Why Your CI/CD Pipeline Isn't Secure—And How to Fix It with DevSecOps

PS: I am looking for a job for the role of “DevOps Engineer” or “Fullstack Developer”. If you know someone who could refer or help, a referral would be appreciated ❤️

We will be focusing on building a pipeline with GitHub Actions and Docker, adding security with a Trivy image scan, and deploying with Argo CD.

Features of this project:

  • Deploying a Tic Tac Toe React application

  • Running unit tests on our application

  • Using a GitHub Actions workflow for the CI/CD part

  • Using Docker to containerize the application and generate an image

  • Using an AWS EC2 instance to run the deployed application container, so that the application is reachable on the EC2 instance's public IP address

Prerequisites for this project:

  1. A working React application (client only will do)

  2. Docker installed on your local system

  3. Knowledge of Docker, writing YAML files and CI workflows

  4. An AWS account and an EC2 t2.medium instance for the Argo CD part

Step 1: Running your project locally

You should be able to run your project locally on your system.

Next, build your project:

npm run build

Step 2: Write a Dockerfile in the root of your project with a .dockerignore file

Now let’s build a container image for our project

Docker Containerization

docker build -t <IMAGE_NAME>:v1 .

This builds the image and tags it as <IMAGE_NAME>:v1.

Now run your image with this command (the tag must match the one you built, otherwise Docker looks for <IMAGE_NAME>:latest and fails):

docker run -d -p 1101:80 <IMAGE_NAME>:v1

Your React application will be running on “http://localhost:1101”.

To check that your container is running:

docker ps

Step 3: Write the CI-CD workflow yaml file

This YAML file consists of 5 stages:

  1. Unit testing of the application

  2. Static code analysis

  3. Build

  4. Docker build and push + Trivy image scan

  5. Update the Kubernetes deployment.yaml file
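Here is an added example of such a workflow (written for this article, not the code from the linked repository). It assumes a Create React App style project with lint, test and build npm scripts, a Docker Hub repository named tic-tac-toe with DOCKERHUB_USERNAME and DOCKERHUB_TOKEN repository secrets, and the manifest at k8s/deployment.yaml. The point that matters for security is the ordering in the image job: Trivy runs between the build and the push with exit-code 1, so an image with unfixed CRITICAL or HIGH findings never reaches the registry, and the manifest that Argo CD watches is only updated with a tag that passed the scan.

```yaml
name: ci-cd
on:
  push:
    branches: [main]
permissions: { contents: read }       # least privilege: read-only token unless a job asks for more
env:
  IMAGE: docker.io/${{ secrets.DOCKERHUB_USERNAME }}/tic-tac-toe   # assumption: Docker Hub repo
jobs:
  test:                               # stages 1-3: unit tests, static analysis, build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20, cache: npm }
      - run: npm ci
      - run: npm test -- --watchAll=false   # assumption: CRA-style test script
      - run: npm run lint                   # assumption: a "lint" script exists in package.json
      - run: npm run build
  image:                              # stage 4: build, scan, and push only if the scan passes
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/build-push-action@v5
        with:
          context: .
          load: true                  # build into the local daemon; nothing is pushed yet
          tags: ${{ env.IMAGE }}:${{ github.sha }}
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"              # non-zero exit fails the job, so the push step never runs
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - run: docker push ${{ env.IMAGE }}:${{ github.sha }}
  manifest:                           # stage 5: point deployment.yaml at the scanned image tag
    needs: image
    runs-on: ubuntu-latest
    permissions: { contents: write }  # the only job that needs to write to the repository
    steps:
      - uses: actions/checkout@v4
      - run: |
          sed -i "s|image: .*|image: ${{ env.IMAGE }}:${{ github.sha }}|" k8s/deployment.yaml
          git config user.name github-actions && git config user.email github-actions@github.com
          git commit -am "ci: deploy ${{ github.sha }}" && git push
```

Tagging with the commit SHA rather than a mutable tag such as latest means the manifest always names exactly the image that was scanned, which is what Argo CD will then roll out.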

Then start an AWS EC2 instance and install Docker and kind on it, and later install Argo CD on the instance.

The next steps were performed directly in the AWS EC2 Session Manager, so the code and screenshots are not available.

However, we successfully deployed our k8s cluster and our app on the public IP given by the EC2 instance.

You can see the source code here:

https://github.com/JaguarsCodehub/devsecops-demo


Written by

Jyotindra Tavanoji