Wanderlust DevSecOps project
Wanderlust DevSecOps CI/CD Project Documentation
1. Introduction
Wanderlust is a full-stack travel listing platform designed to allow users to explore, create, and manage travel destinations.
The application demonstrates a real-world DevSecOps implementation where development, security, and operations are integrated
into a single automated pipeline.
This project focuses on building a secure and automated CI/CD pipeline using modern DevOps tools such as Jenkins, Docker,
SonarQube, OWASP Dependency Check, and Trivy.
The objective of this project is to automate the process of building, testing, scanning, and deploying the application
while maintaining high security and code quality standards.
The system architecture includes a frontend built with React, a backend built with Node.js and Express, and databases
like MongoDB and Redis for storage and caching.
The pipeline ensures that every code change pushed to GitHub automatically triggers build, security scanning, and deployment.
2. Project Objectives
The main objectives of the Wanderlust DevSecOps project include:
• Implementing a complete CI/CD pipeline using Jenkins
• Integrating security tools within the CI/CD pipeline
• Automating code quality analysis
• Detecting vulnerabilities in dependencies
• Scanning Docker images for security risks
• Automating deployment using Docker Compose
• Demonstrating DevSecOps best practices
This project showcases how modern development teams can integrate security checks early in the development lifecycle
to prevent vulnerabilities from reaching production.
3. Technology Stack
Frontend:
React.js
Backend:
Node.js
Express.js
Database:
MongoDB
Redis (for caching)
DevOps Tools:
GitHub – Source code management
Jenkins – CI/CD pipeline automation
Docker – Containerization
Docker Compose – Multi-container orchestration
SonarQube – Static code analysis
OWASP Dependency Check – Dependency vulnerability scanning
Trivy – Container vulnerability scanning
4. System Architecture
The Wanderlust architecture follows a client-server model.
Users interact with the React frontend, which communicates with the backend API built using Node.js and Express.
The backend handles authentication, listing management, and database operations.
MongoDB stores application data such as listings, users, and reviews.
Redis is used to cache frequently accessed data to improve performance.
Docker containers isolate application services to ensure consistent environments.
5. DevSecOps Pipeline Overview
The CI/CD pipeline is implemented using Jenkins and follows multiple automated stages.
Pipeline Flow:
1. Code Commit
2. Jenkins Pipeline Trigger
3. Install Dependencies
4. Static Code Analysis
5. Security Scanning
6. Docker Image Build
7. Container Security Scan
8. Push Images to Docker Hub
9. Deployment using Docker Compose
Each stage performs specific validation checks to ensure code quality and security.
6. Jenkins Pipeline Configuration
The Jenkins pipeline is defined using a Jenkinsfile stored in the repository.
The pipeline consists of the following stages:
Stage 1 – Clone Code from GitHub
Stage 2 – Install Frontend and Backend Dependencies
Stage 3 – SonarQube Code Analysis
Stage 4 – Sonar Quality Gate Validation
Stage 5 – OWASP Dependency Check
Stage 6 – Docker Image Build
Stage 7 – Trivy Security Scan
Stage 8 – Push Docker Images to Docker Hub
Stage 9 – Deploy using Docker Compose
The pipeline ensures automated build and deployment after every code change.
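An example Jenkinsfile implementing the nine stages above, added here as an illustration and not the project's own Jenkinsfile; the repository URL, the SonarQube server name (sonar-server), the sonar-scanner tool name, the Dependency-Check installation name (DC), the Docker Hub credential id (dockerhub-creds) and the Docker Hub namespace are assumed placeholders. The Quality Gate, Dependency Check and Trivy stages are written to fail the build, so nothing is pushed or deployed when a check does not pass.

```groovy
pipeline {
    agent any
    environment {
        BACK_IMG  = 'dockerhubuser/wanderlust-back:v1'   // assumed Docker Hub namespace; tags from section 11
        FRONT_IMG = 'dockerhubuser/wanderlust-front:v2'
    }
    stages {
        stage('Clone Code from GitHub') {
            steps { git url: 'https://github.com/example/wanderlust.git', branch: 'main' }  // assumed repo URL
        }
        stage('Install Frontend and Backend Dependencies') {
            steps { sh 'npm ci --prefix backend && npm ci --prefix frontend' }
        }
        stage('SonarQube Code Analysis') {
            steps {
                withSonarQubeEnv('sonar-server') {  // assumed server name configured in Jenkins
                    sh "${tool 'sonar-scanner'}/bin/sonar-scanner -Dsonar.projectKey=wanderlust -Dsonar.projectName=wanderlust"
                }
            }
        }
        stage('Sonar Quality Gate Validation') {
            // abortPipeline stops the run when the gate fails, so nothing downstream is built or deployed
            steps { timeout(time: 5, unit: 'MINUTES') { waitForQualityGate abortPipeline: true } }
        }
        stage('OWASP Dependency Check') {
            steps {
                dependencyCheck additionalArguments: '--scan ./ --format XML', odcInstallation: 'DC'  // assumed tool name
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml', failedTotalCritical: 1
            }
        }
        stage('Docker Image Build') {
            steps { sh 'docker build -t "$BACK_IMG" ./backend && docker build -t "$FRONT_IMG" ./frontend' }
        }
        stage('Trivy Security Scan') {
            // --exit-code 1 fails the stage on HIGH/CRITICAL findings, so a vulnerable image is never pushed
            steps { sh 'trivy image --exit-code 1 --severity HIGH,CRITICAL "$BACK_IMG" && trivy image --exit-code 1 --severity HIGH,CRITICAL "$FRONT_IMG"' }
        }
        stage('Push Docker Images to Docker Hub') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'dockerhub-creds', usernameVariable: 'DH_USER', passwordVariable: 'DH_PASS')]) {
                    sh 'echo "$DH_PASS" | docker login -u "$DH_USER" --password-stdin'  // password via stdin keeps it out of the build log
                    sh 'docker push "$BACK_IMG" && docker push "$FRONT_IMG"'
                }
            }
        }
        stage('Deploy using Docker Compose') {
            steps { sh 'docker compose up -d' }
        }
    }
}
```

Each `sh` step fails the stage on a non-zero exit status, which is what turns the scanner results into a hard gate rather than a warning.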
7. Static Code Analysis with SonarQube
SonarQube is used to analyze the codebase for potential bugs, code smells, and vulnerabilities.
It evaluates:
• Code duplication
• Complexity
• Security vulnerabilities
• Maintainability
The Quality Gate feature determines whether the code meets predefined standards.
If the Quality Gate fails, developers can review the issues before deployment.
8. Dependency Vulnerability Scanning
OWASP Dependency Check scans third-party libraries used in the application.
It compares project dependencies against the National Vulnerability Database (NVD)
to identify known security vulnerabilities.
If vulnerable libraries are detected, developers can update them before deployment.
9. Containerization with Docker
Docker is used to package the application into portable containers.
Separate Docker images are built for:
• Frontend
• Backend
Docker ensures consistent execution across different environments such as development,
testing, and production.
Benefits include:
• Environment consistency
• Easy deployment
• Scalability
10. Container Security Scanning
Trivy scans Docker images for vulnerabilities.
It detects:
• OS vulnerabilities
• Library vulnerabilities
• Secret leaks
• Misconfigurations
This ensures container images are secure before being pushed to Docker Hub.
11. Docker Hub Integration
After successful builds and scans, Docker images are pushed to Docker Hub.
Example images:
wanderlust-back:v1
wanderlust-front:v2
This allows easy image distribution and deployment.
12. Deployment using Docker Compose
Docker Compose is used to orchestrate multiple containers.
Services include:
• Frontend container
• Backend container
• MongoDB container
• Redis container
Docker Compose automatically starts all services and connects them through
an internal Docker network.
13. Security Practices
Security is integrated throughout the pipeline.
Practices implemented:
• Static code analysis
• Dependency vulnerability scanning
• Container vulnerability scanning
• Environment variable protection
• Secrets management
These practices help ensure a secure software delivery lifecycle.
14. Project Challenges
During development, several challenges were encountered.
Common challenges included:
• Pipeline configuration issues
• Dependency vulnerabilities
• Docker build errors
• Security scan warnings
These were resolved by adjusting pipeline scripts and updating dependencies.
15. Conclusion
The Wanderlust DevSecOps project demonstrates how security and automation can be
integrated into modern software development.
By combining CI/CD practices with security tools, the project ensures that
applications are built, tested, and deployed in a secure and automated manner.
This project highlights the importance of DevSecOps practices in building
scalable and secure applications.