Sample spring application with Jenkins pipeline script to demonstrate secure pipelines
- minikube v1.13.0 - Refer here for installation
- helm v3.3.1 - Refer here for installation
- Set up minikube:
minikube start --nodes=1 --cpus=4 --memory 8192 --disk-size=35g --embed-certs=true
- Set up the Jenkins server:
helm repo add jenkinsci https://charts.jenkins.io
helm repo update
helm install jenkins jenkinsci/jenkins
Note: Make a note of the Jenkins admin password.
- [Optional] Forward the Jenkins server port to access it from the local machine:
kubectl port-forward svc/jenkins 8080:8080
open http://localhost:8080
- Add additional plugins to the Jenkins server (Manage Jenkins -> Manage plugins):
  - BlueOcean
  - Configuration as Code
  - OWASP Dependency-Track
- Set up the Dependency-Track server:
helm repo add evryfs-oss https://evryfs.github.io/helm-charts/
helm repo update
kubectl create ns dependency-track
helm install dependency-track evryfs-oss/dependency-track --namespace dependency-track
kubectl port-forward svc/dependency-track 8081:80 -n dependency-track
open http://localhost:8081
Note: Dependency-Track will take some time to start (~1hr on a low-end Mac).
- Log in to Dependency-Track -> Administration -> Access Management -> Teams -> Click on Automation -> Copy the API key
- Log in to Jenkins -> Manage Jenkins -> Configure System -> Scroll to the bottom -> Configure the Dependency-Track URL and API key -> Save
- Log in to Dependency-Track -> Projects -> Create Project -> Fill in the name and save -> Copy the UUID of the project from the URL
- Update the UUID in the Jenkinsfile in the Dependency-Track upload section.
Hint: URL (if you have followed the exact steps): http://dependency-track.dependency-track.svc.cluster.local
Note: Ideally this UUID step should not be required, since projects are supposed to be created automatically; this looks like an open issue.
- Create a new Jenkins pipeline with this repo and trigger a build:
  - Log in to Jenkins -> New Item -> Enter a name and choose Pipeline -> Choose GitHub project and set the project URL
  - Under the Pipeline section, choose "Pipeline script from SCM"
  - Choose Git as the SCM and provide the repo details
  - Save
The screenshot below shows the stages in the pipeline; the table lists the tool used at each stage.

| Stage | Tool |
|---|---|
| Secrets Scanner | truffleHog |
| Dependency Checker | OWASP Dependency checker |
| SAST | OWASP Find Security Bugs |
| OSS License Checker | LicenseFinder |
| SCA | Dependency Track |
| Image Scanner | Trivy |
| Image Hardening | Dockle |
| K8s Hardening | KubeSec |
| IaC Hardening | checkov |
| DAST | OWASP Baseline Scan |
| Image Malware Scanner | ClamAV |
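As an added example (not the repository's own Jenkinsfile), the Dependency-Track upload step from the setup steps above and the Trivy image-scan stage from the table, written as a declarative pipeline. It assumes a Maven project, the Dependency-Track plugin configured globally as above, Docker and Trivy on the agent, a placeholder project UUID that must be replaced, an assumed image name, and the threshold options (failedTotalCritical/failedTotalHigh) of the plugin's 3.x releases.

```groovy
// Added example, not the repository's Jenkinsfile. Assumptions: Maven project,
// Dependency-Track plugin configured with URL + API key, docker and trivy on the
// agent, DT_PROJECT_ID replaced with the UUID copied from the project URL.
pipeline {
    agent any
    environment {
        DT_PROJECT_ID = 'REPLACE-WITH-PROJECT-UUID'          // placeholder
        IMAGE         = "example/sample-spring:${BUILD_NUMBER}" // assumed image name
    }
    stages {
        stage('Build') {
            steps { sh 'mvn -B -DskipTests package' }
        }
        stage('SCA: Dependency Track') {
            steps {
                // Generate a CycloneDX BOM of all resolved dependencies.
                sh 'mvn -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom'
                // Upload the BOM and wait for analysis so the thresholds below
                // apply to this build's results rather than an earlier upload.
                dependencyTrackPublisher artifact: 'target/bom.xml',
                    projectId: env.DT_PROJECT_ID,
                    synchronous: true,
                    failedTotalCritical: 0,  // fail when critical findings exceed 0
                    failedTotalHigh: 5       // fail when high findings exceed 5
            }
        }
        stage('Image Scanner: Trivy') {
            steps {
                sh "docker build -t ${IMAGE} ."
                // Non-zero exit on HIGH/CRITICAL CVEs marks the stage failed.
                sh "trivy image --exit-code 1 --severity HIGH,CRITICAL ${IMAGE}"
            }
        }
    }
}
```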