A production-grade DevSecOps implementation for WanderLust, a MERN-stack travel blog application. This project wraps a fully automated CI/CD pipeline around the application, enforcing security at every stage — from code commit to live Kubernetes deployment — with GitOps-driven delivery and real-time observability.
Application credit: The WanderLust MERN application was originally developed by krishnaacharyaa. This repository is focused entirely on the DevSecOps engineering layer built on top of it.
DevSecOps GitOps Architecture 
The pipeline is divided into two automated jobs:
Jenkins CI Job — triggered on every push to main
- Pulls source code from GitHub
- Runs OWASP Dependency Check against all third-party libraries
- Performs SonarQube static analysis and enforces the quality gate
- Executes Trivy filesystem scan
- Builds Docker images and pushes them to DockerHub
Jenkins CD Job — triggered automatically after CI passes
- Updates the Docker image tag in the Kubernetes manifests repository
- ArgoCD detects the manifest change and auto-syncs to the EKS cluster
- Prometheus and Grafana provide live cluster monitoring
- Gmail SMTP sends pipeline completion notifications
| Category | Tools |
|---|---|
| Application | React.js, Node.js, MongoDB, Redis |
| Containerization | Docker, DockerHub |
| CI/CD Orchestration | Jenkins (Master-Worker architecture) |
| Code Quality | SonarQube |
| Security Scanning | OWASP Dependency Check, Trivy |
| Container Orchestration | Kubernetes — AWS EKS |
| GitOps | ArgoCD |
| Monitoring | Prometheus, Grafana |
| Alerting | Alertmanager, Gmail SMTP |
Built on a Jenkins master-worker node architecture. Every commit triggers a run through the complete security and build lifecycle with no manual intervention.
| Stage | What it does |
|---|---|
| Checkout SCM | Pulls latest source from GitHub |
| Workspace Cleanup | Removes stale artifacts from prior builds |
| Install Dependencies | Runs npm install for frontend and backend |
| OWASP Dependency Check | Scans third-party libraries against the NVD CVE database |
| Trivy Filesystem Scan | Checks the repository filesystem for vulnerabilities |
| SonarQube Analysis | Static analysis with quality gate enforcement — pipeline aborts on failure |
| Build Docker Images | Builds images for all four services |
| Trivy Image Scan | Scans built container images before any push |
| Docker Push | Pushes verified images to DockerHub |
| Post Actions | Archives build artifacts and sends email notification |
Both application images are publicly available on Docker Hub at hub.docker.com/u/dvanhu and are built and pushed automatically by the Jenkins CI pipeline on every successful run.
| Repository | Image | Pull Command |
|---|---|---|
| Frontend | dvanhu/wanderlust-frontend |
docker pull dvanhu/wanderlust-frontend |
| Backend | dvanhu/wanderlust-backend |
docker pull dvanhu/wanderlust-backend |
SonarQube runs against the full codebase on every pipeline execution. The quality gate must pass before any Docker image is built or pushed.
Latest analysis results:
| Metric | Result |
|---|---|
| Quality Gate | Passed |
| New Bugs | 0 |
| New Vulnerabilities | 0 |
| New Security Hotspots | 0 |
| New Code Smells | 0 |
| Reliability / Security / Maintainability | A / A / A |
ArgoCD watches the Kubernetes manifests repository and reconciles the live cluster state with the declared state on every commit. No manual kubectl apply is ever needed.
Deployment state:
| Property | Value |
|---|---|
| Application Health | Healthy |
| Sync Status | Synced to main |
| Auto Sync | Enabled |
| Synced Resources | 10 |
| Healthy Resources | 17 |
Deployed resources:
mongo-pv/mongo-pvc— Persistent volume and claim for MongoDBbackend-service,frontend-service,mongo-service,redis-service— Kubernetes Services with EndpointSlicesbackend-deployment,frontend-deployment,mongo-deployment,redis-deployment— Deployments, each running 1/1 pods
Prometheus scrapes pod-level metrics from the cluster. Grafana surfaces them on the Kubernetes / Compute Resources / Namespace (Pods) dashboard with 5-second auto-refresh.
Live network metrics (5-minute window):
| Pod | Receive Bandwidth | Transmit Bandwidth | Received Packets |
|---|---|---|---|
| backend-deployment | 87.7 B/s | 39.0 B/s | 398 mp/s |
| mongo-deployment | 23.6 B/s | 69.8 B/s | 280 mp/s |
| redis-deployment | 11.7 B/s | 11.7 B/s | 182 mp/s |
| frontend-deployment | 0 B/s | 0 B/s | 0 p/s |
CPU usage is tracked per pod over a rolling 1-hour window with quota, request, and limit overlays — all pods run well within their declared resource boundaries.
Wanderlust-Mega-DevSecOps-Project/
├── backend/ # Node.js API server
│ ├── controllers/
│ ├── models/
│ ├── routes/
│ ├── services/
│ ├── Dockerfile
│ └── server.js
├── frontend/ # React.js client
│ ├── src/
│ ├── Dockerfile
│ └── vite.config.ts
├── database/ # MongoDB Dockerfile
├── kubernetes/ # Kubernetes manifests
│ ├── backend.yaml
│ ├── frontend.yaml
│ ├── mongodb.yaml
│ ├── redis.yaml
│ ├── persistentVolume.yaml
│ └── persistentVolumeClaim.yaml
├── Assets/
│ └── DevSecOps+GitOps.gif # Architecture diagram
├── Jenkinsfile # Full CI/CD pipeline definition
├── docker-compose.yml # Local development setup
├── alertmanager-config.yaml # Alertmanager configuration
└── wanderlust-alert.yaml # Custom alert rules
- Security gates at every stage — OWASP CVE scanning, Trivy filesystem and image scanning, and SonarQube quality enforcement all run before a single artifact is published
- Zero-touch deployments — ArgoCD reconciles the cluster continuously; updating a manifest tag is all it takes to trigger a full rollout with rollback history intact
- Fully containerized workloads — all four services run as isolated pods on EKS with persistent storage for MongoDB
- Production-grade observability — per-pod CPU, memory, and network bandwidth metrics with configurable alerting via Alertmanager
- Clean separation of CI and CD — the CI pipeline owns build and security; the CD pipeline owns delivery and notification