IBM Application Security on Cloud Jenkins Integrations

The files in this folder are end-to-end automation that uses the IBM Application Security on Cloud service to run SAST (Static Application Security Testing) against source code, orchestrated with Jenkins.

Below are Jenkins Pipeline templates using the Scripted Pipeline syntax, together with guides to help you implement this control before code enters continuous integration.

Supported Tools & Services

Supported Jenkins Executor Operating System

  • Any Linux distribution

Supported Pipeline Scenarios

Basic Pre-Reqs


Get Setup on IBM Application Security on Cloud

  • Visit IBM Application Security on Cloud to set up your account.
  • Once you have an account, from the My Applications tab, click Create App and give the app a unique name.
  • Take note of the URL (e.g. https://appscan.ibmcloud.com/AsoCUI/serviceui/main/myapps/oneapp/ASOC_APPLICATION_ID), where ASOC_APPLICATION_ID is the ID we use later for the environment property ASOC_APPLICATION_ID in your Jenkinsfile.

Jenkins Plugins Required

NOTE: Install the Jenkins plugins below on your Jenkins master before proceeding.

  • IBM Application Security on Cloud - This plugin allows you to integrate Jenkins with IBM Application Security on Cloud

  • Credentials Binding - This plugin allows credentials to be bound to environment variables for use in build steps; this is particularly useful for passing usernames and passwords into builds.

  • SSH Agent - This plugin allows you to provide SSH credentials to builds via an ssh-agent in Jenkins.

  • Slack Notification - The Slack plugin allows for configuring a default Slack channel, or a Slack channel may be defined on a per build task basis. See directions on Slack Plugin's GitHub home page.

  • Blue Ocean - Blue Ocean is a new project that rethinks the user experience of Jenkins. Designed from the ground up for Jenkins Pipeline and compatible with Freestyle jobs, Blue Ocean reduces clutter and increases clarity for every member of your team through the following key features:

    • Sophisticated visualizations of CD pipelines, allowing for fast and intuitive comprehension of software pipeline status.
    • Pipeline editor that makes automating CD pipelines approachable by guiding the user through an intuitive and visual process to create a pipeline.
    • Personalization of the Jenkins UI to suit the role-based needs of each member of the DevOps team.
    • Pinpoint precision when intervention is needed and/or issues arise. The Blue Ocean UI shows where in the pipeline attention is needed, facilitating exception handling and increasing productivity.
    • Native integration for branch and pull requests enables maximum developer productivity when collaborating on code with others in GitHub.
  • Pipeline - Jenkins Pipeline (or simply "Pipeline" with a capital "P") is a suite of plugins which supports implementing and integrating continuous delivery pipelines into Jenkins.

  • Docker - The Docker plugin allows users to use a Docker host to dynamically provision build agents, run a single build, then tear down the agent. Stable Releases: 1.1.3 or higher

NOTE: This plugin is critical to pulling Docker images from Artifactory dynamically into the Swarm Cloud or your Docker Cloud. Staying at the above stable releases is typically a good idea. Upgrading this plugin should be done with caution.

  • GitHub - This plugin integrates Jenkins with GitHub projects. The plugin currently has three major functionalities:

    • Create hyperlinks between your Jenkins projects and GitHub
    • Trigger a job when you push to the repository by groking HTTP POSTs from a post-receive hook, and optionally auto-managing the hook setup.
    • Report build status result back to GitHub as Commit Status (documented on SO)
    • Base features for other plugins
  • GitHub Branch Source - This plugin provides branch sources for GitHub in Multibranch projects and organization folders from GitHub.

  • Artifactory - The Jenkins Artifactory Plugin brings Artifactory's Build Integration support to Jenkins. This integration allows your build jobs to deploy artifacts automatically to Artifactory and have them linked to the build job that created them.

Add IBM ASoC Credentials to Jenkins Master

  • Visit https://yourjenkins/credentials/store/system/domain/_/
  • Click Add Credentials.
  • In the Kind drop-down list, select IBM Application Security on Cloud Credentials.
  • Enter your IBM ASoC generated API Key ID into the ID field.
  • Enter your API Key Secret into the Secret field.

Add GitHub API Key as Credentials to Jenkins Master

  • Visit https://yourjenkins/credentials/store/system/domain/_/
  • Click Add Credentials.
  • In the Kind drop-down list, select Username with password.
  • Enter your GitHub ID into the Username field.
  • Enter your GitHub Personal Access API Token Credential into the Password field.
  • Give your ID field something meaningful as a variable name to reference in the Jenkinsfile later (e.g. github.access.token).

Add Artifactory API Key as Credentials to Jenkins Master

NOTE: This isn't necessary if you don't have Artifactory; its use can be toggled by a variable in the Jenkinsfile itself.

  • Visit https://yourjenkins/credentials/store/system/domain/_/
  • Click Add Credentials.
  • In the Kind drop-down list, select Username with password.
  • Enter your Artifactory Username into the Username field.
  • Enter your Artifactory API Token Credential into the Password field.
  • Give your ID field something meaningful as a variable name to reference in the Jenkinsfile later (e.g. artifactory.access.token).

Configure Jenkins Master with Global GitHub Settings

  • Visit your Jenkins master's global configuration page at https://yourjenkins/configure
  • Find the GitHub section
  • Choose Add GitHub Server
  • Name your GitHub or GitHub Enterprise Server
  • Set your API URL.
  • Select Add Credentials > Type: Secret Text > Enter your GitHub Personal API Access Token in the Secret field
  • Set your ID to github.secret
  • Select the checkbox for Manage Hooks
  • Click TEST CONNECTION

Configure Jenkins Master with Global Artifactory Settings

NOTE: This isn't necessary if you don't have Artifactory; its use can be toggled by a variable in the Jenkinsfile itself.

  • Visit your Jenkins master's global configuration page at https://yourjenkins/configure
  • Find the Artifactory section
  • Configure Artifactory server
  • Click ADD ARTIFACTORY SERVER
  • Use the Credential Plugin: true (checkbox checked)
  • Server ID: yourartifactory
  • URL: https://yourartifactory/artifactory
  • Default Deployer Credentials: Add a Jenkins Username with password credential if you haven't done so already, or else select the Artifactory credentials from the previous section.
  • Click TEST CONNECTION

Scan Single GitHub Repository

NOTE: For most adopters this will be the common scenario used, and it is the recommended approach to drive a review of the repository's code vulnerability reports prior to a Pull Request merge.

  • In your Jenkins master define a multi-branch pipeline in SCM

  • Add Jenkinsfile_SingleGitHubRepo_Scan to your repository that you configured in your pipeline on your Jenkins master in the previous step.

  • Complete the Environment Variable Properties in the Jenkinsfile we provided

  • Add Jenkins GitHub Pull Request Webhook at your Repository Settings tab (https://github.com/<your organization>/<your repository>/settings/hooks).

  • Select Add webhook.

    • Payload URL: https://myjenkins/github-webhook/
    • Content type: application/x-www-form-urlencoded
    • Let me select individual events: Push, Pull Request
    • Select Active
    • Select Update webhook
  • On your GitHub Repository enforce Pull Request Reviews and enforce Status Checks

  • After the first build has run you can come back on the repository settings and select the status ci/asoc-sast/build-status as a gate to your Pull Request.

  • Now you are ready to code while IBM Application Security on Cloud checks your Pull Requests!
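As an added illustration (not the Jenkinsfile_SingleGitHubRepo_Scan shipped in this folder), the following scripted pipeline shows how the pieces above fit together: the ASOC_APPLICATION_ID environment property, a scan step that blocks until ASoC finishes, and a commit status published under the ci/asoc-sast/build-status context that branch protection can then require. The credential IDs, the node label, the Slack channel and the appscan / GitHubCommitStatusSetter parameters are assumed from the respective plugins' documented syntax, not taken from this repository.

```groovy
// Added example, not the Jenkinsfile_SingleGitHubRepo_Scan shipped in this folder.
// Assumed: an IBM ASoC credential with ID 'asoc.credentials', a 'linux' node label, the appscan
// step syntax of the IBM ASoC plugin, and the GitHubCommitStatusSetter classes of the GitHub plugin.
env.ASOC_APPLICATION_ID = 'REPLACE_WITH_YOUR_ASOC_APPLICATION_ID'   // from the My Applications URL
env.ASOC_CREDENTIALS_ID = 'asoc.credentials'
env.GITHUB_REPO_URL     = 'https://github.com/<your organization>/<your repository>'
env.SLACK_CHANNEL       = '#appsec-scans'

// Publishes a commit status under the context named in this README, so branch protection
// can require it before the Pull Request can be merged.
def reportStatus(String state, String message) {
    step([$class: 'GitHubCommitStatusSetter',
          reposSource:   [$class: 'ManuallyEnteredRepositorySource', url: env.GITHUB_REPO_URL],
          contextSource: [$class: 'ManuallyEnteredCommitContextSource', context: 'ci/asoc-sast/build-status'],
          statusResultSource: [$class: 'ConditionalStatusResultSource',
                               results: [[$class: 'AnyBuildResult', state: state, message: message]]]])
}

node('linux') {
    stage('Checkout') {
        checkout scm                        // multibranch job: the PR head that fired the webhook
        reportStatus('PENDING', 'ASoC static scan queued')
    }
    try {
        stage('ASoC SAST') {
            // The API key and secret never appear here; the plugin reads them from the credential store.
            appscan application: env.ASOC_APPLICATION_ID,
                    credentials: env.ASOC_CREDENTIALS_ID,
                    name: "${env.JOB_NAME} #${env.BUILD_NUMBER}",
                    scanner: static_analyzer(target: env.WORKSPACE),
                    wait: true,              // block until ASoC finishes so the result gates the PR
                    failBuild: true          // assumption: fail the build when the scan reports findings
        }
        reportStatus('SUCCESS', 'ASoC static scan passed')
    } catch (err) {
        reportStatus('FAILURE', "ASoC static scan failed: ${err.message}")
        slackSend channel: env.SLACK_CHANNEL, color: 'danger',
                  message: "ASoC SAST failed for ${env.JOB_NAME} ${env.BUILD_URL}"
        throw err
    }
}
```

The PENDING status is set before the scan starts so that a PR opened while a scan is queued is already blocked rather than mergeable by default.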

Scan all repositories in a GitHub Organization

NOTE: The value of this type of scan is to help a team baseline the security status of their current code base. We do not recommend using this type of scan routinely, as it is intended to help a Security team or Focal get an understanding of an entire code base quickly. Ideally you will move immediately to the Scan Single GitHub Repository approach above for all repositories.

If you are NOT using a Legacy Docker Swarm cluster or Kubernetes for scalable executors on demand, we strongly advise against attempting this: it will add a long queue wait on the Jenkins master which, if not properly tuned, may overwhelm the JVM settings on the master node. 😄

  • In your Jenkins master define a pipeline in SCM
  • Add Jenkinsfile_GitHub_Org_Scan to the repository that you configured in your pipeline on your Jenkins master in the previous step.
  • Complete the Environment Variable Properties in the Jenkinsfile we provided
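As an added illustration (not the Jenkinsfile_GitHub_Org_Scan shipped here), this scripted pipeline enumerates the organization's repositories through the GitHub API using the github.access.token credential defined above and fans the baseline scans out in bounded batches, which is what keeps the queue on the master from growing without limit. The organization name, the node label, the ASoC credential ID and the appscan step parameters are assumptions, and the Git plugin's git step (pulled in by the GitHub plugin) is used for the clone.

```groovy
// Added example, not the Jenkinsfile_GitHub_Org_Scan shipped in this folder. Assumed: the
// 'github.access.token' Username-with-password credential from above, an ASoC credential
// 'asoc.credentials', a 'linux' node label, and the appscan step syntax of the ASoC plugin.
env.GITHUB_ORG          = '<your organization>'
env.GITHUB_API_URL      = 'https://api.github.com'       // GitHub Enterprise: https://<host>/api/v3
env.ASOC_APPLICATION_ID = 'REPLACE_WITH_YOUR_ASOC_APPLICATION_ID'
env.ASOC_CREDENTIALS_ID = 'asoc.credentials'
int batchSize = 4   // upper bound on concurrent scans, so executor demand on the master stays bounded

// Runs outside the CPS interpreter: turns one API page into [url, archived] entries.
@NonCPS
List<Map> parseRepoPage(String json) {
    def repos = new groovy.json.JsonSlurperClassic().parseText(json)
    return repos.collect { [url: it.clone_url as String, archived: it.archived as Boolean] }
}

// Pages through the org listing; the token reaches curl via the environment, never the command line.
List<String> listOrgRepos() {
    List<String> urls = []
    withCredentials([usernamePassword(credentialsId: 'github.access.token',
                                      usernameVariable: 'GH_USER', passwordVariable: 'GH_TOKEN')]) {
        for (int page = 1; ; page++) {
            String body = sh(returnStdout: true, script: 'curl -sSf -u "$GH_USER:$GH_TOKEN" ' +
                "'${env.GITHUB_API_URL}/orgs/${env.GITHUB_ORG}/repos?type=all&per_page=100&page=${page}'")
            List<Map> found = parseRepoPage(body)
            if (found.isEmpty()) { break }                  // past the last page
            for (Map repo : found) { if (!repo.archived) { urls << repo.url } }
        }
    }
    return urls
}

List<String> repos = []
node('linux') { repos = listOrgRepos() }                    // sh needs a workspace, hence the node
echo "Scanning ${repos.size()} active repositories in ${env.GITHUB_ORG}"
for (int i = 0; i < repos.size(); i += batchSize) {
    Map<String, Closure> batch = [:]
    for (String url : repos.subList(i, Math.min(i + batchSize, repos.size()))) {
        String name = url.tokenize('/').last().replace('.git', '')   // fresh local per iteration for the closure
        batch[name] = {
            node('linux') {                                 // one executor per repo, as the note above warns
                git url: url, credentialsId: 'github.access.token'
                appscan application: env.ASOC_APPLICATION_ID, credentials: env.ASOC_CREDENTIALS_ID,
                        name: "${env.GITHUB_ORG}/${name} baseline", scanner: static_analyzer(target: env.WORKSPACE),
                        wait: true, failBuild: false        // baseline: record findings, do not fail the job
            }
        }
    }
    parallel batch                                          // next batch starts only when this one completes
}
```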