Secure Pipelines Demo
Sample spring application with Jenkins pipeline script to demonstrate secure pipelines
Pre Requesites
- minikube v1.18.1 - Refer here for installation
- helm v3.5.3 - Refer here for installation
Setup Setps
Minikube setup
- Setup minikube
minikube start --nodes=1 --cpus=4 --memory 8192 --disk-size=35g --embed-certs=true --driver=hyperkit
Jenkins setup
-
Stup Jenkins server
helm repo add jenkins https://charts.jenkins.io helm repo update helm install jenkins jenkins/jenkins
-
Wait for the jenkins pod to start
-
Get admin user password of Jenkins
kubectl exec --namespace default -it svc/jenkins -c jenkins -- /bin/cat /run/secrets/chart-admin-password && echo
Note: Make a note of the password
-
[Optional] Forward Jenkins server port to access from local machine
kubectl port-forward svc/jenkins 8080:8080 open http://localhost:8080
-
Add additonal plugins to Jeninks server (Manage Jenkins -> Manage plugins)
- BlueOcean
- Configuration as Code
- OWASP Dependency-Track
Dependency Track setup
-
Refer Dependency Track v4 Installation Guide
Note: dependency-track will take some time to start (~1hr on low end Mac)
Link Jenkins and Dependency Track
-
Login to Dependency track -> Administration -> Access Management -> Teams -> Click on Automation -> Copy the API Keys -> Also add the Permissions - PROJECT_CREATION_UPLOAD, POLICY_VIOLATION_ANALYSIS, VULNERABILITY_ANALYSIS
-
Login to Jenkins -> Manage Jenkins -> Configure System -> Scroll to bottom -> Configure the Dependency-Track URL and API key -> Also enable Auto Create Projects -> Test Connection -> Save
Hint: URL (if you have followed the exact steps) http://dependency-track-apiserver.dependency-track.svc.cluster.local
New Jenkins Pipeline
Create a new Jenkins pipeline with this repo and trigger build
- Login to Jenkins -> New Item -> Enter name and choose Pipeline -> Choose GitHub project and set project URL
- Under pipeline section, Choose Pipeline script from SCM
- Choose git as SCM and provide repo details
- Save
Pipeline
Refer the below screenshot for the stages in the pipeline
Pipeline View
Stage View
Dependency Track
Tools
Stage | Tool |
---|---|
Secrets Scanner | truffleHog |
Dependency Checker | OWASP Dependency checker |
SAST | OWASP Find Security Bugs |
OSS License Checker | LicenseFinder |
SCA | Dependency Track |
Image Scanner | Trivy |
Image Hardening | Dockle |
K8s Hardening | KubeSec |
IaC Hardening | checkov |
DAST | OWASP Baseline Scan |
TODO
Image Malware scanning - ClamAV