Sample Spring application with a Jenkins pipeline script to demonstrate secure pipelines
- minikube v1.12.1 - Refer here for installation
- helm v3.2.1 - Refer here for installation
- Setup minikube
  ```
  minikube start --nodes=1 --cpus=4 --memory=8g --disk-size=35g --embed-certs=true
  ```
- Setup Jenkins server
  ```
  helm repo add stable https://kubernetes-charts.storage.googleapis.com
  helm repo update
  helm install jenkins stable/jenkins
  ```
  Note: Make a note of the admin password printed by the chart
- [Optional] Forward the Jenkins server port to access it from the local machine
  ```
  kubectl port-forward svc/jenkins 8080:8080
  open http://localhost:8080
  ```
- Add additional plugins to the Jenkins server (Manage Jenkins -> Manage plugins)
  - BlueOcean
  - Configuration as Code
  - OWASP Dependency-Track
- Setup Dependency Track server
  ```
  helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
  helm repo update
  kubectl create ns dependency-track
  helm install dependency-track evryfs-oss/dependency-track --namespace dependency-track
  ```
  Note: dependency-track will take some time to start (~1hr on a low-end Mac)
- Login to Dependency Track -> Administration -> Access Management -> Teams -> Click on Automation -> Copy the API Keys
- Login to Jenkins -> Manage Jenkins -> Configure System -> Scroll to bottom -> Configure the Dependency-Track URL and API key -> Save
- Login to Dependency Track -> Projects -> Create Project -> Fill in the Name and save -> Copy the UUID of the project from the URL
- Update the UUID in the Jenkinsfile in the Dependency Track upload section
  Note: This UUID step should not be required ideally; projects should get created automatically. Looks like an open issue
- Create a new Jenkins pipeline with this repo and trigger a build
  - Login to Jenkins -> New Item -> Enter a name and choose Pipeline -> Choose GitHub project and set the project URL
  - Under the Pipeline section, choose "Pipeline script from SCM"
  - Choose git as the SCM and provide the repo details
  - Save
Refer to the screenshot below for the stages in the pipeline

Stage | Tool | Comments
---|---|---
Secrets Scanner | truffleHog |
Dependency Checker | OWASP Dependency checker |
SAST | OWASP Find Security Bugs |
OSS License Checker | LicenseFinder |
SCA | Dependency Track |
Image Scanner | Trivy |
Image Hardening | Dockle |
K8s Hardening | KubeSec |
Image Malware scanning | ClamAV | TODO
DAST | OWASP Baseline Scan |
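The following declarative Jenkinsfile is an added example of how the stages in the table above fit together as a fail-fast pipeline; it is not the repository's own Jenkinsfile. It assumes the scanners are installed on the agent (or available as Docker images), that the Find Security Bugs detector is declared in `pom.xml`, that `jq` is on the agent, and that the application is deployed somewhere reachable at `TARGET_URL` before the DAST stage (the deploy stage itself is omitted). `DT_PROJECT_UUID`, `IMAGE`, `TARGET_URL` and the manifest path `k8s/deployment.yaml` are placeholders; the ClamAV stage is left out because the table marks it TODO.

```groovy
pipeline {
    agent any

    environment {
        // Placeholder (assumed): replace with the project UUID copied from the
        // Dependency-Track project URL in the setup steps above
        DT_PROJECT_UUID = 'REPLACE-WITH-DEPENDENCY-TRACK-PROJECT-UUID'
        // Image tag produced by this build (assumed name)
        IMAGE           = "sample-spring:${env.BUILD_NUMBER}"
        // URL of the already-deployed application that the DAST stage probes (assumed)
        TARGET_URL      = 'http://sample-spring.default.svc.cluster.local:8080'
    }

    stages {
        stage('Secrets Scanner') {
            steps {
                // truffleHog walks the git history for known secret patterns; a hit
                // returns non-zero and stops the pipeline before anything is built
                sh 'trufflehog --regex --entropy=False file://$WORKSPACE'
            }
        }
        stage('Dependency Checker') {
            steps {
                // OWASP Dependency-Check over the Maven dependency tree; fail on CVSS >= 7
                sh 'mvn -B org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7'
            }
        }
        stage('SAST') {
            steps {
                // SpotBugs with the Find Security Bugs detector plugin (assumed to be
                // declared in pom.xml); the check goal fails the build on findings
                sh 'mvn -B compile com.github.spotbugs:spotbugs-maven-plugin:check'
            }
        }
        stage('OSS License Checker') {
            steps {
                // LicenseFinder exits non-zero when a dependency license is not on the approved list
                sh 'license_finder'
            }
        }
        stage('SCA') {
            steps {
                // Generate a CycloneDX SBOM and push it to Dependency-Track via the
                // dependencyTrackPublisher step of the OWASP Dependency-Track Jenkins plugin;
                // synchronous: true waits for the analysis so the build can fail on its result
                sh 'mvn -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom'
                dependencyTrackPublisher artifact: 'target/bom.xml',
                                         projectId: env.DT_PROJECT_UUID,
                                         synchronous: true
            }
        }
        stage('Build Image') {
            steps {
                sh 'docker build -t "$IMAGE" .'
            }
        }
        stage('Image Scanner') {
            steps {
                // Trivy: fail on HIGH/CRITICAL findings in OS packages and application libraries
                sh 'trivy image --exit-code 1 --severity HIGH,CRITICAL "$IMAGE"'
            }
        }
        stage('Image Hardening') {
            steps {
                // Dockle checks image best practices (non-root user, no secrets in layers, ...)
                sh 'dockle --exit-code 1 "$IMAGE"'
            }
        }
        stage('K8s Hardening') {
            steps {
                // KubeSec scores each manifest; reject any with a negative score
                // (a critical finding). jq is assumed to be installed on the agent.
                sh 'kubesec scan k8s/deployment.yaml | jq -e "[.[] | select(.score < 0)] | length == 0"'
            }
        }
        stage('DAST') {
            steps {
                // OWASP ZAP baseline (passive) scan against the running application
                sh 'docker run --rm -t owasp/zap2docker-stable zap-baseline.py -t "$TARGET_URL"'
            }
        }
    }
}
```

The ordering is deliberate: the cheap, source-only checks (secrets, dependencies, SAST, licenses) run before any image is built, so a leaked credential or a known-vulnerable library stops the build before it produces an artifact, and the image and manifest checks gate what would otherwise be pushed and deployed. Each tool is invoked so that a finding above the chosen threshold returns a non-zero exit code, which is what makes a stage fail in Jenkins; without an explicit `--exit-code` or `failBuildOnCVSS`-style setting several of these tools only report and the pipeline would pass regardless.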