Skip to content

rmkanda/secure-pipeline-java-demo

Repository files navigation

Secure Pipelines Demo

Sample spring application with Jenkins pipeline script to demonstrate secure pipelines

Pre Requesites

Setup Setps

Minikube setup

  • Setup minikube
    minikube start --nodes=1 --cpus=4 --memory 8192 --disk-size=35g --embed-certs=true --driver=hyperkit
    minikube addons enable ingress

Jenkins setup

  • Stup Jenkins server

    helm repo add jenkins https://charts.jenkins.io
    helm repo update
    helm install jenkins jenkins/jenkins
  • Wait for the jenkins pod to start

  • Get admin user password of Jenkins

      kubectl exec --namespace default -it svc/jenkins -c jenkins -- /bin/cat /run/secrets/chart-admin-password && echo

    Note: Make a note of the password

  • [Optional] Forward Jenkins server port to access from local machine

    kubectl port-forward svc/jenkins 8080:8080
    open http://localhost:8080
  • Add additonal plugins to Jeninks server (Manage Jenkins -> Manage plugins)

    • BlueOcean
    • Configuration as Code
    • OWASP Dependency-Track

Dependency Track setup

Link Jenkins and Dependency Track

  • Login to Dependency track -> Administration -> Access Management -> Teams -> Click on Automation -> Copy the API Keys -> Also add the Permissions - PROJECT_CREATION_UPLOAD, POLICY_VIOLATION_ANALYSIS, VULNERABILITY_ANALYSIS

  • Login to Jenkins -> Manage Jenkins -> Configure System -> Scroll to bottom -> Configure the Dependency-Track URL and API key -> Also enable Auto Create Projects -> Test Connection -> Save

Hint: URL (if you have followed the exact steps) http://dependency-track-apiserver.deptrack.svc.cluster.local (Format: severiceName.namespace.svc.cluster.local)

New Jenkins Pipeline

Create a new Jenkins pipeline with this repo and trigger build

  • Login to Jenkins -> New Item -> Enter name and choose Pipeline -> Choose GitHub project and set project URL
  • Under pipeline section, Choose Pipeline script from SCM
  • Choose git as SCM and provide repo details
  • Save

Pipeline

Refer the below screenshot for the stages in the pipeline

Pipeline View

Pipeline View

Stage View

Stage View

Dependency Track

Dependency Track View

Tools

Stage Tool
Secrets Scanner truffleHog
Dependency Checker OWASP Dependency checker
SAST OWASP Find Security Bugs
OSS License Checker LicenseFinder
SCA Dependency Track
Image Scanner Trivy
Image Hardening Dockle
K8s Hardening KubeSec
IaC Hardening checkov
DAST OWASP Baseline Scan

TODO

Image Malware scanning - ClamAV