Jenkins CI/CD with Docker | Trivy | SonarQube | OWASP Dependency Check
In this project a Jenkins CI/CD pipeline integrates Docker, Trivy, SonarQube and OWASP Dependency Check to automate the build, scan it for vulnerabilities and check code quality. Trivy and Dependency Check handle vulnerability scanning (of the source tree, the npm dependencies and the built image), SonarQube handles static analysis and the quality gate, and the application itself is built, pushed and deployed as a Docker container.
Github repository
Step 1:- Install Jenkins
Step 2:- Install Docker
sudo apt-get update
sudo apt-get install docker.io -y
sudo usermod -aG docker $USER   # my login user; ubuntu in my case
sudo usermod -aG docker jenkins # lets the Jenkins service user talk to the Docker daemon
sudo systemctl restart docker
Membership of the docker group is root-equivalent on the host (anyone in it can start a container that mounts / and runs as root), so from now on the jenkins user, and every pipeline script it executes, must be treated as fully trusted on this machine. Group changes only apply to new sessions: log out and back in (or run newgrp docker) for your own user, and restart Jenkins so the jenkins process picks up the new group:
http://<Jenkins-ip>:8080/restart
Step 3:- Run SonarQube as a Docker container
With Docker installed, start a SonarQube container. Open port 9000 in the instance's security group, ideally only to the Jenkins host and your own IP, because the default credentials below are public knowledge.
docker run -d --name sonar -p 9000:9000 sonarqube:lts-community
SonarQube is now up and running on http://<sonarqube-ip>:9000
username - admin
password - admin
On first login SonarQube asks you to set a new password; do that before exposing the port any wider. You then land on the Sonar dashboard.
Step 4:- Install Trivy
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y
Install the plugins for JDK, SonarQube Scanner, NodeJS, OWASP Dependency-Check and Docker
Goto Manage Jenkins → Plugins → Available Plugins →
1 → Eclipse Temurin Installer (Install without restart)
2 → SonarQube Scanner (Install without restart)
3 → NodeJS Plugin (Install without restart)
4 → OWASP Dependency-Check (Install without restart)
5 → Docker, Docker Commons, Docker Pipeline, Docker API, docker-build-step (Install without restart). These are five separate plugins; the pipeline's withDockerRegistry step comes from Docker Pipeline.
Configure Tools
Goto Jenkins Dashboard → Manage Jenkins → Tools
The names you give these installations are what the pipeline script refers to, so they must match exactly:
JDK installations: name jdk17, version 17 (Temurin)
NodeJS installations: name node16, version 16
Dependency-Check installations: name DP-Check
Docker installations: name docker
SonarQube Scanner installations: name sonar-scanner
After that click on Apply and Save
Configure the SonarQube server in Manage Jenkins
Goto your SonarQube server. Click on Administration → Security → Users → click the Tokens icon for the user → give the token a name → Generate Token. Copy the token now; SonarQube shows it only once. Jenkins will use this token to authenticate to SonarQube, so it belongs in the Jenkins credential store, never in the pipeline script or job configuration.
Goto Jenkins Dashboard → Manage Jenkins → Credentials → System → Global credentials (unrestricted) → Add Credentials → Kind: Secret text. Paste the token as the secret, set the ID to Sonar-Token (the pipeline's waitForQualityGate step refers to this ID) and click Create.
Now go to Dashboard → Manage Jenkins → System → SonarQube servers and add a server named sonar-server (the name the pipeline passes to withSonarQubeEnv), with Server URL http://<sonarqube-ip>:9000 and Sonar-Token selected as the server authentication token.
Click on Apply and Save
In the SonarQube dashboard add a webhook so the quality-gate result is pushed back to Jenkins (the pipeline's waitForQualityGate step blocks until this webhook arrives):
Administration → Configuration → Webhooks
Click on Create
Add details
In the URL field enter:
http://<jenkins-public-ip>:8080/sonarqube-webhook/
The trailing slash matters, and the SonarQube container must be able to reach that address: if Jenkins and SonarQube share a host, use the host's IP, since localhost inside the container is the container itself.
Generating Docker access token
Log into Docker Hub:
- Go to Docker Hub and log in with your Docker ID and password.
Navigate to Account Settings:
- Click on your profile icon at the top right and select Account Settings from the dropdown menu.
Create Access Token:
- In the Security section of your account settings, click on New Access Token.
- Enter a description for the token (e.g., “CLI access token”) to help identify its purpose.
- Select the permissions for the token. The pipeline only pushes images, so read and write access is enough; do not grant delete or full account access, and never paste your account password into Jenkins in place of a token.
- Click Create to generate the token.
Copy the Access Token:
- Once generated, the access token will be displayed on screen. Copy it immediately, as you won’t be able to view it again.
Add DockerHub Username and Access Token under Global Credentials
Goto Jenkins Dashboard → Manage Jenkins → Credentials → System → Global credentials (unrestricted) → Add Credentials → Kind: Username with password. Enter your Docker ID as the username, paste the access token as the password and set the ID to docker, which is the credentialsId the pipeline passes to withDockerRegistry (that step expects a username/password credential, not a Secret text one).
It should look like this
Create a Jenkins Job
Goto Jenkins Dashboard → New Item, name the job Zomato, select Pipeline and click OK.
Paste the script below into the Pipeline section, click on Apply and Save, then Build Now; the pipeline will start.
Pipeline — Script
pipeline {
    agent any
    tools {
        // Names must match the installations configured under Manage Jenkins → Tools
        jdk 'jdk17'
        nodejs 'node16'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
    }
    stages {
        stage('clean workspace') {
            steps {
                cleanWs()
            }
        }
        stage('Checkout from Git') {
            steps {
                git branch: 'main', url: 'https://github.com/jay75chauhan/Zomato-Clone'
            }
        }
        stage('Sonarqube Analysis') {
            steps {
                // 'sonar-server' is the server name from Manage Jenkins → System
                withSonarQubeEnv('sonar-server') {
                    sh '''$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=zomato \
                        -Dsonar.projectKey=zomato'''
                }
            }
        }
        stage('quality gate') {
            steps {
                // Waits for the SonarQube webhook; the timeout stops the build from hanging
                // forever if the webhook is misconfigured. With abortPipeline: false a failed
                // gate is reported but does not stop the build, so the image is still built and
                // pushed; set it to true to make a red gate block the remaining stages.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-Token'
                }
            }
        }
        stage('Install Dependencies') {
            steps {
                sh 'npm install'
            }
        }
        stage('OWASP FS SCAN') {
            steps {
                // Runs after npm install so node_modules is scanned as well.
                // --disableYarnAudit/--disableNodeAudit skip the online audit analyzers; the NVD
                // data update still needs network access and, with recent Dependency-Check
                // releases, an NVD API key (--nvdApiKey) to avoid heavy rate limiting.
                dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit', odcInstallation: 'DP-Check'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage('TRIVY FS SCAN') {
            steps {
                // Report only: without --exit-code 1 (and, say, --severity HIGH,CRITICAL)
                // trivy always exits 0 and the build never fails on findings.
                sh 'trivy fs . > trivyfs.txt'
            }
        }
        stage('Docker Build & Push') {
            steps {
                script {
                    // 'docker' is the username/password credential holding the Hub access token
                    withDockerRegistry(credentialsId: 'docker', toolName: 'docker') {
                        sh 'docker build -t zomato .'
                        sh 'docker tag zomato jay75chauhan/zomato:latest'
                        sh 'docker push jay75chauhan/zomato:latest'
                    }
                }
            }
        }
        stage('TRIVY') {
            steps {
                // Scans the image after it has already been pushed; move this stage before the
                // push (scanning the local 'zomato' tag) if findings should stop publication.
                sh 'trivy image jay75chauhan/zomato:latest > trivy.txt'
            }
        }
        stage('Deploy to container') {
            steps {
                script {
                    withDockerRegistry(credentialsId: 'docker', toolName: 'docker') {
                        // Remove the previous run's container first, otherwise the second build
                        // fails because the name 'zomato' is already in use.
                        sh 'docker rm -f zomato || true'
                        sh 'docker run -d --name zomato -p 3000:3000 jay75chauhan/zomato:latest'
                    }
                }
            }
        }
    }
}
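The two Trivy stages and the OWASP Dependency-Check stage above only write reports; nothing in the pipeline fails the build on what they find. The script below is an added example, not part of the original pipeline and not code from the Trivy or OWASP Dependency-Check projects. It reads Trivy's JSON output (produced by running the scans with `--format json -o trivy.json` instead of redirecting to a text file) together with the `dependency-check-report.xml` the OWASP stage already produces, normalises both into one list of findings and exits non-zero when anything at or above a chosen severity is present, optionally ignoring findings Trivy marks as having no fix yet (the same idea as `trivy --ignore-unfixed`). It would be called from an extra `sh 'python3 scan_gate.py trivy.json dependency-check-report.xml'` step after the scans. The file name, the parts of both report layouts the script relies on (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `Severity` and `FixedVersion` for Trivy; `dependency/vulnerabilities/vulnerability` with `name` and `severity` for Dependency-Check) and the embedded sample reports are assumptions made for the example; the CVE numbers in the samples are placeholders, not real advisories.

```python
"""scan_gate.py: fail a Jenkins build on Trivy / Dependency-Check findings.

Added example for the pipeline above, not code from the original page or from
the Trivy / OWASP Dependency-Check projects. Report field names are assumed.
"""
import json
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Lowest to highest; a severity not in this list is treated as UNKNOWN.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample reports (placeholder CVE numbers, not real advisories).
TRIVY_SAMPLE = json.dumps({
    "ArtifactName": "jay75chauhan/zomato:latest",
    "Results": [
        {"Target": "jay75chauhan/zomato:latest (debian 12)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "HIGH"}]},
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "some-npm-pkg",
              "InstalledVersion": "1.3.0", "FixedVersion": "1.3.1", "Severity": "MEDIUM"}]},
        {"Target": "usr/bin/tool", "Class": "lang-pkgs", "Type": "gobinary"},  # clean target
    ]})

DC_SAMPLE = """<analysis xmlns="https://jeremylong.github.io/DependencyCheck/dependency-check.2.5.xsd">
  <dependencies>
    <dependency>
      <fileName>node_modules/example-pkg/package.json</fileName>
      <vulnerabilities>
        <vulnerability source="NVD"><name>CVE-0000-0004</name><severity>HIGH</severity></vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency><fileName>node_modules/clean-pkg/package.json</fileName></dependency>
  </dependencies>
</analysis>"""


def parse_trivy(text):
    """(id, location, severity, fixed) tuples from a Trivy JSON report; fixed == "" means no fix yet."""
    findings = []
    for result in json.loads(text).get("Results") or []:
        for v in result.get("Vulnerabilities") or []:  # key is absent for clean targets
            findings.append((v["VulnerabilityID"], v.get("PkgName", "?"),
                             v.get("Severity", "UNKNOWN").upper(), v.get("FixedVersion", "")))
    return findings


def _local(tag):
    """Strip the XML namespace so the parser is independent of the report schema version."""
    return tag.rsplit("}", 1)[-1]


def parse_dependency_check(text):
    """(id, location, severity, fixed) tuples from dependency-check-report.xml; fixed is None (unknown)."""
    findings = []
    for dep in ET.fromstring(text).iter():
        if _local(dep.tag) != "dependency":
            continue
        file_name = next((c.text for c in dep if _local(c.tag) == "fileName"), "?")
        for vuln in dep.iter():
            if _local(vuln.tag) != "vulnerability":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in vuln}
            findings.append((fields.get("name", "?"), file_name,
                             fields.get("severity", "UNKNOWN").upper(), None))
    return findings


def gate(findings, fail_on="HIGH", ignore_unfixed=False):
    """Return (passed, counts_by_severity, blocking_findings).

    A finding blocks when its severity is at or above fail_on. With ignore_unfixed=True,
    findings Trivy marks as unfixable (fixed == "") are counted but do not block."""
    threshold = SEVERITY_ORDER.index(fail_on)
    counts = Counter(sev for _, _, sev, _ in findings)
    blocking = []
    for finding in findings:
        sev, fixed = finding[2], finding[3]
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
        if rank >= threshold and not (ignore_unfixed and fixed == ""):
            blocking.append(finding)
    return not blocking, counts, blocking


def main(argv):
    """Usage: python3 scan_gate.py [trivy.json] [dependency-check-report.xml]; no args = samples."""
    findings = []
    for path in argv:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        findings += parse_dependency_check(text) if path.endswith(".xml") else parse_trivy(text)
    if not argv:
        findings = parse_trivy(TRIVY_SAMPLE) + parse_dependency_check(DC_SAMPLE)
    passed, counts, blocking = gate(findings, fail_on="HIGH", ignore_unfixed=True)
    print("findings by severity:", dict(counts))
    for vid, where, sev, fixed in blocking:
        print(f"BLOCKING {sev:<8} {vid} in {where}" + (f" (fix: {fixed})" if fixed else ""))
    return 0 if passed else 1  # a non-zero exit fails the sh step, and so the build


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it evaluates the embedded samples and exits 1, because the CRITICAL OS package finding has a fix available and the Dependency-Check HIGH is not marked unfixable. Keep the threshold and the ignore_unfixed choice deliberate: ignoring unfixed findings keeps the gate actionable, but those findings still appear in the printed counts and should be tracked rather than forgotten.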
If you click on Build Now, the pipeline starts again from the clean-workspace stage.
Dependency-Check Trend
Sonarqube report
Dependency-Check Results
Docker hub registry image
stage view
Deployed website
http://<Jenkins-public-ip>:3000