// Jenkinsfile.devsecops for Python Microservices Project // This pipeline extends the standard CI/CD with DevSecOps practices. pipeline { agent any environment { DOCKER_REGISTRY = 'your-docker-registry' DOCKER_IMAGE_TAG = "${env.BUILD_NUMBER}" // SonarQube server configuration (replace 'sonarqube-server' with your SonarQube server name in Jenkins) // SONAR_SCANNER_HOME = tool 'SonarScanner' // Assumes SonarScanner is configured as a tool in Jenkins // TRIVY_VERSION = '0.28.1' // Specify Trivy version if needed } stages { stage('Unit Tests') { steps { script { def services = ['user-service-py', 'product-service-py', 'order-service-py', 'notification-service-py'] for (int i = 0; i < services.size(); i++) { def service = services[i] dir(service) { echo "Running unit tests for ${service}..." sh 'pip install -r requirements.txt' sh 'python -m unittest discover' } } } } } stage('Static Application Security Testing (SAST) - SonarQube') { steps { script { // SonarQube performs static code analysis, which includes SAST capabilities. // It identifies security vulnerabilities, code smells, and bugs. withSonarQubeEnv(credentialsId: 'sonarqube-token', scannerHome: 'SONAR_SCANNER_HOME') { // Replace 'sonarqube-token' with your actual SonarQube token credential ID def services = ['user-service-py', 'product-service-py', 'order-service-py', 'notification-service-py'] for (int i = 0; i < services.size(); i++) { def service = services[i] dir(service) { echo "Running SonarQube SAST analysis for ${service}..." catchError(buildResult: 'UNSTABLE', stageResult: 'UNSTABLE') { sh "sonar-scanner -Dsonar.projectKey=${service} -Dsonar.projectName=${service}" } } } } } } } stage('Dependency Vulnerability Scanning (SCA)') { steps { script { // Safety scans Python project dependencies for known vulnerabilities. // It needs to be installed on the Jenkins agent. def services = ['user-service-py', 'product-service-py', 'order-service-py', 'notification-service-py'] for (int i = 0; i < services.size(); i++) { def service = services[i] dir(service) { echo "Running Safety SCA for ${service}..." sh 'pip install safety' // 'catchError' allows the pipeline to continue even if vulnerabilities are found, // marking the build as UNSTABLE. catchError(buildResult: 'UNSTABLE', stageResult: 'UNSTABLE') { sh 'safety check -r requirements.txt' } } } } } } stage('Build Docker Images') { steps { script { echo "Building Docker images for Python services..." sh 'make docker-build DOCKER_REGISTRY=${DOCKER_REGISTRY} DOCKER_IMAGE_TAG=${DOCKER_IMAGE_TAG}' } } } stage('Container Image Scanning') { steps { script { // Trivy is an open-source vulnerability scanner for container images. // It needs to be installed on the Jenkins agent. def services = ['user-service-py', 'product-service-py', 'order-service-py', 'notification-service-py'] for (int i = 0; i < services.size(); i++) { def service = services[i] echo "Scanning Docker image for ${service} with Trivy..." catchError(buildResult: 'UNSTABLE', stageResult: 'UNSTABLE') { sh "trivy image --severity HIGH,CRITICAL --exit-code 0 ${DOCKER_REGISTRY}/${service}:${DOCKER_IMAGE_TAG}" } } } } } stage('Deploy to Kubernetes') { steps { script { echo "Deploying Python microservices to Kubernetes..." sh 'make k8s-deploy' echo "Deployment to Kubernetes complete." } } } } post { always { echo "Pipeline finished." } failure { echo "Pipeline failed. Check logs for errors." } unstable { echo "Pipeline finished with UNSTABLE status (e.g., SonarQube or security scan issues)." } success { echo "Pipeline finished successfully." } } }