Integrating Trivy and SonarQube with Jenkins Pipeline

Lasantha Sanjeewa Silva
3 min read · Sep 17, 2024


Architecture Diagram

In this project, I will create a full CI/CD pipeline using Jenkins, incorporating SonarQube for code quality analysis and Trivy for container security scanning.

SonarQube is used for code quality scans and code coverage, while Trivy is utilized for filesystem and Docker image security scanning.

Step 1

Create an Ubuntu EC2 instance using a t2.medium or larger instance type (SonarQube alone needs roughly 2 GB of RAM, and Jenkins, Docker builds and Trivy scans run on the same host). Create or select a key pair for SSH access to the instance, then launch it.

EC2 Instance

Step 2

Next, open the EC2 instance's security group and add inbound rules to allow traffic for Jenkins, SonarQube, and the final application. Restrict the source of the Jenkins and SonarQube rules to your own IP address (or a VPN/bastion range) rather than 0.0.0.0/0: both are administrative consoles, and the Jenkins console can run arbitrary commands on the host.

  • 8080 port: Jenkins (admin IP only)
  • 9000 port: SonarQube (admin IP only)
  • 8081 port: Web Application
Security Group Inbound Rules

Step 3

Next, connect to the EC2 instance using EC2 Instance Connect or an SSH client. Log in with a sudo-capable user (ubuntu on the stock Ubuntu AMI) and run the following script to install Jenkins.

Get the initial admin password, which Jenkins asks for on first login, using the following command.

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

Step 4

Next, run SonarQube on the Ubuntu EC2 instance using the script provided below. Since SonarQube will run inside a Docker container, ensure Docker is installed before executing the SonarQube setup. SonarQube's embedded Elasticsearch also requires the host kernel setting vm.max_map_count to be at least 262144 (sudo sysctl -w vm.max_map_count=262144), otherwise the container exits shortly after start.

Next, log in to the SonarQube console at EC2_Public_IP:9000 with the default admin/admin credentials, change the admin password when prompted, and generate a user token (My Account > Security). Jenkins will authenticate with this token rather than the admin password; copy it now, as SonarQube shows it only once.

SonarQube Admin Token

Step 5

Install Trivy using the following command. Trivy is used for filesystem scanning (source tree, dependency manifests and committed secrets) and container image scanning (OS packages and application libraries in the built image). Because the image scan talks to the Docker daemon, the jenkins user needs to be in the docker group (sudo usermod -aG docker jenkins, then restart Jenkins).

Step 6

Next, log in to Jenkins at Public_IP:8080 with the initial admin password and create an admin user account.

Install the SonarQube Scanner for Jenkins, Docker, and Docker Pipeline plugins in Jenkins (Manage Jenkins > Plugins).

Step 7

In Jenkins global settings, configure the SonarQube and Docker installations: under Manage Jenkins > System add the SonarQube server (name, URL http://EC2_Public_IP:9000 and the token credential from Step 8), and under Manage Jenkins > Tools add the SonarQube Scanner and Docker installations. The server name you choose here is the one the Jenkinsfile references in withSonarQubeEnv.

SonarQube Installation
Docker Installation

Step 8

Add two Jenkins credentials: a Username with password credential for the Docker registry, and a Secret text credential holding the SonarQube token generated in Step 4. Give each a stable ID, because the pipeline refers to credentials by ID, not by description.

Global Credentials

Step 9

Next, click ‘Create Job’ and select ‘Pipeline’ as the template.

Create Jenkins Job

Next, enable ‘Discard Old Builds’ and set the ‘Max # of Builds’ to 2.

Discard Old Builds

Next, go to the last option and select ‘Pipeline Script from SCM.’ Choose ‘Git’ as the repository type, enter the repository URL, and select your Git credentials (none are needed for a public repository). Ensure that the repository contains a Jenkinsfile at its root, as that is the path Jenkins reads by default. You can either clone or fork my sample Git repository for this purpose.

Pipeline Script from SCM
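The declarative Jenkinsfile below is an added example of how the pieces configured in Steps 4 to 8 fit together; it is not the Jenkinsfile from the author's repository. The SonarQube server name (sonarqube), scanner tool name (sonar-scanner), Docker credential ID (dockerhub-creds), image name, project key and the port the application listens on inside the container (80) are assumptions to replace with your own values.

```groovy
// Added example Jenkinsfile (not the author's): SonarQube + Trivy gates around a Docker build.
pipeline {
    agent any

    environment {
        SONAR_SERVER = 'sonarqube'                // assumed: server name from Manage Jenkins > System
        DOCKER_CREDS = 'dockerhub-creds'          // assumed: username/password credential ID
        IMAGE_NAME   = 'yourdockerhubuser/demo-app' // assumed registry path
        IMAGE_TAG    = "${env.BUILD_NUMBER}"
        APP_PORT     = '8081'                     // host port opened in the security group
    }

    options {
        buildDiscarder(logRotator(numToKeepStr: '2')) // same as 'Discard Old Builds', max 2
        timestamps()
    }

    stages {
        stage('Checkout') {
            steps { checkout scm }
        }

        stage('SonarQube Analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and the token credential configured for it,
                // so the token never appears in the Jenkinsfile.
                withSonarQubeEnv("${SONAR_SERVER}") {
                    script {
                        def scannerHome = tool 'sonar-scanner' // assumed tool name from Manage Jenkins > Tools
                        sh "${scannerHome}/bin/sonar-scanner -Dsonar.projectKey=demo-app -Dsonar.sources=."
                    }
                }
            }
        }

        stage('Quality Gate') {
            steps {
                // Needs a SonarQube webhook pointing at http://<jenkins>:8080/sonarqube-webhook/
                timeout(time: 5, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }

        stage('Trivy Filesystem Scan') {
            steps {
                // Scan the checked-out tree for vulnerable dependencies and committed secrets.
                // --exit-code 1 makes findings fail the build; without it the scan is only a report.
                sh 'trivy fs --scanners vuln,secret --severity HIGH,CRITICAL --exit-code 1 --no-progress .'
            }
        }

        stage('Docker Build') {
            steps {
                sh "docker build -t ${IMAGE_NAME}:${IMAGE_TAG} ."
            }
        }

        stage('Trivy Image Scan') {
            steps {
                // Scan the built image before it is pushed anywhere. --ignore-unfixed avoids blocking
                // on base-image CVEs that have no patch yet; drop it if you want those to fail too.
                sh "trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 --no-progress ${IMAGE_NAME}:${IMAGE_TAG}"
            }
        }

        stage('Push Image') {
            steps {
                withCredentials([usernamePassword(credentialsId: "${DOCKER_CREDS}",
                                                  usernameVariable: 'DOCKER_USER',
                                                  passwordVariable: 'DOCKER_PASS')]) {
                    // Single-quoted so the shell, not Groovy, expands the secret (keeps it out of the log).
                    sh 'echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin'
                    sh "docker push ${IMAGE_NAME}:${IMAGE_TAG}"
                }
            }
        }

        stage('Deploy') {
            steps {
                // Replace the running container; container port 80 is an assumption about the app.
                sh "docker rm -f demo-app || true"
                sh "docker run -d --name demo-app -p ${APP_PORT}:80 ${IMAGE_NAME}:${IMAGE_TAG}"
            }
        }
    }

    post {
        always {
            sh 'docker logout || true'
        }
    }
}
```

The order matters: the filesystem scan runs before the image is built so that a leaked key or a vulnerable lock file is caught without spending a build, and the image scan runs before the push so that a failing image never reaches the registry. Both Trivy stages use --exit-code 1; a scan that cannot fail the pipeline is a report, not a gate.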

Finally, save the pipeline configuration and click ‘Build Now’ to start the build process.

Jenkins Pipeline

Once the pipeline completes, the application is reachable at EC2_Public_IP:8081.

Website

Git Repository: https://github.com/sanju2/jenkins-cicd-pipeline.git

Thanks for reading the Article.

Connect with me
LinkedIn https://www.linkedin.com/in/lasanthasilva
Twitter https://twitter.com/LasanthaSilva96
