
poc-secdevops's Introduction

A tutorial about securing fast (and furious) Continuous Integration and Continuous Delivery with a Dockerized Jenkins pipeline

This repository is a tutorial: it tries to show how to include security controls before and after each step of a CI/CD pipeline.

The ticketmagpie application is used as an example, with a configured "Security Gate" that performs security controls (SAST) before code is pushed to the production environment.

Original/Simplified DevOps pipeline (without security controls) : https://github.com/hakdogan/jenkins-pipeline

First step: starting the services

Docker Compose can be used to run services that work together. Each component of the pipeline is configured in a YAML file as below.

docker-compose.yml

version: '3.2'

networks:
  workshop_lab:
    driver: bridge

services:

  sonarqube:
    image: sonarqube
    ports:
      - 9000:9000
      - 9092:9092
    container_name: sonarqube
    networks:
      - workshop_lab

  jenkins:
    build:
      context: jenkins/
    privileged: true
    user: root
    ports:
      - 8080:8080
      - 50000:50000
    container_name: jenkins
    volumes:
      - /home/jenkins/:/var/jenkins_home # Persist Jenkins state on the host; a path under /tmp would be wiped on system reboot.
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - workshop_lab

  arachni:
    image: ahannigan/docker-arachni
    build: .
    ports:
      - "9292:9292"
      - "7331:7331"
    command: bin/arachni_rest_server --address 0.0.0.0
    container_name: arachni
    networks:
      - workshop_lab

  threadfix:
    image: jmbmxer/threadfix
    ports:
      - 8443:8443
    container_name: threadfix
    entrypoint: ./threadfix.sh start
    networks:
      - workshop_lab

  testvuln:
    image: dhatanian/ticketmagpie
    ports:
      - 8081:8080
    container_name: testvuln
    environment:
      - SPRING_PROFILES_ACTIVE=hsqldb
    networks:
      - workshop_lab

If we run the following command in the same directory as the docker-compose.yml file, the containers will be built and started.

docker-compose -f docker-compose.yml up --build

Jenkins configuration

We have configured Jenkins in the Docker Compose file to run on port 8080, so if we visit http://localhost:8080 we will be greeted with the initial setup screen.

We need the admin password to proceed with the installation. It is stored in the file /var/jenkins_home/secrets/initialAdminPassword and is also written to the console output when Jenkins starts.

jenkins      | *************************************************************
jenkins      |
jenkins      | Jenkins initial setup is required. An admin user has been created and a password generated.
jenkins      | Please use the following password to proceed to installation:
jenkins      |
jenkins      | 45638c79cecd4f43962da2933980197e
jenkins      |
jenkins      | This may also be found at: /var/jenkins_home/secrets/initialAdminPassword
jenkins      |
jenkins      | *************************************************************

To read the password from inside the container:

docker exec -it jenkins sh
/ $ cat /var/jenkins_home/secrets/initialAdminPassword

After entering the password, we will download recommended plugins and define an admin user.

After clicking the Save and Finish and Start using Jenkins buttons, we should see the Jenkins homepage. One of the seven goals is that we must be able to build a Docker image from inside the dockerized Jenkins. Take a look at the volume definitions of the Jenkins service in the compose file.

- /var/run/docker.sock:/var/run/docker.sock

Mounting the host's Docker socket (combined with privileged: true and user: root) gives every Jenkins job full control of the host's Docker daemon, which is equivalent to root on the host; this convenience is acceptable for a lab setup but should not be copied into a production CI environment.

Sonarqube configuration

For Sonarqube we have made the following definitions in the pom.xml file of the project.

<sonar.host.url>http://sonarqube:9000</sonar.host.url>
...
<dependencies>
...
    <dependency>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>2.7.1</version>
        <type>maven-plugin</type>
    </dependency>
...
</dependencies>

In the Docker Compose file the SonarQube service is named sonarqube, and containers on the same Compose network can resolve each other by service name; this is why the sonar URL in pom.xml is defined as http://sonarqube:9000.
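As an added example (not part of this repository), the following POSIX shell script shows what the "Security Gate" step could look like: a Jenkins stage calls it after the Sonar analysis and the deploy stage is aborted unless the SonarQube quality gate reports OK. The URL http://sonarqube:9000 is the compose service name above; SONAR_TOKEN and SONAR_PROJECT_KEY are assumed environment variables, and the sample JSON responses are constructed for offline use.

```shell
#!/bin/sh
# Added example: enforce the SonarQube quality gate as a pipeline security gate.
# Assumes SonarQube is reachable as http://sonarqube:9000 from the Jenkins
# container, an API token in $SONAR_TOKEN and the project key in $SONAR_PROJECT_KEY.

SONAR_URL="${SONAR_URL:-http://sonarqube:9000}"

# Extract the top-level projectStatus.status field ("OK", "ERROR", ...) from a
# /api/qualitygates/project_status JSON response using only POSIX tools, so it
# also works inside a minimal Jenkins agent image without jq.
gate_status() {
  printf '%s' "$1" | tr -d ' \n' \
    | sed -n 's/.*"projectStatus":{"status":"\([A-Z_]*\)".*/\1/p'
}

# Return 0 only when the gate passed; anything else (ERROR, WARN, NONE or a
# malformed/empty response) is treated as a failure, i.e. fail closed.
gate_passed() {
  status=$(gate_status "$1")
  [ "$status" = "OK" ]
}

# Fetch the live gate result for a project with token authentication.
fetch_gate() {
  curl -sf -u "${SONAR_TOKEN}:" \
    "${SONAR_URL}/api/qualitygates/project_status?projectKey=$1"
}

# Constructed sample responses (not real scan output) used for offline checks.
SAMPLE_OK='{"projectStatus":{"status":"OK","conditions":[]}}'
SAMPLE_ERROR='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_vulnerabilities"}]}}'

# When invoked as a pipeline step (sh 'gate.sh --check'), block the deploy.
if [ "${1:-}" = "--check" ]; then
  resp=$(fetch_gate "$SONAR_PROJECT_KEY") || { echo "SonarQube unreachable"; exit 1; }
  if gate_passed "$resp"; then
    echo "Security gate passed"
  else
    echo "Security gate FAILED (status: $(gate_status "$resp")); aborting deploy"
    exit 1
  fi
fi
```

Because the script exits non-zero on any non-OK status or unreachable server, a Jenkins `sh` step running it fails the stage and the deploy never runs.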

Arachni configuration

Step-by-step instructions will be presented during the workshop.

Find-sec-bugs configuration

Step-by-step instructions will be presented during the workshop.

Threadfix (vulnerability management) configuration

Step-by-step instructions will be presented during the workshop.

Docker usage

List running containers:

docker container ls

Open an interactive shell in a running container (replace the container ID with your own):

docker exec -it b8835ab2bf71 /bin/bash
