A production-grade DevSecOps pipeline for a Three-Tier Todo Application, demonstrating end-to-end security integration from code to deployment on AWS EKS with ALB Ingress.
This project showcases a complete DevSecOps pipeline for a three-tier application, with multiple security scanning tools integrated at every stage, from secret detection to container vulnerability scanning, before deploying to AWS EKS with the Application Load Balancer (ALB) Ingress Controller.
```
┌─────────────────────────────────────────────────────┐
│                ALB Ingress Controller               │
│          (Internet-facing Load Balancer)            │
└──────────────────────┬──────────────────────────────┘
                       │
            ┌──────────┴──────────┐
            │                     │
       ┌────▼─────┐          ┌────▼─────┐
       │Frontend  │          │Backend   │
       │(React)   │─────────▶│(Java)    │
       │Service   │          │Service   │
       └──────────┘          └────┬─────┘
                                  │
                             ┌────▼─────┐
                             │Database  │
                             │(MySQL)   │
                             └──────────┘
```
```
Frontend (Tier 1):
├── React.js          # UI Framework
├── Node.js           # JavaScript Runtime
└── npm               # Package Manager

Backend (Tier 2):
├── JDK 17            # Java Development Kit
├── Maven             # Build Tool
└── Spring Boot       # Backend Framework

Database (Tier 3):
└── MySQL             # Relational Database

CI/CD:
├── Jenkins           # Pipeline Orchestration
├── Git/GitHub        # Version Control
└── kubectl           # Kubernetes CLI

Containerization:
├── Docker            # Container Platform
└── Docker Hub        # Container Registry (17rj)

Orchestration:
├── AWS EKS           # Managed Kubernetes (ap-south-1)
├── ALB Ingress       # Application Load Balancer Controller
└── RBAC              # Role-Based Access Control

Artifact Repository:
└── Nexus             # Artifact Management

Secret Scanning:
└── TruffleHog        # Detect hardcoded secrets in Git

Dependency Scanning (SCA):
├── Snyk              # Software Composition Analysis
└── OWASP Dependency  # Check known vulnerabilities

Code Quality (SAST):
└── SonarQube         # Static Application Security Testing

Container Security:
└── Dockle            # Docker Image Best Practices Linter

Dynamic Testing (DAST):
└── OWASP ZAP         # Web Application Security Scanner
```
| Stage # | Stage Name | Tool/Action | Purpose | Status |
|---|---|---|---|---|
| 1 | Clean Workspace | Jenkins | Clean previous build artifacts | ✅ |
| 2 | Checkout Code | Git | Clone repository from GitHub | ✅ |
| 3 | Frontend Compilation | Node.js | Validate JavaScript syntax | ✅ |
| 4 | Backend Compilation | Maven | Compile Java source code | ✅ |
| 5 | TruffleHog Secret Scan | TruffleHog | Detect secrets in Git history | ✅ |
| 6 | Snyk Frontend SCA | Snyk | Scan npm dependencies | ✅ |
| 7 | Snyk Backend SCA | Snyk | Scan Maven dependencies | ✅ |
| 8 | SonarQube Code Analysis | SonarQube | SAST: code quality & security | ✅ |
| 9 | Quality Gate | SonarQube | Enforce quality standards | ✅ |
| 10 | Build Artifact | Maven | Package backend JAR file | ✅ |
| 11 | Publish to Nexus | Nexus | Upload artifacts to repository | ✅ |
| 12 | OWASP Dependency Check | OWASP Dependency-Check | Check for vulnerable dependencies | ✅ |
| 13 | Docker Build Frontend | Docker | Build frontend container image | ✅ |
| 14 | Docker Build Backend | Docker | Build backend container image | ✅ |
| 15 | Docker Tag Images | Docker | Tag images for registry | ✅ |
| 16 | Dockle Frontend Scan | Dockle | Scan frontend image security | ✅ |
| 17 | Dockle Backend Scan | Dockle | Scan backend image security | ✅ |
| 18 | Push Docker Images | Docker Hub | Push to container registry | ✅ |
| 19 | Kubernetes Deploy | kubectl | Deploy to EKS cluster | ✅ |
| 20 | Retrieve ALB URL | kubectl | Get Application Load Balancer URL | ✅ |
| 21 | Kubernetes Verify | kubectl | Verify all resources running | ✅ |
| 22 | OWASP ZAP Security Scan | ZAP | Dynamic application security testing | ✅ |
| 23 | Cleanup | Docker | Remove old images | ✅ |
```yaml
# Cluster Configuration
Name: expdevops-cluster
Region: ap-south-1 (Mumbai)
Kubernetes Version: 1.28+
Node Type: t3.medium (minimum)
Nodes: 2-3 worker nodes
```

```yaml
# ALB Ingress Controller must be installed
Version: v2.7.0+
IAM OIDC Provider: Enabled
Service Account: aws-load-balancer-controller
Namespace: kube-system

# Required IAM Permissions:
- ec2:DescribeRouteTables
- ec2:DescribeSubnets
- ec2:DescribeSecurityGroups
- elasticloadbalancing:*
```

Setup Guide: See ALB Controller Installation
- ✅ Pipeline Plugin
- ✅ Git Plugin
- ✅ Docker Pipeline Plugin
- ✅ Kubernetes CLI Plugin
- ✅ SonarQube Scanner Plugin
- ✅ OWASP Dependency-Check Plugin
- ✅ Config File Provider Plugin
- ✅ Snyk Security Plugin
- ✅ Credentials Plugin
Jenkins → Global Tool Configuration:

```yaml
JDK:
  Name: jdk-17.0
  Install automatically: Yes
  Version: JDK 17.0.10

Maven:
  Name: maven-3.9
  Install automatically: Yes
  Version: 3.9.6

NodeJS:
  Name: nodejs-23.9
  Install automatically: Yes
  Version: 23.9.0

SonarQube Scanner:
  Name: sonar-scanner
  Install automatically: Yes
  Version: Latest
```
| Credential ID | Type | Purpose |
|---|---|---|
| docker-cred | Username/Password | Docker Hub login |
| kube-cred | Secret file | Kubernetes config |
| sonar-cred | Secret text | SonarQube token |
| snyk-cred | Secret text | Snyk API token |
| nvd-api-key | Secret text | NVD API key |
| nexus-settings | Config file | Maven settings.xml |
URL: http://your-sonarqube-server:9000
Project Key: devsecopsthreetier
Quality Gate: Configured
URL: http://your-nexus-server:8081
Repository: maven-releases
Authentication: Configured in settings.xml
Registry: Docker Hub
Username: 17rj
Repositories:
- three-tier-todo-frontend
- three-tier-todo-backend
```bash
# TruffleHog
pip3 install trufflehog

# Snyk
npm install -g snyk

# Dockle
wget https://github.com/goodwithtech/dockle/releases/download/v0.4.14/dockle_0.4.14_Linux-64bit.tar.gz
tar zxvf dockle_0.4.14_Linux-64bit.tar.gz
sudo mv dockle /usr/local/bin/

# Docker
sudo apt install docker.io -y
sudo usermod -aG docker $USER && newgrp docker

# HELM
sudo snap install helm --classic
```

```bash
# Create namespace
kubectl create namespace threetierapp

# Apply RBAC for Jenkins
kubectl apply -f jenkins-rbac.yaml
```

```
Three-Tier-Todo-Application/
├── frontend/                  # React.js application
│   ├── src/
│   │   ├── components/
│   │   ├── pages/
│   │   └── App.jsx
│   ├── Dockerfile
│   ├── package.json
│   └── nginx.conf
│
├── backend/                   # Spring Boot application
│   ├── src/
│   │   ├── main/
│   │   │   ├── java/
│   │   │   └── resources/
│   │   └── test/
│   ├── pom.xml
│   └── Dockerfile
│
├── K8s/                       # Kubernetes manifests
│   ├── secrets-configmap.yml
│   ├── db-ds-service.yml
│   ├── backend-ds-service.yml
│   ├── frontend-ds-service.yml
│   ├── ingress.yml
│   └── jenkins-rbac.yaml
│
├── Jenkinsfile                # Pipeline Definition
├── istio/
├── docker-compose.yaml        # Local development
├── snapshot/                  # Screenshots
└── README.md
```
```bash
git clone https://github.com/17J/Three-Tier-Todo-Application.git
cd Three-Tier-Todo-Application
```

```bash
git clone https://github.com/17J/Terraform-AWS-EKS.git
cd Terraform-AWS-EKS/terraform/
terraform init
terraform plan
terraform apply -auto-approve
kubectl get nodes
```

```bash
# Associate OIDC provider
eksctl utils associate-iam-oidc-provider \
  --region ap-south-1 \
  --cluster expdevops-cluster \
  --approve

# Create IAM policy
curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.7.0/docs/install/iam_policy.json
aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam_policy.json

# Create service account
eksctl create iamserviceaccount \
  --cluster=expdevops-cluster \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --attach-policy-arn=arn:aws:iam::YOUR_ACCOUNT_ID:policy/AWSLoadBalancerControllerIAMPolicy \
  --override-existing-serviceaccounts \
  --approve

# Install controller via Helm
helm repo add eks https://aws.github.io/eks-charts
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=expdevops-cluster \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller
```

```bash
# Create namespace
kubectl create namespace threetierapp

# Apply Jenkins RBAC
kubectl apply -f K8s/jenkins-rbac.yaml
```

1. Create new Pipeline job
2. Configure Git repository
3. Point to Jenkinsfile
4. Add all required credentials
5. Run pipeline
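The security gates from the stage table, written as an added declarative Jenkinsfile fragment; this is illustrative and not the repository's own Jenkinsfile. It reuses the tool names, credential IDs and environment variables listed on this page; the SonarQube server name `sonar-server` is an assumption. Each gate exits non-zero on findings, so the build stops before any image reaches Docker Hub.

```groovy
pipeline {
    agent any
    tools {
        jdk 'jdk-17.0'            // tool names from the Global Tool Configuration above
        maven 'maven-3.9'
        nodejs 'nodejs-23.9'
    }
    environment {
        SCANNER_HOME        = tool 'sonar-scanner'
        DOCKER_REGISTRY     = '17rj'
        BACKEND_IMAGE_NAME  = 'three-tier-todo-backend'
        IMAGE_TAG           = "${env.BUILD_NUMBER}"
    }
    stages {
        stage('Snyk Backend SCA') {
            steps {
                // Token injected from the Jenkins credential store (snyk-cred), never from the repo.
                withCredentials([string(credentialsId: 'snyk-cred', variable: 'SNYK_TOKEN')]) {
                    dir('backend') {
                        // Non-zero exit on high/critical findings aborts the build (fail fast).
                        sh 'snyk test --severity-threshold=high'
                    }
                }
            }
        }
        stage('SonarQube Code Analysis') {
            steps {
                // 'sonar-server' is an assumed name for the SonarQube server entry in Jenkins.
                withSonarQubeEnv('sonar-server') {
                    sh "${SCANNER_HOME}/bin/sonar-scanner -Dsonar.projectKey=devsecopsthreetier"
                }
            }
        }
        stage('Quality Gate') {
            steps {
                // Wait for SonarQube's verdict; a failed gate aborts the pipeline.
                timeout(time: 5, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('Dockle Backend Scan') {
            steps {
                // Exit code 1 on WARN or worse stops the run before the push stage.
                sh "dockle --exit-code 1 --exit-level warn ${DOCKER_REGISTRY}/${BACKEND_IMAGE_NAME}:${IMAGE_TAG}"
            }
        }
    }
}
```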
| Todo List Dashboard | Add New Task | Task Management |
|---|---|---|
| (screenshot) | (screenshot) | (screenshot) |
- ✅ Secret Detection (TruffleHog) - Scans Git history for leaked credentials
- ✅ Dependency Scanning (Snyk + OWASP) - Identifies vulnerable packages
- ✅ SAST (SonarQube) - Static code analysis for bugs & vulnerabilities
- ✅ Container Scanning (Dockle) - Docker image best practices validation
- ✅ DAST (OWASP ZAP) - Dynamic application security testing
- ✅ Quality Gates - Automated quality enforcement
- ✅ RBAC in Kubernetes - Least privilege access control
- ✅ Network Policies - Ingress controller security
- ✅ Artifact Traceability - Nexus repository integration
- ✅ Build Reproducibility - Tagged Docker images
- ✅ Audit Trails - Jenkins build logs

- CI/CD Automation - Fully automated pipeline from code to production
- Containerization - Docker multi-stage builds
- Orchestration - Kubernetes with auto-scaling
- GitOps - Version-controlled infrastructure
- Zero Trust - RBAC and network policies
- Defense in Depth - Multiple security layers
- Continuous Monitoring - Security scans at every stage
- Fail Fast - Early detection of vulnerabilities
- High Availability - Multi-replica deployments
- Scalability - Kubernetes HPA support
- Observability - Logging and monitoring ready
- Load Balancing - AWS ALB with health checks
```
SCANNER_HOME          # SonarQube scanner path
FRONTEND_IMAGE_NAME   # Frontend Docker image name
BACKEND_IMAGE_NAME    # Backend Docker image name
IMAGE_TAG             # Build number
DOCKER_REGISTRY       # Docker Hub username
K8S_NAMESPACE         # Kubernetes namespace
```

```
# Backend
SPRING_DATASOURCE_URL=jdbc:mysql://mysql-service:3306/tododb
SPRING_DATASOURCE_USERNAME=root
SPRING_DATASOURCE_PASSWORD=***

# Frontend
REACT_APP_API_URL=/api
```

```bash
# Check controller logs
kubectl logs -n kube-system deployment/aws-load-balancer-controller

# Verify IAM permissions
kubectl describe sa aws-load-balancer-controller -n kube-system

# Check ingress status
kubectl describe ingress todo-app-ingress -n threetierapp
```

```bash
# Test permissions
kubectl auth can-i create deployments \
  --as=system:serviceaccount:threetierapp:jenkins \
  -n threetierapp

# Recreate service account token
kubectl delete secret jenkins-token -n threetierapp
kubectl create secret generic jenkins-token \
  --from-literal=token=$(kubectl create token jenkins -n threetierapp)
```

```bash
# Check pod logs
kubectl logs -n threetierapp <pod-name>

# Verify secrets
kubectl get secrets -n threetierapp

# Check service endpoints
kubectl get endpoints -n threetierapp
```

```bash
# Deploy to Kubernetes
kubectl apply -f K8s/secrets-configmap.yml -n threetierapp
kubectl apply -f K8s/db-ds-service.yml -n threetierapp
kubectl apply -f K8s/backend-ds-service.yml -n threetierapp
kubectl apply -f K8s/frontend-ds-service.yml -n threetierapp
kubectl apply -f K8s/ingress.yml -n threetierapp

# Get ALB URL
kubectl get ingress todo-app-ingress -n threetierapp
```

```bash
# Trigger pipeline
# Pipeline will automatically:
# 1. Run all security scans
# 2. Build and push Docker images
# 3. Deploy to Kubernetes
# 4. Configure ALB ingress
# 5. Run DAST scan
```

```bash
# Frontend logs
kubectl logs -f deployment/frontend -n threetierapp

# Backend logs
kubectl logs -f deployment/backend -n threetierapp

# Database logs
kubectl logs -f statefulset/mysql -n threetierapp
```

```bash
# All resources
kubectl get all -n threetierapp

# Ingress status
kubectl get ingress -n threetierapp

# Pod status
kubectl get pods -n threetierapp -o wide
```

Contributions are welcome! Please follow these steps:
- Fork the repository
- Create feature branch (`git checkout -b feature/AmazingFeature`)
- Commit changes (`git commit -m 'Add AmazingFeature'`)
- Push to branch (`git push origin feature/AmazingFeature`)
- Open Pull Request
This project is licensed under the MIT License; see the LICENSE file for details.
Rahul Joshi
Email: 17rahuljoshi@gmail.com
GitHub: @17J

Give a ⭐ if this project helped you learn DevSecOps practices!

- AWS EKS Documentation
- ALB Ingress Controller Guide
- Jenkins Pipeline Syntax
- SonarQube Documentation
- OWASP Top 10

Built with ❤️ for the DevSecOps Community