Running Fixinator on Jenkins
There are many ways to configure Jenkins to run Fixinator to scan your ColdFusion / CFML code for security vulnerabilities. In this guide we will use a Jenkins Pipeline with a Jenkinsfile in the SCM.
🎥 Watch Running Fixinator on Jenkins on YouTube
This step is not necessary if you are running the Fixinator Enterprise Edition to run the scan locally.
Jenkins allows us to store the Fixinator API key in a secure manner using its credential store. This prevents the key from being accidentally output in the build logs, and generally protects it as a secret.
- In the main Jenkins menu click on Credentials
- Next click on the Jenkins (global) scope
- Click Add Credentials from the left menu
- Under Kind select Secret text
- Under Secret paste in your Fixinator API Key
- Under ID enter FIXINATOR_API_KEY
- Enter a description and click OK
In the next step we will configure Jenkins to look for a file called Jenkinsfile in the root of your source code repository. This Jenkinsfile is designed to run on a Linux / Unix based executor; if you are running on a Windows based executor you will need to change the sh lines to bat lines.
Create a file called Jenkinsfile in the root of your source code repository with the following:
```groovy
pipeline {
    agent any
    environment {
        // Injected from the Jenkins credential store; Jenkins masks it in the build log
        FIXINATOR_API_KEY = credentials('FIXINATOR_API_KEY')
        CI = 1
    }
    stages {
        stage('Fixinator') {
            steps {
                // Download and unpack CommandBox once per executor
                sh 'if [ ! -f /tmp/box ]; then curl -L -o /tmp/box.zip https://www.ortussolutions.com/parent/download/commandbox/type/bin; fi'
                sh 'if [ ! -f /tmp/box ]; then unzip /tmp/box.zip -d /tmp/; fi'
                sh 'chmod a+x /tmp/box'
                sh '/tmp/box install fixinator'
                // Scan the checked-out workspace and write a JUnit-format report
                sh '/tmp/box fixinator path=. confidence=high resultFormat=junit resultFile=./fixinator-report.xml'
            }
        }
    }
    post {
        always {
            // Publish the report so findings appear in the Jenkins test results
            junit '**/fixinator-report.xml'
        }
    }
}
```
If you already have an existing pipeline you can merge the above into it; otherwise you can follow these steps to create a new pipeline.
- From the main Jenkins menu select New Item
- Enter a Name, and select Pipeline as the type
- Click on the Pipeline tab
- Under Definition select Pipeline script from SCM
- Enter your Git or Subversion repository details
- Under Script file make sure it says Jenkinsfile
- Click Save
You should now have a working pipeline that executes Fixinator on your source code. Click the Build Now button to test it out.
At this point you probably don't want to have to click Build Now every time you want your pipeline to run; you can set it up to run every time code is committed, or on a scheduled basis.
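The Jenkins junit step publishes the report written by `resultFormat=junit`, but on failures it only marks the build UNSTABLE. The following is an added example, not code from the Fixinator project or from this page: a small Python script that parses that JUnit-format report, summarises findings per category and returns an exit status you can use as a hard gate from a later sh step. It assumes the generic JUnit layout (testsuite > testcase > failure); the classname, name and message values in SAMPLE_REPORT are constructed for illustration and are not real Fixinator output.

```python
"""Added example (not from the Fixinator wiki): parse the JUnit-format report
that `box fixinator ... resultFormat=junit resultFile=./fixinator-report.xml`
writes, so findings can be summarised or turned into a hard build gate.

Assumption: the report uses the generic JUnit shape (testsuite > testcase >
failure) that the Jenkins junit step consumes. The attribute values in
SAMPLE_REPORT are constructed for illustration, not real Fixinator output.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report: two findings and one clean testcase.
SAMPLE_REPORT = """
<testsuites>
  <testsuite name="fixinator" tests="3" failures="2">
    <testcase classname="fixinator.sqlinjection" name="/model/user.cfc:42">
      <failure message="Possible SQL Injection" type="high">
Unescaped variable used in a query string.
      </failure>
    </testcase>
    <testcase classname="fixinator.xss" name="/views/profile.cfm:17">
      <failure message="Cross Site Scripting" type="high">
Variable output without encoding.
      </failure>
    </testcase>
    <testcase classname="fixinator.scan" name="/index.cfm"/>
  </testsuite>
</testsuites>
"""


@dataclass(frozen=True)
class Finding:
    category: str   # classname of the testcase (assumed to carry the issue type)
    location: str   # testcase name (assumed to carry file:line)
    message: str    # failure message attribute


def parse_junit_report(xml_text: str) -> list[Finding]:
    """Return one Finding per <testcase> that carries a <failure> child."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            continue  # a passing testcase means no issue at that location
        findings.append(Finding(
            category=case.get("classname", ""),
            location=case.get("name", ""),
            message=failure.get("message", ""),
        ))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category for a quick per-build overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def gate_exit_code(findings: list[Finding], max_allowed: int = 0) -> int:
    """Exit status for a hard gate: 0 when findings <= max_allowed, else 1.

    The junit step alone leaves the build UNSTABLE; exiting non-zero from a
    later sh step turns excess findings into a FAILED build instead.
    """
    return 0 if len(findings) <= max_allowed else 1


if __name__ == "__main__":
    # Usage: python gate.py ./fixinator-report.xml  (falls back to the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    found = parse_junit_report(text)
    for f in found:
        print(f"{f.category}: {f.location} - {f.message}")
    print("summary:", summarize(found))
    sys.exit(gate_exit_code(found))
```

Run it as an extra sh step after the scan (for example `sh 'python3 gate.py ./fixinator-report.xml'`) if you want findings to fail the build rather than only mark it unstable; adjust max_allowed if you are working down an existing backlog.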
If you want your scan to take place fully on your own servers without using the Fixinator Cloud based scanning API, then you need to use the Enterprise Edition of Fixinator. It can run fully isolated without transmitting anything over the internet. Here is a sample Jenkinsfile for the Enterprise Edition:
```groovy
pipeline {
    agent any
    environment {
        // Enterprise Edition needs no cloud API key; the value must be a quoted string in a Jenkinsfile
        FIXINATOR_API_KEY = 'enterprise'
        CI = 1
        // Point the fixinator command at the locally started Enterprise server
        FIXINATOR_API_URL = 'http://127.0.0.1:48443/scan/'
    }
    stages {
        stage('Fixinator') {
            steps {
                sh 'if [ ! -f /tmp/box ]; then curl -L -o /tmp/box.zip https://www.ortussolutions.com/parent/download/commandbox/type/bin; fi'
                sh 'if [ ! -f /tmp/box ]; then unzip /tmp/box.zip -d /tmp/; fi'
                sh 'chmod a+x /tmp/box'
                // Fetch and unpack the Enterprise Edition from your own server once per executor
                sh 'if [ ! -f /tmp/fixinator-enterprise.zip ]; then curl -L -o /tmp/fixinator-enterprise.zip https://your-server.example.com/fixinator-enterprise.zip; fi'
                sh 'if [ ! -d /tmp/fixinator-enterprise/ ]; then mkdir -p /tmp/fixinator-enterprise/; fi'
                sh 'if [ ! -f /tmp/fixinator-enterprise/version.txt ]; then unzip /tmp/fixinator-enterprise.zip -d /tmp/fixinator-enterprise/; fi'
                // Every sh step runs in its own shell, so the cd must be in the same step as the command it applies to
                sh 'cd /tmp/fixinator-enterprise/app/ && /tmp/box server start port=48443'
                // Later sh steps start in $WORKSPACE again, so no cd back is needed
                sh '/tmp/box install fixinator'
                sh '/tmp/box fixinator path=. confidence=high resultFormat=junit resultFile=./fixinator-report.xml'
            }
        }
    }
    post {
        always {
            // Stop the Enterprise server even if the scan step failed, then publish the report
            sh 'cd /tmp/fixinator-enterprise/app/ && /tmp/box server stop'
            junit '**/fixinator-report.xml'
        }
    }
}
```
Note that in this example it is reaching out to a local HTTPS server https://your-server.example.com/fixinator-enterprise.zip to fetch the Enterprise Edition. It is still calling out to the internet to download CommandBox, and to install the latest fixinator command from ForgeBox (box install fixinator). It is possible to avoid that if you are on an air gapped network, by placing those assets on a server within your network as well. You can contact Foundeo Inc. for assistance on how to set that up.