How to Build a CI/CD Pipeline with Jenkins, SonarQube & Trivy
rjshk013
June 11, 2025
A hands-on DevOps project that brings together Jenkins, SonarQube, and Trivy β all running locally with Docker Compose β to create a cost-free and secure CI/CD pipeline.
π§ Introduction
CI/CD is at the heart of modern DevOps. But what if you could build an end-to-end secure pipeline using only open-source tools β and run everything locally on a single Ubuntu server?
Thatβs exactly what I did β
In this tutorial, Iβll walk you through setting up a complete DevSecOps pipeline where:
- π§ Jenkins handles the automation
- π§ͺ SonarQube ensures code quality
- π‘οΈ Trivy scans for vulnerabilities
- π³ Docker Compose manages all containers
- π₯οΈ Even the deployment host is the same server, making this setup incredibly efficient and minimal
No external VMs, no cloud cost, no complexity β just pure DevOps learning π»β¨
π» System Requirements
- OS: Ubuntu 20.04+
- RAM: 8 GB+
- Tools: Docker, Docker Compose
- Internet access for pulling images
𧱠Step 1: Clone the Project & Launch Jenkins + SonarQube with Docker Compose
Before setting up our CI/CD magic, letβs get the project ready by cloning the repository and initializing the required directories and SSH keys.
π 1οΈβ£ Clone the Repository
Start by cloning the DevSecOps project repo that contains our pre-configured docker-compose.yaml and helper scripts:
git clone https://github.com/rjshk013/devops-projects.git
cd cicd-jenkins
π 2οΈβ£ Run start.sh to Prepare the Jenkins Agent
This script does two important things:
- π Creates required directories (
jenkins_home,jenkins_agent,jenkins_agent_keys) - π Generates SSH key pairs for Jenkins master β agent authentication
chmod +x setup.sh
sh setup.sh
β After this, your system is ready to launch the services!
π How This Docker Compose Setup Works (All-in-One CI/CD Stack)
This Docker Compose file orchestrates a fully functional DevSecOps pipeline stack β all running locally, isolated in a shared network β and ready to automate builds, scans, and deployments π₯
version: "3.8"
services:
# π§ Jenkins Master
jenkins-master:
image: jenkins/jenkins:lts-jdk17
container_name: jenkins
restart: unless-stopped
user: 1000:1000
ports:
- "8080:8080"
- "50000:50000"
volumes:
- jenkins_home:/var/jenkins_home:rw
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker
environment:
- JAVA_OPTS=-Dhudson.security.csrf.GlobalCrumbIssuerStrategy=true -Djenkins.security.SystemReadPermission=true
networks:
- jenkins_network
security_opt:
- no-new-privileges:true
read_only: true
tmpfs:
- /tmp:size=2G
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:8080/login || exit 1"]
interval: 1m30s
timeout: 10s
retries: 3
# π§ Jenkins SSH Agent
jenkins-agent:
image: jenkins/ssh-agent
container_name: jenkins-agent
restart: unless-stopped
expose:
- "22"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker
- jenkins_agent:/home/jenkins/agent:rw
- type: bind
source: ./jenkins_agent_keys
target: /home/jenkins/.ssh
read_only: true
environment:
- SSH_PUBLIC_KEY_DIR=/home/jenkins/.ssh
networks:
- jenkins_network
security_opt:
- no-new-privileges:true
tmpfs:
- /tmp:size=2G
# π§ SonarQube
sonarqube:
container_name: sonarqube
image: sonarqube:lts-community
restart: unless-stopped
depends_on:
- sonar_db
ports:
- "9001:9000"
environment:
SONAR_JDBC_URL: jdbc:postgresql://sonar_db:5432/sonar
SONAR_JDBC_USERNAME: sonar
SONAR_JDBC_PASSWORD: sonar
volumes:
- sonarqube_conf:/opt/sonarqube/conf
- sonarqube_data:/opt/sonarqube/data
- sonarqube_extensions:/opt/sonarqube/extensions
- sonarqube_logs:/opt/sonarqube/logs
- sonarqube_temp:/opt/sonarqube/temp
networks:
- jenkins_network
# π Postgres for SonarQube
sonar_db:
image: postgres:15
restart: unless-stopped
environment:
POSTGRES_USER: sonar
POSTGRES_PASSWORD: sonar
POSTGRES_DB: sonar
volumes:
- sonar_db:/var/lib/postgresql
- sonar_db_data:/var/lib/postgresql/data
networks:
- jenkins_network
# π Shared Network
networks:
jenkins_network:
driver: bridge
# πΎ Volumes
volumes:
jenkins_home:
jenkins_agent:
sonarqube_conf:
sonarqube_data:
sonarqube_extensions:
sonarqube_logs:
sonarqube_temp:
sonar_db:
sonar_db_data:π οΈ Jenkins Master (jenkins-master)
- π¦ Image: Uses
jenkins/jenkins:lts-jdk17 - π Ports:
8080: Jenkins web UI50000: For connecting inbound agents- πΎ Volumes:
jenkins_home: Persists Jenkins jobs, config, and plugins/var/run/docker.sock: Lets Jenkins build and run Docker containers/usr/bin/docker: Gives Jenkins CLI access to Docker commands- π§ͺ Health Check:
- Automatically checks service availability via a
curllogin probe - π Hardened Settings:
read_only: true: Makes the container filesystem immutabletmpfs: Stores/tmpin RAM for better performance and safetyno-new-privileges: Prevents privilege escalation inside the container
βοΈ Jenkins SSH Agent (jenkins-agent)
- π¦ Image: Uses
jenkins/ssh-agent(for connecting back to master) - π SSH Access:
- Mounts SSH keys from
jenkins_agent_keysto enable secure agent communication - πΎ Volumes:
jenkins_agent: Stores agent workspace data/usr/bin/docker+ Docker socket: Enables builds inside the agent container- π‘οΈ Security First:
read_only: true+tmpfs: Isolates temp files in RAMno-new-privileges: Blocks processes from elevating access
π§ SonarQube (sonarqube)
- π¦ Image:
sonarqube:lts-community - π Port Mapping:
- Exposed as
localhost:9001 β container:9000 - π Connects to PostgreSQL (
sonar_db) - Configured via
SONAR_JDBC_URLand credentials - πΎ Volumes:
- Persist configuration, extensions, data, logs, and temp files
- π Depends On:
- Ensures PostgreSQL container starts before SonarQube
π PostgreSQL Database (sonar_db)
- π¦ Image:
postgres:15 - π― Purpose: Backend database for SonarQube code analysis data
- π Environment Variables:
- Sets DB name, user, and password for SonarQube integration
- πΎ Volumes:
sonar_dbandsonar_db_data: Persist DB schema and data
π Common Docker Network: jenkins_network
All containers share a custom bridge network, enabling secure internal DNS resolution and private communication between services (like jenkins β agent β sonarqube β postgres).
π³ 3οΈβ£ Launch Jenkins + SonarQube + PostgreSQL with Docker Compose
Now that everything is set, fire up the full stack:
docker-compose up -d
β Verify Container Status After Launch
Once youβve started the stack using docker compose up -d, youβll want to make sure everything is running properly.
π§ͺ Run this command to check the status of all containers:
docker ps
β³ Give Jenkins Some Timeβ¦
β οΈ Note: Jenkins Master takes a bit of time to fully initialize β especially on the first run when it sets up plugins and internal directories.
β²οΈ Wait 1β2 minutes, then run docker ps again.
You should see:
- π’
jenkinscontainer: showinghealthy - π’
jenkins-agentcontainer: up - π§
sonarqube: should also be healthy and accessible atlocalhost:9001
β Once all containers are up and healthy, youβre ready to configure Jenkins and start building pipelines!
π Step 4: Access Jenkins Web Interface
Your Jenkins Master is now running β letβs unlock the power of automation! π
π₯οΈ Open your browser and go to:
http://localhost:8080
Youβll be greeted by the Jenkins Setup Wizard π§ββοΈ
- π Enter the initial admin password
To retrieve the initial admin password for login run the below command
docker exec -it jenkins cat /var/jenkins_home/secrets/initialAdminPassword
Follow the guided setup: install recommended plugins, create your admin user
Once it finished will ask for configure admin user.Click save & continue
Once you completed we can see the jenkins dashboard as below
𧱠Step 2: Configure jenkins agent for build
π 1οΈβ£ Add SSH Credentials for Jenkins Agent
Now letβs securely configure the SSH authentication so the Jenkins Master can talk to the Jenkins Agent π
- Navigate to your Jenkins dashboard.
- Click on Manage Jenkins.
- Select Credentials.
- Under (global), click Add Credentials.
- Fill in the form:
- Kind: SSH Username with private key
- Scope: Global
- Username: jenkins
- Private Key: Enter directly
- Key: Paste the contents of the
id_rsafile located inside thejenkins_agent_keysfolder. This key is automatically generated during the setup process when you run thesetup.shscript.
- ID: can give some name to identify the credential,here i am giving build-agent
- Description: SSH key for Jenkins agent
- Click OK to save.
π Step 2: Connect Agent to Jenkins Master
- In Jenkins, go to Manage Jenkins > Manage Nodes and Clouds.
- Click New Node.
- Enter a name (e.g.,
agent), select Permanent Agent, and click create
- Configure the node:
- Remote root directory:
/home/jenkins/agent - Labels:
agent - Launch method: Launch agents via SSH
- Host:
jenkins-agent(matches the Docker service name) - Credentials: Select the credential that you have created earlier
- Host Key Verification Strategy: Manually trusted key verification Strategy
- Click Save
Verify Connection:
- Jenkins will attempt to connect to the agent. If successful, the agentβs status will show as Connected.
Step 3:Configure Jenkins Agent SSH Key for Remote Host Access
Since we already generated the SSH key pair during the Jenkins setup (via setup.sh), we can reuse the same private key for connecting to the remote host.(in our case it is the same local ubuntu server where we running containers )
β
Just copy the public key to your host machineβs authorized_keys.
On your host machine, run the following commands:
cat /home/user/devops-projects/cicd-jenkins/jenkins_agent_keys/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
π§ This allows Jenkins (via the agent) to SSH into the host machine securely using the existing key β
Add SSH Credentials for Remote Host Deployment
These credentials allow Jenkins to SSH into your remote host and trigger Docker Compose commands during deployment.
β‘οΈ Go to Manage Jenkins β Credentials β (Global) β Add Credentials
Then fill out the following fields:
- Kind: SSH Username with private key
- Scope: Global
- Username:
user(or your actual host system username) - Private Key: Enter directly β paste the content of
id_rsafromjenkins_agent_keysfolder (generated bysetup.sh) - ID (optional):
deploy-server-ssh - Description: Remote host SSH for Docker Compose deployment
π Plugin Power-Up: Install Essential Jenkins Plugins π
βοΈ Go to: Manage Jenkins β Plugins β Available Plugins
β Search and Install without restart for each listed plugin below.
1οΈβ£ Eclipse Temurin Installer
π§ Installs and manages JDK versions for your build environments
2οΈβ£ SonarQube Scanner
π Integrates Jenkins with SonarQube to analyze code quality and detect bugs
3οΈβ£ NodeJS Plugin
π Allows Jenkins to install and use specific Node.js versions in pipelines
4οΈβ£ Docker Plugin Suite (Install all individually) π³
Enables full Docker support in Jenkins β from simple builds to full pipelines
- β Docker Plugin
- β Docker Commons
- β Docker Pipeline
- β Docker API
- β Docker Build Step
5οΈβ£ SSH Agent Plugin
π Use SSH credentials securely to connect and execute on remote machines
π§ Step 4: Access & Secure Your SonarQube Dashboard
π SonarQube is now up and running on port 9001
π Open your browser and visit:
π http://localhost:9001/
π Login using default credentials:
- Username:
admin - Password:
admin
β οΈ Important:
Youβll be prompted to change the default password on your first login.
Make sure to choose a strong one! π
Step 5: Integrating Jenkins with SonarQube
π 1: Create a Global Token in SonarQube
- Log in to SonarQube with the admin user
- In the top right corner, click your username(Here it is Administrator)β choose βMy Accountβ.
- Go to the βSecurityβ tab.
- Under Generate Tokens:
- Name: enter something like
jenkins-global-token - Type: leave it as User Token
- Expires In: choose
No expiration(recommended for CI usage)
- Click Generate, and copy the token (you wonβt be able to see it again later).
β This token allows Jenkins to push analysis results to any project that the user has access to.
After previous step, youβll see the generated token. Save it somewhere to not loose. Weβll need that for later.
π Why Use a Global Token?
- π Reusable across all projects β no need to generate separate tokens per project
- π§Ή Easy to manage β one place to rotate/update
- β Secure β stored in Jenkins as a credential (not hardcoded)
- βοΈ Scalable β works even as your pipeline or project count grows
𧱠Step 2: Create the Project (Using the Global Token)
- Navigate to Projects β Create Project.
- Select Manually.
3.Fill:
- Project Key: blog-app
- Display Name: blog-app
- Main branch name: In my case it is main.But in some projects it could be master or dev as well
4.On the next screen, when youβre asked:
How do you want to analyze your project?
β Choose:Locally
- It will now prompt:
Use existing token
π Paste your global token here
π’ DO NOT click Generate Token β instead, choose βUse existing tokenβ and paste the global one you created in Step 1.
This completes the project setup and links your global token to it.
Note: You can see the Run analysis on your project options after giving the token.Just ignore the further steps .Will add the necessary commands in Jenkinsfile
π§Ύ 3. Add SonarQube Token to Jenkins Credentials
- In Jenkins, go to
Manage Jenkins>Credentials. - Select the appropriate domain (e.g.,
(global)). - Click Add Credentials.
- Choose Secret text as the kind.
- Paste the SonarQube token into the
Secretfield that we created from the step Create a Global Token in SonarQube - Provide an ID (e.g., sonar-token) and a description.
- Click Create to save.
βοΈ 4.Configure SonarQube Server in Jenkins
- Navigate to
Manage Jenkins>Configure System. - Scroll down to the SonarQube servers section.
- Click Add SonarQube.
- Provide a name for the server (e.g. sonar-server).
- Enter the SonarQube server URL (
http://sonarqube:9000).
β Use the Docker container name
sonarqubeβ this works because both Jenkins and SonarQube are running on the same Docker Compose network (jenkins_network), and Docker handles the DNS resolution automatically
6.Server authentication token:
Select the credential ID you created earlier β e.g., sonar-token
7.Check Enable injection of SonarQube server configuration as build environment variables.
β βEnable injection of SonarQube server configuration as build environment variablesβ
When checked, Jenkins automatically injects environment variables like:
SONAR_HOST_URL
SONAR_AUTH_TOKEN
SONAR_SCANNER_HOMEThese can then be used inside shell scripts or pipeline steps without hardcoding.Click Save to apply the changes.
6. Installing Required Tools in Jenkins
To make Jenkins ready for CI/CD magic β¨, we need to equip it with essential tools. These tools empower Jenkins to build, test, scan, and deploy applications across the pipeline.
π Navigate to:
Jenkins Dashboard β Manage Jenkins β Global Tool Configuration
Now, configure the following:
π 1. π§ͺ SonarQube Scanner
β Required for performing static code analysis on your project directly from Jenkins
π§ Steps to configure:
Navigate to the SonarQube Scanner section β Click β Add SonarQube Scanner
π·οΈ Name: sonar-scanner
β
Check: Install automatically
π½ Installer source: Install from Maven Central
π Version: 7.0.2.4839 (or latest available)
π Jenkins will now auto-download and manage the SonarQube Scanner version needed for your pipeline.
π§ This ensures that your pipeline always has a ready-to-go scanner for SonarQube analysis without needing to install anything manually on your host.
2.β JDK 21 (Temurin)
β Required to compile Java-based projects and run tools like SonarQube Scanner in Jenkins
π§ Steps to configure:
- Navigate to the JDK section β Click β Add JDK
- π·οΈ Name:
jdk21 - β Check: Install automatically
- π½ Installer source: Install from adoptium.net
- π Select version:
21.0.4(or latest available under JDK 21)
π§ This setup ensures Jenkins downloads and uses Java 21 from the official Adoptium build
3.π© NodeJS 21.0.0
β Required for building frontend applications (React, Vue, Angular) or running JavaScript-based tools in Jenkins
π§ Steps to configure:
- Scroll to the NodeJS section β Click β Add NodeJS
- π·οΈ Name:
node21 - β Check: Install automatically
- π½ Installer source: Install from nodejs.org
- π Select version:
21.0.0
π§ This configuration allows Jenkins to download and manage Node.js v21.0.0 directly from the official Node.js website
4.π³ Docker (Latest)
β Essential for building, running, and scanning Docker containers directly from Jenkins pipelines
π§ Steps to configure:
- Scroll to the Docker section β Click β Add Docker
- π·οΈ Name:
docker - β Check: Install automatically
- π½ Installer source: Download from docker.com
- π Select version: (latest available or your preferred Docker version)
π§ With this setup, Jenkins automatically installs Docker from the official source β no manual setup or system-level install required.
- Ensure Docker is already installed on your system (
/usr/bin/docker)
π Youβve already mounted the Docker socket in your Jenkins Compose file, so this config links Jenkins with the host Docker engine.
Apply and Save:
- Once all tools are configured, click Apply and Save.
7.Configure Essential Credentials in Jenkins for Secure CI/CD
π§Ύ 1. π Generate a Docker Hub Access Token
Go to: Docker Hub β Account Settings β Security β Access Tokens
- Click β βNew Access Tokenβ
- Give it a meaningful name (e.g.,
jenkins-ci) - Click Generate
- π Copy the token (you wonβt see it again!)
π§° 2. πΌ Add the Token to Jenkins Credentials
Go to your Jenkins Dashboard:
β‘οΈ Manage Jenkins β Credentials β Global Credentials (unrestricted) β Add Credentials
- π Select: Kind:
Secret text - βοΈ Secret: (Paste the Docker token here)
- π·οΈ ID:
docker-hub-token(or any unique identifier) - π¬ Description:
Docker Hub Personal Access Token for Jenkins
β Create it!
π οΈ Step-8:Grant Docker Access to Jenkins
To enable Jenkins (inside the container) to communicate with Docker on the host:
sudo chmod 666 /var/run/docker.sock
β οΈ Why this is needed?
This sets read/write permissions on the Docker socket so Jenkins containers can:
- π³ Build Docker images
- π Scan them with Trivy
- π Push to Docker Hub
π‘ Note: This is safe for local testing environments, but not recommended for production.
π About the Application: Wanderlust β A 3-Tier Web App
π§ Wanderlust is a lightweight 3-tier web application designed to demonstrate full CI/CD automation using open-source DevOps tools. It features:
π¦ Architecture:
- Frontend: A modern web UI built with ReactJS (Node.js 21), offering a clean and responsive interface for user interactions.
- Backend: A RESTful API developed using Node.js and Express.js, handling business logic and communication with the database.
- Database: MongoDB used as the NoSQL data store for posts or travel-related content.
π Set Up Your Jenkins CI/CD Pipeline β Automation Begins Here!
Now that your DevOps environment is all set π―, itβs time to automate your entire workflow β from code checkout to deployment β using a Jenkins pipeline.
π‘ What will this pipeline do?
β
Clone your code from GitHub
β
Run static code analysis via SonarQube
β
Perform vulnerability scans with Trivy
β
Build & push Docker images
β
Deploy the app β hands-free!
π 8.Letβs Create the Pipeline Job
π₯οΈ Navigate to Jenkins Dashboard:
- β Click on βNew Itemβ
- π·οΈ Name your project β e.g.,
wanderlust-deploy - 𧱠Choose βPipelineβ as the project type
- β Click OK to continue
Define Pipeline Syntax:
- In the Pipeline section, select Pipeline script and add the following pipeline code:
pipeline {
agent { label 'agent' }
tools {
jdk 'jdk21'
nodejs 'node21'
}
environment {
IMAGE_TAG = "${BUILD_NUMBER}"
BACKEND_IMAGE = "rjshk013/wanderlust-backend"
FRONTEND_IMAGE = "rjshk013/wanderlust-frontend"
}
stages {
stage('SCM Checkout') {
steps {
git branch: 'main', url: 'https://github.com/rjshk013/devops-projects.git'
}
}
stage('Install Dependencies') {
steps {
dir('wanderlust-3tier-project/backend') {
sh "npm install || true"
}
dir('wanderlust-3tier-project/frontend') {
sh "npm install"
}
}
}
stage('Run SonarQube') {
environment {
scannerHome = tool 'sonar-scanner'
}
steps {
withSonarQubeEnv('sonar-server') {
sh """
${scannerHome}/bin/sonar-scanner \
-Dsonar.projectKey=blog-app \
-Dsonar.projectName=blog-app \
-Dsonar.sources=wanderlust-3tier-project
"""
}
}
}
stage('Docker Build') {
steps {
dir('wanderlust-3tier-project') {
sh '''
docker build -t ${BACKEND_IMAGE}:${IMAGE_TAG} ./backend
docker build -t ${FRONTEND_IMAGE}:${IMAGE_TAG} ./frontend
'''
}
}
}
stage('Scan with Trivy') {
steps {
script {
def images = [
[name: "${BACKEND_IMAGE}:${IMAGE_TAG}", output: "trivy-backend.txt"],
[name: "${FRONTEND_IMAGE}:${IMAGE_TAG}", output: "trivy-frontend.txt"]
]
for (img in images) {
echo "π Scanning ${img.name}..."
sh """
mkdir -p wanderlust-3tier-project
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v \$HOME/.trivy-cache:/root/.cache/ \
-v \$WORKSPACE/wanderlust-3tier-project:/scan-output \
aquasec/trivy image \
--scanners vuln \
--severity HIGH,CRITICAL \
--exit-code 0 \
--format table \
${img.name} > wanderlust-3tier-project/${img.output}
"""
}
}
}
}
stage('Push to Docker Hub') {
steps {
withCredentials([string(credentialsId: 'docker-hub-token', variable: 'DOCKER_TOKEN')]) {
sh '''
echo "${DOCKER_TOKEN}" | docker login -u rjshk013 --password-stdin
docker push ${BACKEND_IMAGE}:${IMAGE_TAG}
docker push ${FRONTEND_IMAGE}:${IMAGE_TAG}
'''
}
}
}
stage('Remote Deploy on Host with Docker Compose') {
steps {
sshagent(credentials: ['deploy-server-ssh']) {
sh '''
echo "π Deploying on host with docker compose..."
ssh -o StrictHostKeyChecking=no user@172.18.0.1 '
cd /home/user/devops-projects/wanderlust-3tier-project &&
docker compose build &&
docker compose up -d
'
'''
}
}
}
}
post {
always {
archiveArtifacts artifacts: 'wanderlust-3tier-project/trivy-*.txt', fingerprint: true
}
}
}π οΈ Understanding the Jenkinsfile (Wanderlust CI/CD Pipeline)
This Jenkinsfile automates the complete build β scan β deploy lifecycle of your Wanderlust project.
Hereβs a step-by-step overview of what it does:
π₯ Key Highlights
- Secure Build: Code quality is validated by SonarQube before proceeding to deployment β
- Security First: Images are scanned by Trivy before pushing to Docker Hub π‘οΈ
- Fully Automated: No manual steps β from Git pull to live deployment π
- Secrets Handling: Docker Hub credentials and SonarQube token are injected via Jenkins Credentials Manager π
π§ 9.Update Jenkinsfile with Your Values
Before using the pipeline, replace the following placeholders with your own values:
- rjshk013 β your actual Docker Hub username
https://github.com/rjshk013/devops-projects.gitβ use the provided repo or your own cloned GitHub repo- user@172.18.0.1-Replace with your host username & ip
Thatβs it β just plug in your details and youβre good to go! π
π 1οΈβ£0οΈβ£ Triggering the Pipeline & Viewing Results
Once your Jenkins pipeline is fully configured, itβs time to fire it up! π₯
π οΈ Steps to Run the Pipeline:
π Go to the Jenkins Dashboard and click on your job (e.g., wanderlust-deploy).
βΆοΈ Click βBuild Nowβ on the left panel to trigger the pipeline.
π Navigate to βBuild Historyβ, and click on the latest build number (e.g., #1).
π In the build details page:
- β Click Pipeline Steps or Pipeline Overview to visualize each stage.
- π₯οΈ Click Console Output to follow the logs in real-time β great for debugging and validation.
β 1οΈβ£1οΈβ£ Post-Pipeline Verification: Confirm Everything Worked! π΅οΈββοΈ
After the pipeline runs successfully, itβs time to verify each key milestone to ensure your CI/CD process worked perfectly.
π³ Docker Image Push Confirmation
β Go to your Docker Hub repository.
π Navigate to:
wanderlust-backendwanderlust-frontend
π Check if the latest image tags (build numbers) are successfully listed and match the ones from the Jenkins pipeline.
π§ SonarQube Code Quality Analysis
π Open your browser and go to:http://localhost:9001 (or your configured SonarQube URL)
π Navigate to:
Projectsβblog-app
β You should see a recent analysis with quality gate status, bugs, code smells, duplications, etc.
π‘οΈ Trivy Vulnerability Scan
π Go back to Jenkins UI β your job β latest build β Artifacts
π Youβll find files like:
trivy-backend.txttrivy-frontend.txt
π Open them and look for:
- Severity levels:
CRITICAL,HIGH - Confirm no critical issues OR review and mitigate them accordingly.
π UPDATE: Enhanced Container Vulnerability Scanning with Trivy
From Basic to Comprehensive: A Major Security Reporting Upgrade
The original Trivy scanning configuration in our pipeline provided basic vulnerability detection but lacked advanced reporting features. Our new implementation dramatically improves readability, analysis capabilities, and overall security insights.
β¨ Key Improvements
- Multi-format reporting: Generate HTML, text, and JSON formats simultaneously
- Organized report structure: Separate reports by container type (frontend/backend)
- Improved readability: HTML reports for visual analysis
- Automated summary: Markdown summary highlighting critical findings
- Better organization: Dedicated reports directory with consistent naming
Before: Basic text output with limited readability and no summary
stage('Scan with Trivy') {
steps {
script {
def images = [
[name: "${BACKEND_IMAGE}:${IMAGE_TAG}", output: "trivy-backend.txt"],
[name: "${FRONTEND_IMAGE}:${IMAGE_TAG}", output: "trivy-frontend.txt"]
]
for (img in images) {
echo "π Scanning ${img.name}..."
sh """
mkdir -p wanderlust-3tier-project
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v \$HOME/.trivy-cache:/root/.cache/ \
-v \$WORKSPACE/wanderlust-3tier-project:/scan-output \
aquasec/trivy image \
--scanners vuln \
--severity HIGH,CRITICAL \
--exit-code 0 \
--format table \
${img.name} > wanderlust-3tier-project/${img.output}
"""
}
}
}
}
After: Comprehensive multi-format reporting with automated summary
stage('Scan with Trivy') {
steps {
script {
def trivyDir = "${WORKSPACE}/trivy-reports"
// Create reports directory
sh "mkdir -p ${trivyDir}"
// Define scan configurations
def images = [
[name: "${BACKEND_IMAGE}:${IMAGE_TAG}", type: "backend"],
[name: "${FRONTEND_IMAGE}:${IMAGE_TAG}", type: "frontend"]
]
// Run scans with multiple output formats
for (img in images) {
echo "π Scanning ${img.name}..."
// HTML Report - Highly readable in browser
sh """
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v \$HOME/.trivy-cache:/root/.cache/ \
-v ${trivyDir}:/reports \
aquasec/trivy image \
--scanners vuln \
--severity HIGH,CRITICAL \
--exit-code 0 \
--format template \
--template '@/contrib/html.tpl' \
${img.name} > ${trivyDir}/trivy-${img.type}-report.html
"""
// Table format for console and archive
sh """
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v \$HOME/.trivy-cache:/root/.cache/ \
-v ${trivyDir}:/reports \
aquasec/trivy image \
--scanners vuln \
--severity HIGH,CRITICAL \
--exit-code 0 \
--format table \
${img.name} > ${trivyDir}/trivy-${img.type}-report.txt
"""
// JSON format for potential programmatic processing
sh """
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v \$HOME/.trivy-cache:/root/.cache/ \
-v ${trivyDir}:/reports \
aquasec/trivy image \
--scanners vuln \
--severity HIGH,CRITICAL \
--exit-code 0 \
--format json \
${img.name} > ${trivyDir}/trivy-${img.type}-report.json
"""
}
// Generate combined summary report
sh """
echo "# Trivy Vulnerability Summary Report" > ${trivyDir}/summary.md
echo "## Images Scanned" >> ${trivyDir}/summary.md
echo "- ${BACKEND_IMAGE}:${IMAGE_TAG}" >> ${trivyDir}/summary.md
echo "- ${FRONTEND_IMAGE}:${IMAGE_TAG}" >> ${trivyDir}/summary.md
echo "\\n## Backend Vulnerabilities" >> ${trivyDir}/summary.md
echo '```' >> ${trivyDir}/summary.md
grep -A 10 "CRITICAL\\|HIGH" ${trivyDir}/trivy-backend-report.txt | head -20 >> ${trivyDir}/summary.md
echo "\\n... (See full report for more details)" >> ${trivyDir}/summary.md
echo '```' >> ${trivyDir}/summary.md
echo "\\n## Frontend Vulnerabilities" >> ${trivyDir}/summary.md
echo '```' >> ${trivyDir}/summary.md
grep -A 10 "CRITICAL\\|HIGH" ${trivyDir}/trivy-frontend-report.txt | head -20 >> ${trivyDir}/summary.md
echo "\\n... (See full report for more details)" >> ${trivyDir}/summary.md
echo '```' >> ${trivyDir}/summary.md
"""
}
}
}
π‘ Benefits of This Upgrade
- Enhanced visibility: HTML reports provide clear visualization of vulnerabilities
- Better decision making: Prioritized view of HIGH and CRITICAL issues
- Automation-friendly: JSON output enables programmatic analysis and integration
- Quick executive summaries: Markdown summary highlights the most critical findings
- Improved DevOps workflow: Consistent report location and naming
π How It Works
The new configuration runs three separate Trivy scans for each container image:
- HTML report: Beautiful, browser-viewable vulnerability analysis
- Text report: Traditional console output for quick review
- JSON report: Structured data for automation and integrations
π‘οΈ NEW: Adding Source Code Security Scanning with Trivy Filesystem Scanner
Moving Security Left: Detecting Vulnerabilities Before They Reach Your Containers
While scanning container images is crucial, the best security starts at the source. By adding filesystem scanning to our pipeline, we can identify vulnerabilities in our application dependencies and configuration files before they’re packaged into containers.
This “shift-left” approach to security helps catch issues earlier in the development lifecycle, reducing both risk and remediation costs.
π What Does Trivy Filesystem Scanning Find?
- Dependency Vulnerabilities: Detects known CVEs in package.json, package-lock.json, and other dependency files
- Misconfigurations: Identifies security issues in configuration files like Dockerfiles and YAML
- License Violations: Flags dependencies with restrictive or non-compliant licenses
- Secrets Detection: Identifies hardcoded credentials, API keys, and other sensitive data
π» Implementation: The Trivy Filesystem Scan Stage
Add this stage to your Jenkins pipeline before the Docker Build stage:
stage('Trivy Filesystem Scan') {
steps {
script {
def trivyDir = "${WORKSPACE}/trivy-reports"
sh "mkdir -p ${trivyDir}"
// Define targets for filesystem scanning
def fsTargets = [
[path: "${WORKSPACE}/wanderlust-3tier-project/backend", name: "backend-fs"],
[path: "${WORKSPACE}/wanderlust-3tier-project/frontend", name: "frontend-fs"]
]
// Run filesystem scans for source code vulnerabilities
for (target in fsTargets) {
echo "π Scanning filesystem at ${target.path}..."
// Scan for vulnerabilities in dependencies
sh """
docker run --rm \
-v ${target.path}:/target \
-v ${trivyDir}:/reports \
aquasec/trivy fs \
--security-checks vuln \
--severity HIGH,CRITICAL \
--exit-code 0 \
--format table \
/target > ${trivyDir}/trivy-${target.name}-vuln.txt
"""
// Scan for security issues in configuration files
sh """
docker run --rm \
-v ${target.path}:/target \
-v ${trivyDir}:/reports \
aquasec/trivy fs \
--security-checks config \
--severity HIGH,CRITICAL \
--exit-code 0 \
--format json \
/target > ${trivyDir}/trivy-${target.name}-config.json
"""
// Generate an HTML report for easier reading
sh """
docker run --rm \
-v ${target.path}:/target \
-v ${trivyDir}:/reports \
aquasec/trivy fs \
--security-checks vuln,config \
--severity HIGH,CRITICAL \
--exit-code 0 \
--format template \
--template '@/contrib/html.tpl' \
/target > ${trivyDir}/trivy-${target.name}-report.html
"""
}
// Add filesystem scan summary to the main report
sh """
echo "\\n## Source Code Vulnerability Scan" >> ${trivyDir}/summary.md
echo "### Backend Source Vulnerabilities" >> ${trivyDir}/summary.md
echo '```' >> ${trivyDir}/summary.md
grep -A 10 "CRITICAL\\|HIGH" ${trivyDir}/trivy-backend-fs-vuln.txt | head -20 >> ${trivyDir}/summary.md
echo "\\n... (See full report for more details)" >> ${trivyDir}/summary.md
echo '```' >> ${trivyDir}/summary.md
echo "\\n### Frontend Source Vulnerabilities" >> ${trivyDir}/summary.md
echo '```' >> ${trivyDir}/summary.md
grep -A 10 "CRITICAL\\|HIGH" ${trivyDir}/trivy-frontend-fs-vuln.txt | head -20 >> ${trivyDir}/summary.md
echo "\\n... (See full report for more details)" >> ${trivyDir}/summary.md
echo '```' >> ${trivyDir}/summary.md
"""
}
}
}
π§ How It Works
The filesystem scan stage performs three distinct types of scans on both frontend and backend source code directories:
- Vulnerability Scan: Searches for known vulnerabilities in application dependencies
- Outputs results to a readable text file
- Only reports HIGH and CRITICAL severity issues to reduce noise
- Configuration Scan: Analyzes configuration files for security issues
- Outputs results in JSON format for potential programmatic processing
- Checks Dockerfiles, YAML files, and other config files for best practices
- Combined HTML Report: Creates a comprehensive, browser-friendly report
- Combines both vulnerability and configuration scanning
- Provides an easy-to-navigate interface for reviewing findings
All scan results are added to the existing summary report, providing a complete view of both source code and container vulnerabilities in one place.
π Complete Security Workflow
With this addition, our pipeline now provides comprehensive security in a layered approach:
- Source Code Analysis: SonarQube scans for quality issues and bugs
- Dependency Scanning: Trivy filesystem scan finds vulnerable packages
- Configuration Checks: Trivy detects misconfigurations in project files
- Container Scanning: Trivy image scan identifies vulnerabilities in the final containers
This multi-layered security approach gives you confidence that your application is protected at every stage of the development lifecycle.
π Sample Filesystem Scan Results
When your pipeline runs, you’ll see scan results like this for your source code:
Report Summary
ββββββββββββ¬βββββββββ¬ββββββββββββββββββ
β Target β Type β Vulnerabilities β
ββββββββββββΌβββββββββΌββββββββββββββββββ€
β - β - β - β
ββββββββββββ΄βββββββββ΄ββββββββββββββββββ
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
The clean report above indicates no vulnerabilities were foundβgreat news! But if issues are detected, they’ll be displayed in an easy-to-read format with severity levels, affected packages, and available fixes.
π οΈ Implementation Notes
Simply replace your existing Trivy stage with this enhanced version to immediately benefit from the improved reporting capabilities. All reports will be saved to the trivy-reports directory in your workspace.
β JUST UPDATED: The complete enhanced pipeline is now available in our GitHub repository!
# Clone the repo to get the latest security scanning improvements
git clone https://github.com/rjshk013/devops-projects
cd wanderlust-3tier-project
# Check out the new Trivy configuration in Jenkinsfile_trivyfull_report fileπ§ͺ 1οΈβ£2οΈβ£ Test the Deployed Application Locally
π Once your CI/CD pipeline has completed successfully, your application is now live and accessible on your host machine. Hereβs how to verify:
π Access Frontend:
π Open your browser and go to:http://localhost:5173/
You should see your React-based frontend app running π
π οΈ Access Backend (API):
π Open another tab and hit:http://localhost:5000/
π³ Verify Running Containers on Host Machine
To ensure both your frontend and backend services are up and running after deployment, run the following command on your host terminal:
docker ps
π GitHub Repository
ποΈ You can find the complete source code, Jenkinsfile, Docker Compose setup, and scripts used in this article right here:
π GitHub β Wanderlust 3-Tier DevSecOps CI/CD Project
β Conclusion: Your DevSecOps Lab Is Now Live π
Youβve just built a real-world CI/CD pipeline that:
- π§ Automates code building and testing with Jenkins
- π§ Ensures code quality through SonarQube
- π‘οΈ Scans for vulnerabilities using Trivy
- π³ Runs entirely in Docker Compose
- π₯οΈ Deploys applications seamlessly on the same local server
And the best part? You did it all with zero cloud cost β 100% open-source, local, and production-grade ready! π―
π― Whatβs Next?
- β
Optimized pipeline speed using parallel stages in Jenkins
β Reduced Docker image sizes with multistage builds
β Upgraded security scanning by replacing Trivy with Snyk for deep dependency and container vulnerability checks
This setup isnβt just a tutorial β itβs a launchpad into real-world DevOps workflows. Now youβre equipped to experiment, expand, and evolve your own secure software delivery system ππ»
