Sample spring application with Jenkins pipeline script to demonstrate secure pipelines
- minikube v1.24.0 - Refer here for installation
- helm v3.7.2 - Refer here for installation
- Setup minikube
minikube start --nodes=1 --cpus=4 --memory 8192 --disk-size=35g --embed-certs=true --driver=hyperkit minikube addons enable ingress
-
Stup Jenkins server
helm repo add jenkins https://charts.jenkins.io helm repo update helm install jenkins jenkins/jenkins
-
Wait for the jenkins pod to start
-
Get admin user password of Jenkins
kubectl exec --namespace default -it svc/jenkins -c jenkins -- /bin/cat /run/secrets/chart-admin-password && echo
Note: Make a note of the password
-
[Optional] Forward Jenkins server port to access from local machine
kubectl port-forward svc/jenkins 8080:8080 open http://localhost:8080
-
Add additonal plugins to Jeninks server (Manage Jenkins -> Manage plugins)
- BlueOcean
- Configuration as Code
- OWASP Dependency-Track
- Update Kubernetes plugin to version 3802
-
Refer Dependency Track v4 Installation Guide
Note: dependency-track will take some time to start (~1hr on low end Mac)
-
Login to Dependency track -> Administration -> Access Management -> Teams -> Click on Automation -> Copy the API Keys -> Also add the Permissions - PROJECT_CREATION_UPLOAD, POLICY_VIOLATION_ANALYSIS, VULNERABILITY_ANALYSIS
-
Login to Jenkins -> Manage Jenkins -> Configure Credentials -> Click on "global domain" -> Click on Add Credentials.
-
Select Kind as "Secret Text" -> Add the api-key from Dependency Track application in above step -> Add id as "dependency-track-api-key" -> Click on Create
-
Login to Jenkins -> Manage Jenkins -> Configure System -> Scroll to bottom -> Configure the Dependency-Track URL and API key (Use above secret file created) -> Also enable Auto Create Projects -> Test Connection -> Save
Hint: URL (if you have followed the exact steps) http://deptrack-dependency-track-apiserver.deptrack.svc.cluster.local (Format: serviceName.namespace.svc.cluster.local)
Create a new Jenkins pipeline with this repo and trigger build
- Login to Jenkins -> New Item -> Enter name and choose Pipeline -> Choose GitHub project and set project URL
- Under pipeline section, Choose Pipeline script from SCM
- Choose git as SCM and provide repo details
- Save
minikube ssh
docker pull licensefinder/license_finder
Once the docker pull is completed, then run the pipeline Job in Jenkins.
Refer the below screenshot for the stages in the pipeline
Stage | Tool |
---|---|
Secrets Scanner | truffleHog |
Dependency Checker | OWASP Dependency checker |
SAST | OWASP Find Security Bugs |
OSS License Checker | LicenseFinder |
SCA | Dependency Track |
Image Scanner | Trivy |
Image Hardening | Dockle |
K8s Hardening | KubeSec |
IaC Hardening | checkov |
DAST | OWASP Baseline Scan |
Image Malware scanning - ClamAV