This repository contains a Jenkins pipeline (Jenkinsfile) for the Continuous Integration (CI) process of a Node.js application.
The pipeline covers dependency and security scanning, unit testing, coverage, image building and vulnerability scanning, deployment to EC2, GitOps manifest updating, DAST scanning, and uploading reports to S3.
- Install Dependencies: Installs Node.js dependencies.
- Dependency Scanning: Scans for vulnerable dependencies with NPM Audit and OWASP Dependency Check.
- Unit Tests & Coverage: Runs tests and code coverage, publishing results.
- SAST (SonarQube): Runs static analysis and enforces code quality gates.
- Build Docker Image: Builds a Docker image for the app.
- Trivy Vulnerability Scan: Scans the built Docker image for vulnerabilities, generates reports.
- Push Docker Image to ECR: Pushes the image to Amazon Elastic Container Registry.
- Deploy to EC2: Pulls and runs the new image on a remote EC2 instance.
- Integration Testing: Runs integration tests on the EC2 deployment.
- Update Kustomize Image Tag: Updates the image tag in a GitOps Kubernetes manifest repository.
- DAST (OWASP ZAP): Runs dynamic security tests against the deployed app.
- Upload Reports to S3: Uploads all relevant reports to AWS S3 for archiving and review.
- Jenkins with:
- Pipeline, NodeJS, Credentials Binding, AWS, SonarQube, HTML Publisher plugins
- Jenkins Tools configured:
- Node.js (label:
node) - SonarQube Scanner (label:
sonarqube-scanner-610) - OWASP Dependency Check (label:
OWASP-DepCheck-11)
- Node.js (label:
- Jenkins Credentials:
mongo-db-creds,mongo-db-username,mongo-db-password: MongoDB accessgit-pat-token: GitHub token with push access to the GitOps repoaws-creds: AWS credentials for ECR/S3 accessec2-ssh-key: SSH private key for EC2 access
- AWS ECR: Repository created and accessible for Docker pushes
- AWS EC2: Instance set up and accessible for deployment
- SonarQube server configured in Jenkins as
sonar-qube-server - Trivy and yq available on Jenkins agent(s)
- OWASP ZAP (Docker image) available
- S3 bucket (
orbit-engine-jenkins-reports) exists for report uploads - GitOps Repo: kubernetes-manifest or your own, using Kustomize overlays
| Name | Description | Example Value |
|---|---|---|
| MONGO_URI | MongoDB connection string | mongodb+srv://supercluster.d83jj.mongodb.net/superData |
| MONGO_DB_CREDS | Jenkins credentials for MongoDB | username:password |
| SONAR_SCANNER_HOME | SonarQube scanner installation path | From Jenkins tool configuration |
| GITHUB_TOKEN | GitHub PAT for manifest repo push | From Jenkins credentials |
| ECR_REPO_URL | AWS ECR repository URL | 400014682771.dkr.ecr.us-east-2.amazonaws.com |
| IMAGE_NAME | Full image name with repo | ${ECR_REPO_URL}/solar-system |
| IMAGE_TAG | Tag for Docker image (commit SHA) | ${GIT_COMMIT} |
- Runs
npm install --no-audit
- NPM Audit: Checks for critical vulnerabilities.
- OWASP Dependency Check: Scans for known component vulnerabilities.
- Prints MongoDB credentials (for debugging).
- Runs
npm testand collects JUnit results. - Runs code coverage, collects and publishes HTML report.
- Runs SonarQube scanner for static code analysis.
- Waits for quality gate result and fails if gate is not met.
- Builds Docker image tagged with commit SHA.
- Scans image for vulnerabilities (LOW-MEDIUM-HIGH and CRITICAL).
- Generates JSON, HTML, and JUnit XML reports.
- Logs in to ECR and pushes the Docker image.
- SSH to EC2, pulls the new image, stops/removes old container, and runs the new version with required environment variables.
- Runs a provided
integration-testing-ec2.shscript against the EC2 deployment.
- Clones the GitOps manifest repo.
- Uses
yqto update theoverlays/dev/kustomization.yamlimage tag. - Commits and pushes the change using the GitHub token.
- Runs ZAP DAST scan against the deployed app API.
- Publishes multiple report formats (HTML, Markdown, JSON, XML).
- Gathers all major output files and uploads them to S3 for archival.
- JUnit XML: For dependency, unit, coverage, trivy, and zap tests
- HTML Reports: For dependency check, coverage, trivy, and zap
- S3 Upload: Backs up the entire report directory per build
After a successful build and deployment, the pipeline updates the kubernetes-manifest repository's overlays/dev/kustomization.yaml with the new Docker image tag.
This triggers your CD pipeline to rollout the new version via ArgoCD or similar.
If your CD pipeline is in another repo, link to its documentation:
- AWS/EC2/ECR Issues: Check credentials and permissions in Jenkins.
- MongoDB Connection: Ensure secrets are correct and network is open.
- SonarQube/Trivy/OWASP Tools: Ensure tools are installed and paths are correct.
- Manifest Update: Confirm GitHub token has push rights to the GitOps repo.
- S3 Upload: Check bucket policies and IAM permissions.