In this post, I'm sharing the local testing phase of a real-world DevSecOps pipeline that integrates essential tools for code quality, security scanning, and artifact management, all tested on EC2 instances in AWS.
Local Testing Workflow (Completed)
I've validated the full DevSecOps pipeline locally using the following steps:
- mvn clean, test, compile, package, deploy
- SonarQube analysis via the scanner, publishing results to the SonarQube UI
- Trivy scanning the file system and detecting known vulnerabilities in dependencies (especially those declared in pom.xml)
- Maven pushing the final .jar artifact to JFrog Artifactory
SonarQube Setup Highlights
- Installed SonarQube 10.5
- Configured PostgreSQL
- Created systemd service for automatic restart
- Verified access to SonarQube via browser UI
- Used the following sonar-project.properties to enable code scanning and coverage reporting:
sonar.projectKey=my-app
sonar.projectName=My App
sonar.projectVersion=1.0
sonar.host.url=http://<sonar-server-ip>:9000
sonar.sources=src/main/java
sonar.tests=src/test/java
sonar.java.binaries=target/classes
sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
JFrog Artifactory Setup (OSS Edition 7.71.23)
- Installed Artifactory with Derby DB (lightweight, avoids PostgreSQL setup for testing)
- Created /opt/jfrog/var/data/derby with proper permissions
- Deployed .jar to Artifactory using Maven's distributionManagement block in pom.xml:
<distributionManagement>
  <repository>
    <id>jfrog-artifactory</id>
    <name>JFrog Maven Local Repository</name>
    <url>http://<artifactory-server-ip>:8082/artifactory/maven-local</url>
  </repository>
</distributionManagement>
- Artifactory was made accessible on port 8082 with default UI credentials
Trivy Scanning
* Installed the Trivy CLI on the Maven + Artifactory instance
* Scanned:
  * the entire file system for vulnerable packages
  * pom.xml for dependency issues
* Focused on identifying Log4J-related vulnerabilities and other CVEs
* Command used:
trivy fs . --scanners vuln --severity HIGH,CRITICAL
For this phase, I didn't scan .jar directly (which is not recommended unless SBOM is enforced). That'll be added in a later post.
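As an added example (not code from this post), here is a small Python policy gate for the Trivy step: it parses the JSON report that `trivy fs . --scanners vuln --format json -o trivy.json` produces, flattens the findings across every scanned target (pom.xml included), and returns a non-zero exit code when anything at or above a chosen severity is present, with an option to tolerate findings that have no fixed version yet. The sample report, its CVE ids, package names and versions are constructed placeholders.

```python
"""Severity gate over Trivy JSON output (added example, not the post's code)."""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Constructed sample in Trivy's JSON layout; CVE ids, package names and versions are placeholders.
SAMPLE_REPORT = {"Results": [
    {"Target": "pom.xml", "Class": "lang-pkgs", "Type": "pom", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "org.example:logging-core",
         "InstalledVersion": "2.0.1", "FixedVersion": "2.0.2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "org.example:legacy-lib",
         "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "org.example:util",
         "InstalledVersion": "3.1", "FixedVersion": "3.2", "Severity": "MEDIUM"}]},
    # Trivy omits "Vulnerabilities" for clean targets, so the gate must tolerate a missing key.
    {"Target": "src/main/resources/application.properties", "Class": "config", "Type": "properties"}]}

def collect_findings(report):
    """Flatten the vulnerabilities of every scanned target into one list of dicts."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append({"target": result.get("Target", "?"), "id": v.get("VulnerabilityID", "?"),
                        "pkg": v.get("PkgName", "?"), "installed": v.get("InstalledVersion", "?"),
                        "fixed": v.get("FixedVersion") or "", "severity": v.get("Severity", "UNKNOWN").upper()})
    return out

def violations(findings, fail_on="HIGH", ignore_unfixed=False):
    """Findings at or above fail_on; ignore_unfixed drops those with no FixedVersion (like --ignore-unfixed)."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold
            and not (ignore_unfixed and not f["fixed"])]

def gate_report(report, fail_on="HIGH", ignore_unfixed=False):
    """Print each violation; return (exit_code, per-severity totals), exit_code 1 = fail the build."""
    findings = collect_findings(report)
    bad = violations(findings, fail_on, ignore_unfixed)
    for f in bad:
        print(f"{f['severity']:8} {f['id']} {f['pkg']}@{f['installed']} "
              f"(fix: {f['fixed'] or 'none yet'}) in {f['target']}")
    return (1 if bad else 0), Counter(f["severity"] for f in findings)

if __name__ == "__main__":  # usage: python gate.py trivy.json  (falls back to the sample)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    code, totals = gate_report(report, fail_on="HIGH")
    print("severity totals:", dict(totals))
    sys.exit(code)
```

Wired into a build step, the non-zero exit is what stops the Maven deploy to Artifactory from running after a failed scan.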
JaCoCo for Code Coverage
- Integrated with Maven using the jacoco-maven-plugin:
<plugin>
  <groupId>org.jacoco</groupId>
  <artifactId>jacoco-maven-plugin</artifactId>
  <version>0.8.8</version>
  ...
</plugin>
- Coverage report generated at:
target/site/jacoco/index.html
What's Next
In the next phase, I will integrate:
* Jenkins for complete CI/CD automation
* SonarQube, Trivy, and Artifactory into the Jenkins pipeline
* GitHub Webhooks or EventBridge (for event-driven builds)
* More advanced vulnerability policies
Stay tuned!
Connect With Me
I'm building and learning in public to stay focused, attract meaningful DevOps opportunities, and grow in the open.
You can also connect with me on LinkedIn where I post DevOps projects regularly.
Thanks for reading!