diff --git a/Jenkinsfile b/Jenkinsfile index f45ebce..c2f52f1 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -3,15 +3,16 @@ pipeline { - agent { - docker { - image 'securityuniversal/jenkins-pipeline-agent:latest' - args '--group-add 999' - } - } + agent none stages { stage('Initialize Config') { + agent { + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-pipeline-agent' + } + } steps { script { def config = jslReadYamlConfig() @@ -28,6 +29,12 @@ pipeline { } stage('Prep Job') { + agent { + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-pipeline-agent' + } + } when { expression { def config = jslReadYamlConfig('prepJob') @@ -50,8 +57,9 @@ pipeline { stage('Unit Testing') { agent { - docker { - image 'securityuniversal/jenkins-python-agent:latest' + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-python-agent' } } when { @@ -66,16 +74,19 @@ pipeline { } } steps { - jslStageWrapper('Unit Testing') { - jslPythonUnitTesting() + container('jenkins-python-agent') { + jslStageWrapper('Unit Testing') { + jslPythonUnitTesting() + } } } } stage('Secret Scanning') { agent { - docker { - image 'securityuniversal/jenkins-sectesting-agent:latest' + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-secret-agent' } } when { @@ -90,16 +101,19 @@ pipeline { } } steps { - jslStageWrapper('Secret Scanning') { - jslSecretScanning() + container('jenkins-secret-agent') { + jslStageWrapper('Secret Scanning') { + jslSecretScanning() + } } } } stage('Software Composition Analysis') { agent { - docker { - image 'securityuniversal/jenkins-sectesting-agent:latest' + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-sca-agent' } } when { 
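Review bot: With `agent none` at the pipeline level and a fresh `kubernetes` pod per stage, no stage shares a workspace with the one before it, so anything `Initialize Config` or `Prep Job` writes to disk (generated config, tool output that later stages or `jslPipelineReporter` read) will not exist in the next pod unless it is `stash`ed/`unstash`ed or persisted outside the workspace — the shared-library steps are not visible here, so this needs confirming before merge. Each stage pod also performs its own SCM checkout, so the cost and failure surface of a clone is now paid once per stage rather than once per build. The pod template is referenced only by `cloud 'kubernetes-cloud'` and `label 'jenkins-pipeline-agent'`, which moves the image, service account and security context out of this file and into the Jenkins cloud configuration; a comment such as `// image, securityContext and SA for this label are defined in the 'kubernetes-cloud' pod template` at the first agent block would tell the next maintainer where that now lives.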
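Review bot: `container('jenkins-python-agent')` only works if the pod template registered for label `jenkins-python-agent` has a container with exactly that name; nothing in this file declares it, and a mismatch fails at runtime rather than at pipeline load. Consider adding `defaultContainer 'jenkins-python-agent'` to the `kubernetes {}` block, or better a `yamlFile` checked into the repo with the image pinned by digest, `runAsNonRoot: true` and `automountServiceAccountToken: false`, so the image that executes the unit tests and secret scan is reviewed with the code instead of following whatever the cloud template currently points to (the removed `:latest` tags had the same weakness, so this is a missed opportunity rather than a regression). The same applies to every `container(...)` wrapper introduced below.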
@@ -114,11 +128,13 @@ pipeline { } } steps { - jslStageWrapper('Software Composition Analysis') { - script { - def stageConfig = jslReadYamlConfig('sca') - def codeLanguages = stageConfig?.codeLanguages.join(',') - jslSecuritySCA(codeLanguages) + container('jenkins-sca-agent') { + jslStageWrapper('Software Composition Analysis') { + script { + def stageConfig = jslReadYamlConfig('sca') + def codeLanguages = stageConfig?.codeLanguages.join(',') + jslSecuritySCA(codeLanguages) + } } } } @@ -126,8 +142,9 @@ pipeline { stage('Static Application Security Testing') { agent { - docker { - image 'securityuniversal/jenkins-sectesting-agent:latest' + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-sast-agent' } } when { @@ -142,11 +159,13 @@ pipeline { } } steps { - jslStageWrapper('Static Application Security Testing') { - script { - def stageConfig = jslReadYamlConfig('sast') - def codeLanguages = stageConfig?.codeLanguages - jslStaticApplicationSecurityTesting(codeLanguages) + container('jenkins-sast-agent') { + jslStageWrapper('Static Application Security Testing') { + script { + def stageConfig = jslReadYamlConfig('sast') + def codeLanguages = stageConfig?.codeLanguages + jslStaticApplicationSecurityTesting(codeLanguages) + } } } } @@ -154,9 +173,9 @@ pipeline { stage('Infrastructure-as-Code Security Testing') { agent { - docker { - image 'securityuniversal/jenkins-sectesting-agent:latest' - args '--group-add 999' + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-iac-agent' } } when { @@ -171,18 +190,17 @@ pipeline { } } steps { - jslStageWrapper('Infrastructure-as-Code Security Testing') { - jslInfrastructureAsCodeAnalysis() + container('jenkins-iac-agent') { + jslStageWrapper('Infrastructure-as-Code Security Testing') { + jslInfrastructureAsCodeAnalysis() + } } } } stage('Build Docker Service') { agent { - docker { - image 'securityuniversal/jenkins-iac-agent:latest' - args '--group-add 999' - } + label 'DockerVM' } when { expression { 
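Review bot: `Build Docker Service` is the one stage that leaves the ephemeral-pod model for a persistent node labelled `DockerVM`, and the removed `args '--group-add 999'` suggests the old agent was granted docker-socket group access, so this stage presumably still needs a Docker daemon — on a long-lived VM that daemon, its image cache and the workspace now survive across builds and across any other job that uses the same label. Whatever the Dockerfile executes during the build runs with daemon-level access on that host, so the node should be dedicated to this job and the stage should clean up after itself, e.g. a stage-level `post { always { cleanWs() } }` or a `deleteDir()` before the build, with a comment `// runs on a shared persistent VM with a Docker daemon; workspace and image cache are not isolated per build` so nobody assumes pod-style isolation. If a daemonless in-cluster builder is an option, it would let this stage use the same `kubernetes` agent pattern as the rest. The stage's `steps` block is outside this hunk.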
@@ -208,9 +226,9 @@ pipeline { stage('Docker Container Scanning') { agent { - docker { - image 'securityuniversal/jenkins-sectesting-agent:latest' - args '--group-add 999' + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-dockersec-agent' } } when { @@ -225,12 +243,14 @@ pipeline { } } steps { - jslStageWrapper('Docker Container Scanning') { - script { - def stageConfig = jslReadYamlConfig('containerScan') - def containerName = stageConfig?.containerName - def containerTag = stageConfig?.containerTag - jslContainerSecurityScanning(containerName, containerTag) + container('jenkins-dockersec-agent') { + jslStageWrapper('Docker Container Scanning') { + script { + def stageConfig = jslReadYamlConfig('containerScan') + def containerName = stageConfig?.containerName + def containerTag = stageConfig?.containerTag + jslContainerSecurityScanning(containerName, containerTag) + } } } } @@ -238,8 +258,9 @@ pipeline { stage('Release to Test') { agent { - docker { - image 'securityuniversal/jenkins-deploy-agent:latest' + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-deploy-agent' } } when { @@ -254,18 +275,26 @@ pipeline { } } steps { - jslStageWrapper('Release to Test') { - script { - def stageConfig = jslReadYamlConfig('releaseToTest') - def serviceName = stageConfig?.serviceName - def containerTag = stageConfig?.containerTag - jslRunDockerCompose(serviceName, containerTag) + container('jenkins-deploy-agent') { + jslStageWrapper('Release to Test') { + script { + def stageConfig = jslReadYamlConfig('releaseToTest') + def serviceName = stageConfig?.serviceName + def containerTag = stageConfig?.containerTag + jslRunDockerCompose(serviceName, containerTag) + } } } } } stage('Test Release') { + agent { + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-dast-agent' + } + } when { expression { def config = jslReadYamlConfig('testRelease') 
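Review bot: `Release to Test` now starts the service with `jslRunDockerCompose` inside the `jenkins-deploy-agent` pod, while `Test Release` runs `jslDastOWASP`/`jslDastAPIOWASP` from a separate `jenkins-dast-agent` pod; if the compose stack is brought up against a daemon local to the deploy pod (the agent block gives no hint of an external daemon), it is gone with that pod before the DAST scan reaches `targetUrl`, and if it targets a remote daemon then `targetUrl` and `apiTargetUrl` must resolve from the DAST pod's network rather than the deploy pod's. Either way the two stages no longer share a host, which the previous single-agent layout may have relied on. A comment on the new `Test Release` agent block, e.g. `// targetUrl must be reachable from this pod; the compose stack from 'Release to Test' does not live here`, plus a reachability check before the scan so a dead target fails the stage instead of producing an empty report, would make the assumption explicit. The `Test Release` `when` block continues outside this hunk.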
@@ -278,14 +307,16 @@ pipeline { } } steps { - jslStageWrapper('Test Release') { - script { - def stageConfig = jslReadYamlConfig('testRelease') - def targetUrl = stageConfig?.targetUrl - def dastTestType = stageConfig?.dastTestType - def apiTargetUrl = stageConfig?.apiTargetUrl - jslDastOWASP(dastTestType, targetUrl) - jslDastAPIOWASP(apiTargetUrl, targetUrl) + container('jenkins-dast-agent') { + jslStageWrapper('Test Release') { + script { + def stageConfig = jslReadYamlConfig('testRelease') + def targetUrl = stageConfig?.targetUrl + def dastTestType = stageConfig?.dastTestType + def apiTargetUrl = stageConfig?.apiTargetUrl + jslDastOWASP(dastTestType, targetUrl) + jslDastAPIOWASP(apiTargetUrl, targetUrl) + } } } } @@ -294,9 +325,9 @@ pipeline { ////////// Quality Gate ////////// stage("Quality Gate - Security") { agent { - docker { - image 'securityuniversal/jenkins-sectesting-agent:latest' - args '--group-add 999' + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-pipeline-agent' } } when { @@ -311,8 +342,10 @@ pipeline { } } steps { - jslStageWrapper('Quality Gate - Security') { - jslSecurityQualityGate() + container('jenkins-pipeline-agent') { + jslStageWrapper('Quality Gate - Security') { + jslSecurityQualityGate() + } } } } @@ -320,9 +353,9 @@ pipeline { ////////// Deploy to Production ////////// stage('Deploy') { agent { - docker { - image 'securityuniversal/jenkins-deploy-agent:latest' - args '--group-add 999' + kubernetes { + cloud 'kubernetes-cloud' + label 'jenkins-deploy-agent' } } when { 
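Review bot: The security quality gate now runs on the generic `jenkins-pipeline-agent` pod rather than the security-testing image, and with one pod per stage the scan results it judges were all produced in other pods, so `jslSecurityQualityGate()` has to be sourcing them from somewhere outside this pod's workspace (presumably a service keyed by the build's report id; not visible here). If the library still looks for files in the workspace it will find none, and whether that fails closed or passes an unscanned build depends on its handling of "no findings". A comment on this stage stating where the verdict comes from, e.g. `// gate evaluates findings fetched by REPORT_ID, not files in this workspace`, and an explicit fail-closed check when no results exist for the report would remove the ambiguity. The stage's `when` block continues outside this hunk.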
@@ -337,19 +370,21 @@ pipeline { } } steps { - jslStageWrapper('Deploy') { - script { - def stageConfig = jslReadYamlConfig('deploy') + container('jenkins-deploy-agent') { + jslStageWrapper('Deploy') { + script { + def stageConfig = jslReadYamlConfig('deploy') - jslKubernetesDeploy([ - 'serviceName': env.appName, - 'tlsCredId': stageConfig?.tlsCredId, - 'secretsCredentials': stageConfig?.secretsCredentials, - 'secretsSetStrings': stageConfig?.secretsSetStrings, - 'serviceCredentials': stageConfig?.serviceCredentials, - 'serviceSetStrings': stageConfig?.serviceSetStrings - ]) + jslKubernetesDeploy([ + 'serviceName': env.appName, + 'tlsCredId': stageConfig?.tlsCredId, + 'secretsCredentials': stageConfig?.secretsCredentials, + 'secretsSetStrings': stageConfig?.secretsSetStrings, + 'serviceCredentials': stageConfig?.serviceCredentials, + 'serviceSetStrings': stageConfig?.serviceSetStrings + ]) + } } } } @@ -357,8 +392,10 @@ pipeline { } post { always { - script { - jslPipelineReporter() + node('jenkins-pipeline-agent') { + script { + jslPipelineReporter() + } } } } diff --git a/src/vr/api/vulns/jenkins_webhook.py b/src/vr/api/vulns/jenkins_webhook.py index 149b9cb..2ad6907 100644 --- a/src/vr/api/vulns/jenkins_webhook.py +++ b/src/vr/api/vulns/jenkins_webhook.py @@ -226,7 +226,7 @@ def add_application_sla_policy(app_id): # Add the handler to the logger logger.addHandler(stream_handler) -def add_new_scan(git_url, branch_name, report_id): +def add_new_scan(app_name, git_url, branch_name, report_id): try: stage_str = _determine_stages_for_app(git_url, branch_name) 
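Review bot: `jslKubernetesDeploy` now executes inside the `jenkins-deploy-agent` pod with `tlsCredId`, `secretsCredentials` and `serviceCredentials` taken straight from repo-controlled YAML, so whichever service account that pod template mounts is what performs the production deploy if the library uses in-cluster auth (it may use a kubeconfig credential instead — not visible here). Since every other stage is now also a pod in `kubernetes-cloud`, the `jenkins-deploy-agent` template should be the only one whose service account can write to the target namespace and the others should set `automountServiceAccountToken: false`, otherwise a compromised unit-test or SCA step inherits deploy rights. A comment above the call, `// runs with the deploy pod's SA; config may only name credential IDs this job is permitted to use`, documents that trust boundary, and the stage's `when` block (outside the hunk) is where branch restriction for this stage belongs.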
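Review bot: `app_name` is inserted as the first positional parameter of `add_new_scan`, so any caller not updated in this commit (only the one in `parallel_security_scan` is visible) would keep running with `git_url` bound to `app_name` and everything shifted, without raising a TypeError. Appending it instead, `def add_new_scan(git_url, branch_name, report_id, app_name):`, or passing it by keyword from the `Thread(...)` call (`kwargs={'app_name': app_name}` alongside the positional args) keeps a stale caller loudly broken rather than quietly wrong. The function also has no docstring; a one-liner such as `"""Trigger the Jenkins parallel-scan job for app_name's git_url/branch_name and tie the run to report_id."""` would cover it. The rest of the function body is outside this hunk.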
@@ -240,7 +240,8 @@ def add_new_scan(git_url, branch_name, report_id): 'TESTS': stage_str, 'GIT_BRANCH': branch_name, 'REPORT_ID': report_id, - 'PIPELINE_TYPE': "PARALLEL_SCAN" + 'PIPELINE_TYPE': "PARALLEL_SCAN", + 'APP_NAME': app_name } url = f"{app.config['JENKINS_HOST']}/job/{app.config['JENKINS_PROJECT']}/buildWithParameters" resp = requests.post(url, headers=headers, data=data, auth=HTTPBasicAuth(app.config['JENKINS_USER'], app.config['JENKINS_KEY'])) @@ -276,7 +277,7 @@ def parallel_security_scan(): report_id = _add_vulnerability_scan(app_id, branch_name) # Start processing in a new thread - processing_thread = Thread(target=add_new_scan, args=(git_url, branch_name, report_id)) + processing_thread = Thread(target=add_new_scan, args=(app_name, git_url, branch_name, report_id)) processing_thread.start() return jsonify({"report_id": report_id, "status": "processing started"}), 200
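Review bot: The new build parameter is named `APP_NAME`, but the `Deploy` stage of the Jenkinsfile in this same diff reads `env.appName` (`'serviceName': env.appName`); Jenkins exposes a build parameter as an environment variable under its exact name, so unless `Initialize Config` or a library step copies one to the other the deploy will see a null `serviceName`. Either rename the parameter to what the pipeline reads, or add a comment on the dict entry, `# consumed by the Jenkinsfile as env.appName (mapped in <step>)`, naming the step that does the mapping. The `requests.post(...)` on the last line runs in a background thread with no `timeout=`, so a hung Jenkins pins that thread indefinitely; `timeout=(5, 30)` on the call is cheap insurance.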
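Review bot: `app_name` is forwarded to Jenkins and from there into the deploy's `serviceName` without any validation, and the `Thread` start here is the last point at which a bad value can still be rejected with a 4xx — once the thread is running, failures never reach the caller. Where `app_name` is read is above this hunk (the start of `parallel_security_scan` is outside it), but before `Thread(...)` it is worth checking that it is a non-empty string and, since it appears to become a Kubernetes service/release name, restricting it to a DNS-1123 label: `if not isinstance(app_name, str) or not re.fullmatch(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?", app_name): return jsonify({"error": "invalid app_name"}), 400` (add `import re` if the module does not already import it). A length and character-class check on `branch_name`, which is also passed through to the job verbatim, costs the same one line.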