Ayodele Ajimati
09 · DevOps & Infrastructure

End-to-End DevSecOps Pipeline

A complete DevSecOps CI/CD pipeline — build, SAST, container security scan, deploy to Kubernetes, and Prometheus/Grafana observability — where security and monitoring are defaults, not additions.


Problem

Security and observability are typically bolted on after incidents. This project builds a pipeline where they are enforced from the start: every commit is statically analysed, every image is scanned for vulnerabilities, and every deployment ships with monitoring already wired in.

Approach

  1. Built a Jenkins declarative pipeline with 8 stages: Checkout → Build → SAST (SonarQube) → Docker Build → Trivy Image Scan → Push → Deploy to Kubernetes → Smoke Test.

  2. Configured a SonarQube quality gate that fails the pipeline on critical code issues.

  3. Ran Trivy against the built Docker image before the push stage and failed the pipeline on any CRITICAL CVE, so an image with a critical finding never reaches the registry.

  4. Deployed to Kubernetes with kubectl using the Deployment's rolling update strategy, waiting on rollout status so a failed rollout fails the stage.

  5. Provisioned the Prometheus ServiceMonitor and Grafana dashboard as code, deployed alongside the application.

  6. Smoke test stage hits the service health endpoint after deploy and fails the pipeline if it is unreachable.
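
The gate logic behind two of these stages, as an added example that is not the project's own code: a severity policy applied to a Trivy JSON report (step 3) and a retrying health check for the smoke test (step 6). It assumes the report layout produced by `trivy image --format json`; the embedded sample report, its placeholder finding IDs and the health URL are constructed for illustration. In the pipeline itself `trivy image --exit-code 1 --severity CRITICAL` enforces the same hard fail natively; a script like this is what you reach for when the build log should also carry a per-severity summary and the list of blocking findings.

```python
"""Gate logic for the Trivy scan and smoke-test stages (added illustration,
not the project's code). Exits non-zero when the gate fails so that a Jenkins
`sh` step fails the stage."""
import json
import time
import urllib.error
import urllib.request
from collections import Counter

# Trivy's severity scale, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def evaluate_trivy_report(report, fail_on="CRITICAL"):
    """Apply the severity policy to a parsed `trivy image --format json` report.

    Returns (passed, counts_by_severity, offenders). The layout is Trivy's: a
    top-level "Results" list whose entries carry a "Target" and an optional
    "Vulnerabilities" list with "VulnerabilityID", "PkgName",
    "InstalledVersion", "FixedVersion" and "Severity" per finding.
    """
    threshold = SEVERITY_ORDER.index(fail_on.upper())
    counts = Counter()
    offenders = []
    for result in report.get("Results") or []:
        # "Vulnerabilities" is null for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
            counts[sev] += 1
            if rank >= threshold:
                offenders.append({
                    "id": vuln.get("VulnerabilityID"),
                    "pkg": vuln.get("PkgName"),
                    "installed": vuln.get("InstalledVersion"),
                    "fixed": vuln.get("FixedVersion") or "none",
                    "target": result.get("Target"),
                })
    return not offenders, dict(counts), offenders


def http_status(url, timeout=5.0):
    """Return the HTTP status of a GET to `url`, or None if nothing answered."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # the server answered, but not with 2xx
    except (urllib.error.URLError, OSError):
        return None              # connection refused, DNS failure, timeout


def smoke_test(url, attempts=10, delay=3.0, fetch=http_status):
    """Poll the health endpoint until it answers 2xx.

    Pods can take a few seconds after `kubectl rollout status` returns before
    the Service routes to them, so the check retries instead of failing on the
    first refused connection. Returns True on success, False if every attempt
    fails. `fetch` is injectable so the retry logic can be tested offline.
    """
    for attempt in range(1, attempts + 1):
        status = fetch(url)
        if status is not None and 200 <= status < 300:
            return True
        if attempt < attempts:
            time.sleep(delay)
    return False


# Constructed sample report (not real Trivy output); placeholder IDs, not CVEs.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "myapp:42 (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
     "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
    {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
     "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"}]},
  {"Target": "Java", "Vulnerabilities": null}
]}
""")

if __name__ == "__main__":
    import sys
    passed, counts, offenders = evaluate_trivy_report(SAMPLE_REPORT)
    print("severity counts:", counts)
    for o in offenders:
        print(f"BLOCKING {o['id']} in {o['pkg']} {o['installed']} "
              f"(fixed: {o['fixed']}) [{o['target']}]")
    # In the pipeline the smoke test would run against the deployed Service,
    # e.g. smoke_test("http://myapp.default.svc/healthz") (placeholder URL).
    sys.exit(0 if passed else 1)
```

Run against a real report with `trivy image --format json -o report.json myapp:$BUILD_NUMBER` and `evaluate_trivy_report(json.load(open("report.json")))`; the HIGH count lands in the build log while only CRITICAL blocks, matching the page's policy, and `fail_on="HIGH"` tightens it without touching the code.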

Results

Pipeline stages                      8 (checkout → smoke test)
Security gates                       SonarQube quality gate + Trivy image scan
CRITICAL CVE policy                  Hard fail, no override
Time from commit to monitored deploy < 12 minutes

Code

Excerpt of the Jenkins declarative pipeline: the SonarQube quality gate, Trivy scan, and Kubernetes deploy stages.

pipeline {
  agent any
  environment {
    // One immutable tag per build, so the image that is scanned is exactly
    // the image that is pushed and deployed.
    IMAGE = "myapp:${env.BUILD_NUMBER}"
  }
  stages {
    stage('SAST') {
      steps {
        // Runs the analysis with the server URL and token of the SonarQube
        // installation named 'sonarqube' in Jenkins global configuration.
        withSonarQubeEnv('sonarqube') {
          sh 'mvn sonar:sonar'
        }
        // Waits for the quality gate result pushed back by the SonarQube
        // webhook and aborts the build if the gate fails. The timeout is the
        // safety net: without the webhook this would otherwise block forever.
        timeout(time: 5, unit: 'MINUTES') {
          waitForQualityGate abortPipeline: true
        }
      }
    }
    stage('Trivy Scan') {
      steps {
        // Non-zero exit on any CRITICAL finding fails the stage, and with it
        // the pipeline, before the image is pushed or deployed.
        sh 'trivy image --exit-code 1 --severity CRITICAL $IMAGE'
      }
    }
    stage('Deploy') {
      steps {
        // Rolling update of the existing Deployment. rollout status exits
        // non-zero if the new ReplicaSet does not become ready in time, so a
        // bad rollout fails the stage instead of silently leaving pods crashing.
        sh 'kubectl set image deployment/myapp app=$IMAGE'
        sh 'kubectl rollout status deployment/myapp --timeout=5m'
      }
    }
  }
}

Stack

  • Jenkins
  • SonarQube
  • Trivy
  • Docker
  • Kubernetes
  • Prometheus
  • Grafana

Why it matters

  • Pipeline fails on CRITICAL vulnerabilities — no manual override.
  • Grafana dashboards provisioned as code alongside the application on every deploy.
  • Smoke test runs post-deploy; broken services are caught before the pipeline reports success.