In one of my previous blogs, I wrote about Jenkins and how it can help in creating a CI/CD pipeline, which enhances both the quality of a product and the way it is deployed.
This article details a project that brings Jenkins, SonarQube, and Trivy together, and walks through deploying and configuring them on AWS. Let us begin.
Before we begin, there are some basic points we need to know about these tools.
SonarQube
SonarQube is an open-source tool designed to continuously inspect the quality of code in software projects, catching bugs, security vulnerabilities, and bad coding practices. Created by SonarSource, it has grown popular among developers and companies that want to keep their codebases in top condition.
Here's an overview of its key features and functionalities:
Code Quality Analysis
SonarQube analyzes code written in Java, C#, JavaScript, Python, and many other languages. To identify problems that can affect the code's quality, maintainability, reliability, and security, it checks the code against a set of predefined rules.
Static Code Analysis
It performs static code analysis, meaning it examines code without running it. This analysis helps locate potential bugs, security flaws, and other problems early in the development process.
Code Smell Detection
SonarQube recognizes code smells: specific patterns or structures in code that can point to a deeper issue or inefficiency. Examples include overly complicated code, duplicated code, and inconsistent coding practices.
Security Vulnerability Detection
SonarQube identifies not only code quality problems but also security flaws in the source. It looks for common weaknesses such as exposed sensitive data, cross-site scripting (XSS), and injection attacks.
Integration with Development Tools
SonarQube integrates with popular development tools, including IDEs (Integrated Development Environments) such as Eclipse, Visual Studio, and IntelliJ IDEA, as well as CI/CD (Continuous Integration/Continuous Deployment) pipelines. This lets developers get feedback on problems and code quality right within their development workflow.
Customizable Rules
Although SonarQube ships with a default set of rules, users can extend and modify these rules to better fit their own project objectives, best practices, and coding standards.
Reporting and Dashboards
It offers thorough reports and dashboards that show historical trends in code quality. Developers and project managers can use these reports to monitor progress, set priorities, and make data-driven decisions that improve the quality of the code.
Support for Multiple Languages
SonarQube is appropriate for a variety of software development projects because it supports a large number of programming languages.
Trivy
Trivy is an open-source vulnerability scanner for operating systems, package managers, and containers. Its purpose is to help security teams and developers find vulnerabilities in container images and make sure their software stack is built from secure components.
Here's an overview of Trivy's key features and functionalities:
Container Image Scanning
Trivy's main job is to find vulnerabilities in container images. It inspects each layer of a container image, looking for known vulnerabilities in the packages and dependencies installed at that layer.
Support for Multiple Artifact Types
Although Trivy is most often used for scanning container images, it can also scan other types of artifacts, including operating system packages (such as RPM and DEB) and language-specific package managers (such as npm and pip). This versatility lets users run thorough vulnerability scans across the various components of their software stack.
Integration with CI/CD Pipelines
Trivy can be integrated into CI/CD pipelines to automate vulnerability scanning in the software development process. This ensures vulnerabilities are found early in the lifecycle and fixed before deployment.
Database of Vulnerabilities
To find known vulnerabilities, Trivy uses a variety of community-maintained sources as well as vulnerability databases like the National Vulnerability Database (NVD). It updates its vulnerability database regularly to make sure it recognizes the most recent security threats.
Fast Scanning
Trivy is fast and can complete scans quickly, even on large container images. This keeps the overhead of adding vulnerability scanning to development workflows low.
Detailed Reports
After a scan finishes, Trivy produces thorough reports listing all the vulnerabilities discovered in the analyzed artifacts. The reports usually include details for each vulnerability, such as its severity rating, the affected packages, and suggested remediation steps.
Customizable Policies
Trivy allows users to create custom vulnerability scanning policies based on their specific needs and risk tolerance. This flexibility lets organizations tailor the scanning process to their own security policies and compliance requirements.
Open-Source and Community-Supported
Trivy is an open-source project with a vibrant community of contributors and users. This community-driven development model ensures that Trivy stays current and responsive to the evolving threat landscape.
Jenkins
I wrote about this tool already here.
Docker
Docker is a platform that lets developers create, deploy, and operate applications in containers. Containers are lightweight, portable, and self-sufficient environments that contain all of the components (code, runtime, system libraries, and dependencies) required to run an application.
Here are some key aspects of Docker:
Containerization
Docker uses containerization technology to encapsulate applications and their dependencies. This lets applications run reliably across different environments, from development to production, without being affected by differences in the underlying infrastructure.
Docker Engine
Docker's key component is the Docker Engine, which is in charge of creating, running, and managing containers. The Docker Engine is made up of a daemon process named dockerd, a REST API for communicating with the daemon, and a command-line interface (CLI) tool called docker that lets users interact with the daemon.
Docker Images
Containers are built from Docker images, which are lightweight, standalone, and portable packages that include everything required to run an application, such as the application code, runtime, libraries, and dependencies. Docker images are created using a Dockerfile, which is a text file that includes instructions for creating the image.
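As a tiny sketch of that workflow (the image name, tag, and port here are placeholders, not values from this project), building and running an image looks like this:
docker build -t myapp:1.0 .             # build an image from the Dockerfile in the current directory
docker run -d -p 3000:3000 myapp:1.0    # start a container from that image, mapping port 3000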
Docker Hub
Docker Hub is a cloud-based registry service offered by Docker that allows users to find, share, and store Docker images. It functions as a central repository for Docker images, letting users quickly pull images from public repositories or publish their own images, either privately or publicly.
Docker Compose
Docker Compose is a tool for defining and running multi-container Docker applications. It uses a YAML file to define the services, networks, and volumes that make up an application, allowing complicated application architectures to be defined and managed as a single unit.
Orchestration with Docker Swarm and Kubernetes
Docker Swarm and Kubernetes are container orchestration solutions for deploying, scaling, and managing containerized applications across a cluster of servers. Docker Swarm is the native orchestration tool for Docker, whereas Kubernetes is a Google-developed open-source platform.
Portability and Consistency
Docker containers are highly portable and behave consistently across environments, making it simple to build, test, and deploy applications reliably. Developers can build and test applications locally in Docker containers and then deploy them to production without modifications, ensuring consistency and stability.
The concept of Webhooks
Webhooks are a way for web applications to communicate with each other in real time. They are a mechanism for one application to automatically send notifications or data to another application when a specific event occurs, usually through HTTP POST requests.
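As a tiny illustration (the URL and payload below are made up for the example, not part of this project), a webhook delivery is essentially just an HTTP POST:
curl -X POST http://receiver.example.com/hooks/build-finished \
  -H "Content-Type: application/json" \
  -d '{"event": "build.finished", "status": "success"}'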
Great!! Now that we know what tools we are using, let's start with the project. To begin with, we need an EC2 instance that can handle all these workloads, so I would suggest the combination below (make sure you finish the project in one go and delete the infra once it is complete, since the instance is not in the free tier).
EC2 Configuration:
Type: t2.medium
Base Image: Ubuntu (I have used ami-080e1f13689e07408)
Storage: 30GiB
While configuring the security groups, open the ports 8080 (for Jenkins), 9000 (for SonarQube), 22 (for SSH), and 80 and 443 (for HTTP and HTTPS).
Pro-tip: Use an Elastic IP address so that if you stop your instance partway through the project, the Elastic IP stays the same even though the instance's public IP would otherwise change, keeping your application configuration intact.
Let's begin configuring the instance.
Let's configure the ports in the security group
Create an Elastic IP and attach it to the EC2 instance
Now let's connect to the EC2 instance using the cloudshell (you can SSH into the instance too, but since I configured my instance without a keypair, I used the cloudshell) and elevate our privileges.
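One common way to elevate privileges (assuming the default ubuntu user on an Ubuntu AMI) is:
sudo su -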
Let's update the instance using:
apt update -y
Let's upgrade our configuration inside the instance using:
apt upgrade -y
Alright! Now we are ready for phase 1.
Phase - 1: Installing Jenkins
We need to install Java first, which is a prerequisite for installing and configuring Jenkins. You can visit the Jenkins documentation before you decide on the Java version.
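At the time of writing, the Jenkins documentation recommends a supported LTS JDK; on Ubuntu, installing OpenJDK 17 looks like this (check the docs in case the supported version has changed):
apt install fontconfig openjdk-17-jre -y
java -version    # verify the installation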
Every 12 weeks, an LTS (Long-Term Support) release is selected from the stream of regular releases as the stable release for that period. It can be installed via the Debian-stable apt repository. Let's install it and then update our instance.
Once the machine is updated using the apt update command, we are ready to install Jenkins. Let's install Jenkins now.
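The steps below follow the Jenkins Debian-stable installation docs at the time of writing; verify the key URL against the current docs before running:
wget -O /usr/share/keyrings/jenkins-keyring.asc https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/" | tee /etc/apt/sources.list.d/jenkins.list > /dev/null
apt update
apt install jenkins -y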
Once this is installed, it is now time to enable the Jenkins service and start it.
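With systemd, that looks like this:
systemctl enable jenkins    # start Jenkins automatically at boot
systemctl start jenkins     # start the service now
systemctl status jenkins    # confirm it shows active (running)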
Great! Once all this is done, the only thing left is to add the plugins.
Let's configure Jenkins
Since we are already in elevated user mode, just run
cat /var/lib/jenkins/secrets/initialAdminPassword
to view the initial config password.
Once you get the admin password, configure the admin account and also install the suggested plugins.
Once all this is complete, you should be able to see the Jenkins dashboard.
Let's configure the plugins now.
Using the Available plugins tab on the left-hand pane, we can search for the required plugins. In our case:
1> SonarQube Scanner
2> Sonar Quality Gates
3> Sonar Gerrit
4> SonarQube Generic Coverage
5> JFrog
6> Quality Gates
Once these are installed, it is time to configure our pipeline. Navigate to the job and click on "Pipeline" on the left. Configure the rest of the options:
Definition: Pipeline script from SCM
SCM: GIT
Repository: <your GIT repository URL where you are hosting the application code>
Click on Save once these are set.
Phase - 2: Installing Docker
Let's install the dependencies first
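One straightforward route on Ubuntu is the docker.io package from Ubuntu's own repositories (a sketch; Docker's official apt repository is an equally valid alternative):
apt install docker.io -y
usermod -aG docker ubuntu    # let the default ubuntu user run docker without sudo
systemctl enable docker
systemctl start docker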
Pro-tip: Change the permissions for the docker.sock to avoid any issues while running your code for containerizing your application.
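A common quick fix in throwaway lab setups like this one (far too permissive for production, where adding your user to the docker group is the right approach):
chmod 666 /var/run/docker.sock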
Phase - 3: Running SonarQube
Let us make Docker run the SonarQube application on port 9000.
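A minimal sketch (the lts-community tag is my assumption; use whichever SonarQube image tag suits you):
docker run -d --name sonar -p 9000:9000 sonarqube:lts-community
docker ps    # confirm the container is up before browsing to port 9000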
Great! Now that Docker is running the SonarQube application, it's time to test our implementation and configure the SonarQube application.
Configuring SonarQube Application
When you access the SonarQube application's login page, the default username and password are both admin, and you will be required to reset the password on first login. Once you have successfully logged in, the SonarQube application's homepage appears.
Fantastic! With that little bit of configuration, we were able to set up a webhook for the Sonar application.
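For reference, when wiring SonarQube back to Jenkins, the webhook URL typically points at the endpoint exposed by the Jenkins SonarQube plugin, something like the placeholder below (substitute your own Jenkins address):
http://<jenkins-ip>:8080/sonarqube-webhook/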
Phase - 4: Time to install and configure Maven and Trivy
As with all installations, you just need to run:
apt install maven -y
We need to install Trivy so that we can inspect and find vulnerabilities in the Docker image that will be used in the pipeline. Here is how you install it:
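The steps below follow the Trivy apt installation docs at the time of writing; verify the key URL against the current docs before running:
apt-get install wget apt-transport-https gnupg lsb-release -y
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /usr/share/keyrings/trivy.gpg
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/trivy.list
apt-get update
apt-get install trivy -y
trivy --version    # verify the installation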
If you have completed everything up to this point, well done!! It is time for the final phase: configuring all of these tools on Jenkins and building the pipeline.
Phase - 5: Configuring the Tools installed on Jenkins
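Before we look at the pipeline itself, here is a rough sketch of the shell commands that stages in a pipeline like this typically run; every name, URL, and token below is a placeholder, not a value from this project:
mvn clean package    # build and package the application
mvn sonar:sonar -Dsonar.host.url=http://<ec2-ip>:9000 -Dsonar.login=<sonar-token>    # push analysis results to SonarQube
docker build -t <dockerhub-user>/<app>:latest .    # containerize the application
trivy image <dockerhub-user>/<app>:latest    # scan the built image for vulnerabilities
docker push <dockerhub-user>/<app>:latest    # publish the image to Docker Hub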
In my case, the pipeline status shows failed because I deliberately used incorrect Docker credentials to showcase what a failed pipeline looks like. I later rectified the credentials and re-built the pipeline, and it turned green.
Logging/Monitoring
While all of this is going on, we can have a look at the various logs. Here are a few snapshots for reference from the Jenkins build, SonarQube, and Trivy.
Conclusion
So, by doing all this, what do we understand? The answer is the importance of building CI/CD pipelines and integrating various tools with them. In a nutshell, CI/CD pipelines are absolutely useful for deploying and automating tasks that would take a long time to execute if run manually; with CI/CD, everything gets streamlined. It is also worth noting that tools like Docker play a marvelous role in making applications lightweight and deployable anywhere with all their required dependencies. And with tools like Trivy and SonarQube, administrators and DevOps engineers can be confident about the quality of the code and the threat analysis in their environment.
Last but not least:
Remember to clean up the resources you have created on the project since these can incur a good amount of billing.
I hope you found this project helpful. Do let me know if there was something that could have been done better.