The aim of the AppSec pipeline is to provide the ability to perform automated security assessments against a system. The pipeline should help reduce the amount of time spent on repetitive AppSec activities, so that a security team's time is put to better use. It should also give security teams a consistent process to follow.
- Set up the pipeline by running:
  $ ./startup.bash
  This will also start a webhook service between DefectDojo and StackStorm. This process must be kept running throughout the life of the pipeline.
- Download a Burp Suite Professional .jar file and place it in the /burp-rest-api/lib directory.
- Access the Burpdock container by running:
  $ sudo docker exec -it burpdock bash
- Inside the container, navigate to opt/burpdock/burp-rest-api and build the Burp Suite .jar by running:
  $ gradle clean build
  An error message may show up during the build, but this is irrelevant and can be ignored.
- Once Burp is built, launch the API service:
  $ java -jar build/libs/burp-rest-api-1.0.0.jar
  You will be prompted to enter your Burp Professional license. Keep this process running throughout the life of the pipeline.

StackStorm
- Container: $ sudo docker exec -it stackstorm bash
- UI: localhost

DefectDojo
- Container: $ sudo docker exec -it banzai_dojo_1 bash
- UI: localhost:8000

Burp Rest API
- Container: $ sudo docker exec -it burpdock bash

Google Gruyere
- Container: $ sudo docker exec -it gruyere bash
- UI: localhost:8008

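
A preflight check for the setup above, as an added example that is not part of the Banzai repository: it confirms that the four containers listed here are up, that the Burp REST API process from the last setup step is still running in burpdock, and that the three UIs respond. Assumptions: the UIs answer plain HTTP, and the function names and the `check` argument are hypothetical.

```bash
# Preflight check (added example, not part of the Banzai repository).
# Container names, UI addresses and the jar name are the ones on this page.

REQUIRED_CONTAINERS="stackstorm banzai_dojo_1 burpdock gruyere"
# Assumption: the UIs answer plain HTTP; the page gives host and port only.
UI_URLS="http://localhost http://localhost:8000 http://localhost:8008"
BURP_JAR="burp-rest-api-1.0.0.jar"

# Reads running container names on stdin (one per line) and prints each
# required container that is absent. Returns 1 if any is missing.
# grep -x -F matches whole lines exactly, so "burpdock_old" is not "burpdock".
missing_containers() {
    local running name rc=0
    running="$(cat)"
    for name in $REQUIRED_CONTAINERS; do
        if ! printf '%s\n' "$running" | grep -qxF -- "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Reads `docker top` output on stdin; succeeds if the Burp REST API jar
# launched in the last setup step is among the listed processes.
burp_api_running() {
    grep -qF -- "$BURP_JAR"
}

# Runs all checks against the local Docker daemon; returns 1 on any failure.
preflight() {
    local missing url rc=0
    missing="$(docker ps --format '{{.Names}}' | missing_containers)" || true
    if [ -n "$missing" ]; then
        printf 'container not running: %s\n' $missing >&2
        rc=1
    fi
    if ! docker top burpdock 2>/dev/null | burp_api_running; then
        echo "Burp REST API process not found in burpdock" >&2
        rc=1
    fi
    for url in $UI_URLS; do
        curl -s -o /dev/null --max-time 5 "$url" || { echo "UI unreachable: $url" >&2; rc=1; }
    done
    return "$rc"
}

# Hypothetical entry point: run the checks only when called with "check".
if [ "${1:-}" = "check" ]; then preflight; exit $?; fi
```

Run it with the argument `check` before starting a scan; an exit status of 0 means every check passed.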
For more detailed information, go to the repository's Wiki page: https://github.com/brianlam38/Banzai/wiki.
- Brian Lam
- Jacqueline Lee