Product Updates

Add security configuration analysis to your Pipelines using Jenkins Scripts

The goal of this article is to serve as a tutorial on the creation of Jenkins Scripts to add security configuration analysis using CoGuard-CLI to your Jenkins Pipeline.

Albert Heinle
Written by
Albert Heinle

For a general overview of what pipelines are and what they are good for, please refer to our previous article on BitBucket pipelines that had a small section on that.

Our environment includes:

What is Jenkins Pipeline?

Jenkins provides 2 separate methods to create and schedule Jobs. 

  • Freestyle
  • Pipeline

Prior to version 2.x of Jenkins, Freestyle Jobs allowed Job configurations to be configured through the web interface. The created Job configurations were versioned. It allowed developers to move build automations to Source Control Management and scripting language. Freestyle jobs provided flexibility but resulted in complex deployments with build instructions versioned but built in Jenkins UI and were prone to errors and management complexity. 

With Jenkins 2.x, the Jenkins team introduced a functionality simply called “Pipeline”.  Jenkins Pipeline is a modern automation solution where Jobs are scripted in Groovy and stored in a Jenkinsfile. This provides an extremely powerful and flexible approach to multi-branch build pipelines to configuration as code.

What are Jenkins Scripts? 

Jenkins Scripts are a DSL written in Groovy. Jenkins Scripts provide a simplified, declarative syntax on top of the Pipeline subsystem. This allows us to describe a build pipeline in code, maximizing infrastructure as code paradigm while using predefined structured concepts in Jenkins. Groovy is a unique choice of modern language that is easy for Java developers to learn, Java developers being the largest user base of Jenkins users. And Groovy is flexible enough to have a shallow learning curve for experienced developers, and provides a rich feature set, the ability to add Jenkinsfiles to source control, and the opportunity to validate Pipeline syntax before runtime. 

Adding configuration file scanning to Jenkins Pipeline

Jenkins is designed to have a coordinator instance which sends the specific job instructions to a set of agents. Each agent may or may not have certain software installed or not. Jenkins allows for a container to be run as an agent as well.

Assumptions

  • Docker, Python and PIP3 are installed. 
  • Agents for Docker, Python and PIP3 are labeled with the simple labels “docker”, “python3” and “pip3”. 
  • CoGuard login details are stored in the Jenkins Credentials

Installing Python, PIP3 and Docker

Details on how to install python3, pip3, and docker

Adding CoGuard to Jenkins Credentials

Follow the instruction to add new global credentials to your Jenkins instance:

  1. We expect you to Add Credentials
  2. In the Kind field add “username” 
  3. In the Kind field add “password”
  4. In the ID field label “coguard”

Example: Jenkins Script adding CoGuard configuration scanning

CoGuard CLI accepts a number of command line parameters. We apps these parameters though an environmental variable using Jenkins Script. To limit the CoGuard Vulnerabilities to a Severity of Level 3 and above, we specify an environment variable MINIMUM_FAIL_LEVEL. Full details on the CoGuard Vulnerability levels.

The script can then look like the following:

 pipeline {
    agent {
        label(‘python3 && docker && pip3’)
    }

    environment {
        COGUARD_USER_NAME = credentials('jenkins-coguard-username')
        COGUARD_PASSWORD = credentials('jenkins-coguard-password')
    }

    stages {
        stage(‘Build’) {
           // YOUR BUILD INSTRUCTIONS TO GET THE DOCKER IMAGE
           // THE ASSUMPTION IS THAT THIS PART CREATES A DOCKER IMAGE
           // CALLED your-docker-image IN YOUR REPOSITORY WITH THE BUILD_ID AS TAG
        }
        stage('Test') {
            steps {
                script {
                    sh “pip3 install coguard-cli”
                    sh “coguard --minimum-fail-level=${MINIMUM_FAIL_LEVEL:-3} docker-image your-docker-image:$BUILD_ID”
                }
            }
        }
    }
}

This is a simple example. The outputs from CoGuard can be integrated into the JIRA, Slack, email upon failure, etc.

Additional details about using CoGuard in your CI/CD pipeline or in your local environment can be found here.

more resources

Similar Posts

View all resources
DevOps Tips
Do you really want to deploy that dirty AWS default Kafka (MSK) configuration?

Kafka is s a well-engineered scalable messaging system, but along with it comes a large number of different configurations and one in particular that you need to look out for.

DevOps Tips
Securing Multi-Cloud Environments: Monitoring, Logging, and Best Practices

Explore the advantages of multi-cloud architecture for flexibility and risk management. Implement secure back-end VPN connections, monitor efficiently with the ELK stack, and enforce robust authentication. Enhance logging configurations effortlessly with CoGuard.

Dangerous Defaults
Dangerous Defaults # 1 - AWS VPC and VPNs with No Backups Enabled

We evaluate the configuration for setting up AWS GPU VPC and VPNs using CoGuard, Snyk and KICS #aws #cloudformation #iac #config #backups #configuration

Explore a test environment

Try here Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interative dashboard today.

Book a Call
© 2021-2024 All rights reserved Heinle Solutions Inc.