Automating Docker Deployments with DevSecOps🚀
Building a Secure and Scalable 3-Tier Web Application with DevSecOps
Introduction
In today's fast-paced software development world, integrating security into the DevOps pipeline (DevSecOps) has become crucial. In this blog post, I will walk you through developing and deploying a 3-tier web application using SonarQube, OWASP Dependency-Check, Trivy, Docker, and Jenkins, and show where each tool adds a security check to the delivery pipeline.
Project Overview
Our project is "Wanderlust", a blog web application. The tech stack includes:
Frontend: React.
Backend: Node.js and Express.
Database: MongoDB.
Deployment: Docker on AWS EC2.
Why DevSecOps?
DevSecOps integrates security practices into the DevOps process, ensuring that security is a shared responsibility throughout the development lifecycle. This approach helps in:
Identifying vulnerabilities early.
Automating security checks.
Ensuring compliance with security standards.
Step 1 : Create an AWS EC2 instance with the t2.medium instance type (Ubuntu; the commands below use apt). t2.medium (2 vCPUs, 4 GB RAM) is about the smallest type that runs Jenkins and SonarQube side by side.
Step 2 : Install Docker, Docker Compose and Jenkins on the EC2 instance.
Install Docker and Docker Compose with the following commands:
sudo apt-get update
sudo apt-get install docker.io -y
sudo apt-get install docker-compose -y
Pre-requisite for Jenkins:
- Java
Run the commands below to install Java and Jenkins.
- Install Java:
sudo apt update
sudo apt install openjdk-17-jre
Current Jenkins LTS releases (2.479.1 and later) require Java 17 or 21 and refuse to start on Java 11, so do not install openjdk-11 here.
- Ensure Java is installed:
java --version
- Now install Jenkins:
curl -fsSL https://pkg.jenkins.io/debian/jenkins.io-2023.key | sudo tee \
/usr/share/keyrings/jenkins-keyring.asc > /dev/null
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt-get update
sudo apt-get install jenkins
Because the last pipeline stage runs docker-compose as the jenkins service user, that user must be allowed to talk to the Docker daemon: add it to the docker group (sudo usermod -aG docker jenkins) and restart Jenkins (sudo systemctl restart jenkins), otherwise the deploy stage fails with "permission denied" on /var/run/docker.sock. Keep in mind that docker group membership is effectively root on the host, which is one more reason to keep this build server away from production and away from the open internet.
To reach Jenkins from your browser, open its port in the instance's security group:
Log in to the AWS Management Console and go to the EC2 Dashboard.
Select your instance, then click the security group link on the instance's Security tab.
Edit inbound rules and add a Custom TCP rule for port 8080. Prefer setting the source to your own address (My IP) rather than Anywhere (0.0.0.0/0): Jenkins holds your credentials and, after the step above, can drive the Docker daemon, so an admin interface exposed to the whole internet is a target. The same consideration applies to port 9000 for SonarQube in Step 3.
Save the rules and open http://<EC2 public IP>:8080.
Unlock Jenkins with the initial admin password printed by the following command:
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
Create your admin user.
After creating the user, Jenkins shows its URL; save it, because the SonarQube webhook in Step 4 needs it.
Step 3 : Install SonarQube using the Docker image
docker run -itd --name sonarqube-server -p 9000:9000 sonarqube:lts-community
SonarQube's embedded Elasticsearch needs the kernel setting vm.max_map_count to be at least 262144; a fresh Ubuntu instance ships with a lower value (65530), and the container exits shortly after start until you raise it with sysctl. If the UI does not come up, check docker logs sonarqube-server.
To reach SonarQube from your browser, add an inbound rule for port 9000 to the security group, with the same source restriction you used for 8080.
You will see the login screen; the initial username and password are both admin.
Log in and change the password immediately.
Step 4 : Establish connection between Jenkins and SonarQube
Now we have to send project through Jenkins to SonarQube and then SonarQube will send report to Jenkins. So we can do that using Jenkins URL from Step 2 and we use webhook for connection.
And for security purpose we have to create token from SonarQube's Administration's Configuration and click on create.
Now fill required information and create a web hook with any name and our Jenkins URL/sonarqube-webhook/.
After creation of webhook now create token which is required for security purpose, for that we have to navigate on Administration > Security give any name to token and click on Generate.
Now copy that URL and store somewhere for further use.
Now navigate on Jenkins dashboard and go to manage Jenkins > Credentials > System > Global credentials (unrestricted) and click on Add Credentials.
Fill the fields, at secret block paste our stored secret, give id and description.
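The /sonarqube-webhook/ endpoint accepts a POST from anyone who can reach port 8080, so a forged "quality gate passed" callback is possible unless the webhook is signed. SonarQube's webhook form has an optional Secret; when set, SonarQube sends HMAC-SHA256(secret, raw body) in hex in the X-Sonar-Webhook-HMAC-SHA256 header, and the Jenkins SonarQube server entry has a matching Webhook Secret field. The following is an added example (not code from the original post, the Jenkins plugin, or SonarQube) of the check the receiving side performs: recompute the MAC over the raw body and compare it in constant time before trusting the gate status. The secret and the payload are constructed for the example; the payload shape follows SonarQube's documented webhook format.

```python
import hashlib
import hmac
import json
from typing import Optional

HEADER = "X-Sonar-Webhook-HMAC-SHA256"


def sign_payload(secret: str, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body, as SonarQube computes it for the header."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, body: bytes) -> Optional[dict]:
    """Return the parsed payload if the signature is valid, otherwise None.

    The MAC is computed over the raw bytes, not over a re-serialised JSON object,
    and compared with hmac.compare_digest so response timing does not leak the
    expected digest byte by byte.
    """
    presented = headers.get(HEADER, "")
    expected = sign_payload(secret, body)
    if not hmac.compare_digest(presented, expected):
        return None
    return json.loads(body)


def quality_gate_status(payload: dict) -> str:
    """Gate status from a verified SonarQube webhook payload: 'OK' or 'ERROR'."""
    return payload["qualityGate"]["status"]


# Constructed example payload and secret (assumed values; in practice the secret is a
# long random string stored as a Jenkins "Secret text" credential).
SECRET = "example-webhook-secret"
SAMPLE_BODY = json.dumps({
    "serverUrl": "http://sonarqube.example:9000",
    "taskId": "task-example",
    "status": "SUCCESS",
    "project": {"key": "wanderlust", "name": "wanderlust"},
    "qualityGate": {
        "name": "Sonar way",
        "status": "ERROR",
        "conditions": [
            {"metric": "new_security_hotspots_reviewed", "status": "ERROR",
             "value": "0", "errorThreshold": "100"},
        ],
    },
}).encode("utf-8")


if __name__ == "__main__":
    genuine = {HEADER: sign_payload(SECRET, SAMPLE_BODY)}
    payload = verify_webhook(SECRET, genuine, SAMPLE_BODY)
    print("genuine callback, gate status:", quality_gate_status(payload))

    # An attacker who does not know the secret cannot produce a valid header...
    forged = {HEADER: sign_payload("guess", SAMPLE_BODY)}
    print("forged header accepted?", verify_webhook(SECRET, forged, SAMPLE_BODY) is not None)

    # ...and cannot flip ERROR to OK in a captured genuine callback either.
    tampered = SAMPLE_BODY.replace(b'"status": "ERROR"', b'"status": "OK"', 1)
    print("tampered body accepted?", verify_webhook(SECRET, genuine, tampered) is not None)
```

Without the secret, the only thing protecting the gate result is network reachability of port 8080, which is another reason not to leave that port open to 0.0.0.0/0.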
Step 5 : Set up the SonarQube server and required plugins
- Navigate to Jenkins Dashboard > Manage Jenkins > System, scroll down to SonarQube servers, tick the option to inject the server configuration as environment variables, name the server (the pipeline below calls it 'Sonar'), enter http://<EC2 public IP>:9000 as the URL, and select the token credential from Step 4 by its ID.
- Add the required plugins in Jenkins (Manage Jenkins > Plugins):
SonarQube Scanner for Jenkins
Sonar Quality Gates
OWASP Dependency-Check
Docker and Docker Pipeline
- Now go to Manage Jenkins > Tools > SonarQube Scanner installations and add one named 'Sonar' with "Install automatically" ticked. The pipeline's tool name: 'Sonar' looks up this installation, while withSonarQubeEnv('Sonar') looks up the server entry above, so the two names must match what you type in the pipeline.
Step 6 : Set up Dependency-Check (OWASP)
Go to Manage Jenkins > Tools > Dependency-Check installations and add one named "dc" with "Install automatically" from github.com; "dc" is the name the pipeline's odcInstallation argument refers to. Dependency-Check 9 and later fetch vulnerability data through the NVD API 2.0, which is throttled to the point of failing without an API key, so request a free key from the NVD and pass it with the --nvdApiKey argument (store the key as a Jenkins credential rather than writing it into the pipeline).
Step 7 : Install Trivy on the instance
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy -y
Step 8 : Create a pipeline
Click New Item on the Jenkins dashboard, give the pipeline a name, select Pipeline and click OK.
- Configure the pipeline.
Write your stages as a Declarative Pipeline:
pipeline {
    agent any
    environment {
        // Path of the SonarQube Scanner installation named 'Sonar' in Step 5
        SONAR_HOME = tool name: 'Sonar'
    }
    stages {
        stage('Clone Code from Github') {
            steps {
                git url: "https://github.com/krishnaacharyaa/wanderlust.git", branch: "devops"
            }
        }
        stage('Sonarqube Quality Analysis') {
            steps {
                // 'Sonar' is the server entry from Step 5; it injects the URL and the token credential
                withSonarQubeEnv('Sonar') {
                    sh "${SONAR_HOME}/bin/sonar-scanner -Dsonar.projectName=wanderlust -Dsonar.projectKey=wanderlust"
                }
            }
        }
        stage('OWASP Dependency Check') {
            steps {
                // "dc" is the Dependency-Check installation from Step 6
                dependencyCheck additionalArguments: '--scan ./', odcInstallation: "dc"
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage('Sonar Quality Gate Scan') {
            steps {
                // Blocks until the webhook from Step 4 arrives (or the timeout expires).
                // abortPipeline: false only records the result; set it to true to stop the deploy when the gate fails.
                timeout(time: 2, unit: "MINUTES") {
                    waitForQualityGate abortPipeline: false
                }
            }
        }
        stage('Trivy file system scan') {
            steps {
                // --format table writes plain text, so the report is named .txt rather than .html
                sh 'trivy fs --format table -o trivy-fs-report.txt .'
            }
        }
        stage('Deploy Using docker Compose') {
            steps {
                // Runs as the jenkins user, which needs docker group membership (Step 2)
                sh 'docker-compose up -d'
            }
        }
    }
}
Our pipeline now automates our deployments: every run clones the code, runs the SonarQube analysis, Dependency-Check and Trivy scans, waits for the quality gate result, and brings the stack up with Docker Compose.
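As written, none of the scan stages can stop a deployment: waitForQualityGate runs with abortPipeline: false, Dependency-Check only publishes a report, and Trivy writes a table that nobody reads before docker-compose up runs. The script below is an added example (not part of the original post or the Wanderlust project) of a gate you could run as a stage before 'Deploy Using docker Compose'. It assumes Trivy was run with --format json -o trivy-fs-report.json and Dependency-Check with --format JSON (which writes dependency-check-report.json); it flattens both reports, counts findings per severity, and returns a non-zero exit code when any CRITICAL or HIGH finding is present. The two embedded reports are constructed samples that follow the two tools' JSON shapes (Trivy: Results[].Vulnerabilities[]; Dependency-Check: dependencies[].vulnerabilities[]), and the CVE-EXAMPLE identifiers in them are placeholders, not real CVEs. The blocking severities and the choice to skip Trivy findings with no fixed version are assumptions to tune for your project.

```python
import json
import sys
from collections import Counter
from typing import Iterable, List, Tuple

# (source tool, location, vulnerability id, severity)
Finding = Tuple[str, str, str, str]

# Assumed policy: block on these severities; lower ones are reported only.
BLOCKING = {"CRITICAL", "HIGH"}


def trivy_findings(report: dict, ignore_unfixed: bool = True) -> List[Finding]:
    """Flatten a Trivy JSON report. 'Vulnerabilities' may be missing or null per target."""
    out: List[Finding] = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # nothing to upgrade to yet: still in the report, but not a blocker
            out.append(("trivy", result.get("Target", "?"),
                        v["VulnerabilityID"], v.get("Severity", "UNKNOWN").upper()))
    return out


def dependency_check_findings(report: dict) -> List[Finding]:
    """Flatten an OWASP Dependency-Check JSON report (dependencies[].vulnerabilities[])."""
    out: List[Finding] = []
    for dep in report.get("dependencies") or []:
        for v in dep.get("vulnerabilities") or []:
            out.append(("dependency-check", dep.get("fileName", "?"),
                        v["name"], v.get("severity", "UNKNOWN").upper()))
    return out


def evaluate(findings: Iterable[Finding], blocking=BLOCKING) -> Tuple[Counter, List[Finding]]:
    """Count findings per severity and return the subset that should fail the build."""
    findings = list(findings)
    counts = Counter(sev for _, _, _, sev in findings)
    blockers = [f for f in findings if f[3] in blocking]
    return counts, blockers


def gate(trivy_report: dict, dc_report: dict) -> int:
    """Exit code for the stage: 0 = deploy may proceed, 1 = block the deploy."""
    counts, blockers = evaluate(trivy_findings(trivy_report) + dependency_check_findings(dc_report))
    print("findings by severity:", dict(counts))
    for src, loc, vid, sev in blockers:
        print(f"BLOCK {sev:<8} {vid:<20} {src} ({loc})")
    return 1 if blockers else 0


# ---- constructed sample reports (shape only; not real scan output) ----
SAMPLE_TRIVY = {
    "SchemaVersion": 2,
    "Results": [
        {"Target": "backend/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "example-lib",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "other-lib",
              "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "CRITICAL"},  # unfixed
         ]},
        {"Target": "frontend/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},  # clean target
    ],
}
SAMPLE_DC = {
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-lib:1.0.0",
         "vulnerabilities": [{"name": "CVE-EXAMPLE-0001", "severity": "HIGH"}]},
        {"fileName": "harmless:0.1.0"},  # no vulnerabilities key
    ],
}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: scan_gate.py trivy-fs-report.json dependency-check-report.json
        with open(sys.argv[1]) as t, open(sys.argv[2]) as d:
            sys.exit(gate(json.load(t), json.load(d)))
    sys.exit(gate(SAMPLE_TRIVY, SAMPLE_DC))
```

In the pipeline this becomes a stage whose only step is sh 'python3 scan_gate.py trivy-fs-report.json dependency-check-report.json'; a non-zero exit fails the stage and Declarative Pipeline skips the deploy stage after it. Skipping unfixed Trivy findings keeps the gate actionable (every blocker has an upgrade available), but it is a policy choice: for a CRITICAL with no fix you may still want a manual review rather than silence, in which case drop the ignore_unfixed default.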
Step 9 : Clean up
- Delete the EC2 instance (and its security group) once you are done, so it stops incurring cost and stops exposing Jenkins and SonarQube.