
Building a Jenkins CI/CD Pipeline with Docker Compose, SonarQube, Trivy, and Monitoring for My Node.js App

  • Writer: just kunal
  • Jun 11
  • 2 min read

Intro

In this post, I'm sharing how I set up a full CI/CD pipeline using Jenkins for my Node.js application hosted on GitHub. It includes code quality checks, vulnerability scans, and a remote Docker Compose deployment. I’ll also walk you through the main challenges I faced—especially around branch-based deployment and Docker Compose, and how I tackled them.

What I Built

  • CI/CD Tool: Jenkins

  • Code Analysis: SonarQube

  • Security Scans: OWASP Dependency Check + Trivy

  • Deployment: Docker Compose on an EC2 instance

  • Monitoring: Prometheus + Grafana

  • SSL/HTTPS: Manually installed Certbot with NGINX reverse proxy

Jenkins Pipeline Overview

The pipeline runs through the following stages:

  1. Checkout Code from the starter branch (Node.js app).

  2. Run SonarQube analysis.

  3. Run OWASP Dependency Check for libraries.

  4. Perform a Sonar Quality Gate check.

  5. Use Trivy to scan the file system and code for vulnerabilities.

  6. Use SSH to connect to my EC2 instance and:

    • Pull the starter branch for app code

    • Pull the main branch for Docker Compose config

    • Run docker-compose up --build

The Biggest Challenge: Split Branches

My deployment setup had a twist:

  • The application code lives in the starter branch.

  • The docker-compose.yml and all deployment-related config are in the main branch.

This caused a big headache because Jenkins needed to deploy using files from both branches—but GitHub won’t let you check out two branches at once.

Solution

To solve this:

  1. I used SSH inside Jenkins to connect to my EC2 instance.

  2. From there, I:

    • Pulled the latest changes from the starter branch to get the Node.js app.

    • Then switched to the main branch to get docker-compose.yml.

    • Finally ran:

      docker-compose up -d --build

This separation gave me clean modularity between the app and deployment infra.
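As an added example (not the post's own script), here is the kind of deploy script Jenkins could invoke over SSH for step 6 of the pipeline and the two-branch solution above. It assumes a hypothetical DEPLOY_ROOT on the EC2 host, a placeholder REPO_URL, and that the docker-compose.yml on main references ../app as its build context. Instead of switching branches in one directory, it keeps each branch in its own checkout so both sets of files exist at once, and it refuses to deploy unless the app checkout is the exact commit Jenkins just ran SonarQube and Trivy against.

```shell
#!/usr/bin/env sh
# Added example, not from the post. Remote deploy step run by Jenkins over SSH.
# Assumed layout on the EC2 host (hypothetical paths):
#   $DEPLOY_ROOT/app    -> checkout of the 'starter' branch (Node.js app)
#   $DEPLOY_ROOT/infra  -> checkout of the 'main' branch (docker-compose.yml)
set -eu

REPO_URL="${REPO_URL:-git@github.com:PLACEHOLDER/PLACEHOLDER.git}"  # placeholder, not the real repo
DEPLOY_ROOT="${DEPLOY_ROOT:-/opt/app-deploy}"                         # hypothetical path
APP_BRANCH="${APP_BRANCH:-starter}"
INFRA_BRANCH="${INFRA_BRANCH:-main}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# run <cmd...>: execute, or print the command when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# sync_branch <dir> <branch>: make <dir> an exact copy of origin/<branch>.
# fetch + reset --hard (rather than 'git pull') discards any edits made
# directly on the server, so what gets built is what the repo contains.
sync_branch() {
  if [ -d "$1/.git" ]; then
    run git -C "$1" fetch --prune origin "$2"
    run git -C "$1" reset --hard "origin/$2"
  else
    run git clone --branch "$2" --single-branch "$REPO_URL" "$1"
  fi
}

# verify_commit <dir> <expected-sha>: refuse to deploy if the checkout is not
# the revision the pipeline analysed (pass Jenkins' GIT_COMMIT as the argument).
verify_commit() {
  actual=$(git -C "$1" rev-parse HEAD)
  [ "$actual" = "$2" ] || { echo "refusing to deploy: HEAD $actual != scanned $2" >&2; return 1; }
}

# deploy <app-commit-sha>: sync both branches, check the app commit, rebuild.
deploy() {
  sync_branch "$DEPLOY_ROOT/app" "$APP_BRANCH"
  sync_branch "$DEPLOY_ROOT/infra" "$INFRA_BRANCH"
  [ "$DRY_RUN" = "1" ] || verify_commit "$DEPLOY_ROOT/app" "$1"
  run docker-compose -f "$DEPLOY_ROOT/infra/docker-compose.yml" up -d --build --remove-orphans
}

# Only deploy when explicitly asked, e.g. from Jenkins:
#   ssh ec2-user@HOST 'DEPLOY_NOW=1 sh deploy.sh <GIT_COMMIT>'
if [ "${DEPLOY_NOW:-0}" = "1" ]; then deploy "${1:?app commit sha required}"; fi
```

Running it with DRY_RUN=1 first prints the plan, which is a cheap way to check paths and branch names before the script ever touches the server. The commit check is the piece worth keeping even if the rest changes: without it, a push to starter between the scan stages and the SSH stage would be deployed without ever having passed the quality gate.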

Monitoring with Prometheus & Grafana

I also set up Prometheus and Grafana for monitoring. They run as part of the Docker Compose stack.

Another problem I'm still facing and need to solve

Every time I rebuild the stack with docker-compose up --build, I lose my Prometheus configuration and Grafana dashboards.

What to do?

I'm still thinking about how to handle this. If you have any idea how to solve it, please share your suggestions.
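One way to keep the monitoring configuration and dashboards across rebuilds, as an added example rather than anything from the post: keep the Prometheus config and Grafana provisioning files on the host as read-only bind mounts, and put the two services' data in named volumes, which Compose leaves in place when it recreates containers (only docker-compose down -v removes them). The script below assumes hypothetical service names prometheus and grafana and a hypothetical host directory; it writes a docker-compose.override.yml, which Compose merges automatically with the docker-compose.yml in the same directory.

```shell
#!/usr/bin/env sh
# Added example, not from the post. Generates the files needed to keep
# Prometheus config and Grafana dashboards outside the containers.
# Service names and paths are assumptions; adjust to the real compose file.
set -eu

# make_persist_dirs <root>: host directories for the read-only config mounts.
# Data directories are named volumes, so no chown for the container uids is needed.
make_persist_dirs() {
  mkdir -p "$1/prometheus" "$1/grafana/provisioning/dashboards" "$1/grafana/dashboards"
}

# write_override <root> <out-file>: override that adds the mounts.
# Config is bind-mounted read-only from the repo; data lives in named volumes.
write_override() {
  cat > "$2" <<EOF
services:
  prometheus:
    volumes:
      - $1/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - prometheus-data:/prometheus
  grafana:
    volumes:
      - $1/grafana/provisioning:/etc/grafana/provisioning:ro
      - $1/grafana/dashboards:/var/lib/grafana/dashboards:ro
      - grafana-data:/var/lib/grafana
volumes:
  prometheus-data:
  grafana-data:
EOF
}

# write_dashboard_provider <root>: Grafana provisioning file that loads every
# dashboard JSON from the bind-mounted directory, so dashboards are versioned
# in git instead of clicked together in the UI and lost on rebuild.
write_dashboard_provider() {
  cat > "$1/grafana/provisioning/dashboards/default.yml" <<'EOF'
apiVersion: 1
providers:
  - name: default
    folder: ''
    type: file
    options:
      path: /var/lib/grafana/dashboards
EOF
}

# count_mounts <override-file>: number of volume entries written, a quick
# sanity check before running 'docker-compose config' on the host.
count_mounts() {
  grep -c '^      - ' "$1"
}

# Usage on the host (hypothetical root directory):
#   make_persist_dirs /opt/app-deploy/infra/monitoring
#   write_override /opt/app-deploy/infra/monitoring /opt/app-deploy/infra/docker-compose.override.yml
#   write_dashboard_provider /opt/app-deploy/infra/monitoring
```

Check the merged result with docker-compose config before the next up --build; if a mount path is wrong, that command reports it without touching the running stack. Exporting existing dashboards as JSON into the dashboards directory turns them into files the provisioning provider picks up on every start.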

More updates on this soon!

🔐 SSL with Certbot (Manually)

I’m not using Certbot inside Docker. Instead, I installed it directly on my EC2 server to manage HTTPS for my domain sharesampatti.com.

It’s working for now, but I’m running into some issues with certificate renewals and NGINX config that I plan to debug and document in a future update.

What's Next?

  • Fixing Prometheus and Grafana persistence

  • Smoothing out SSL renewal with Certbot

  • Writing better health checks and alerts

  • Maybe switching to GitHub Actions or GitLab CI for comparison

Final Thoughts

This setup wasn’t straightforward. I hit real-world deployment issues, but solving them taught me a lot about:

  • CI/CD branching strategies

  • Docker Compose deployment in multi-branch repos

  • Remote deployment via SSH

  • Persistent monitoring stack setups

If you’re struggling with similar challenges, feel free to drop your questions. I’ll be updating this post as I refine things.

Stay tuned!



Originally published on My Substack —  subscribe for early access and exclusive insights.
