CI pipeline with automated security scanning producing deployable container artifacts
Automated CI pipeline that builds Docker images from application source code, scans for vulnerabilities using Trivy, and pushes verified images to Docker Hub. Demonstrates modern DevOps practices with Jenkins, Docker, and security-first automation. The CD workflow is handled separately using ArgoCD in a companion repository.
```text
GitHub (Code Push)
        ↓
Jenkins CI Pipeline (AWS EC2)
  ├─→ Job 1: Build Docker Image
  ├─→ Job 2: Trivy Security Scan (HIGH/CRITICAL)
  └─→ Job 3: Push to Docker Hub
        ↓
Docker Hub (Container Registry)
        ↓
[Consumed by CD Pipeline]
```
Note: The CD workflow is managed separately using ArgoCD in the CD Pipeline repository, which deploys applications to AWS EKS following GitOps principles.
Screenshots in `pictures/`:
- Three chained Jenkins jobs forming the complete CI pipeline
- Detailed view of pipeline stages and execution status
- Automated pipeline execution from code commit to registry push
- Job 2: Security scanning with Trivy
- Successfully pushed and tagged image in the Docker Hub registry
| Category | Tools |
|---|---|
| CI/CD | Jenkins (self-hosted on AWS EC2) |
| Containerization | Docker |
| Security Scanning | Trivy |
| GitOps | ArgoCD |
| Container Registry | Docker Hub |
| Orchestration | Kubernetes (AWS EKS) |
| Infrastructure | AWS (EC2, EKS) |
- ✅ Automated Builds: Triggers on GitHub code commits
- ✅ Security First: Trivy scans for HIGH and CRITICAL vulnerabilities before deployment
- ✅ Separated CI/CD: CI pipeline (build/test/push) separated from CD pipeline (deployment)
- ✅ Automated CI Workflow: Three-stage Jenkins pipeline executes automatically
- ✅ Container Registry Integration: Automatic push to Docker Hub after successful scan
- Trigger: Developer pushes code to GitHub
- Build: Jenkins pulls code and builds Docker image from Dockerfile
- Scan: Trivy analyzes image for security vulnerabilities
- Gate: Only images passing security checks proceed
- Push: Verified image pushed to Docker Hub with the `latest` tag
The CI pipeline produces deployable container artifacts. The CD workflow is handled separately:
- Artifact Storage: Verified images stored in Docker Hub registry
- GitOps Management: Kubernetes manifests in Git define desired cluster state
- ArgoCD Reconciliation: ArgoCD ensures EKS cluster matches manifest definitions
- Image Updates: When pods are recreated, Kubernetes pulls updated images from Docker Hub
Note: The CD workflow uses ArgoCD in a separate repository following GitOps separation of concerns. See the CD repository for details on deployment workflow and Istio service mesh configuration.
The pipeline consists of three chained Jenkins jobs:

Job 1: Build Docker Image
- Pulls source code from the Bookinfo application
- Builds the Docker image using the Dockerfile
- Tags the image as `productpage-app`

Job 2: Trivy Security Scan
- Runs the Trivy vulnerability scanner against the image
- Scans for HIGH and CRITICAL severity issues
- Fails the pipeline if vulnerabilities at those severities are found

Job 3: Push to Docker Hub
- Tags the image with the Docker Hub username
- Authenticates to Docker Hub
- Pushes the verified image to the Docker Hub registry
- Produces a deployable container artifact for CD pipeline consumption
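The five steps listed above and the three jobs just described, as an added shell example that is not the repository's own job configuration: each job is a function, and the Trivy exit code is the gate between scan and push. `DOCKERHUB_USER` is a placeholder, `DOCKERHUB_PASSWORD` is assumed to come from a Jenkins credential, and `DOCKER`/`TRIVY` can be pointed at stubs to exercise the gate logic without a daemon or scanner.

```shell
#!/bin/sh
# Added example, not the repository's own job configuration: the three
# chained jobs as shell functions, with the Trivy gate deciding whether
# the push runs. DOCKERHUB_USER is a placeholder; DOCKERHUB_PASSWORD is
# expected from a Jenkins credential; DOCKER and TRIVY can be pointed at
# stubs to exercise the gate logic without a daemon or scanner.
set -eu

IMAGE="${IMAGE:-productpage-app}"                        # local tag from Job 1
DOCKERHUB_USER="${DOCKERHUB_USER:-your-dockerhub-user}"  # placeholder
SEVERITIES="${SEVERITIES:-HIGH,CRITICAL}"                # only these block a push
DOCKER="${DOCKER:-docker}"
TRIVY="${TRIVY:-trivy}"

# Job 1: build the image from the Dockerfile in the checked-out source.
build_image() {
  "$DOCKER" build -t "$IMAGE" .
}

# Job 2: exit 0 only when there are no findings at the gated severities.
# --exit-code 1 makes Trivy itself fail the job on a match, so the gate
# is the scanner's verdict rather than a grep over its report.
scan_gate() {
  "$TRIVY" image --severity "$SEVERITIES" --exit-code 1 --no-progress "$1"
}

# Job 3: retag under the Docker Hub namespace and push the latest tag.
# The password goes in on stdin so it never appears in ps or the job log.
push_image() {
  target="$DOCKERHUB_USER/$IMAGE:latest"
  "$DOCKER" tag "$1" "$target"
  printf '%s' "${DOCKERHUB_PASSWORD:?set from a Jenkins credential}" \
    | "$DOCKER" login -u "$DOCKERHUB_USER" --password-stdin
  "$DOCKER" push "$target"
  printf '%s\n' "$target"   # the reference the CD pipeline will consume
}

# Chain the jobs; a failed gate stops the pipeline before any push happens.
run_pipeline() {
  build_image
  if scan_gate "$IMAGE"; then
    push_image "$IMAGE"
  else
    echo "blocked: $SEVERITIES findings in $IMAGE, not pushing" >&2
    return 1
  fi
}

if [ "${RUN_PIPELINE:-0}" = "1" ]; then run_pipeline; fi
```

Run with `RUN_PIPELINE=1` on the Jenkins agent; each function body maps onto one shell build step of the corresponding job.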
- Vulnerability Scanning: Every image scanned before deployment
- Severity Filtering: Only HIGH/CRITICAL issues block deployments
- GitOps: No direct cluster access; all changes via Git
- Least Privilege: Jenkins service account with minimal AWS permissions
```text
.
├── Dockerfile   # Container image definition
├── README.md    # This file
└── pictures/    # Architecture diagrams and screenshots
```
Want to replicate this pipeline? See SETUP.md for detailed installation instructions including:
- AWS EC2 setup for Jenkins
- Jenkins installation and configuration
- Docker and Trivy installation
- Jenkins job creation steps
- ArgoCD integration
- Designing multi-stage CI/CD pipelines with job chaining
- Integrating security scanning into automated workflows
- Implementing GitOps principles with separate CI/CD repos
- Managing Jenkins on AWS EC2 infrastructure
- Docker image optimization and security best practices
- CD Pipeline with ArgoCD - GitOps deployment to EKS
- Bookinfo Application - Sample microservices app
- Application: Bookinfo microservices (Product Page component)
- Base Image: Python-based application
- Build Tool: Docker
- CI Server: Jenkins 2.x on Amazon Linux 2
- Scanner: Trivy (Aqua Security)
- Deployment Target: AWS EKS cluster