
A demonstration of a continuous integration pipeline focused on security testing


secure-pipeline/jenkins-example


This repository contains a sample Jenkins continuous integration setup focused on security testing.

As well as installing Jenkins, this project creates a number of jobs which:

  • Download RailsGoat and run its unit tests
  • Scan for known viruses using ClamAV
  • Check for insecure dependencies with bundler audit
  • Run a static analysis using the Brakeman security scanner
  • Spider and report issues found via OWASP ZAP
  • Generate some code metrics using Sloccount
  • Run the Capybara integration tests

We use the RailsGoat application as an example; for your own work you could swap it out for your own applications.
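The jobs listed above expressed as stages of a single declarative Jenkins pipeline, as an added example that is not part of this repository (which defines its jobs through Puppet). It assumes the build agent has Ruby/Bundler, brakeman, bundle-audit, clamscan and ZAP's zap-baseline.py on PATH, that RailsGoat is cloned from its GitHub location, and that the hypothetical TARGET_URL variable points at a running copy of the application for ZAP to spider.

```groovy
// Added example, not the repository's own configuration. Assumes the tools above
// are on PATH and TARGET_URL (hypothetical) is a running copy of the application.
pipeline {
    agent any
    environment {
        TARGET_URL = 'http://localhost:3000'  // hypothetical deployment under test
    }
    stages {
        stage('Checkout and unit tests') {
            steps {
                git 'https://github.com/OWASP/railsgoat.git'  // assumed RailsGoat location
                sh 'bundle install --path vendor/bundle'
                sh 'bundle exec rspec'
            }
        }
        stage('Virus scan') {
            steps {
                // clamscan exits 1 if an infected file is found, which fails the stage
                sh 'clamscan -r --infected .'
            }
        }
        stage('Dependency audit') {
            steps {
                // --update refreshes ruby-advisory-db first; a vulnerable gem fails the stage
                sh 'bundle-audit check --update'
            }
        }
        stage('Static analysis') {
            steps {
                // Brakeman exits non-zero when it finds warnings; capture the status
                // so the report is still archived, and mark the build unstable
                script {
                    def rc = sh(script: 'brakeman -q -o brakeman.json', returnStatus: true)
                    if (rc != 0) { unstable('Brakeman reported warnings') }
                }
            }
        }
        stage('Dynamic scan') {
            steps {
                // ZAP baseline spiders and passively scans; a non-zero exit fails the stage
                sh 'zap-baseline.py -t "$TARGET_URL" -r zap-report.html'
            }
        }
    }
    post {
        always { archiveArtifacts artifacts: 'brakeman.json, zap-report.html', allowEmptyArchive: true }
    }
}
```

Treating Brakeman warnings as "unstable" rather than "failed" keeps the report available for triage without blocking unrelated stages; tighten this to a hard failure once the baseline is clean.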

Getting started

First install Vagrant, which we're using to manage the virtual machines on which we're installing the tools.

Once you have Vagrant installed you'll need a few plugins.

vagrant plugin install vagrant-serverspec
vagrant plugin install vagrant-hosts
vagrant plugin install vagrant-cucumber-host

You'll need a basic Ruby environment for the following steps. First install Bundler, which manages Ruby dependencies. Then install the Ruby and Puppet dependencies:

bundle install
bundle exec librarian-puppet install

Have a look in the Gemfile and Puppetfile for a full list of what is being downloaded. If you don't have the bundle command available, see the Bundler site for installation instructions.

And finally, let's boot the virtual machines:

vagrant up

DigitalOcean provider

By default this will use Virtualbox, but if you'd rather run a remote virtual machine it also contains a DigitalOcean configuration.

vagrant up --provider=digital_ocean

This relies on environment variables DIGITAL_OCEAN_CLIENT_ID and DIGITAL_OCEAN_CLIENT_API_KEY.

Build an image

As well as being able to launch local and remote instances, the repository also contains a Packer template for building an image in DigitalOcean. This could be adapted for other providers easily enough. With Packer installed, run the following:

packer build template.json

This requires the environment variables DIGITALOCEAN_API_KEY and DIGITALOCEAN_CLIENT_ID to be set.

Colophon

This uses a fair few open source tools. Thanks in particular to:
