Mastering DevSecOps: A 3-Tier CI/CD Pipeline with Jenkins, Docker, and Security Scanning

Listen to this Post

Featured Image

Introduction

DevSecOps integrates security into the DevOps pipeline, ensuring continuous security checks alongside development and deployment. In this article, we break down a 3-tier web application deployment using Jenkins, Docker, SonarQube, and Trivy—highlighting key commands, configurations, and best practices for secure automation.

Learning Objectives

  • Implement a Jenkins CI pipeline for automated builds and testing.
  • Containerize a 3-tier app (React.js, Node.js, MySQL) using Docker.
  • Integrate SonarQube for code quality and Trivy for vulnerability scanning.

1. Setting Up Jenkins for CI/CD Automation

Jenkins Pipeline Script (Declarative Syntax)

pipeline {
agent any
stages {
stage('Build') {
steps {
sh 'npm install' // Frontend (React.js)
sh 'cd backend && npm install' // Backend (Node.js)
}
}
stage('Test') {
steps {
sh 'npm test' // Frontend tests
sh 'cd backend && npm test' // Backend tests
}
}
stage('SonarQube Analysis') {
steps {
withSonarQubeEnv('sonar-server') {
sh 'sonar-scanner'
}
}
}
}
}

What This Does:

  • Automates build, test, and code analysis in Jenkins.
  • Uses `sonar-scanner` to check for bugs and code smells.

2. Dockerizing the 3-Tier Application

Dockerfile for Node.js Backend

FROM node:16
WORKDIR /app
COPY package.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD ["npm", "start"]

Docker Compose for Multi-Container Deployment

version: '3'
services:
frontend:
build: ./frontend
ports:
- "80:3000"
backend:
build: ./backend
ports:
- "3001:3001"
db:
image: mysql:5.7
environment:
MYSQL_ROOT_PASSWORD: securepass

What This Does:

  • Isolates frontend, backend, and database in separate containers.
  • Uses `docker-compose up` to deploy the full stack.

3. Integrating SonarQube for Code Quality

Running SonarQube Scanner

sonar-scanner \
-Dsonar.projectKey=my-app \
-Dsonar.sources=. \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.login=your-sonar-token

What This Does:

  • Scans code for vulnerabilities, duplications, and maintainability issues.

4. Trivy for Container Vulnerability Scanning

Scanning a Docker Image with Trivy

trivy image my-app-backend:latest

What This Does:

  • Detects CVEs in Docker images before deployment.

5. Automating Security in Jenkins with Trivy

Jenkins Stage for Trivy Scan

stage('Trivy Scan') {
steps {
sh 'trivy --exit-code 1 --severity CRITICAL my-app-backend:latest'
}
}

What This Does:

  • Fails the pipeline if critical vulnerabilities are found.

6. Kubernetes Deployment (Optional Scaling)

Deploying to Kubernetes

kubectl apply -f deployment.yaml

Sample `deployment.yaml`:

apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
spec:
replicas: 3
selector:
matchLabels:
app: backend
template:
metadata:
labels:
app: backend
spec:
containers:
- name: backend
image: my-app-backend:latest
ports:
- containerPort: 3001

7. Securing MySQL with Environment Variables

MySQL Secure Installation

docker run --name mysql-db -e MYSQL_ROOT_PASSWORD=strongpassword -d mysql:5.7 --ssl-mode=REQUIRED

What This Does:

  • Enforces SSL encryption for database connections.

What Undercode Say

✅ Key Takeaway 1: Automating security scans (SonarQube + Trivy) in CI/CD reduces post-deployment risks.
✅ Key Takeaway 2: Docker and Kubernetes ensure scalability while maintaining isolation.

Analysis:

DevSecOps is no longer optional—83% of breaches stem from misconfigured deployments. By embedding security early (via Trivy scans and SonarQube checks), teams reduce remediation costs by 60%. Future pipelines will likely incorporate AI-driven security audits for real-time threat detection.

Prediction

By 2026, AI-powered security gates in CI/CD will become standard, blocking vulnerable builds automatically. Companies lagging in DevSecOps adoption will face 3x more breaches than those automating security checks.

🔗 Project Code: GitHub Repo

DevSecOps Jenkins Docker Kubernetes Cybersecurity CICD

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Abhishek Prasad – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky