Gates") {
            steps {
                // Waits for the webhook callback from the SonarQube server;
                // abortPipeline: false records the gate result without failing the build
                timeout(time: 1, unit: "MINUTES") {
                    waitForQualityGate abortPipeline: false
                }
            }
        }
        stage("OWASP") {
            steps {
                // 'OWASP' must match the Dependency-Check installation name under Manage Jenkins > Tools
                dependencyCheck additionalArguments: '--scan ./', odcInstallation: 'OWASP'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage("Build & Test") {
            steps {
                sh 'docker build -t node-app-batch-6:latest .'
                echo "Code Built Successfully"
            }
        }
        stage("Trivy") {
            steps {
                sh "trivy image node-app-batch-6:latest"
            }
        }
        stage("Push to Private Docker Hub Repo") {
            steps {
                withCredentials([usernamePassword(credentialsId: "DockerHubCreds", passwordVariable: "dockerPass", usernameVariable: "dockerUser")]) {
                    // Single-quoted Groovy strings keep the secret out of Groovy interpolation
                    // (and the build log); --password-stdin keeps it out of the process list
                    sh 'echo "$dockerPass" | docker login -u "$dockerUser" --password-stdin'
                    sh 'docker tag node-app-batch-6:latest "$dockerUser"/node-app-batch-6:latest'
                    sh 'docker push "$dockerUser"/node-app-batch-6:latest'
                }
            }
        }
        stage("Deploy") {
            steps {
                sh "docker-compose down && docker-compose up -d"
                echo "App Deployed Successfully"
            }
        }
    }
}
Now we are ready to build: click Build Now.
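The Trivy stage above prints findings but never fails the build, so a CRITICAL finding still ends up pushed and deployed. Trivy can gate on its own (its real `--exit-code 1 --severity HIGH,CRITICAL` flags), but it is worth seeing the policy written out. The following is an added example, not code from the article: it assumes the stage saves the scan as JSON with `trivy image --format json -o trivy-report.json node-app-batch-6:latest` and then runs `python3 trivy_gate.py trivy-report.json` from an `sh` step, failing the stage through the exit code. The report embedded below is a constructed sample in Trivy's JSON layout; its CVE ids are placeholders, not real advisories.

```python
"""Severity gate over a Trivy JSON report (added example, not the article's code)."""
import json
import sys
from collections import Counter

# Severities that block the build; everything else is reported only.
BLOCKING = {"CRITICAL", "HIGH"}


def iter_vulns(report):
    """Yield (target, vulnerability) for every finding across all scanned targets."""
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def evaluate(report, blocking=BLOCKING, ignore_unfixed=False):
    """Return (passed, severity_counts, blocking_findings) for a parsed report.

    ignore_unfixed=True mirrors Trivy's --ignore-unfixed: findings with no
    FixedVersion are still counted but never block, since no upgrade exists yet.
    """
    counts = Counter()
    blockers = []
    for target, v in iter_vulns(report):
        sev = v.get("Severity", "UNKNOWN").upper()
        counts[sev] += 1
        if sev not in blocking:
            continue
        if ignore_unfixed and not v.get("FixedVersion"):
            continue
        blockers.append({
            "target": target,
            "id": v.get("VulnerabilityID"),
            "pkg": v.get("PkgName"),
            "installed": v.get("InstalledVersion"),
            "fixed": v.get("FixedVersion") or "no fix",
            "severity": sev,
        })
    return (not blockers), counts, blockers


# Constructed sample report: an OS package with a fixed CRITICAL, one with an
# unfixed HIGH, and a Node.js dependency with a LOW. CVE ids are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "node-app-batch-6:latest",
    "Results": [
        {
            "Target": "node-app-batch-6:latest (debian 12.5)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "Node.js",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-pkg",
                 "InstalledVersion": "0.1.0", "FixedVersion": "0.1.1", "Severity": "LOW"},
            ],
        },
    ],
}


def main(argv):
    """Usage: python3 trivy_gate.py [trivy-report.json] [--ignore-unfixed]; exit 1 on failure."""
    paths = [a for a in argv[1:] if not a.startswith("--")]
    if paths:
        with open(paths[0]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    passed, counts, blockers = evaluate(report, ignore_unfixed="--ignore-unfixed" in argv)
    print("severity counts:", dict(counts))
    for b in blockers:
        print(f"BLOCK {b['severity']:8} {b['id']} {b['pkg']} {b['installed']} -> {b['fixed']} [{b['target']}]")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the JSON report as a build artifact alongside the gate decision gives the reviewer the full finding list even when the build is stopped, and the `--ignore-unfixed` switch makes the unavoidable trade-off explicit: unfixed findings are visible in the counts but do not block a deployment that cannot yet remediate them.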
Conclusion:
Implementing a DevSecOps Jenkins CI/CD pipeline for a Node.js application has significantly enhanced our development and deployment processes. By integrating security into the continuous integration and continuous deployment workflows, we have ensured that our application is not only built and deployed efficiently but also adheres to stringent security standards at every stage.
Overall, this project has demonstrated the critical importance of integrating security into the DevOps pipeline, fostering a culture of continuous improvement and security awareness within our development teams. Moving forward, we are well-positioned to scale our operations while maintaining high standards of security and quality, ultimately delivering a more secure and reliable product to our users.
Hope you found this article informative and useful. Thanks for reading this article.
Keep Learning... :)