Kapil Bhalodiya
🚀 Secure Your Deployments: A DevSecOps + GitOps CI/CD Pipeline with Jenkins, ArgoCD, and Kubernetes

A complete breakdown of how I automated code quality, security, containerization, GitOps deployment, and monitoring, using only open-source tools.

🚀 Why I Built This Pipeline

In today's cloud-native era, simply deploying code isn't enough.
We need to:

✅ Ensure code quality
✅ Scan for security vulnerabilities
✅ Automate deployments
✅ Monitor everything
✅ Get feedback instantly

So, I decided to build a DevSecOps + GitOps pipeline that ties together:

πŸ” Jenkins for CI/CD

πŸ“¦ Docker + GitHub + DockerHub

πŸ” SonarQube, Trivy, OWASP Dependency Check

☸️ Kubernetes + ArgoCD

πŸ“ˆ Prometheus, Grafana, Loki, Alertmanager

πŸ’¬ Slack + Gmail notifications

🎥 See It in Action

Watch the pipeline executing:

🧠 Pipeline Flow Breakdown

Let's walk through each step in this real-world production-ready CI/CD setup.

🟢 1. Developer Pushes Code to GitHub

A push to the repository triggers a Jenkins multibranch pipeline via a GitHub webhook.

🟡 2. Jenkins CI Begins with Parallel Security Gates

```groovy
pipeline {
  agent any
  stages {
    // The three security gates run concurrently inside one stage;
    // any one of them failing fails the build.
    stage('Security Gates') {
      parallel {
        stage('SonarQube') {
          steps {
            // Static analysis and code-quality gate. The "..." stands for the
            // remaining server/login options, which are omitted in the post.
            sh 'sonar-scanner -Dsonar.projectKey=my-app ...'
          }
        }
        stage('Trivy Scan') {
          steps {
            // Scans the checked-out source tree for known-vulnerable packages;
            // --exit-code 1 turns findings into a failed stage.
            sh 'trivy fs . --exit-code 1'
          }
        }
        stage('OWASP Check') {
          steps {
            // Looks up the project's dependencies against known CVEs.
            sh './dependency-check/bin/dependency-check.sh -s .'
          }
        }
      }
    }
  }
}
```

✅ Code quality, container vulnerabilities, and dependency checks all run in parallel

🔵 3. Docker Build + Push

```bash
# <image-name> and <image-tag> are placeholders; in the pipeline the tag is
# usually derived from the commit SHA or build number so it is unique per build.
docker build -t <image-name>:<image-tag> .
docker push <image-name>:<image-tag>
```

Built containers are pushed to DockerHub or any secure private registry.

🟠 4. Jenkins CD Updates Kubernetes Manifests

Jenkins updates the Kubernetes manifests (here, the tag: key in values.yaml) with the new Docker image:

```bash
# imageTag holds the tag pushed in step 3. Replace the value of the
# "tag:" key in the Helm values file, then commit the change.
sed -i -E "s|^([[:space:]]*tag:) .*|\\1 \"${imageTag}\"|" values.yaml
git commit -am "update image tag"
git push origin main
```

This commit lands in a separate Infra GitHub Repo, which is continuously watched by ArgoCD.
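The tag bump above has two quiet failure modes: a sed that matches nothing commits a no-op that ArgoCD never deploys, and a tag derived from a branch name can carry sed or YAML metacharacters into the manifest repo. The function below is an added example, not code from the post; it assumes a Helm-style values.yaml with exactly one tag: key, as in the snippet above, and a GNU sed.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): a guarded replacement for the
# "sed -i ... values.yaml" step. Assumes a values.yaml with a single "tag:"
# key and GNU sed (-i without a suffix argument).
set -eu

# bump_image_tag FILE TAG
#   returns 0  tag rewritten and read back successfully
#           2  TAG is not a valid Docker tag (FILE is left untouched)
#           3  FILE does not contain exactly one "tag:" line
bump_image_tag() {
  file="$1"; tag="$2"
  # Docker tag grammar: [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}. Refusing anything
  # else also keeps |, &, \ and quotes out of the sed expression below.
  case "$tag" in
    ''|.*|-*|*[!A-Za-z0-9_.-]*)
      echo "bump_image_tag: refusing tag '$tag'" >&2; return 2 ;;
  esac
  [ "${#tag}" -le 128 ] || { echo "bump_image_tag: tag too long" >&2; return 2; }

  # Zero matches would commit a no-op that ArgoCD never rolls out; more than
  # one would rewrite unrelated keys. Both are errors, not warnings.
  matches=$(grep -cE '^[[:space:]]*tag:' "$file" 2>/dev/null || true)
  matches=${matches:-0}
  if [ "$matches" -ne 1 ]; then
    echo "bump_image_tag: expected one 'tag:' line in $file, found $matches" >&2
    return 3
  fi

  sed -i -E "s|^([[:space:]]*tag:) .*|\\1 \"$tag\"|" "$file"
  # Read back what was written so a silent sed quirk cannot slip through.
  grep -qE "^[[:space:]]*tag: \"$tag\"\$" "$file"
}
```

Call it from the Jenkins sh step in place of the bare sed, and only commit when it returns 0.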

🔴 5. ArgoCD (GitOps) Deploys to Kubernetes

  • ArgoCD syncs automatically with the updated manifest repo.
  • It deploys the new version into the Kubernetes cluster.

🟣 6. Monitoring & Logging Kicks In

Prometheus scrapes metrics from the cluster and app.
Grafana Dashboards display:

  • Application performance
  • Pod CPU/memory usage
  • Business metrics

Loki collects logs.
Alertmanager sends alerts on failures, high latency, and similar conditions.

📨 7. Instant Notifications

Pipeline stages notify:

✅ Gmail for critical alerts

✅ Slack #ci-cd for success/failure, build times

Example Slack message:

✅ Docker image built and pushed
🚀 ArgoCD deployed version to cluster

🧪 Challenges I Faced

  • Managing parallel Jenkins stages with proper failure handling
  • Avoiding secret exposure in git history
  • Setting up ArgoCD auto-sync correctly
  • Tuning Prometheus scraping and Grafana alert rules
  • Handling secure scanning without breaking pipelines

💡 What I Learned

Security gates should be integrated early (shift-left) in CI

☸️ GitOps brings traceability and rollback safety

📈 Observability is critical for real production setups

📬 Notifications save time during active development cycles

🔗 Try It Yourself

📬 Final Thoughts

This pipeline is more than a pet project: it's a blueprint for building production-ready, secure, and scalable deployment workflows using only open-source tools.

If you're starting your DevOps journey or want to adopt GitOps at scale, this setup might help you avoid months of trial and error.

💬 Feel free to drop your thoughts, suggestions, or questions in the comments.
I'm open to feedback and collaborations!
