DevSecOps | Integrate SonarQube and Trivy

I highly recommend using the repo here - Day12 to practise this project instead of copying the code snippets. In case of confusion, please watch the video, which is explained in English. The code in the blog has not been changed, to keep the screenshots intact.

SonarQube

SonarQube is a static code analysis (code quality) platform. It flags bugs, code smells and unreadable code, detects duplicated lines, reports test coverage from the coverage reports your build feeds it, marks security hotspots, and enforces quality gates that decide whether a build passes, among other things.

SonarQube is mainly aimed at developers, since all of its checks work at the code level. But as DevOps engineers it is our job to set SonarQube up and wire it into the pipeline.

SonarQube uses the sonar-scanner tool, which analyses the source code and sends the results to the SonarQube server; the server stores them in its database. If no external database is configured, SonarQube falls back to its embedded H2 database, which is meant for evaluation only and is not supported for production use or for upgrades.

To install SonarQube manually we need Java, SonarQube itself, and a database such as PostgreSQL (or another supported DB).

As an alternative, we can use the official SonarQube Docker image, which makes the job a lot easier.

Since I found a blog where SonarQube is configured inside Jenkins that is easy to understand, and so as not to copy its content, please navigate to the link below and follow the steps.

Although that blog was done on localhost, we set up SonarQube on a different server, and Docker was installed before following the blog.

Docker Installation

SonarQube Configuration


Trivy

Trivy, on the other hand, tells us about the vulnerabilities inside an image. It can scan Docker images, file systems, Git repositories, Helm charts and a lot more, and it is widely used to scan Docker images before they are deployed to Kubernetes.

It is best to configure Trivy on the same server where our images are built, in our case the BuildServer, so that an image is scanned before it is pushed to the registry.

This step reduces the number of known vulnerabilities (CVEs in the base image and in OS or library packages) that reach production, because every image is checked against Trivy's vulnerability database before deployment.

You can download Trivy from the official documentation - Trivy Official. The steps below use the apt repository (the old apt-key method is deprecated, so the signing key is stored in a dedicated keyring instead):
# prerequisites for adding the repository
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
# import Trivy's signing key into its own keyring
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
# register the repository, trusting only that key for it
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy

To scan an image:

trivy image sagarkakkala385/react-nginx

To scan an image and show only HIGH and CRITICAL findings (this filters the output; by itself it does not change whether the command fails):

trivy image --severity HIGH,CRITICAL <image_name>

To get the output in JSON format, which is what a pipeline stage should consume:

trivy image --format json --output report.json sagarkakkala385/react-nginx

To scan a Git repository:

trivy repo https://github.com/Hari0o/Gold_Site_Ecommerce.git

After configuring SonarQube and Trivy, the pipeline follows this pattern:

Code > Scan using SonarQube (if the quality gate passes, next stage; if it fails, developers need to fix the code) > Build the code and create the image > Image scanned by Trivy (if there are no vulnerabilities at or above the agreed severity, next stage; if there are, DevOps need to fix the image, usually by updating the base image or packages) > Deployment stage steps
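As an added example (written for this post, not code from Trivy or from the original pipeline), the Python below shows how the "image scanned by Trivy" decision can be made from the report.json written with --format json above. The gate fails the stage on HIGH and CRITICAL findings, skips findings that have no fixed version yet (nothing to upgrade to), and honours a list of accepted IDs. The report embedded in the script is a constructed sample that copies Trivy's JSON schema; its vulnerability IDs, package names and versions are placeholders, not real findings.

```python
"""Gate stage for a Trivy JSON report (added example for this post).

Illustrative code written for the blog, not part of Trivy or of the original
pipeline. It consumes the file produced by
    trivy image --format json --output report.json <image>
and returns the exit code the Trivy stage should end with:
0 to proceed to deployment, 1 to send the image back for fixing.
"""
import json
import sys
from dataclasses import dataclass

# Trivy's severity strings, ranked so a threshold comparison is possible.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    pkg: str
    installed: str
    fixed: str        # "" when the distro has not shipped a fixed version yet
    severity: str
    target: str       # which layer/file the package came from


def load_findings(report):
    """Flatten a Trivy JSON report (schema v2) into Finding objects.

    Each entry of "Results" has a "Target" and, only when something was found,
    a "Vulnerabilities" list; a clean target omits the key or sets it to null.
    """
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                pkg=v["PkgName"],
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion", ""),
                severity=v.get("Severity", "UNKNOWN").upper(),
                target=result.get("Target", ""),
            ))
    return findings


def gate(report, fail_on="HIGH", ignore_unfixed=True, accepted=()):
    """Decide whether the image may proceed. Returns (passed, blocking).

    fail_on        lowest severity that blocks (HIGH blocks HIGH and CRITICAL)
    ignore_unfixed skip findings with no FixedVersion, the same idea as
                   trivy --ignore-unfixed: DevOps cannot upgrade to a fix
                   that does not exist yet
    accepted       vulnerability IDs whose risk was formally accepted, the
                   role a .trivyignore file plays on the CLI
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for f in load_findings(report):
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        if ignore_unfixed and not f.fixed:
            continue
        if f.vuln_id in accepted:
            continue
        blocking.append(f)
    return (not blocking, blocking)


def format_finding(f):
    """One log line per blocking finding, so the build log says what to fix."""
    fix = f"-> {f.fixed}" if f.fixed else "(no fix yet)"
    return f"{f.severity:8} {f.vuln_id:18} {f.pkg} {f.installed} {fix}  [{f.target}]"


def gate_report_file(path, **policy):
    """Read report.json from disk and return the stage's exit code (0 or 1)."""
    with open(path, encoding="utf-8") as fh:
        passed, blocking = gate(json.load(fh), **policy)
    for f in blocking:
        print(format_finding(f))
    return 0 if passed else 1


# Constructed sample report: the shape is Trivy's, but the IDs, package names
# and versions are placeholders invented for this example, not real vulnerabilities.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example/react-nginx:1.0",
    "Results": [
        {
            "Target": "example/react-nginx:1.0 (alpine 3.18.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-CRIT-1", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-HIGH-1", "PkgName": "exampletls",
                 "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.2-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-HIGH-2", "PkgName": "exampleutils",
                 "InstalledVersion": "2.4.0-r0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-MED-1", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0-r0", "FixedVersion": "1.0.1-r0",
                 "Severity": "MEDIUM"},
            ],
        },
        # A clean target: Trivy emits it without a "Vulnerabilities" key.
        {"Target": "usr/share/nginx/html/package.json", "Class": "lang-pkgs", "Type": "node-pkg"},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(gate_report_file(sys.argv[1]))   # python3 gate.py report.json
    passed, blocking = gate(SAMPLE_REPORT)
    for f in blocking:
        print(format_finding(f))
    sys.exit(0 if passed else 1)
```

Run as `python3 gate.py report.json` right after the trivy image command in the Trivy stage; with the sample report it exits 1 and lists EXAMPLE-CRIT-1 and EXAMPLE-HIGH-1, while EXAMPLE-HIGH-2 is skipped because no fix exists. The same policy can be expressed on the CLI without any script: by default trivy image exits 0 even when it finds vulnerabilities, so a pipeline gate needs `trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed <image>`, with accepted IDs listed one per line in a .trivyignore file in the working directory.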


Now our architecture looks somewhat like this:




This concludes our blog.


🔹 Important Note: Also, before proceeding to the next session, please do the homework to understand the session better - DevOps Homework



I post most of my content in Telugu related to contrafactums (changing the lyrics of original songs), fun vlogs, travel stories and much more to explore. You can use this link as a single point of access - Sagar Kakkala One Stop

🖊 Feedback, queries and suggestions about the blog are welcome in the comments.