E2E CI-CD Pipeline for nodejs Application
Multi-Tier Web-application: E2E Continuous Integration (CI) & Continuous Delivery (CD) Pipeline
In this article, we will create an automated CI/CD pipeline for a Node.js project using Jenkins, Docker, SonarQube, Trivy, OWASP Dependency-Check and Docker Compose. With this pipeline, your project will be automatically built, scanned, and deployed to your AWS EC2 instance every time you push changes to the source code in your GitHub repository.
Tech Stack Used in this Activity
1. Git and GitHub
Git is a version control system that manages and keeps track of source code. GitHub, on the other hand, is a service that lets you host, share, and manage your code files on the internet.
2. SonarQube
A platform for code quality management. It is designed to help developers and development teams identify and fix code issues early in the software development lifecycle. SonarQube analyzes source code for bugs, vulnerabilities, code smells, and code duplications, and provides detailed reports with actionable insights.
3. Jenkins
Jenkins is an open-source automation server that allows you to automate various tasks in your software development workflow, such as building, testing, and deploying applications. It provides a web-based interface and supports a wide range of plugins for integrating with different tools and technologies.
4. OWASP Dependency-Check
The Open Web Application Security Project (OWASP) Dependency-Check is a software composition analysis (SCA) tool that identifies project dependencies with known vulnerabilities. It helps developers and security professionals identify and mitigate potential risks associated with using vulnerable libraries and components.
5. Docker
Docker is an open-source platform that allows you to automate the deployment, scaling, and management of applications using containerization. Containers provide a lightweight and portable way to package applications and their dependencies, enabling them to run consistently across different environments.
6. Docker Compose
Docker Compose is a tool that helps you define and share multi-container applications. With Compose, you create a YAML file to define the services, and with a single command you can spin everything up or tear it all down.
7. Trivy
A user-friendly vulnerability scanner for filesystems, Docker images and containers. It works with various operating systems (Debian, CentOS, Alpine, RHEL) and package managers (Yarn, npm, Composer), enabling comprehensive security checks.
8. npm
npm stands for Node Package Manager. It is a library and registry for JavaScript software packages. npm also provides command-line tools to install packages and manage their dependencies.
9. PostgreSQL
A highly stable database management system, backed by more than 20 years of community development, which has contributed to its high levels of resilience, integrity, and correctness. PostgreSQL is used as the primary data store or data warehouse for many web, mobile, geospatial, and analytics applications.
Required Plugins for Jenkins
NodeJS Plugin
SonarQube Scanner for Jenkins
Eclipse Temurin installer Plugin
Docker Plugin
Docker Compose Plugin
OWASP Dependency-Check Plugin
Jenkins, Docker & SonarQube services are up and running
Create a New project on Jenkins using Pipeline
Jenkinsfile:
pipeline {
    agent any
    tools {
        // Names of the JDK and NodeJS installations configured under Manage Jenkins > Tools
        jdk 'jdk17'
        nodejs 'nodejs16'
    }
    environment {
        // SonarQube Scanner installation configured in Jenkins
        SCANNER_HOME = tool 'sonar-scanner'
    }
    stages {
        stage('Git Checkout') {
            steps {
                git branch: 'main', url: 'https://github.com/jaiswaladi246/fullstack-bank.git'
            }
        }
        stage('OWASP Dependency Check') {
            steps {
                // 'dp' is the name of the Dependency-Check installation configured in Jenkins
                dependencyCheck additionalArguments: '--scan ./app/backend --disableYarnAudit --disableNodeAudit', odcInstallation: 'dp'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage('TRIVY SCAN') {
            steps {
                // Filesystem scan of the checked-out source tree (lock files, OS packages, misconfigurations)
                sh "trivy fs ."
            }
        }
        stage('SonarQube Analysis') {
            steps {
                withSonarQubeEnv('sonar-scanner') {
                    sh "$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=SonarAnalysis-Report -Dsonar.projectKey=Bank"
                }
            }
        }
        stage('Install npm Dependencies') {
            steps {
                sh "npm install"
            }
        }
        stage('Backend') {
            steps {
                // dir() resolves relative to the job workspace, so the absolute workspace path is not needed
                dir('app/backend') {
                    sh "npm install"
                }
            }
        }
        stage('Frontend') {
            steps {
                dir('app/frontend') {
                    sh "npm install"
                }
            }
        }
        stage('Deploy to Container') {
            steps {
                // Runs the compose:up script defined in package.json
                // (arguments intended for the script itself must follow a '--', e.g. npm run compose:up -- -d)
                sh "npm run compose:up -d"
            }
        }
    }
}
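As written, the three scanning stages report findings but never stop the build: `trivy fs .` exits 0 whatever it finds, the Dependency-Check publisher sets no thresholds, and the SonarQube quality gate is not awaited. The following drop-in replacement for those stages is an added example, not code from the original article or the Bank-Application repository; it assumes the same installation names ('dp', 'sonar-scanner') and a SonarQube webhook pointing at Jenkins so that waitForQualityGate can receive the gate result.

```groovy
stage('OWASP Dependency Check') {
    steps {
        // Scan both tiers; keep the page's flags that skip the npm/yarn audit calls
        dependencyCheck additionalArguments: '--scan ./app/backend --scan ./app/frontend --disableYarnAudit --disableNodeAudit',
                        odcInstallation: 'dp'
        // Thresholds: one Critical or High finding in the report marks the build FAILED
        dependencyCheckPublisher pattern: '**/dependency-check-report.xml',
                                 failedTotalCritical: 1,
                                 failedTotalHigh: 1
    }
}
stage('TRIVY SCAN') {
    steps {
        // --exit-code 1 makes the step fail on HIGH/CRITICAL findings;
        // --ignore-unfixed skips vulnerabilities that have no fixed version yet
        sh 'trivy fs --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed --format table -o trivy-fs-report.txt .'
    }
    post {
        // Keep the report for review whether or not the scan passed
        always {
            archiveArtifacts artifacts: 'trivy-fs-report.txt', fingerprint: true
        }
    }
}
stage('SonarQube Analysis') {
    steps {
        withSonarQubeEnv('sonar-scanner') {
            sh "$SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=SonarAnalysis-Report -Dsonar.projectKey=Bank"
        }
    }
}
stage('Quality Gate') {
    steps {
        // Wait for SonarQube to post the gate status via webhook; abort the pipeline if it fails
        timeout(time: 5, unit: 'MINUTES') {
            waitForQualityGate abortPipeline: true
        }
    }
}
```

With these gates in place, a failing scan stops the pipeline before the 'Deploy to Container' stage runs, so vulnerable dependencies are never shipped to the EC2 instance.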
The Jenkins pipeline ran successfully
Full stage view
If the build succeeds, we get a SonarQube analysis report
Trivy scanning report
Finally, the application is deployed in the Docker containers
Once the build is successful, browse to the instance's public IP on port 3001 at /docs (backend API documentation)
Once the build is successful, browse to the instance's public IP on port 3000 (frontend)
Congratulations🥳🥳, we have successfully created an Automated CI/CD pipeline for nodejs application.
Thank You 😍😍
For the source code, check out the GitHub repository below:
Repository
https://github.com/Raghava0684/Bank-Application/tree/master
References:
Jenkins file
https://github.com/Raghava0684/Bank-Application/blob/master/Jenkinsfile
Node.js
https://computingforgeeks.com/how-to-install-node-js-on-ubuntu-debian/?expand_article=1
Trivy
Trivy installation commands (Ubuntu/Debian):
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
trivy -v   (version check)
https://medium.com/@silvesterphilip/using-trivy-to-secure-containers-on-amazon-ec2-a65f37f300d2
Docker Compose
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-compose-on-ubuntu-20-04