Sprint 1: Initial Setup and Basic Vulnerability Scanning
- Goal: Establish the foundation by setting up a basic image scanning process and verifying scanner output.
Sprint 2: Integrating Vulnerability Scanning with CI/CD Pipelines
- Goal: Ensure the vulnerability scanner works as part of the CI/CD pipeline, preventing builds from passing if vulnerabilities are detected.
Sprint 3: Report Generation and Notification System
- Goal: Develop a reporting and notification system that keeps the DevOps team informed of vulnerabilities.
Sprint 4: Web Dashboard for Historical Vulnerability Tracking
- Goal: Provide a user-friendly dashboard that tracks vulnerability history and allows for trend analysis.
Sprint 5: Advanced Scanner Customization and Exception Handling
- Goal: Make the scanner more flexible, enabling exceptions for approved vulnerabilities and improving error handling.
- Set Up AWS Environment
Before using AWS ECR for storing container images, you need to:
✅ Create an AWS Account (if not already done)
✅ Install AWS CLI on your Jenkins Server
✅ Configure IAM permissions for Jenkins
✅ Create an ECR Repository
Step-by-Step Guide
🔹 Step 1: Install AWS CLI Using the Official Installer
On your Jenkins server, install AWS CLI:
sudo apt update
✅ Since awscli might not be in your repository, install it manually using the AWS official installer.
✅ Download the AWS CLI Installer:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
✅ If you don't have unzip installed, install it first:
sudo apt install -y unzip
✅ Unzip the Package:
unzip awscliv2.zip
✅ Run the Installer:
sudo ./aws/install
✅ Verify Installation:
aws --version
🔹 Step 2: Configure AWS CLI
aws configure
🔹 Step 3: Create an Amazon ECR Repository
aws ecr create-repository --repository-name container-image-vulnerability
Repository URL: "AWS-Account-Id.dkr.ecr.us-east-1.amazonaws.com/container-image-vulnerability"
🔹 Step 4: Install and Set Up Jenkins
Jenkins will be used to automate the build, scan, and push process.
🔹 Step 5: Install Jenkins
If Jenkins is not installed, run:
sudo apt update
sudo apt install -y openjdk-17-jdk
wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee /usr/share/keyrings/jenkins-keyring.asc
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/" | sudo tee /etc/apt/sources.list.d/jenkins.list
# Remove the existing Jenkins repo (if needed)
sudo rm -f /etc/apt/sources.list.d/jenkins.list
# Re-add the correct Jenkins GPG key
curl -fsSL https://pkg.jenkins.io/debian/jenkins.io-2023.key | sudo tee /usr/share/keyrings/jenkins-keyring.asc > /dev/null
# Add the Jenkins repository securely
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/" | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null
# Update package lists and install Jenkins
sudo apt update && sudo apt upgrade -y
sudo apt install -y jenkins
Start Jenkins:
sudo systemctl enable --now jenkins
Retrieve the Jenkins initial password:
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
"fc289560b20a4ed1a5ce2577d0fa573f"
✅ Open http://your-server-ip:8080, enter the password, and complete the setup.
🔹 Step 6: Install Required Jenkins Plugins
In Jenkins, go to Manage Jenkins → Plugin Manager → Available and install:
✅ Pipeline (for declarative pipelines)
✅ Git (to fetch source code)
✅ Docker Pipeline (to manage Docker builds)
🔹 Step 7: Configure Jenkins Credentials for AWS ECR
Since Jenkins will push images to ECR, it needs AWS credentials.
🔹 Step I: Add AWS Credentials to Jenkins
Go to Jenkins Dashboard → Manage Jenkins → Manage Credentials
Select Global credentials → Add Credentials
Select "AWS Credentials"
Enter:
- Access Key ID
- Secret Access Key
- ID: aws-ecr-credentials
✅ Click Save
🔹 Step 8: Install Docker on Jenkins Server
Since Jenkins will build Docker images, install Docker:
sudo apt update
sudo apt install -y docker.io
Verify:
docker --version
✅ Add Jenkins to the Docker group:
sudo usermod -aG docker jenkins
sudo systemctl restart jenkins
🔹 Step 9: Install Trivy (Vulnerability Scanner)
Trivy is used to scan Docker images before pushing them to ECR.
🔹 Step I: Install Trivy
sudo apt update
sudo apt install -y wget curl gnupg
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo tee /etc/apt/keyrings/trivy.asc
echo "deb [signed-by=/etc/apt/keyrings/trivy.asc] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt update
sudo apt install -y trivy
✅ Verify installation:
trivy --version
🔹 Step II: Test Trivy
Run a test scan on a public image:
trivy image alpine:latest
🎯 Final Checklist
✅ AWS CLI Installed & Configured
✅ IAM User Created with ECR Permissions
✅ Amazon ECR Repository Created
✅ Jenkins Installed & Configured
✅ Docker Installed & Running on Jenkins Server
✅ Trivy Installed & Tested
✅ Jenkins Pipeline Configured with AWS Credentials
✅ Pipeline Tested Successfully 🚀🚀
Prerequisites for Secure Image Pipeline using Jenkins
Get our webhook URL from the Slack app.
Fix: ✅✅ Store the Webhook in Jenkins Credentials
- Go to Jenkins UI
- Manage Jenkins → Manage Credentials
- Select Global (or specific folder) → Click Add Credentials
- Set Type to Secret text
- Paste Slack Webhook URL as Secret
- Set ID: SLACK_WEBHOOK
In this sprint, you will visualize vulnerability trends over time using Grafana and Prometheus. The key objectives are:
✅ Set up a Grafana dashboard for Trivy vulnerability reports.
✅ Connect Prometheus to Grafana to collect and store vulnerability metrics.
✅ Implement filters to view specific images, date ranges, and severity levels.
✅ Test and refine the dashboard for usability and responsiveness.
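The test scan in Step II above only prints Trivy's findings; Sprint 2 needs the build to fail on them, Sprint 5 needs approved exceptions, and this sprint needs them as metrics Prometheus can store. The script below is an added example, not part of the original notes and not code from Trivy, Jenkins or Prometheus: it reads a Trivy JSON report (here a constructed one with placeholder CVE IDs), fails when a HIGH or CRITICAL finding is not listed in an approved-exceptions file shaped like a .trivyignore, and prints per-severity counts in Prometheus text format. The metric name trivy_image_vulnerabilities, the image name example-app:1.0 and the temporary file paths are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original notes: post-process a Trivy JSON report
# (1) to gate a Jenkins build on unapproved HIGH/CRITICAL findings and
# (2) to emit Prometheus metrics for the Grafana dashboard.
# In the pipeline the report comes from:
#   trivy image --format json --output trivy-report.json "$IMAGE"
# (Trivy can also gate by itself:
#   trivy image --exit-code 1 --severity HIGH,CRITICAL --ignorefile .trivyignore "$IMAGE")
# The report below is constructed with placeholder CVE IDs so the script runs offline.

write_sample_report() {
  cat > "$1" <<'EOF'
{
  "Results": [
    {
      "Target": "example-app:1.0 (alpine 3.19)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool", "Severity": "LOW"}
      ]
    }
  ]
}
EOF
}

# Print one "ID SEVERITY" line per finding. Newlines are dropped and the JSON is
# re-split on commas, so compact and pretty-printed reports parse the same way;
# the quote after "Severity" in the pattern keeps "SeveritySource" from matching.
list_findings() {
  tr -d '\n' < "$1" | tr ',' '\n' | awk '
    /"VulnerabilityID": *"/ { id = $0; sub(/.*"VulnerabilityID": *"/, "", id); sub(/".*/, "", id) }
    /"Severity": *"/ { sev = $0; sub(/.*"Severity": *"/, "", sev); sub(/".*/, "", sev)
                       if (id != "") { print id, sev; id = "" } }'
}

# Count HIGH/CRITICAL findings whose ID is not listed in the allowlist file
# (one ID per line, '#' comment lines allowed, the same shape as a .trivyignore).
count_blocking() {
  list_findings "$1" | while read -r id sev; do
    case "$sev" in
      HIGH|CRITICAL) grep -qxF "$id" "$2" || echo "$id" ;;
    esac
  done | wc -l | tr -d ' '
}

# Return 1 (fail the stage) when any unapproved HIGH/CRITICAL finding remains.
gate_report() {
  n=$(count_blocking "$1" "$2")
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n unapproved HIGH/CRITICAL finding(s) in $1" >&2
    return 1
  fi
  echo "PASS: no unapproved HIGH/CRITICAL findings in $1"
}

# Emit Prometheus text-exposition lines (the metric name is this example's own choice).
# Writing them to a *.prom file in node_exporter's textfile collector directory is
# one way to have Prometheus scrape them for the Grafana dashboard.
to_prom_metrics() {
  echo '# HELP trivy_image_vulnerabilities Findings in the latest Trivy scan, by severity.'
  echo '# TYPE trivy_image_vulnerabilities gauge'
  list_findings "$1" | awk -v image="$2" '
    { count[$2]++ }
    END { for (s in count)
            printf "trivy_image_vulnerabilities{image=\"%s\",severity=\"%s\"} %d\n", image, s, count[s] }'
}

# Demo run: only the HIGH finding is approved, so the CRITICAL one still blocks the build.
demo_dir=$(mktemp -d)
write_sample_report "$demo_dir/trivy-report.json"
printf '# approved by security review (constructed placeholder)\nCVE-0000-0002\n' > "$demo_dir/.trivyignore"
to_prom_metrics "$demo_dir/trivy-report.json" "example-app:1.0"
gate_report "$demo_dir/trivy-report.json" "$demo_dir/.trivyignore" || echo "exit status $? would fail the Jenkins stage"
rm -rf "$demo_dir"
```

In the Jenkins stage, run trivy image --format json --output trivy-report.json on the freshly built image, call gate_report before the ECR push so an unapproved finding stops the pipeline, and write the to_prom_metrics output where Prometheus can scrape it (for example a *.prom file read by node_exporter's textfile collector). Adding the image tag or job name as a label lets one Grafana dashboard filter by image, which is one of this sprint's objectives.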
🔹 Grafana Installation
Step 1: Connect to EC2 Instance
ssh -i your-key.pem ubuntu@your-ec2-ip
Step 2: Install Grafana
- Update the package list
sudo apt update && sudo apt upgrade -y
- Install dependencies
sudo apt install -y software-properties-common apt-transport-https wget
Step 3: Add the Grafana repository and key
sudo mkdir -p /etc/apt/keyrings
wget -q -O - https://apt.grafana.com/gpg.key | sudo tee /etc/apt/keyrings/grafana.asc
Step 4: Add Grafana to the repository list
echo "deb [signed-by=/etc/apt/keyrings/grafana.asc] https://apt.grafana.com stable main" | sudo tee /etc/apt/sources.list.d/grafana.list
Step 5: Install Grafana
sudo apt update
sudo apt install -y grafana
Step 6: Start & Enable Grafana Service
sudo systemctl start grafana-server
sudo systemctl enable grafana-server
sudo systemctl status grafana-server
You should see the status as Active (running).
Step 7: Access Grafana Web UI
- Open your browser and go to: http://your-ec2-ip:3000
Login Credentials:
Username: admin
Password: admin (You will be prompted to change it)
🚀 Install Prometheus on Ubuntu EC2 Instance
Step 1: Update System Packages
sudo apt update && sudo apt upgrade -y
Step 2: Create a Prometheus User
sudo useradd --no-create-home --shell /bin/false prometheus
Step 3: Create Directories for Prometheus
sudo mkdir /etc/prometheus
sudo mkdir /var/lib/prometheus
Step 4: Download Prometheus
- Find the latest version. Run this command to get the latest version:
curl -s https://api.github.com/repos/prometheus/prometheus/releases/latest | grep "tag_name"
- Download Prometheus (replace v2.51.2 with the latest version if needed)
- Extract the files
tar -xvf prometheus-2.51.2.linux-amd64.tar.gz
cd prometheus-2.51.2.linux-amd64/
Step 5: Move Binaries to /usr/local/bin/
sudo mv prometheus /usr/local/bin/
sudo mv promtool /usr/local/bin/
Verify the installation:
prometheus --version
Step 6: Move Configuration Files
sudo mv prometheus.yml /etc/prometheus/
sudo mv consoles/ /etc/prometheus/
sudo mv console_libraries/ /etc/prometheus/
Step 7: Change Ownership
sudo chown -R prometheus:prometheus /etc/prometheus
sudo chown -R prometheus:prometheus /var/lib/prometheus
sudo chown prometheus:prometheus /usr/local/bin/prometheus
sudo chown prometheus:prometheus /usr/local/bin/promtool
Step 8: Create a Systemd Service File
sudo nano /etc/systemd/system/prometheus.service
Paste the following:
[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target

[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/prometheus \
  --config.file=/etc/prometheus/prometheus.yml \
  --storage.tsdb.path=/var/lib/prometheus/ \
  --web.console.templates=/etc/prometheus/consoles \
  --web.console.libraries=/etc/prometheus/console_libraries

[Install]
WantedBy=multi-user.target
Save and exit (CTRL + X, then Y, then Enter). The trailing backslashes keep the ExecStart flags on one logical line; without them systemd rejects the unit.
Step 9: Reload Systemd and Start Prometheus
sudo systemctl daemon-reload
sudo systemctl start prometheus
sudo systemctl enable prometheus
- Check the status:
sudo systemctl status prometheus
Step 10: Allow Port 9090 in Security Group
Prometheus runs on port 9090. Ensure this port is open in your AWS Security Group settings.
Step 11: Access Prometheus Web UI
Open a browser and go to: http://your-ec2-ip:9090