CI/CD pipeline project with Trivy FS, and SonarQube Analysis(Part -2)

Docker is a tool that makes it easy to run applications in containers. Containers are like small packages that hold everything an application needs to run. To create these containers, developers use something called a Dockerfile.

A Dockerfile is like a set of instructions for making a container. It tells Docker what base image to use, what commands to run, and what files to include. For example, if you were making a container for a website, the Dockerfile might tell Docker to use an official web server image, copy the files for your website into the container, and start the web server when the container starts.

Install Docker on the EC2 instance with the commands given below.

#!/bin/bash
## Install Docker on an Ubuntu EC2 instance
sudo apt update -y
sudo apt install -y apt-transport-https ca-certificates curl \
    software-properties-common
# Add Docker's signing key and the repository for the running Ubuntu release
# (the post hard-coded "bionic"; lsb_release picks the correct codename)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository -y \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update -y
apt-cache policy docker-ce   # confirm docker-ce now resolves from download.docker.com
sudo apt install -y docker-ce
#sudo systemctl status docker
# World-writable socket: every local user can drive the Docker daemon, which is
# root-equivalent on the host. The usual alternative is to add the Jenkins/CLI
# user to the docker group instead:  sudo usermod -aG docker "$USER"  (then log in again)
sudo chmod 777 /var/run/docker.sock

Check the Docker version installed on the instance with the command given below.

Imagine you're a chef preparing a meal for a big event. To ensure your dish is not just delicious but also safe to eat, you constantly taste, smell, and check the ingredients. In the world of software development, SonarQube plays a similar role. It's like your trusty food inspector, but for your code! In this blog, we'll demystify SonarQube in the simplest and easiest way possible.

SonarQube is a tool that helps you check the quality of your code. It's like a detective for your software, looking for potential issues, bugs, and even security vulnerabilities.

Install SonarQube from its Docker image with the commands given below.

List the running containers.

Start the container with the docker start command to bring SonarQube up.

Open SonarQube in the browser on port 9000.

Log in to SonarQube with the default username and password.

Replace the default SonarQube password with a new one.

The SonarQube dashboard looks as shown below.

Generate the access token for integrating with Jenkins.

Sonarqube Dashboard->My Account->Security->Create Token

Enter the name and the type to generate the token, which is valid for 30 days.

Integrate SonarQube with Jenkins by the following procedure.

Administration->Configuration->Webhooks

Select the create option to create the webhook.

Give the name and the Jenkins URL to integrate Jenkins.

Apache Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting and documentation from a central piece of information.

Maven is a powerful build automation tool used to work with Java projects. It provides a comprehensive set of features for managing project dependencies and for building, testing, and packaging Java applications.

Trivy is an open-source, single-binary application written in Go, designed to find vulnerabilities, misconfigurations and secrets and to work with SBOMs (Software Bills of Materials) in container images and virtual machine images. It is a versatile security tool with built-in scanners that can look for security issues across a number of targets.

Next we integrate SonarQube with Jenkins.

Go to Jenkins Dashboard->Manage Jenkins->System

Then search for SonarQube servers, where the SonarQube server has to be added.

After selecting Add SonarQube, provide the name, the server URL of SonarQube and the server authentication token (the token generated above).

Then provide the Docker Hub registry user credentials to add Docker to Jenkins.

After the build, Jenkins integrates with SonarQube to perform static code analysis on the codebase, providing insights into code quality and security.

Jenkins can report the SonarQube analysis results, allowing developers to address any identified issues and maintain high-quality code.
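A Jenkinsfile that wires the pieces above together, added here as an example and not code from the original post: the SonarQube server name 'sonar-server', the Maven tool name 'maven3', the Docker Hub credential id 'dockerhub-creds' and the image name are assumed values that must match what you configured in Jenkins.

```groovy
// Assumptions: 'sonar-server' is the name given under Manage Jenkins -> System ->
// SonarQube servers, 'maven3' a Maven installation configured in Jenkins,
// 'dockerhub-creds' the Docker Hub credential id, IMAGE a placeholder repository.
pipeline {
    agent any
    tools { maven 'maven3' }
    environment { IMAGE = 'example-user/demo-app' }
    stages {
        stage('Build') {
            steps { sh 'mvn -B clean package -DskipTests' }
        }
        stage('Trivy FS scan') {
            steps {
                // Scan the checked-out source tree (dependency manifests, config
                // files, committed secrets) before anything is built into an image;
                // --exit-code 1 fails the build on HIGH/CRITICAL findings.
                sh 'trivy fs --severity HIGH,CRITICAL --exit-code 1 --format table -o trivy-fs-report.txt .'
            }
            // Keep the report even when the scan fails the stage.
            post { always { archiveArtifacts artifacts: 'trivy-fs-report.txt', allowEmptyArchive: true } }
        }
        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and the token stored in
                // Jenkins, so no credential appears in the Jenkinsfile.
                withSonarQubeEnv('sonar-server') {
                    sh 'mvn -B sonar:sonar'
                }
            }
        }
        stage('Quality gate') {
            steps {
                // Waits for the SonarQube webhook (Administration -> Configuration ->
                // Webhooks) to call back with the gate result; aborts on failure.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('Build and push image') {
            steps {
                script {
                    docker.withRegistry('https://index.docker.io/v1/', 'dockerhub-creds') {
                        docker.build("${IMAGE}:${env.BUILD_NUMBER}").push()
                    }
                }
            }
        }
    }
}
```

Without the webhook configured earlier, waitForQualityGate would simply block until the timeout, so the gate stage is the place to check that the SonarQube-to-Jenkins integration actually works.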