DevSecOps Pipeline with GitHub Actions for Node.js (Step-by-Step Guide)

Vinuthna

Introduction

In modern software development, delivering applications quickly is not enough.
Security must be integrated into the development lifecycle.

That’s why I built a DevSecOps pipeline for my Node.js application using GitHub Actions, Docker, and Trivy.
This pipeline automates build, security scanning, and deployment, ensuring secure and reliable delivery.


Why DevSecOps?

DevSecOps means integrating security into every step of CI/CD.
Instead of detecting vulnerabilities at the end, we identify them early during development.

Benefits:

  • Early detection of vulnerabilities

  • Improved code quality

  • Faster and safer releases

  • Reduced production risks


Why GitHub Actions over Jenkins?

I have worked with Jenkins before. Jenkins is powerful but requires:

  • Server setup and maintenance

  • Plugin installations

  • Managing updates and configurations

GitHub Actions is easier because:

  • No server setup required

  • Pipeline configuration is stored in the repository

  • Simple YAML-based workflow

  • Built-in integrations and faster setup


Tools Used

In this project, I used:

  • GitHub Actions for CI/CD automation

  • Docker for containerizing the Node.js application

  • Trivy for vulnerability scanning

  • Docker Hub for image storage

  • SonarQube for code quality and security scanning

  • SSH for deploying to a Docker server


Project Structure

The project contains:

my-node-app/
├── src/
├── package.json
├── package-lock.json
├── Dockerfile
└── .github/
    └── workflows/
        └── devsecops.yml

GitHub Secrets Setup

To secure sensitive information, GitHub Secrets were configured in the repository settings:

  • DOCKER_USERNAME – Docker Hub username

  • DOCKER_PASSWORD – Docker Hub password or access token

  • SONAR_TOKEN – SonarQube authentication token

  • SONAR_HOST_URL – SonarQube server URL

  • SERVER_IP – Docker server IP address

  • SERVER_USER – Docker server username

  • SSH_PRIVATE_KEY – SSH private key for server login

  • SSH_PORT – SSH port (default 22)


Step-by-Step Pipeline Flow

Step 1: Setup the Node.js Project

Start with a working Node.js application and push it to GitHub.

Step 2: Configure GitHub Repository

Create a repository and push the Node.js code.

Step 3: Add GitHub Actions Workflow

Add the workflow file under .github/workflows/ to automate CI/CD (the repository used here is https://github.com/vinuthnak12/Zomato-Repo.git).

Step 4: Install Dependencies & Run Tests

The pipeline installs dependencies and runs tests to ensure code stability.

Step 5: SonarQube Code Quality Scan

SonarQube scans the code for bugs, code smells, and vulnerabilities.

Step 6: Docker Build

The pipeline builds a Docker image for the application and tags it with a unique version.

Step 7: Trivy Vulnerability Scan

Trivy scans the Docker image for vulnerabilities in OS and dependencies.

Step 8: Push Docker Image to Docker Hub

If the image passes the scan, it is pushed to Docker Hub for storage.

Step 9: Deploy to Docker Server

The pipeline connects to the Docker server via SSH and performs deployment:

  • Pulls the latest Docker image

  • Stops the old container

  • Removes the old container

  • Runs the new container
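The workflow below wires Steps 4 to 9 together using the secrets listed above. It is an added example, not the repository's own devsecops.yml; the action names and versions, the image name my-node-app, the container port 3000, and the need for a sonar-project.properties file in the repo are assumptions.

```yaml
name: devsecops
on:
  push:
    branches: [main]
env:
  # Unique tag per commit (Step 6); image name "my-node-app" is assumed
  IMAGE: ${{ secrets.DOCKER_USERNAME }}/my-node-app:${{ github.sha }}
jobs:
  pipeline:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Step 4: install locked dependencies and run tests
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci
      - run: npm test
      # Step 5: SonarQube scan; reads sonar-project.properties from the repo
      - uses: SonarSource/sonarqube-scan-action@master   # pin to a release SHA in real use
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
      # Step 6: build the image locally (not pushed yet)
      - run: docker build -t "$IMAGE" .
      # Step 7: Trivy scan; exit-code 1 fails the job on HIGH/CRITICAL findings,
      # so every later step (push, deploy) is skipped for a vulnerable image
      - uses: aquasecurity/trivy-action@master           # pin to a release SHA in real use
        with:
          image-ref: ${{ env.IMAGE }}
          format: table
          exit-code: '1'
          ignore-unfixed: true
          severity: HIGH,CRITICAL
      # Step 8: log in only after the scan passed, then push
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - run: docker push "$IMAGE"
      # Step 9: deploy over SSH; "|| true" keeps the first deploy working
      # when there is no old container to stop or remove yet
      - uses: appleboy/ssh-action@v1.0.3
        with:
          host: ${{ secrets.SERVER_IP }}
          username: ${{ secrets.SERVER_USER }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          port: ${{ secrets.SSH_PORT }}
          script: |
            docker pull "${{ env.IMAGE }}"
            docker stop my-node-app || true
            docker rm my-node-app || true
            docker run -d --name my-node-app -p 3000:3000 "${{ env.IMAGE }}"
```

Because the Trivy step runs before docker login and docker push, a failing scan stops the pipeline before any image reaches Docker Hub or the server.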

Conclusion

This DevSecOps pipeline ensures secure and automated delivery of the Node.js application.
By using GitHub Actions, Docker, Trivy, and SonarQube, the pipeline improves security, stability, and deployment speed.


Vinuthna

I am a DevOps Engineer with 4 years of hands-on experience in building and automating scalable, reliable infrastructure. I work with Terraform, Ansible, Docker, Kubernetes, and Jenkins to design efficient CI/CD pipelines and infrastructure as code. I enjoy solving real-world problems through automation and sharing practical DevOps knowledge through my blog.