This is a Jenkins Declarative pipeline, written in Groovy, that assists with requirements tagging and suggests STIGs and tests. Requirements are managed as GitHub Issues. When a requirement is opened, the pipeline detects whether it is security-related and labels the issue accordingly (by default "SECURITY" or "NON-SECURITY"; see the variables below). If the requirement is security-related, the next stages of the pipeline handle STIG and RQCODE test suggestions.
- Prerequisites for use:
  - Groovy
  - Jenkins + GitHub connection
  - Docker support in Jenkins
- Installation:
  - Clone the repository: `git clone https://github.com/VeriDevOps/project-example.git`
  - Copy Jenkinsfile-security-requirements-analysis to your project's repository
  - Install the prerequisite plugins listed in plugins.txt into Jenkins
  - Change the variables at the top of Jenkinsfile-security-requirements-analysis:

Variable name | Type | Default | Meaning |
---|---|---|---|
ISSUE_SECURITY_LABEL | String | "SECURITY" | Label set on the issue when the requirement is security-related |
ISSUE_NON_SECURITY_LABEL | String | "NON-SECURITY" | Label set on the issue when the requirement is not security-related |
SEND_STIG_SUGGESTIONS_TO_RQCODE | Boolean | true | If true, STIG implementation suggestions are sent to the repository given in VDO_PATTERNS_REPO |
ARQAN_CLASSIFICATION_API_ENDPOINT | String | "http://51.178.12.108:8000" | URL of the ARQAN classification service. The default is plain HTTP to a bare IP address, so requirement text leaves the Jenkins host unencrypted; prefer an HTTPS endpoint under your control |
VDO_PATTERNS_REPO | Map | [owner: "anaumchev", name: "VDO-Patterns", url: "https://github.com/anaumchev/VDO-Patterns.git"] | Owner, name and clone URL of the repository holding the test implementations (VDO-Patterns) |
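The following is an added example, not the project's own Jenkinsfile-security-requirements-analysis: a minimal declarative pipeline that follows the flow described above (classify the requirement, label the issue, then gate the STIG/RQCODE stage on the result) using the variables from the table. It assumes that the GitHub trigger passes the issue number and body as build parameters, that the ARQAN service accepts `POST /classify` with `{"text": ...}` and answers `{"security": true|false}` (the real request format is not documented here), that a Jenkins secret-text credential with ID `github-token` holds a GitHub token, and a `GITHUB_REPO` variable naming the target repository. The two points worth copying are that the token is bound from the credentials store and expanded by the shell rather than interpolated into Groovy, and that issue text reaches curl through a file, never through a command line.

```groovy
// Added example, not the project's Jenkinsfile. Assumptions: ISSUE_NUMBER/ISSUE_BODY
// parameters from the GitHub trigger, an assumed ARQAN request/response shape
// (POST /classify, {"text": ...} -> {"security": true|false}), a secret-text
// credential 'github-token', and the added GITHUB_REPO variable.
pipeline {
    agent any

    parameters {
        string(name: 'ISSUE_NUMBER', defaultValue: '', description: 'GitHub issue number of the requirement (assumed)')
        text(name: 'ISSUE_BODY', defaultValue: '', description: 'Requirement text to classify (assumed)')
    }

    // The variables from the table above; GITHUB_REPO is an added assumption.
    environment {
        ISSUE_SECURITY_LABEL              = 'SECURITY'
        ISSUE_NON_SECURITY_LABEL          = 'NON-SECURITY'
        SEND_STIG_SUGGESTIONS_TO_RQCODE   = 'true'
        ARQAN_CLASSIFICATION_API_ENDPOINT = 'http://51.178.12.108:8000'
        GITHUB_REPO                       = 'VeriDevOps/project-example'
    }

    stages {
        stage('Validate input') {
            steps {
                script {
                    // The issue number is interpolated into a shell command below,
                    // so accept only digits; the issue body is never put on a command line.
                    if (!(params.ISSUE_NUMBER ==~ /\d+/)) {
                        error("ISSUE_NUMBER must be numeric, got: '${params.ISSUE_NUMBER}'")
                    }
                }
            }
        }

        stage('Classify requirement') {
            steps {
                script {
                    // Issue text goes through a JSON file, not shell interpolation, so a
                    // crafted requirement cannot inject commands into the curl call.
                    writeFile file: 'payload.json',
                              text: groovy.json.JsonOutput.toJson([text: params.ISSUE_BODY])
                    def raw = sh(returnStdout: true, script: """
                        curl -sS --fail -H 'Content-Type: application/json' \\
                             --data @payload.json \\
                             "${env.ARQAN_CLASSIFICATION_API_ENDPOINT}/classify"
                    """).trim()
                    def result = new groovy.json.JsonSlurperClassic().parseText(raw)
                    env.IS_SECURITY = (result.security == true) ? 'true' : 'false'
                }
            }
        }

        stage('Label issue') {
            steps {
                script {
                    def label = env.IS_SECURITY == 'true' ? env.ISSUE_SECURITY_LABEL
                                                          : env.ISSUE_NON_SECURITY_LABEL
                    writeFile file: 'labels.json',
                              text: groovy.json.JsonOutput.toJson([labels: [label]])
                }
                // The token comes from the Jenkins credentials store and is expanded by
                // the shell ($GITHUB_TOKEN), never interpolated into the Groovy string.
                withCredentials([string(credentialsId: 'github-token', variable: 'GITHUB_TOKEN')]) {
                    sh """
                        curl -sS --fail -X POST \\
                             -H "Authorization: Bearer \$GITHUB_TOKEN" \\
                             -H "Accept: application/vnd.github+json" \\
                             --data @labels.json \\
                             "https://api.github.com/repos/${env.GITHUB_REPO}/issues/${params.ISSUE_NUMBER}/labels"
                    """
                }
            }
        }

        stage('Suggest STIGs and RQCODE tests') {
            // Runs only for security requirements and only when forwarding is enabled.
            when {
                allOf {
                    environment name: 'IS_SECURITY', value: 'true'
                    environment name: 'SEND_STIG_SUGGESTIONS_TO_RQCODE', value: 'true'
                }
            }
            steps {
                // The STIG lookup and the push to VDO_PATTERNS_REPO are project-specific
                // and are not reproduced in this example.
                echo "Issue #${params.ISSUE_NUMBER} is security-related: preparing STIG and RQCODE suggestions"
            }
        }
    }
}
```

The GitHub call uses the REST endpoint for adding labels to an issue (`POST /repos/{owner}/{repo}/issues/{issue_number}/labels`); the `github-token` credential should be a fine-grained token limited to issue write access on the target repository.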
We appreciate feedback and contributions to this repo! Before you get started, please see the following:
- Use Issues for code-level support, usage questions and specific cases
- Feel free to reach out to us