A production-style DevSecOps CI/CD pipeline that automates building, testing, security scanning, containerization, deployment, and monitoring of a Java Spring Boot web application.
Built as part of PG-DITISS Course in Pune — demonstrating real-world DevSecOps practices used in enterprise environments.
This project implements a fully automated CI/CD pipeline that integrates security at every stage — from code commit to production deployment — with real-time monitoring using Prometheus and Grafana.
The application under test is a Board Game Listing Web App (Java Spring Boot + AWS EC2), used as a realistic target to demonstrate the full pipeline.
```text
Developer
   │
   ▼
GitHub (Code Push)
   │
   ▼
Jenkins (CI/CD Orchestration)
   │
   ├─── Maven Compile & Test
   │
   ├─── SonarQube (SAST - Static Code Analysis)
   │
   ├─── OWASP Dependency-Check (Vulnerable Dependencies)
   │
   ├─── Docker Build & Push (DockerHub)
   │
   ├─── Trivy (Container Image Vulnerability Scan)
   │
   └─── Kubernetes Deploy (Pods + Services)
   │
   ▼
Prometheus + Blackbox Exporter
   │
   ▼
Grafana Dashboard
```
| Category | Tools |
|---|---|
| CI/CD | Jenkins, GitHub, Maven |
| Language/Framework | Java 17, Spring Boot |
| SAST | SonarQube |
| Dependency Scanning | OWASP Dependency-Check |
| Container Security | Trivy |
| Containerization | Docker |
| Orchestration | Kubernetes (Pods, Deployments, Services) |
| Monitoring | Prometheus, Blackbox Exporter, Grafana |
| Cloud | AWS EC2 |
```groovy
stage('Compile') {
    steps {
        sh 'mvn compile'
    }
}
stage('Test') {
    steps {
        sh 'mvn test'
    }
}
stage('Build') {
    steps {
        sh 'mvn package'
    }
}
```
- SonarQube — Static Application Security Testing (SAST), code quality analysis
- OWASP Dependency-Check — Scans Maven dependencies for known CVEs
- Trivy — Scans Docker images for OS and library vulnerabilities
- Application packaged into a Docker image using `Dockerfile`
- Image pushed to DockerHub registry
- Kubernetes `Deployment` and `Service` applied via `deployment-service.yaml`
- App exposed via NodePort/LoadBalancer service
- Prometheus scrapes metrics from the application and infrastructure
- Blackbox Exporter monitors endpoint availability (uptime probing)
- Grafana visualizes all metrics in real-time dashboards
```text
├── Jenkinsfile.txt            # Jenkins pipeline definition
├── Dockerfile.txt             # Docker image build instructions
├── deployment-service.yaml    # Kubernetes Deployment + Service manifest
├── pom.xml                    # Maven build configuration
├── sonar-project.properties   # SonarQube project config
├── mvnw / mvnw.cmd            # Maven wrapper scripts
└── README.md
```
- SAST with SonarQube catches code-level vulnerabilities before build
- OWASP Dependency-Check identifies vulnerable third-party libraries
- Trivy ensures container images are scanned before deployment
- Pipeline fails if critical vulnerabilities are found — security as a gate, not an afterthought
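The "security as a gate" rule above, applied to the Trivy stage as an added example (this is not the repository's own code): a small gate script that reads a Trivy JSON report and returns a failing status when any CRITICAL finding is present. It assumes the Jenkins stage first writes the report with `trivy image -f json -o trivy-report.json <image>`; the report file name and the `fixed_only` option are assumptions, and the sample report is constructed with placeholder CVE IDs.

```python
"""Severity gate for a Trivy JSON report (added example, not the project's code)."""
import json
import sys
from collections import Counter

# Severities that block the build. The README gates on CRITICAL; add "HIGH"
# here to tighten the policy for a given pipeline.
BLOCKING = ("CRITICAL",)


def count_by_severity(report):
    """Count findings per severity across every Results[] entry of a Trivy report."""
    counts = Counter()
    for result in report.get("Results") or []:
        # Trivy emits null (or omits the key) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def gate(report, blocking=BLOCKING, fixed_only=False):
    """Return (passed, counts). passed is False if any blocking finding exists.

    With fixed_only=True only findings that carry a FixedVersion block the
    build, so unfixable OS-package CVEs are reported but do not stop deploys.
    """
    blocked = 0
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in blocking and (not fixed_only or vuln.get("FixedVersion")):
                blocked += 1
    return blocked == 0, count_by_severity(report)


# Constructed sample in Trivy's JSON shape; the CVE IDs are placeholders.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "boardgame:latest (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libc6", "Severity": "CRITICAL", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "openssl", "Severity": "HIGH", "FixedVersion": "3.0.1"},
        ]},
        {"Target": "app.jar", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-lib", "Severity": "CRITICAL", "FixedVersion": "1.2.4"},
        ]},
    ]
}

if __name__ == "__main__":
    # Usage in a Jenkins sh step: python3 trivy_gate.py trivy-report.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, counts = gate(report)
    print(dict(counts), "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

A non-zero exit from the `sh` step is what makes the Jenkins stage, and therefore the pipeline, fail before the Kubernetes deploy stage runs.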
| Tool | Purpose |
|---|---|
| Prometheus | Metrics collection from app + infra |
| Blackbox Exporter | HTTP endpoint uptime monitoring |
| Grafana | Visualization dashboards |
- Jenkins server (with JDK 17 and Maven 3 configured as tools)
- SonarQube server running
- Docker installed and DockerHub credentials configured in Jenkins
- Kubernetes cluster (Minikube or cloud-based)
- Prometheus + Grafana stack deployed
- Clone this repository:
  ```shell
  git clone https://github.com/coderritesh/End-to-End-DevSecOps-CI-CD-Pipeline-with-Security-Monitoring.git
  ```
- Configure Jenkins:
  - Add DockerHub credentials (`docker-cred`)
  - Add SonarQube server in Jenkins settings
  - Install required plugins: SonarQube Scanner, OWASP Dependency-Check, Docker Pipeline, Kubernetes
- Create a Jenkins Pipeline job pointing to this repo's `Jenkinsfile`
- Run the pipeline — all stages execute automatically
- Access Grafana dashboard to monitor the deployed application
- Integrating security tools (SonarQube, OWASP, Trivy) into CI/CD pipelines
- Container image vulnerability scanning before deployment
- Kubernetes deployment and service configuration
- Real-time application monitoring with Prometheus and Grafana
- End-to-end automation from code push to production
Ritesh Gurav