Implementing a DevSecOps CI/CD Pipeline for Multi‑Language Applications with Jenkins
This article walks through building a comprehensive DevSecOps CI/CD pipeline in Jenkins that integrates source control, static analysis, vulnerability scanning, multi‑language builds, Docker image creation, Trivy security checks, Kubernetes deployment, and ZAP DAST testing to securely deliver applications across various runtimes.
Overview
In fast‑paced software development, a robust CI/CD pipeline is essential for automating builds, tests, security checks, and deployments. The article demonstrates how to orchestrate a DevSecOps pipeline using Jenkins, Groovy scripts, and a suite of tools to handle multi‑language applications securely.
Prerequisites
The pipeline requires Git, Jenkins, Sonar‑Scanner, Snyk, Java/Maven/Node.js/Python (depending on the project), Docker, Aqua Trivy, Kubernetes, and ZAP Proxy. These tools are integrated through Jenkins environment variables and stages.
Pipeline Configuration
The Jenkins job can be configured in one of two ways, and both are shown: writing the pipeline script directly in the job definition, or pointing the job at a Jenkinsfile stored in the repository so it is pulled from SCM alongside the code.
Stages
The pipeline consists of the following stages:
Clean Workspace – removes previous artifacts.
Git Checkout – clones the source code from the configured repository.
SonarCloud – runs SAST code‑quality analysis.
Snyk Analysis – performs vulnerability scanning of dependencies.
Detect and Set Java – automatically determines the Java version and configures the JDK tool.
Frontend Build and Test – runs npm install and test when a package.json is present.
Java Spring Boot Build and Test – builds and tests Maven projects.
.NET Build and Test – builds and tests .NET solutions.
PHP Build and Test – installs Composer dependencies and runs PHPUnit.
iOS Build and Test – invokes xcodebuild for Xcode projects.
Android Build and Test – runs Gradle build and test tasks.
Ruby on Rails Build and Test – bundles gems, runs migrations, and executes Rails tests.
Flask Build and Test – installs Python requirements and runs unittest discovery.
Django Build and Test – installs requirements, runs migrations, and executes Django tests.
Rust Build and Test – builds and tests Cargo projects.
Ruby Sinatra Build and Test – installs Bundler and runs Rake tests.
Build and Push Docker Image – builds a Docker image from a Dockerfile and pushes it to a registry.
Trivy Scan – scans the Docker image for vulnerabilities using Aqua Trivy.
Kubernetes Deployment – deploys the image to a Kubernetes cluster using a deployment manifest.
Run DAST Using ZAP – executes a ZAP Proxy scan against the deployed service.
Key Groovy Script (Jenkinsfile)
// Define the detectJavaVersion function outside of the pipeline block so it can
// be called from a script step. It parses the first line of `java -version`
// and maps the major version onto the JDK tool names used by the pipeline.
def detectJavaVersion() {
    // `java -version` prints to stderr, so redirect it into stdout before capturing.
    def javaVersionOutput = sh(script: 'java -version 2>&1', returnStdout: true).trim()
    // OpenJDK prints `openjdk version "17.0.2"`, Oracle JDK prints `java version "17.0.2"`;
    // capture the leading "major.minor" digits either way (1.8, 11.0, 17.0, ...).
    def javaVersionMatch = javaVersionOutput =~ /(?:openjdk|java) version "(\d+\.\d+)/
    if (javaVersionMatch) {
        def javaVersion = javaVersionMatch[0][1]
        if (javaVersion.startsWith("1.8")) { return '8' }
        else if (javaVersion.startsWith("11")) { return '11' }
        else if (javaVersion.startsWith("17")) { return '17' }
        else { error("Unsupported Java version detected: ${javaVersion}") }
    } else {
        error("Java version information not found in output.")
    }
}

pipeline {
    agent any
    environment {
        // Names of tool installations and credentials configured in Jenkins
        SONARCLOUD = 'Sonarcloud'
        SNYK_INSTALLATION = 'snyk@latest'
        SNYK_TOKEN = 'Snyk'
        DOCKER_REGISTRY_CREDENTIALS = 'Docker_Server'
        DOCKER_IMAGE = 'ganesharavind124/anacart:latest'
        DOCKER_TOOL = 'Docker'
        DOCKER_URL = 'https://index.docker.io/v1/'
        KUBE_CONFIG = 'kubernetes'
    }
    stages { /* All stages described above */ }
}
Conclusion
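The article lists the stages but elides their bodies in the Jenkinsfile. The following declarative pipeline, an added example rather than the article's own Jenkinsfile, fills in the security-gating stages from the stage list above (Detect and Set Java, Build and Push Docker Image, Trivy Scan, Kubernetes Deployment, Run DAST Using ZAP) around the article's environment block. It assumes the article's detectJavaVersion() helper is defined above the pipeline block, that JDK tool installations named JDK8, JDK11 and JDK17 exist under Manage Jenkins, that the Docker Pipeline, Kubernetes CLI and Workspace Cleanup plugins are installed, and that the deployment manifest path k8s/deployment.yaml, the deployment name anacart and the in-cluster ZAP target URL are placeholders to be replaced.

```groovy
pipeline {
    agent any
    environment {
        // Values taken from the article's environment block
        DOCKER_REGISTRY_CREDENTIALS = 'Docker_Server'
        DOCKER_IMAGE = 'ganesharavind124/anacart:latest'
        DOCKER_URL = 'https://index.docker.io/v1/'
        KUBE_CONFIG = 'kubernetes'
        // Added settings (assumptions): which Trivy severities block the release,
        // and the URL the deployed service is reachable at from the ZAP container.
        TRIVY_SEVERITY = 'HIGH,CRITICAL'
        ZAP_TARGET = 'http://anacart.default.svc.cluster.local:8080'
    }
    stages {
        stage('Clean Workspace') {
            steps { cleanWs() }
        }
        stage('Git Checkout') {
            steps { checkout scm }
        }
        stage('Detect and Set Java') {
            when { expression { fileExists('pom.xml') } }
            steps {
                script {
                    // Map the '8' / '11' / '17' result of the article's helper onto a
                    // JDK tool installation (names assumed) and put it on PATH.
                    def jdkName = ['8': 'JDK8', '11': 'JDK11', '17': 'JDK17'][detectJavaVersion()]
                    env.JAVA_HOME = tool name: jdkName, type: 'jdk'
                    env.PATH = "${env.JAVA_HOME}/bin:${env.PATH}"
                }
            }
        }
        stage('Build and Push Docker Image') {
            steps {
                script {
                    docker.withRegistry(env.DOCKER_URL, env.DOCKER_REGISTRY_CREDENTIALS) {
                        docker.build(env.DOCKER_IMAGE).push()
                    }
                }
            }
        }
        stage('Trivy Scan') {
            steps {
                // First pass keeps a full JSON report for the build record; second pass
                // returns exit code 1 when any HIGH/CRITICAL finding exists, which fails
                // the stage and stops the image from reaching the deployment stage.
                sh "trivy image --format json --output trivy-report.json --no-progress ${env.DOCKER_IMAGE}"
                sh "trivy image --exit-code 1 --severity ${env.TRIVY_SEVERITY} --no-progress ${env.DOCKER_IMAGE}"
                archiveArtifacts artifacts: 'trivy-report.json', fingerprint: true
            }
        }
        stage('Kubernetes Deployment') {
            steps {
                withKubeConfig([credentialsId: env.KUBE_CONFIG]) {
                    sh 'kubectl apply -f k8s/deployment.yaml'
                    // Wait for the rollout so ZAP scans the new pods, not the old ones.
                    sh 'kubectl rollout status deployment/anacart --timeout=120s'
                }
            }
        }
        stage('Run DAST Using ZAP') {
            steps {
                // zap-baseline.py exits 0 on pass, 2 on warnings and 1 on failures;
                // -I suppresses the warning exit so only FAIL-level findings gate the build.
                sh "docker run --rm -v \$(pwd):/zap/wrk:rw ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t ${env.ZAP_TARGET} -r zap-report.html -I"
                archiveArtifacts artifacts: 'zap-report.html'
            }
        }
    }
}
```

The two gates are deliberately placed where they cut off the next step: Trivy runs after the image is pushed but before the deployment manifest is applied, and the ZAP baseline scan runs only after the rollout has completed. Adding `--ignore-unfixed` to the second Trivy invocation is a common tuning if findings without an available fix should not block releases.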
The pipeline showcases end‑to‑end automation for building, testing, securing, containerizing, and deploying applications written in Java, Node.js, Python, .NET, PHP, Ruby, Rust, and more, while integrating industry‑standard security tools to enforce DevSecOps best practices.
DevOps Cloud Academy
Exploring industry DevOps practices and technical expertise.