{"id":13625984,"url":"https://github.com/boozallen/devsecops-example-helloworld","last_synced_at":"2025-10-05T14:31:36.727Z","repository":{"id":45508982,"uuid":"97970681","full_name":"boozallen/devsecops-example-helloworld","owner":"boozallen","description":"Example of a CI/CD Pipeline using Jenkins Multi-branch Pipelines hosted at AWS","archived":true,"fork":false,"pushed_at":"2018-05-07T20:30:32.000Z","size":2128,"stargazers_count":92,"open_issues_count":5,"forks_count":149,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-09-30T18:05:37.176Z","etag":null,"topics":["aws-cloudformation","docker","jenkins-pipeline","junit4","sonarqube","spring-boot","webdriver"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/boozallen.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-07-21T17:11:59.000Z","updated_at":"2024-08-25T02:15:16.000Z","dependencies_parsed_at":"2022-07-16T18:30:31.618Z","dependency_job_id":null,"html_url":"https://github.com/boozallen/devsecops-example-helloworld","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boozallen%2Fdevsecops-example-helloworld","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boozallen%2Fdevsecops-example-helloworld/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boozallen%2Fdevsecops-example-helloworld/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/boozallen%2Fdevsecops-example-helloworld/manifes
ts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/boozallen","download_url":"https://codeload.github.com/boozallen/devsecops-example-helloworld/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235405233,"owners_count":18984868,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-cloudformation","docker","jenkins-pipeline","junit4","sonarqube","spring-boot","webdriver"],"created_at":"2024-08-01T21:02:07.140Z","updated_at":"2025-10-05T14:31:31.248Z","avatar_url":"https://github.com/boozallen.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# DevSecOps CI/CD Pipeline Example\n\n# Jenkins Multibranch Pipeline\n\nThis example uses [Jenkins multi-branch pipelines].\nThe code for this pipeline can be found [here](./Jenkinsfile).\n\nJenkins multi-branch pipelines build all your branches in your repository under source code\ncontrol (e.g. GitHub) automatically. 
Note that you can explicitly include/exclude branches using\nregular expressions.\nThis allows for a development approach with short-lived feature and bugfix \nbranches that can be built, deployed, and tested simultaneously.\nThis is important, because it allows developers to update and test the pipeline as part of \nthe change request (or bugfix) they are working on,\nso the pipeline code always stays in sync with the application code.\nFurthermore, __\"standard\"__ development processes can now not only be applied to the\napplication code, but also to the pipeline code, specifically source code control, testing, \nand code review.\n\n## Pipeline Steps\n\n1. Build the Java [Spring Boot] [application](./webapp/src/main) using [Apache Maven].\n   This includes running [unit tests](./webapp/src/test//java).\n2. Perform a security scan on the Java code base using [SonarQube] via Maven\n3. Build and register a version of the [Docker image](./Dockerfile)\n4. Deploy the image to the `dev` environment\n5. Run the automated browser tests against the application in the `dev` environment.\n   The [browser tests](./webapp/src/test/python/helloworld) are written in\n   [Python](./webapp/src/test/python) using the [Python Selenium Webdriver API binding].\n6. Deploy the image to the `test` environment\n7. Run the automated browser tests against the application in the `test` environment\n8. Pause for confirmation that the new image can be deployed to the `prod` environment.\n   Allow for some manual tests to be executed before \n   This step times out after some (configurable amount of) time.\n9. 
Deploy the image to the `prod` (or live) environment\n\nWeb Application:\n  ![Hello World web app](./doc/images/hello-world-webapp.png)\n\nPipeline executions:\n   ![Jenkins Pipeline](./doc/images/Jenkins-hello-world-master.png)\n\nPause step (step 8):\n   ![Pause Pipeline](./doc/images/Jenkins-hello-world-master-pause.png)\n\nSonarQube (security scan) output:\n   ![SonarQube](./doc/images/SonarQube-Example.png)\n\nNote that in the above steps, steps 5 and up in the pipeline are __only__ \nexecuted against the `master` branch.\nThe pipeline code is configured to treat development (feature/bugfix) branches as\nadditional `dev` environments.\nThese temporary additional `dev` environments can quickly be created using the application's\n[cloud-formation script](./cloud-formation/helloworld/app/main.yml) and\nsetting the `Environment` parameter to `dev-\u003cbranch-name\u003e` and the `SecurityContext` parameter\nto `dev`.\nThe new `dev-\u003cbranch-name\u003e` environment now operates in the same security context as the `dev`\nenvironment.\n\nNow when a new temporary development branch is created off the `master` branch,\nthe Jenkins pipeline will automatically discover the new branch and\nexecute the pipeline code from that specific branch, allowing a developer to build and test\nthe branch-specific changes in isolation, including changes to the pipeline code.\n\nMultiple branch executions (`feature1` and `master`) after creating the `feature1` branch:\n![Multiple branch executions](./doc/images/Jenkins-hello-world-multiple-branches.png)\n\nDevelopment branch (`feature`) execution details:\n![Development branch execution details](./doc/images/Jenkins-hello-world-development-branch-execution.png)\n\n## Development Process\n\nThe following outlines how this development pipeline would be used in a (typical) development\nprocess:\n\n1.  A user story (or bug) ticket is assigned to a developer\n2.  
Create a temporary and short-lived development (feature/bugfix) branch environment\n    using the Hello World application\n    [cloud formation script](../cloud-formation/helloworld/app/main.yml).\n    Run the script setting the `Environment` parameter to `dev-\u003cname\u003e` and the\n    `SecurityContext` parameter to `dev`.\n3.  A development branch is created in the repository using the format `feature/\u003cname\u003e` or \n    `bug-fix/\u003cname\u003e` from the `master` branch\n4.  The developer implements and tests the changes, including new and/or updated automated tests.\n5.  Changes are committed to the branch and tested.\n    The developer references the ticket in the commit message to allow for integration\n    with the ticketing system, e.g. [GitHub-Jira Integration].\n6.  Changes are pushed to the central git server.\n7.  A git webhook triggers the Jenkins pipeline for the feature branch.\n8.  If the pipeline build fails, either fix the infrastructure issue, or return to step 3\n9.  Manually test the changes\n10. Once satisfied that the acceptance criteria are met, create a Pull Request (PR) to the `master` branch \n    and assign a reviewer.\n11. Reviewer verifies changes.\n12. If not accepted, return to step 3\n13. Reviewer accepts changes, the reviewer or developer merges the PR into `master` and \n    deletes the branch\n14. Delete the temporary development branch environment.\n15. A git webhook triggers the Jenkins pipeline for the `master` branch\n16. Manual tests (if any) are executed against the `test` environment\n17. If problems are detected, return to step 3\n18. Accept changes and push to production\n\n## Possible Extensions\n\n1. Automate the creation and deletion of temporary development branch environments\n1. Create separate test suites to allow for a smoke vs. a full suite of tests.\n   Smoke tests would always be applied to each environment, including production.\n   The full suite of tests would only be executed against pre-production environments.\n2. 
Application/browser tests are executed against all targeted browser/platform configurations\n   using a hosted service, such as [Browserstack] or [Saucelabs].\n3. Add performance testing in the pipeline, e.g. using [Taurus] and/or [Apache jMeter].\n4. Penetration tests are executed as part of the pipeline, e.g. using OWASP's [ZAProxy]\n5. Integrate a notification mechanism with the pipeline, e.g. [Slack](./doc/slack-integration.md)\n6. If a RESTful API component is added, use [Newman] to run API tests using [Postman] \n   test collections via [Newman Docker image].\n\n## How to Install\n\n[Installation instructions](./doc/Install.md) can be found [here](./doc/Install.md).\n\n[Jenkins multi-branch pipelines]: https://jenkins.io/blog/2015/12/03/pipeline-as-code-with-multibranch-workflows-in-jenkins/\n[ZAProxy]: https://github.com/zaproxy/zaproxy\n[Taurus]: https://gettaurus.org/\n[Apache jMeter]: http://jmeter.apache.org/\n[Browserstack]: https://www.browserstack.com/\n[Postman]: https://www.getpostman.com/docs/postman/scripts/test_scripts\n[Newman]: https://github.com/postmanlabs/newman\n[Newman Docker image]: https://hub.docker.com/r/postman/newman_ubuntu1404/\n[Spring Boot]: https://projects.spring.io/spring-boot/\n[Python Selenium Webdriver API binding]: http://selenium-python.readthedocs.io/api.html\n[Apache Maven]: https://maven.apache.org/\n[SonarQube]: https://www.sonarqube.org/\n[GitHub-Jira Integration]: https://confluence.atlassian.com/adminjiracloud/connect-jira-cloud-to-github-814188429.html\n[Saucelabs]: https://saucelabs.com/","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboozallen%2Fdevsecops-example-helloworld","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fboozallen%2Fdevsecops-example-helloworld","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fboozallen%2Fdevsecops-example-helloworld/lists"}