- Start The Container Development Kit
- Create a new project called
zap-demo- Via cli:
$ oc new-project zap-demo
Now using project "zap-demo" on server "https://192.168.42.159:8443".
You can add applications to this project with the 'new-app' command. For example, try:
oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git
to build a new example application in Ruby.
- Deploy the image to OpenShift:
oc new-build https://github.com/rht-labs/owasp-zap-openshift.git
$ oc new-build https://github.com/rht-labs/owasp-zap-openshift.git
--> Found Docker image 36540f3 (4 weeks old) from Docker Hub for "centos:centos7"
* An image stream will be created as "centos:centos7" that will track the source image
* A Docker build using source code from https://github.com/rht-labs/owasp-zap-openshift.git will be created
* The resulting image will be pushed to image stream "owasp-zap-openshift:latest"
* Every time "centos:centos7" changes a new build will be triggered
--> Creating resources with label role=jenkins-slave ...
imagestream "centos" created
imagestream "owasp-zap-openshift" created
buildconfig "owasp-zap-openshift" created
--> Success
Build configuration "owasp-zap-openshift" created and build triggered.
Run 'oc logs -f bc/owasp-zap-openshift' to stream the build progress.
- Switch to the OpenShift web console and show the build executing
- Can capture the image URL here or in the step below
- Can capture the image URL here or in the step below
- Once the build is complete, navigate to "Builds->Images" and copy the registry URL for the new container
- Should look like: 172.30.1.1:5000/zap-demo/owasp-zap-openshift
- Should look like: 172.30.1.1:5000/zap-demo/owasp-zap-openshift
- Deploy Jenkins
- Via cli:
oc process openshift//jenkins-ephemeral | oc create -f - - Show Jenkins being spun up in web console
- Via cli:
$ oc process openshift//jenkins-ephemeral | oc create -f -
route "jenkins" created
persistentvolumeclaim "jenkins" created
deploymentconfig "jenkins" created
serviceaccount "jenkins" created
rolebinding "jenkins_edit" created
service "jenkins-jnlp" created
service "jenkins" created- Log in to the Jenkins instance
- Click on "Jenkins->Manage Jenkins->Manage Plugins"
- Select the "Available" tab
- Filter for "HTML Publisher"
- Tick the "HTML Publisher" plugin and click "Download now and install after restart"
- Tick the box "Restart Jenkins when installation is complete and no jobs are running"
- While Jenkins restarts, explain that the HTML Publisher plugin allows us to add reports to the build history and explain that we will show this in more detail later
- Log back in to Jenkins
- Click on "Jenkins -> Manage Jenkins -> Configure System"
- Scroll down to the Kubernetes Cloud configuration
- Highlight that we are using OpenShift and that the
zap-demonamespace has already been populated.
- Click on "Add Pod Template" and select "Kubernetes Pod Template"
- NOTE: If using production OpenShift cluster, the Pod and container will likely already be populated.
- Fill in the "Name" and "Labels" as
zap-demo
- Click on "Add" under "Containers"
Name: jnlp
Docker image: 172.30.1.1:5000/zap-demo/owasp-zap-openshift << The Docker image registry may be different on different OpenShift installations
Working directory: /tmp << Explain that this MOUNTS a working directory, it does not set the working directory
Command to run slave agent: <blank>
Arguments to pass to the command: ${computer.jnlpmac} ${computer.name}
Allocate pseudo-TTY: Unchecked
- Max number of instances: 1
- Time in minutes to retain slave when idle: 10
- Leave all other settings with default values
- Click "Save"
- Click "New Item" on the Jenkins main page
- Set the name to "Example", select "Pipeline" as the project type, then click "OK"
- Tick the box "Do not allow concurrent builds"
- Insert the pipeline script:
stage('Get a ZAP Pod') {
node('zap-demo') {
stage('Scan Web Application') {
sh 'mkdir /tmp/workdir'
dir('/tmp/workdir') {
def retVal = sh returnStatus: true, script: '/zap/zap-baseline.py -r baseline.html -t http://<some-web-site>'
publishHTML([allowMissing: false, alwaysLinkToLastBuild: false, keepAll: true, reportDir: '/zap/wrk', reportFiles: 'baseline.html', reportName: 'ZAP Baseline Scan', reportTitles: 'ZAP Baseline Scan'])
echo "Return value is: ${retVal}"
}
}
}
}- Set the web address to be scanned and explain the Pipeline script
- Switch back to Jenkins and run the Example build, wait for the ZAP baseline scan to complete.
- While waiting, explain that we could also push in additional and more detailed specifications for the test by either copying in ZAP configurations or mounting Kubernetes ConfigMap file literals as provided by the security teams. These could be configured on a case-by-case basis part of the initial planning with the security team.
- The default baseline scan takes about 3 minutes to complete
- Once the scan is complete, show the saved ZAP report in the build sidebar.
-
Discuss methods to customize how the ZAP scans are run.
- Mounted ConfigMap files?
- Mounted volumes
- Download config via HTTP/CURL
- https://github.com/zaproxy/zaproxy/wiki/Docker
-
More detailed options for baseline scan: