Building a Secure CI/CD Pipeline on Oracle Cloud with DevSecOps Tools

Merlin Saha
4 min read

Automated Secure CI/CD Pipeline for Oracle Cloud Infrastructure with DevSecOps Practices (Jenkins, OWASP Dependency Check, Trivy, SonarQube, VCN, Compartment, Security Group, Maven, GitHub, Docker, Docker Hub, ArgoCD, Kubernetes) Using Terraform, Ansible, and Bash Scripts

Introduction

We'll walk through the tools used to set up an automated, secure CI/CD pipeline for Oracle Cloud Infrastructure (OCI) using popular DevSecOps tools and techniques. We'll explore two deployment choices: one on Oracle Cloud Virtual Machines and the other on Kubernetes installed on Oracle Cloud Virtual Machines. Additionally, we'll use Terraform, Ansible and Bash scripts to automate the provisioning and configuration of the required infrastructure and tools, and Argo CD for deployment.

Technologies Used:

  1. Jenkins: An open-source automation server that facilitates Continuous Integration and Continuous Deployment (CI/CD) processes.

  2. OWASP Dependency-Check: A utility that identifies project dependencies and checks for known, publicly disclosed vulnerabilities.

  3. Trivy: A simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for CI/CD pipelines.

  4. SonarQube: A platform for continuous code quality analysis, providing insights into code quality, security vulnerabilities, and technical debt.

  5. Oracle Autonomous Database: A fully managed, preconfigured database environment that is designed to provide high performance, high availability, and automated patching and upgrades.

  6. Virtual Cloud Network (VCN): OCI's software-defined networking service that provides connectivity between resources in the cloud.

  7. Compartment: A logical container in OCI for isolating and controlling access to resources.

  8. Security Group: A virtual firewall that controls inbound and outbound traffic at the instance level in OCI.

  9. Maven: A build automation tool used primarily for Java projects, managing dependencies and building and packaging applications.

  10. GitHub: A web-based version control and collaboration platform for software development.

  11. Docker: An open-source platform for building, shipping, and running applications in containers.

  12. Docker Hub: A cloud-based registry service for storing, distributing, and managing Docker container images.

  13. ArgoCD: A declarative continuous delivery tool for Kubernetes applications.

  14. Kubernetes: An open-source container orchestration system for automating deployment, scaling, and management of containerized applications.

  15. Terraform: An infrastructure-as-code (IaC) tool that allows you to provision and manage cloud resources using a declarative configuration language.

  16. Ansible: An open-source IT automation tool that automates software provisioning, configuration management, and application deployment.

  17. Bash Scripts: Shell scripts written in the Bash scripting language for automating various tasks.

Check the PoC video (in French); the link is given in Step 8 below.

Step 1: Provision Infrastructure using Terraform

  1. Use Terraform to provision the required infrastructure resources in OCI, including:

    • Virtual Cloud Network (VCN)

    • Subnets

    • Compute instances (for Jenkins, SonarQube, etc.)

    • Oracle Autonomous Database instance

    • Security groups

    • Compartments

    • Etc.

Step 2: Configure Jenkins (Agent and Master) on OCI, automatically with an Ansible Playbook and a Bash Script

  1. Install Java and Jenkins on the designated Compute instance.

  2. Install Kubernetes

  3. Install Trivy on the Jenkins Compute instance.

  4. Install Docker

  5. Configure Jenkins Master and Agent.

  6. Deploy ArgoCD

Step 3: Integrate OWASP Dependency-Check

  1. Install OWASP Dependency-Check on the Jenkins Compute instance.

  2. Create a Jenkins pipeline job and add a stage to run OWASP Dependency-Check.

  3. Configure OWASP Dependency-Check to scan your application's dependencies for known vulnerabilities.

Step 4: Integrate Trivy for Container Image Scanning

  1. Add a stage in your Jenkins pipeline to scan the built container image using Trivy.

  2. Configure Trivy to scan for vulnerabilities in the container image and its dependencies.

Step 5: Integrate SonarQube for Code Quality Analysis

  1. Use Terraform to provision a SonarQube server on OCI.

  2. Add a stage in your Jenkins pipeline to run SonarQube analysis on your code.

  3. Configure SonarQube to analyze your code for bugs, code smells, and security vulnerabilities.

Step 6: Configure the CI/CD Pipeline

  1. Define the stages in your Jenkins pipeline:

    • Checkout code from GitHub

    • Build the application using Maven

    • Run OWASP Dependency-Check

    • Build and scan the container image with Trivy

    • Run SonarQube analysis

    • Include a stage for building and pushing the container image to Docker Hub.

    • Add a stage in the pipeline to trigger ArgoCD deployment after successful pipeline execution.

    • Etc.

  2. Configure Jenkins to trigger the pipeline automatically on code commits or manually as needed.
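Putting Steps 3 through 6 together, here is an added example Jenkinsfile (declarative pipeline) that is not part of the original post or of the linked repository. It assumes an agent labelled `oci-agent` with Maven, Docker, Trivy, `dependency-check.sh` and the SonarQube Maven plugin available (Step 2), a SonarQube server registered in Jenkins under the name `sonarqube`, Jenkins credentials `dockerhub-creds` and `gitops-creds`, a Docker Hub repository `example-org/spring-boot-app`, and a GitOps repository `example-org/app-gitops` that Argo CD watches; all of these names are placeholders. Each scanner stage is configured to fail the build on findings rather than only produce a report, which is what turns the pipeline into a security gate.

```groovy
// Added example Jenkinsfile (not from the original post or repository).
// Assumed placeholders: agent label 'oci-agent', SonarQube server 'sonarqube',
// credentials 'dockerhub-creds' and 'gitops-creds', image example-org/spring-boot-app,
// GitOps repository example-org/app-gitops.
pipeline {
    agent { label 'oci-agent' }

    environment {
        // Exported to every sh step, so single-quoted shell blocks can use $IMAGE/$TAG
        IMAGE = 'docker.io/example-org/spring-boot-app'
        TAG   = "${env.BUILD_NUMBER}"
    }

    options {
        timestamps()
        disableConcurrentBuilds()
    }

    stages {
        stage('Checkout from GitHub') {
            steps { checkout scm }
        }

        stage('Build with Maven') {
            steps { sh 'mvn -B clean package' }
            post { always { junit allowEmptyResults: true, testResults: 'target/surefire-reports/*.xml' } }
        }

        stage('OWASP Dependency-Check') {
            steps {
                // --failOnCVSS 7 fails the build on any HIGH/CRITICAL dependency CVE
                sh '''
                  dependency-check.sh --project "$JOB_NAME" --scan target \
                    --format ALL --out dependency-check-report --failOnCVSS 7
                '''
            }
            post { always { archiveArtifacts artifacts: 'dependency-check-report/*', allowEmptyArchive: true } }
        }

        stage('SonarQube analysis') {
            steps {
                withSonarQubeEnv('sonarqube') {
                    sh 'mvn -B sonar:sonar -Dsonar.projectKey=spring-boot-app'
                }
            }
        }

        stage('SonarQube quality gate') {
            steps {
                // Blocks until SonarQube posts its webhook; aborts on a failed gate
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }

        stage('Build container image') {
            steps { sh 'docker build -t "$IMAGE:$TAG" .' }
        }

        stage('Trivy image scan') {
            steps {
                // Non-zero exit on HIGH/CRITICAL findings that already have a fix
                sh 'trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$IMAGE:$TAG"'
            }
        }

        stage('Push to Docker Hub') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'dockerhub-creds',
                                                  usernameVariable: 'DH_USER',
                                                  passwordVariable: 'DH_PASS')]) {
                    sh '''
                      echo "$DH_PASS" | docker login -u "$DH_USER" --password-stdin
                      docker push "$IMAGE:$TAG"
                      docker logout
                    '''
                }
            }
        }

        stage('Trigger Argo CD deployment') {
            steps {
                // GitOps hand-off: commit the new tag; Argo CD syncs the cluster from Git
                withCredentials([usernamePassword(credentialsId: 'gitops-creds',
                                                  usernameVariable: 'GIT_USER',
                                                  passwordVariable: 'GIT_TOKEN')]) {
                    sh '''
                      git clone "https://$GIT_USER:$GIT_TOKEN@github.com/example-org/app-gitops.git" gitops
                      cd gitops
                      sed -i "s|image: .*|image: $IMAGE:$TAG|" k8s/deployment.yaml
                      git -c user.name=jenkins -c user.email=jenkins@example.invalid \
                          commit -am "Deploy $IMAGE:$TAG from build $BUILD_NUMBER"
                      git push origin HEAD
                    '''
                }
            }
        }
    }

    post { always { cleanWs() } }
}
```

The quality-gate stage only works when SonarQube's webhook points at the Jenkins `/sonarqube-webhook/` endpoint; without it `waitForQualityGate` waits until the timeout. Trivy's `--ignore-unfixed` keeps the gate from blocking on base-image CVEs that have no patch yet; drop it if you want those listed as well. The Argo CD hand-off is a commit to the GitOps repository rather than a direct sync command, so every deployed image tag stays traceable in Git history.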

Step 7: Deployment Choice 1, Oracle Cloud Virtual Machines

  1. Deploy the application on Oracle Cloud Virtual Machines

Step 8: Deployment Choice 2, Kubernetes on Oracle Cloud Virtual Machines

  1. Configure ArgoCD to automatically deploy your application to the Kubernetes cluster based on the pipeline output.

Congratulations on reading this far!

Step 9: Source code

Source code, with a README file: https://github.com/devsahamerlin/iac-spring-boot-atp-jenkins-oci-devsecops

Video Link here in French: https://www.youtube.com/watch?v=mvBNh6scVHk

By following the steps in the video, you will use Terraform, Ansible, and Bash scripts to automate the provisioning and configuration of an end-to-end secure CI/CD pipeline for Oracle Cloud Infrastructure. This pipeline incorporates DevSecOps practices using popular tools like Jenkins, OWASP Dependency-Check, Trivy, and SonarQube, so that security is addressed throughout the entire software development lifecycle.

The deployment choices provided cater to different scenarios: the first choice deploys the application on Oracle Cloud Virtual Machines, while the second choice leverages Kubernetes for container orchestration and deployment on Oracle Cloud Virtual Machines. In both choices, all required resources, including Oracle Autonomous Database, are provisioned using the provided Terraform code.
