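// Build parameters for the security pipeline. A `string` parameter declares its
// default with `defaultValue`; the original `value:` key is not a property of the
// string parameter definition, so no default was actually being set. Every value
// here is user-controlled input: shell steps later in the pipeline should read
// them from the environment rather than interpolating them into command lines.
properties([
    parameters([
        string(name: 'appRepoURL', defaultValue: '', description: "Application's git repository"),
        string(name: 'dockerImage', defaultValue: '', description: "docker Image with tag"),
        string(name: 'targetURL', defaultValue: '', description: "Web application's URL"),
        choice(name: 'appType', choices: ['Java', 'Node', 'Angular'], description: 'Type of application'),
        string(name: 'hostMachineName', defaultValue: '', description: "Hostname of the machine"),
        string(name: 'hostMachineIP', defaultValue: '', description: "Public IP of the host machine")
        // password(name: 'hostMachinePassword', defaultValue: "", description: "Password of the target machine")
    ])
])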
// Pipeline-scoped state shared between the stages below.
def repoName = ''   // checkout directory of the application repo, set in 'Source Composition Analysis'
def app_type = ''   // dependency manifest Snyk scans: pom.xml or package.json
def workspace = ''  // result of pwd() on the agent, set in 'Checkout SCM'
node {
// Check out the repository that holds this Jenkinsfile and the tooling
// (the application under test is cloned separately later) and remember the
// workspace path. catchError turns a failure here into a failed stage while
// leaving the overall build result SUCCESS.
stage('Checkout SCM') {
    catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
        checkout scm
        workspace = pwd()
    }
}
// Start the SonarQube and Anchore Engine services that the SAST and image-scan
// stages talk to; both compose stacks are torn down again in 'Clean up'.
stage('pre-build setup') {
    catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
        sh '''
docker-compose -f Sonarqube/sonar.yml up -d
docker-compose -f Anchore-Engine/docker-compose.yaml up -d
'''
    }
}
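// Scan the application repository's history for committed secrets with trufflehog.
// Any finding marks the stage UNSTABLE; the build result stays SUCCESS.
stage('Check secrets') {
    catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') {
        // appRepoURL is a user-supplied build parameter. It is handed to the shell
        // through the environment (single-quoted Groovy string, double-quoted shell
        // expansion) instead of Groovy interpolation, so shell metacharacters in the
        // value cannot change the command that runs on the agent.
        sh '''
            rm -f trufflehog
            docker run --rm gesellix/trufflehog --json --regex "$appRepoURL" > trufflehog
        '''
        // The raw report stays in the workspace (it is moved under reports/trufflehog
        // in 'Clean up') and is deliberately not echoed to the console: trufflehog
        // output contains the matched secret strings, and the build log is typically
        // readable by far more people than the workspace.
        def truffle = readFile 'trufflehog'
        if (truffle.trim().isEmpty()) {
            echo 'Good to go'
        } else {
            echo 'Warning! Secrets are committed into your git repository.'
            throw new Exception('Secrets might be committed into your git repo')
        }
    }
}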
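// Clone the application repository and scan its dependency manifest with Snyk.
// Findings mark the stage UNSTABLE; the build result stays SUCCESS.
stage('Source Composition Analysis') {
    catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') {
        // Derive the checkout directory name in Groovy instead of two shell round
        // trips: last path segment of the URL with a trailing ".git" removed. The
        // original `sed 's/.git//g'` treated "." as a regex wildcard and deleted every
        // match, so a name such as "digital-tools" came back mangled. An empty URL
        // yields an empty repoName rather than an exception.
        def url = (params.appRepoURL ?: '').trim()
        def segments = url.tokenize('/')
        repoName = segments ? segments.last().replaceFirst(/\.git$/, '') : ''
        // The URL is user input: let git read it from the environment rather than
        // interpolating it into the command line, and end option parsing with `--`
        // so a value starting with "-" cannot be taken as a git option.
        sh 'git clone -- "$appRepoURL" || true'
        if (params.appType.equalsIgnoreCase('Java')) {
            app_type = 'pom.xml'
        } else {
            // Node/Angular: install so Snyk can resolve the full dependency tree.
            app_type = 'package.json'
            dir(repoName) {
                sh 'npm install'
            }
        }
        snykSecurity failOnIssues: false, projectName: '$BUILD_NUMBER', severity: 'high', snykInstallation: 'SnykSec', snykTokenId: 'snyk-token', targetFile: "${repoName}/${app_type}"
        // readFile() returns a String, which has no exists(), and throws when the
        // file is missing, so the original check could not take either branch as
        // intended; fileExists() is the step for this. `currentBuild.result` is the
        // property name (the original `Result` set nothing).
        // NOTE(review): the Snyk step appears to write snyk_report.html whenever it
        // runs, issues or not; confirm before treating its presence as "vulnerable".
        if (fileExists('snyk_report.html')) {
            throw new Exception('Vulnerable dependencies found!')
        } else {
            echo 'Snyk report was not generated; check the appRepoURL parameter and the scan output'
            currentBuild.result = 'FAILURE'
        }
    }
}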
// Static analysis. Only Java projects are analysed here (Maven sonar:sonar against
// the SonarQube instance started in 'pre-build setup'); Node and Angular
// applications pass through this stage without any scan. waitForQualityGate
// blocks until SonarQube reports the gate outcome, hence the bounded timeout.
stage('SAST') {
    catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
        if (!appType.equalsIgnoreCase('Java')) {
            return
        }
        withSonarQubeEnv('sonarqube') {
            dir(repoName) {
                sh 'mvn clean package sonar:sonar'
            }
        }
        timeout(time: 1, unit: 'HOURS') {
            def gate = waitForQualityGate()
            if (gate.status != 'OK') {
                error "Pipeline aborted due to quality gate failure: ${gate.status}"
            }
        }
    }
}
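// Scan the image named by the dockerImage parameter with Anchore Engine, which
// reads the image names to scan from the 'anchore_images' file.
stage('Container Image Scan') {
    catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
        // Write the list with a pipeline step instead of `echo` in a shell: the
        // original triple-double-quoted sh string let Groovy interpolate the
        // user-supplied dockerImage value straight into the command line.
        // writeFile overwrites, so the separate `rm` is no longer needed.
        writeFile file: 'anchore_images', text: "${(params.dockerImage ?: '').trim()}\n"
        anchore 'anchore_images'
    }
}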
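// Run the OWASP ZAP baseline scan against the deployed application. The ZAP
// container sees Archerysec-ZeD/ as /zap/wrk, so -J writes the JSON report there.
// NOTE(review): -J owasp_report lands in Archerysec-ZeD/owasp_report, while the
// rm below clears Archerysec-ZeD/zap_result/owasp_report; confirm which path the
// downstream consumer expects.
stage('DAST') {
    catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
        // targetURL is user input: expand it in the shell from the environment
        // (single-quoted Groovy string) instead of interpolating it in Groovy.
        sh '''
            rm -rf Archerysec-ZeD/zap_result/owasp_report
            docker run --rm -v "$(pwd)/Archerysec-ZeD/:/zap/wrk/:rw" -t owasp/zap2docker-stable zap-baseline.py \\
                -t "$targetURL" -J owasp_report
        '''
    }
}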
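// Run the Inspec hardening profile against the target host over SSH and keep the
// JSON report as inspec_results (moved to reports/Inspec in 'Clean up').
// Inspec must already be installed on the agent, e.g.
//   curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
stage('Inspec') {
    catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
        // hostMachineIP and hostMachineName are user parameters; read them from the
        // environment in the shell rather than interpolating them in Groovy.
        // NOTE(review): hostMachineName is described as the host's name but is passed
        // as the SSH *user*; confirm the parameter's intended meaning.
        // The key at ~/.ssh/id_rsa is whatever the agent account happens to hold; a
        // Jenkins sshUserPrivateKey credential bound with withCredentials would keep
        // it out of the agent's home directory and make rotation a Jenkins operation.
        sh '''
            rm -f inspec_results
            inspec exec Inspec/hardening-test -b ssh --host="$hostMachineIP" --user="$hostMachineName" -i ~/.ssh/id_rsa --reporter json:./inspec_results
            jq . inspec_results
        '''
    }
}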
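// Collect every tool's output under reports/ and tear down the helper services
// started in 'pre-build setup'. Runs even when earlier stages failed, because
// each of them wraps its work in catchError.
stage('Clean up') {
    catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
        // repoName is derived from the appRepoURL parameter, so it is user input too:
        // pass it through the environment, quote it, and skip the rm entirely when it
        // is empty instead of running `rm -r` with no meaningful target.
        withEnv(["REPO_NAME=${repoName}"]) {
            sh '''
                if [ -n "$REPO_NAME" ]; then rm -rf -- "$REPO_NAME"; fi
                mkdir -p reports/trufflehog reports/snyk reports/Anchore-Engine reports/OWASP reports/Inspec
                mv trufflehog reports/trufflehog || true
                mv *.json *.html reports/snyk || true
                # Anchore archives its JSON on the controller; $JENKINS_HOME replaces the
                # hard-coded /var/lib/jenkins so a non-default install still works.
                # NOTE(review): for jobs inside folders JOB_NAME contains "/", which does
                # not match the on-disk jobs/<a>/jobs/<b> layout; confirm for this job.
                cp -r "${JENKINS_HOME:-/var/lib/jenkins}/jobs/$JOB_NAME/builds/$BUILD_NUMBER/archive"/Anchore*/*.json ./reports/Anchore-Engine || true
                mv inspec_results reports/Inspec || true
            '''
        }
        // cp Archerysec-ZeD/owasp_report reports/OWASP/ || true
        sh '''
            docker system prune -f
            docker-compose -f Sonarqube/sonar.yml down
            docker-compose -f Anchore-Engine/docker-compose.yaml down -v
        '''
    }
}
} // node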