/*
This pipeline will carry out the following on the project:
1. Git secret checker
2. Software Composition Analysis
3. Static Application Security Testing
4. Container security audit
5. Dynamic Application Security Testing
6. Host system security audit
7. Host application protection
*/
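// Address of the test host launched in 'Setup test env'. The string "null" is a
// sentinel meaning "no host launched"; later stages compare against it before
// targeting the host. Declared outside `pipeline {}` so every stage shares it.
testenv = "null"

pipeline {
    /* Which agent are we running this pipeline on? We can configure different OS */
    agent any

    stages {
        stage('Checkout project') {
            steps {
                echo 'downloading git directory..'
                git 'https://github.com/web-codegrammer/DevSecops-Test-Pipeline.git'
            }
        }

        stage('git secret check') {
            steps {
                script {
                    echo 'running trufflehog to check project history for secrets'
                    // trufflehog takes a single git URL as its positional argument. The
                    // original line additionally passed "python3 truffleHog.py" before
                    // the URL, which the CLI rejects as unrecognised arguments, so the
                    // stage could not succeed; those stray tokens are dropped here.
                    // --max_depth=1 inspects only the most recent commit.
                    sh 'trufflehog --regex --entropy=False --max_depth=1 https://github.com/web-codegrammer/DevSecops-Test-Pipeline'
                }
            }
        }

        stage('SCA') {
            steps {
                echo 'running python safety check on requirements.txt file'
                // Known-vulnerable dependency check. `safety` exits non-zero on findings,
                // so this stage is gating (unlike SAST below).
                sh 'safety check -r $WORKSPACE/owasp-top10-2017-apps/a7/gossip-world/app/requirements.txt'
                /*
                echo 'running liccheck on dependencies'
                sh """
                virtualenv --no-site-packages .
                source bin/activate
                pip install -r $WORKSPACE/owasp-top10-2017-apps/a7/gossip-world/app/requirements.txt
                liccheck -s ~/my_strategy.ini -r $WORKSPACE/owasp-top10-2017-apps/a7/gossip-world/app/requirements.txt
                deactivate
                """
                */
            }
        }

        stage('SAST') {
            steps {
                echo 'Testing source code for security bugs and vulnerabilities'
                // `|| true` makes this stage non-gating: bandit's medium/high findings
                // (-ll) are printed to the console but never fail the build, and the
                // output is not archived. Keep in mind when reading a green build.
                sh 'bandit -r $WORKSPACE/owasp-top10-2017-apps/a7/gossip-world/app/ -ll || true'
            }
        }

        stage('Container audit') {
            steps {
                echo 'Audit the dockerfile used to spin up the web application'
                script {
                    def lynisPresent = fileExists '/var/jenkins_home/lynis/lynis'
                    if (lynisPresent) {
                        echo 'lynis already exists'
                    } else {
                        // NOTE(review): the tarball is fetched and executed without any
                        // checksum or signature verification; the download location is
                        // trusted by URL alone. The archive is unpacked into ~/, and the
                        // `dir(...)` below assumes that resolves to /var/jenkins_home.
                        sh """
                        wget https://downloads.cisofy.com/lynis/lynis-2.7.5.tar.gz
                        tar xfvz lynis-2.7.5.tar.gz -C ~/
                        rm lynis-2.7.5.tar.gz
                        """
                    }
                }
                dir("/var/jenkins_home/lynis") {
                    // -p so a re-run against the same BUILD_TAG does not fail on mkdir.
                    // Per-build report directory is reused by the DAST and host audit stages.
                    sh """
                    mkdir -p $WORKSPACE/$BUILD_TAG/
                    ./lynis audit dockerfile $WORKSPACE/owasp-top10-2017-apps/a7/gossip-world/deployments/Dockerfile | ansi2html > $WORKSPACE/$BUILD_TAG/docker-report.html
                    mv /tmp/lynis.log $WORKSPACE/$BUILD_TAG/docker_lynis.log
                    mv /tmp/lynis-report.dat $WORKSPACE/$BUILD_TAG/docker_lynis-report.dat
                    """
                }
            }
        }

        stage('Setup test env') {
            steps {
                // Rebuild the ansible inventory from scratch, package the app, and make
                // sure an ssh key exists for ansible. ssh-keygen refuses to overwrite an
                // existing key, which is why `|| true` is there; it also hides any other
                // keygen failure, which then surfaces later as an ansible connection error.
                sh """
                #refresh inventory
                echo "[local]" > ~/ansible_hosts
                echo "localhost ansible_connection=local" >> ~/ansible_hosts
                echo "[tstlaunched]" >> ~/ansible_hosts
                tar cvfz /var/jenkins_home/pythonapp.tar.gz -C $WORKSPACE/owasp-top10-2017-apps/a7/ .
                ssh-keygen -t rsa -N "" -f ~/.ssh/psp_ansible_key || true
                ansible-playbook -i ~/ansible_hosts ~/createAwsEc2.yml
                """
                script {
                    // The line following "[tstlaunched]" is the host appended by the
                    // playbook. Reads the same file written above, assuming HOME is
                    // /var/jenkins_home. If the playbook appended nothing, sed prints an
                    // empty string; restore the sentinel so later stages skip cleanly
                    // instead of targeting an empty host name.
                    def launched = sh(script: "sed -n '/tstlaunched/{n;p;}' /var/jenkins_home/ansible_hosts", returnStdout: true).trim()
                    testenv = launched ? launched : "null"
                }
                echo "${testenv}"
                sh 'ansible-playbook -i ~/ansible_hosts ~/configureTestEnv.yml'
            }
        }

        stage('DAST') {
            steps {
                script {
                    //Test the web application from its frontend
                    /*
                    def exists = fileExists '/var/jenkins_home/nikto-master/program/nikto.pl'
                    if(exists){
                    echo 'nikto already exists'
                    }else{
                    sh """
                    wget https://github.com/sullo/nikto/archive/master.zip
                    unzip master.zip -d ~/ || true
                    rm master.zip
                    """
                    }
                    */
                    def seleniumIp = env.SeleniumPrivateIp
                    if (testenv == "null" || !testenv) {
                        echo 'no test host was launched; skipping DAST'
                    } else {
                        // Without this guard a missing SeleniumPrivateIp is interpolated as
                        // the literal string "null" and handed to the DAST script.
                        if (!seleniumIp) {
                            error 'SeleniumPrivateIp is not set; cannot run authenticated DAST'
                        }
                        // Values originate from the ansible inventory / job environment;
                        // single-quote them so the shell treats each as one argument.
                        sh "python ~/authDAST.py '${seleniumIp}' '${testenv}' $WORKSPACE/$BUILD_TAG/DAST_results.html"
                        //sh "perl /var/jenkins_home/nikto-master/program/nikto.pl -h http://${testenv}:10007/login"
                    }
                }
            }
        }

        stage('System security audit') {
            steps {
                echo 'Run lynis audit on host and fetch result'
                sh 'ansible-playbook -i ~/ansible_hosts ~/hostaudit.yml --extra-vars "logfolder=$WORKSPACE/$BUILD_TAG/"'
            }
        }

        stage('Deploy WAF') {
            steps {
                echo 'Deploy modsecurity as reverse proxy'
                sh 'ansible-playbook -i ~/ansible_hosts ~/configureWAF.yml'
            }
        }
    }

    post {
        always {
            // Teardown is disabled below, so the EC2 test host launched in
            // 'Setup test env' stays running after every build (cost and exposure
            // accumulate per run) until it is removed by hand.
            echo 'We could bring down the ec2 here'
            /*
            echo 'Tear down activity'
            script{
            if("${testenv}" != "null"){
            echo "killing host ${testenv}"
            sh 'ansible-playbook -i ~/ansible_hosts ~/killec2.yml'
            }
            }
            */
        }
    }
}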