Jenkins CI/CD with Docker | Trivy | SonarQube | OWASP Dependency Check

jay75chauhan
6 min read · Jul 13, 2024


In this project a Jenkins CI/CD pipeline integrates Docker, Trivy, SonarQube and OWASP Dependency-Check to automate builds, check code quality and surface vulnerabilities. Trivy and Dependency-Check handle vulnerability scanning (of the filesystem, the dependencies and the built image), while SonarQube handles code quality, all within Dockerized environments.

Github repository

Step 1:- Install Jenkins

Step 2:- Install Docker

sudo apt-get update
sudo apt-get install docker.io -y
sudo usermod -aG docker $USER    # in my case the user is ubuntu
sudo usermod -aG docker jenkins
sudo systemctl restart docker

Membership of the docker group is root-equivalent on the host (a member can start a container that mounts the host filesystem), so putting jenkins in it gives every pipeline that runs on this controller root on the machine. That is fine for a lab like this one; on a shared instance run builds on a separate agent instead. Group changes apply only to new sessions, so log out and back in (or run newgrp docker) before testing, and once you are done with the above steps restart Jenkins so its process picks up the new group.

http://<Jenkins-ip>:8080/restart

Step 3:- Run SonarQube as a Docker container

After the Docker installation, create a SonarQube container (remember to open port 9000 in the security group, ideally only to your own IP, because the container starts with a well-known default login).

docker run -d --name sonar -p 9000:9000 sonarqube:lts-community

If the container exits a few seconds after starting, check docker logs sonar: SonarQube's embedded Elasticsearch needs sudo sysctl -w vm.max_map_count=262144 on the host.

Now SonarQube is up and running on port 9000:

username - admin
password - admin

Set a new password at the first login; the page you land on afterwards is the Sonar dashboard.

Step 4:-Install Trivy

sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y

Install the plugins: JDK (Eclipse Temurin installer), SonarQube Scanner, NodeJS, OWASP Dependency-Check and Docker

Goto Manage Jenkins →Plugins → Available Plugins →

1 → Eclipse Temurin Installer (Install without restart)

2 → SonarQube Scanner (Install without restart)

3 → NodeJs Plugin (Install Without restart)

4 -> OWASP Dependency-Check (Install Without restart)

5 -> Docker, Docker Commons, Docker Pipeline, Docker API, docker-build-step (Install without restart). These are five separate plugins.

Configure Tools

Go to Jenkins Dashboard → Manage Jenkins → Tools and add one installation of each. The names matter: the pipeline script below refers to them, so use exactly these:

JDK installations: name jdk17, version 17 (installed with the Eclipse Temurin installer)

NodeJS installations: name node16, version 16

Dependency-Check installations: name DP-Check

Docker installations: name docker

SonarQube Scanner installations: name sonar-scanner

After that click Apply.

Configure the Sonar server in Manage Jenkins

Go to your SonarQube server. Click Administration → Security → Users → click the Tokens icon next to the admin user → give the token a name → click Generate Token.

Copy the token now; SonarQube shows it only once.

Go to Jenkins Dashboard → Manage Jenkins → Credentials → System → Global credentials (unrestricted) → Add Credentials, kind Secret text. Paste the token as the secret and set the ID to Sonar-Token (the pipeline refers to this ID), then click Create.

Now go to Dashboard → Manage Jenkins → System, find the SonarQube servers section and add a server named sonar-server with the URL http://<sonarqube-ip>:9000 and the Sonar-Token credential, like the image below. The name must match withSonarQubeEnv('sonar-server') in the pipeline.

Click Apply and Save.

In the SonarQube dashboard, also add the webhook that reports the quality gate result back to Jenkins. Without it the waitForQualityGate step in the pipeline never receives the result and waits until it times out.

Administration → Configuration → Webhooks

Click Create and add the details. In the URL field enter:

http://<jenkins-public-ip>:8080/sonarqube-webhook/

Generating a Docker Hub access token

Log into Docker Hub:

  • Go to Docker Hub and log in with your Docker ID and password.

Navigate to Account Settings:

  • Click on your profile icon at the top right and select Account Settings from the dropdown menu.

Create Access Token:

  • In the Security section of your account settings, click on New Access Token.
  • Enter a description for the token (e.g., “CLI access token”) to help identify its purpose.
  • Select the permissions for the token. Docker Hub offers read-only and read/write scopes; the pipeline pushes an image, so it needs write permission, and nothing more than that.
  • Click Create to generate the token.

Copy the Access Token:

  • Once generated, the access token will be displayed on screen. Copy it immediately, as you won’t be able to view it again.

Add the Docker Hub username and access token under Global Credentials

Go to Jenkins Dashboard → Manage Jenkins → Credentials → System → Global credentials (unrestricted) → Add Credentials. Choose the kind Username with password (not Secret text: withDockerRegistry in the pipeline expects a username/password pair), enter your Docker ID as the username and the access token you just copied as the password, and set the ID to docker, which is the credentialsId the pipeline uses.

It should look like this

Create a Jenkins Job

Go to the Jenkins Dashboard, create a job named Zomato, select Pipeline and click OK.

Paste the script below into the Pipeline section, click Apply and Save, then Build Now to start the pipeline.

Pipeline — Script

pipeline {
    agent any
    tools {
        // names must match the installations under Manage Jenkins → Tools
        jdk 'jdk17'
        nodejs 'node16'
    }
    environment {
        SCANNER_HOME = tool 'sonar-scanner'
    }
    stages {
        stage('clean workspace') {
            steps {
                cleanWs()
            }
        }
        stage('Checkout from Git') {
            steps {
                git branch: 'main', url: 'https://github.com/jay75chauhan/Zomato-Clone'
            }
        }
        stage('Sonarqube Analysis') {
            steps {
                // 'sonar-server' is the server name from Manage Jenkins → System
                withSonarQubeEnv('sonar-server') {
                    sh '''$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=zomato \
                        -Dsonar.projectKey=zomato'''
                }
            }
        }
        stage('quality gate') {
            steps {
                script {
                    // needs the SonarQube webhook configured above; with
                    // abortPipeline: false a failed gate is reported but does not stop the build
                    waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-Token'
                }
            }
        }
        stage('Install Dependencies') {
            steps {
                sh "npm install"
            }
        }
        stage('OWASP FS SCAN') {
            steps {
                // 'DP-Check' is the Dependency-Check installation name from Manage Jenkins → Tools
                dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit', odcInstallation: 'DP-Check'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage('TRIVY FS SCAN') {
            steps {
                // the result is only written to a file; trivy exits 0 whatever it finds
                sh "trivy fs . > trivyfs.txt"
            }
        }
        stage('Docker Build & Push') {
            steps {
                script {
                    // 'docker' is the Username with password credential holding the Docker Hub token
                    withDockerRegistry(credentialsId: 'docker', toolName: 'docker') {
                        sh "docker build -t zomato ."
                        sh "docker tag zomato jay75chauhan/zomato:latest"
                        sh "docker push jay75chauhan/zomato:latest"
                    }
                }
            }
        }
        stage('TRIVY') {
            steps {
                // scans the pushed image; like the fs scan, it never fails the build
                sh "trivy image jay75chauhan/zomato:latest > trivy.txt"
            }
        }
        stage('Deploy to container') {
            steps {
                script {
                    withDockerRegistry(credentialsId: 'docker', toolName: 'docker') {
                        // remove the container from the previous build, otherwise the
                        // second run fails because the name zomato is already in use
                        sh 'docker rm -f zomato || true'
                        sh 'docker run -d --name zomato -p 3000:3000 jay75chauhan/zomato:latest'
                    }
                }
            }
        }
    }
}

If you click Build Now, the pipeline runs again.
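Both Trivy stages in the script redirect the scan to a text file and exit 0 whatever they find, so nothing in this pipeline ever fails on a vulnerability. Trivy can gate natively (trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed ...), and for a first pass that flag change is enough. The script below is an added example, not code from this post or from the Zomato-Clone project, for the case where the team wants the policy in one reviewable place: it reads the JSON report Trivy writes with --format json -o trivy.json, blocks on HIGH/CRITICAL findings that have a fix, and honours an exception list whose entries expire so accepted risks cannot silently rot. The embedded report and its CVE ids are constructed placeholders; trivy_gate.py and the stage wiring in the usage note are assumed names.

```python
"""trivy_gate.py: turn a Trivy JSON report into a build gate.

Added example for this article, not the project's own code. Assumes the
pipeline runs e.g.
    trivy image --format json -o trivy.json jay75chauhan/zomato:latest
    python3 trivy_gate.py trivy.json
The sample report below is constructed; its CVE ids are placeholders.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Reviewed exceptions: id -> last date on which the exception still applies.
# Hypothetical entries; keep the real list in the repo and review changes in PRs.
ACCEPTED = {"CVE-0000-1001": "2024-12-31"}

SAMPLE_REPORT = {  # constructed, shaped like `trivy ... --format json` output
    "Results": [
        {"Target": "jay75chauhan/zomato:latest (alpine 3.18.0)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-1001", "PkgName": "libssl3",
              "Severity": "HIGH", "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.1-r0"},
             {"VulnerabilityID": "CVE-0000-1002", "PkgName": "busybox",
              "Severity": "CRITICAL", "InstalledVersion": "1.36.0-r0", "FixedVersion": "1.36.1-r0"},
             {"VulnerabilityID": "CVE-0000-1003", "PkgName": "zlib",
              "Severity": "HIGH", "InstalledVersion": "1.2.13-r0"},  # no fix available yet
         ]},
        {"Target": "package-lock.json",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-1004", "PkgName": "lodash",
              "Severity": "MEDIUM", "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21"},
         ]},
        {"Target": "Dockerfile", "Vulnerabilities": None},  # Trivy emits null, not []
    ]
}


def findings(report):
    """Flatten Results[].Vulnerabilities[]; `trivy fs` and `trivy image` share this layout."""
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            yield {
                "id": v.get("VulnerabilityID", "?"),
                "pkg": v.get("PkgName", "?"),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "fixed": bool(v.get("FixedVersion")),
                "target": result.get("Target", "?"),
            }


def blocking(report, min_severity="HIGH", fixed_only=True, accepted=None, today=None):
    """Return the findings that should fail the build.

    Policy: severity >= min_severity; with fixed_only, only findings that have a
    FixedVersion (the build is blocked on what the team can act on); an accepted
    id is skipped only until its expiry date. `today` is an ISO date string
    (injectable for tests) and defaults to the current date.
    """
    accepted = ACCEPTED if accepted is None else accepted
    as_of = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[min_severity.upper()]
    out = []
    for f in findings(report):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if fixed_only and not f["fixed"]:
            continue
        expiry = accepted.get(f["id"])
        if expiry and date.fromisoformat(expiry) >= as_of:
            continue  # reviewed exception still valid
        out.append(f)
    return out


def main(argv):
    """Exit 1 when anything blocks, so the Jenkins `sh` step fails the stage."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    failures = blocking(report)
    for f in failures:
        print(f"BLOCK {f['severity']:<8} {f['id']:<16} {f['pkg']:<12} in {f['target']}")
    print(f"{len(failures)} blocking finding(s)")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into the pipeline, the TRIVY stage becomes sh 'trivy image --format json -o trivy.json jay75chauhan/zomato:latest && python3 trivy_gate.py trivy.json'; the non-zero exit fails the stage, and the same call works for the trivy fs report. Run without arguments the script evaluates the embedded sample and exits 1 because of the unfixed-list CRITICAL in busybox.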

Dependency-Check Trend

Sonarqube report

Dependency-Check Results

Docker hub registry image

stage view

Deployed website

http://<Jenkins-public-ip>:3000
