In this project we will integrate SonarQube into Jenkins and automate security testing (static analysis of the application source) as part of a CI/CD pipeline.

Technologies: Jenkins (pipeline orchestration), Docker (to host SonarQube), SonarQube (static analysis), Maven and Git (to fetch and build the target).

We will use a deliberately vulnerable web application named Vulnado as the test target, so the analysis is expected to report findings.

Jenkins Installation

There are several ways to install Jenkins; this write-up takes the simplest one. You can install Jenkins with a package manager such as apt or snap, or follow the official installation guide. Jenkins can also run inside Docker, but that is not the route taken here, because the pipeline below runs its build tools directly on the Jenkins host.

Jenkins install

Docker Installation

We install Docker so that SonarQube can run as a container on the same host:

Docker install

Configuring Jenkins

After installation you can reach the Jenkins web interface in a browser at localhost:8080 (the default port):

Jenkins web interface

Get the initial admin password. On a package install it is written to /var/lib/jenkins/secrets/initialAdminPassword; the unlock page shows the exact path for your installation:

Jenkins password

After logging in, Jenkins asks which plugins to install. I chose the suggested plugins (these include the Git, Pipeline and credentials plugins the rest of this project relies on):

Plugin installation

Create the first admin user:

Admin user creation

Configure the Jenkins URL:

URL config

And here’s the Jenkins main page:

Jenkins main page

Creating the Pipeline

Press “New Item”, select Pipeline and give it a name:

New pipeline

On the job configuration page, scroll down to the Pipeline section. This editor is where the pipeline script goes:

Pipeline editor

Jenkins pipelines are written in a Groovy-based DSL. The declarative form used here is easy to read: a pipeline block declares an agent and a list of stages, and each stage holds the steps it runs.

Stage 1: Install the Project

The first stage of our pipeline checks the project out from Git:

Install stage

Stage 2: Build the Project

The second stage builds the project with Maven. Maven must be available on the build agent first: either install it on the host beforehand (sudo apt-get install maven -y), or, more cleanly, configure a Maven installation under Manage Jenkins > Tools and reference it from the pipeline so the job does not depend on packages installed by hand:

Build stage

After the build stage has run, your pipeline view should look like this:

Pipeline after build

Setting Up SonarQube

We have checked out and built the project in Jenkins. Now let’s start the security testing!

Pull the SonarQube image:

Docker pull sonarqube

Run SonarQube in a container, publishing its web port (9000 by default). Note that the image runs with an embedded database unless you point it at an external one, which is fine for this lab but not for a long-lived server, and analysis history is lost if the container is removed without a volume:

Docker run

Check that the container is up (SonarQube takes a minute or two to finish starting after the container is running):

Container running

Access SonarQube at localhost:9000 with default credentials admin:admin:

SonarQube login

SonarQube forces a change of the default admin password at first login; set a new one now, since the server will hold analysis tokens that Jenkins authenticates with:

Reset password

SonarQube Project Setup

Choose “Create a local project”:

Create project

Fill the name and key:

Project details

For the new-code definition, choose “Use global settings”:

Global settings

Choose Jenkins as analysis method:

Jenkins analysis

Choose GitHub as the place where the code is hosted:

GitHub integration

Choose Maven as the build tool. SonarQube then generates a Jenkinsfile snippet for us, but it has to be adapted before it fits our pipeline: it refers to a Maven tool installation and a SonarQube server by name, and those names must match what we configure in Jenkins in the next section:

Maven config

Integrating SonarQube with Jenkins

In SonarQube, go to My Account > Security > Generate Tokens and create a Global Analysis Token. A global token can analyse every project on the server, so for a single project a Project Analysis Token is the tighter choice; in either case give the token an expiry date and treat it as a secret from here on:

Generate token

In the Jenkins dashboard, open Manage Jenkins:

Manage Jenkins

Install the “SonarQube Scanner for Jenkins” plugin (Manage Jenkins > Plugins). It provides the withSonarQubeEnv pipeline step and the server configuration used below:

SonarQube plugin

Go to Manage Jenkins > Credentials and add a new credential:

Add credential

Select “Secret text” as the kind, paste the SonarQube analysis token and give the credential an ID. Storing the token here, rather than in the pipeline script, keeps it out of the job configuration, the repository and the console log:

Secret text

Go to Manage Jenkins > System > SonarQube installations. Give the server a name, enter its URL and select the token credential. Because SonarQube is a container on the Jenkins host, localhost:9000 works here; if Jenkins itself ran in a container, localhost would refer to the Jenkins container and you would need the Docker network address instead:

SonarQube config

Final Pipeline

With the server and credential in place, your pipeline should look like this:

Final pipeline
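The pipeline behind that screenshot, written out in the Jenkins declarative DSL as an added example; it is not the page’s own script and not the snippet SonarQube generates. It covers Stage 1 and Stage 2 from earlier plus the analysis stage and a quality-gate check. The repository URL and branch, the Maven tool name Maven3, the SonarQube server name sonarqube and the project key vulnado are assumptions; replace them with the names you configured:

```groovy
// Added example Jenkinsfile (not the page's or the Vulnado project's own code).
// Assumed names, adapt to your setup: repository URL and branch, the Maven
// tool 'Maven3' (Manage Jenkins > Tools), the SonarQube server 'sonarqube'
// (Manage Jenkins > System) and the SonarQube project key 'vulnado'.
pipeline {
    agent any

    tools {
        // A Jenkins-managed Maven installation; this replaces installing Maven
        // on the host with sudo apt-get and is added to PATH for every stage.
        maven 'Maven3'
    }

    options {
        // Fail the whole run if it hangs, e.g. if SonarQube is unreachable.
        timeout(time: 30, unit: 'MINUTES')
    }

    stages {
        stage('Checkout') {
            steps {
                // Stage 1: fetch the vulnerable application (assumed URL/branch).
                git url: 'https://github.com/ScaleSec/vulnado.git', branch: 'master'
            }
        }

        stage('Build') {
            steps {
                // Stage 2: compile and package. -B keeps Maven non-interactive;
                // tests are skipped because this job exists for static analysis.
                sh 'mvn -B -DskipTests clean package'
            }
        }

        stage('SonarQube Analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and the analysis token
                // from the Secret text credential chosen in the server config, so
                // the token never appears in this file or in the console output.
                // The fully qualified goal avoids relying on plugin-prefix lookup.
                withSonarQubeEnv('sonarqube') {
                    sh 'mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar ' +
                       '-Dsonar.projectKey=vulnado -Dsonar.projectName=vulnado'
                }
            }
        }

        stage('Quality Gate') {
            steps {
                // Wait for SonarQube to report the Quality Gate and fail the build
                // if it does not pass. This needs a webhook in SonarQube
                // (Administration > Configuration > Webhooks) that points at
                // <jenkins-url>/sonarqube-webhook/ so the result is pushed back.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }

    post {
        always {
            // Keep the built artefact for inspection, then clear the workspace
            // so the checked-out vulnerable code does not linger on the agent.
            archiveArtifacts artifacts: 'target/*.jar', allowEmptyArchive: true
            cleanWs()
        }
    }
}
```

Paste this into the Pipeline editor of the job, or commit it as a Jenkinsfile and switch the job to “Pipeline script from SCM”. The Quality Gate stage is optional for a first run; without the webhook it will simply time out, so either configure the webhook or remove that stage while testing.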

And this is how the stages should look in the build view:

Pipeline stages

And this is the SonarQube dashboard with the analysis results. Since Vulnado is deliberately vulnerable, a long list of findings is the expected outcome, not a sign that something went wrong:

SonarQube dashboard