PratikM's Blog

♾Securing the Future: A DevSecOps Project

We are going to variety of tools that are essential in the world of DevOps.

Pratik R. Mandge's photo
Pratik R. Mandge
·

4 min read

♾Securing the Future: A DevSecOps Project

Table of contents

🔹Flow of DevSecOps Project

🔹Prerequisite Tools:

AWS Ubuntu: "AWS Ubuntu refers to the Ubuntu operating system instances that are hosted on the Amazon Web Services cloud platform."

GitHub: "GitHub is a web-based platform for version control using Git, commonly used for hosting and sharing code repositories."

Docker: "Docker is a platform for developing, shipping, and running applications using containerization."

Docker-compose: "Docker Compose is a tool for defining and running multi-container Docker applications."

Jenkins CI/CD: "Jenkins CI/CD is an automation server used for continuous integration and continuous deployment pipelines."

SonarQube: "SonarQube is an open-source platform for continuous inspection of code quality."

OWASP: "OWASP (Open Web Application Security Project) is a non-profit organization dedicated to improving software security."

Trivy: "Trivy is a vulnerability scanner for containers and other artifacts, focusing on simplicity and ease of use."

These tools will help us streamline our development processes while ensuring security throughout.

🔹Now Let's start the Project

◼️Set EC2 Instance:

Instance Type - minimum t2.large & minimum Volume 10 GB.

◼️Install Openjdk 17-jre:

To run Jenkins, you need to have Java installed on your machine.

sudo apt update
sudo apt install fontconfig openjdk-17-jre
java -version

◼️Install Jenkins:

Long Term Support Release

sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
  https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
  https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
  /etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update
sudo apt-get install jenkins

◼️Now enable, start and verify the Jenkins service with below command:

sudo systemctl enable jenkins   
sudo systemctl start jenkins
sudo systemctl status jenkins

◼️Install Docker and docker-compose:

sudo apt-get install docker.io docker-compose -y

◼️Add Current User & jenkins into docker group:

sudo usermod -aG docker $USER
sudo usermod -aG docker jenkins

◼️Once reboot your instance:

sudo reboot

◼️Check current user & jenkins added in docker group:

sudo cat /etc/group     # To check the users added in docker group

◼️Install SonarQube:

To start a Docker container running SonarQube Community Edition in the LTS (Long Term Support) version.

docker run -itd --name sonarqube-server -p 9000:9000 sonarqube:lts-community

◼️Install Trivy:

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

◼️Now add the Ports shown below:

Go to Instance Security-> Security Groups-> Edit Inbound Rules-> Add Rules

For Jenkins: 8080, For SonarQube: 9000, For Docker: 8000

◼️Access Jenkins Server: With url as http://<publicIP>:8080

After acess jenkins-> Select suggested plugins.

After Installation you'll get path: /var/lib/jenkins/secrets/initialAdminPassword

Just copy that directory path and paste it in EC2 terminal using cat:

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

◼️Copy the password and paste to jenkins. & Create your Jenkins account.

◼️Install SonarQube, OWASP, Docker plugins in Jenkins below:

Plugins - SonarQube Scanner, Sonar Quality Gates, OWASP Dependency-Check, Docker.

◼️Access SonarQube Server: To access server just use http://<publicIP>:9000

Initially username and password will be ‘ admin’ , ’ admin’. Just change with a new password.

◼️Create users token in SonarQube: Generate a token for authentication purposes. Click on Administration tab-> Security-> Users-> create Token name as jenkins.

Whatever token generated, just copy and paste to somewhere else. Once window is closed, you wont be able to see that again.

◼️Create a webhook in SonarQube: Administration-> Configuration-> Webhook-> Create

◼️Now Add SonarQube Credentials to Jenkins:

Manage Jenkins-> Credentials-> Add SonarQube Credential

Kind -Secret Text

Scope- Global (Jenkins nodes..)

Secret- Token generated from sonarqube.

ID- Sonar

Description- Sonar

◼️Also Add DockerHub Credentials:

Kind- ‘Username with Password‘

Scope- Global (Jenkins nodes..)

Username- your DockerHub Username

Password- your DockerHub Password

ID- dockerHub

Description- DockerHub Credentials.

◼️Add SonarQube in Jenkins:

Manage Jenkins-> System-> SonarQube Servers-> SonarQube Installations

Server URL:http://ipaddress:9000

Server authentication token: Sonar

◼️Add SonarQube Scanner from tools:

Manage Jenkins-> Tools-> SonarQube Scanner

◼️Add OWASP from tools:

Manage Jenkins-> Tools-> Dependency-Check installations

Select Install from Github.com and it will take version

◼️Build Pipeline:

New Item-> (Enter Project Name)-> Select Pipeline-> OK

Configuration-> GitHub Project(Github url)-> Build Trigger(Github hook trigger)

Select Pipeline script-> Paste Pipeline Syntax.

pipeline {

    agent any
     environment{
        SONAR_HOME = tool "Sonar"
    }
    stages {

        stage("Code"){
            steps{
                git url: "https://github.com/mandgepratik/node-todo-cicd.git" , branch: "master"
                echo "Code Cloned Successfully"
            }
        }
        stage("SonarQube Analysis"){
            steps{
               withSonarQubeEnv("Sonar"){
                   sh "$SONAR_HOME/bin/sonar-scanner -Dsonar.projectName=nodetodo -Dsonar.projectKey=nodetodo -X"
               }
            }
        }
        stage("SonarQube Quality Gates"){
            steps{
               timeout(time: 1, unit: "MINUTES"){
                   waitForQualityGate abortPipeline: false
               }
            }
        }
        stage("Build & Test"){
            steps{
                sh 'docker build -t node-app:latest .'
                echo "Code Built & Test Successfully"
            }
        }
        stage("OWASP"){
            steps{
                dependencyCheck additionalArguments: '--scan ./', odcInstallation: 'OWASP'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage("Trivy"){
            steps{
                sh "trivy image node-app"
                echo "Image Scanned Successfully"
            }
        }
       stage("Push to Private Docker Hub Repo"){
            steps{
                withCredentials([usernamePassword(credentialsId:"dockerHub",passwordVariable:"dockerPass",usernameVariable:"dockerUser")]){
                sh "docker login -u ${env.dockerUser} -p ${env.dockerPass}"
                sh "docker tag node-app:latest ${env.dockerUser}/node-app:latest"
                sh "docker push ${env.dockerUser}/node-app:latest"
                }

            }
        }
        stage("Deploy"){
            steps{
                sh "docker-compose down && docker-compose up -d"
                echo "App Deployed Successfully"
            }
        }
    }
}

◼️Save & Build Now

The Stages Box sequence will show as per your code.

◼️To access App:PublicIP:8000

🎊Congratulations!!! You have done it...

📌If you find any issue during the execution of this project, let me know on LinkedIn.

Happy Learning😊

Did you find this article valuable?

Support Pratik R. Mandge by becoming a sponsor. Any amount is appreciated!

DevSecOpsDevopsDevops articlestrivyDockerdocker imagesDocker composesonarqubeowaspGitHubJenkinsec2AWS#PratikMandge#90daysofdevops