The latest articles on DEV Community by KkInTech15 (@kkintech15). https://dev.to/kkintech15 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2489469%2Fd8d1d52a-e8d7-43c4-b575-37f2e64061f9.jpeg https://dev.to/kkintech15 en KkInTech15 Mon, 07 Jul 2025 00:33:42 +0000 https://dev.to/kkintech15/building-a-devsecops-pipeline-local-testing-with-maven-sonarqube-trivy-and-jfrog-artifactory-5a2a https://dev.to/kkintech15/building-a-devsecops-pipeline-local-testing-with-maven-sonarqube-trivy-and-jfrog-artifactory-5a2a <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcyiil8ypl62qrmdjyxcz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcyiil8ypl62qrmdjyxcz.png" alt="Image description" width="800" height="407"></a></p> <p>In this post, I'm sharing the local testing phase of a real-world DevSecOps pipeline that integrates essential tools for code quality, security scanning, and artifact management — all tested on EC2 instances in AWS.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqqp6pbt0dpfdvl5x94t0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqqp6pbt0dpfdvl5x94t0.png" alt="Image description" width="796" height="293"></a></p> <p><strong>🧪 Local Testing Workflow (Completed)</strong></p> <p>I’ve validated the full DevSecOps pipeline locally using the following steps:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ mvn clean, test, compile, package, deploy ✅ SonarQube analysis via scanner publishing results to the SonarQube UI ✅ Trivy scanning the file system and detecting known vulnerabilities in dependencies (especially in pom.xml) ✅ Maven pushing the final .jar artifact to JFrog Artifactory </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzbbf7nzhb4y4doyq4xub.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzbbf7nzhb4y4doyq4xub.png" alt="Image description" width="800" height="253"></a></p> <p><strong>🔍 SonarQube Setup Highlights</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- Installed SonarQube 10.5 - Configured PostgreSQL - Created systemd service for automatic restart - Verified access to SonarQube via browser UI - Used the following sonar-project.properties to enable code scanning and coverage reporting: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sonar.projectKey=my-app sonar.projectName=My App sonar.projectVersion=1.0 sonar.host.url=http://&lt;sonar-server-ip&gt;:9000 sonar.sources=src/main/java sonar.tests=src/test/java sonar.java.binaries=target/classes sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1jixfchbqhleox05d3r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1jixfchbqhleox05d3r.png" alt="Image description" width="800" height="273"></a></p> <p><strong>🗃️ JFrog Artifactory Setup (OSS Edition 7.71.23)</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- Installed Artifactory with Derby DB (lightweight, avoids PostgreSQL setup for testing) - Created /opt/jfrog/var/data/derby with proper permissions - Deployed .jar to Artifactory using Maven's distributionManagement block in pom.xml: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;distributionManagement&gt; &lt;repository&gt; &lt;id&gt;jfrog-artifactory&lt;/id&gt; &lt;name&gt;JFrog Maven Local Repository&lt;/name&gt; &lt;url&gt;http://&lt;artifactory-server-ip&gt;:8082/artifactory/maven-local&lt;/url&gt; &lt;/repository&gt; &lt;/distributionManagement&gt; </code></pre> </div> <ul> <li>Artifactory was made accessible on port 8082 with default UI credentials</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nc9knbefvzow9mcp2j5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nc9knbefvzow9mcp2j5.png" alt="Image description" width="800" height="323"></a></p> <p><strong>🔒 Trivy Scanning</strong></p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>* Installed Trivy CLI on the Maven + Artifactory instance * Scanned: * Entire file system for vulnerable packages * The pom.xml for dependency issues * Focused on identifying Log4J-related vulnerabilities and other CVEs </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>trivy fs . --scanners vuln --severity HIGH,CRITICAL </code></pre> </div> <p>❗ For this phase, I didn’t scan .jar directly (which is not recommended unless SBOM is enforced). That’ll be added in a later post.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fefzbagonip2dkbd4v49m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fefzbagonip2dkbd4v49m.png" alt="Image description" width="800" height="390"></a></p> <p><strong>📊 Jacoco for Code Coverage</strong></p> <ul> <li>Integrated with Maven using the jacoco-maven-plugin: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;plugin&gt; &lt;groupId&gt;org.jacoco&lt;/groupId&gt; &lt;artifactId&gt;jacoco-maven-plugin&lt;/artifactId&gt; &lt;version&gt;0.8.8&lt;/version&gt; ... &lt;/plugin&gt; </code></pre> </div> <ul> <li>Coverage report generated at: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>target/site/jacoco/index.html </code></pre> </div> <p><strong>📌 What’s Next</strong></p> <p>In the next phase, I will integrate:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>* Jenkins for complete CI/CD automation * SonarQube, Trivy, and Artifactory into Jenkins pipeline * GitHub Webhooks or EventBridge (for event-driven builds) * More advanced vulnerability policies </code></pre> </div> <p>Stay tuned! 👨‍💻</p> <p><strong>🙌 Connect With Me</strong></p> <p>I’m building and learning in public to stay focused, attract meaningful DevOps opportunities, and grow in the open.<br> You can also connect with me on LinkedIn where I post DevOps projects regularly.</p> <p>Thanks for reading!</p>