Security in a CI/CD pipeline

Integrate OWASP ZAP into Jenkins CI/CD pipeline

Olawale Olaleye
CloudAdventure

--

Businesses would always aim to release new features faster and whilst development teams adopting Agile may have found ways around managing these demands, it is the SecOps teams that still struggle to keep up with the pace of these accelerated demands. This is due to the fact that in many cases, they are rarely carried along during the project initiation phase and many stakeholders are not patient enough to delay going live if the software fails security assessment.

A common challenge in many organizations is the lack of alignment between teams. Despite this, It is important for the Development and Tools or DevOps team to release secured software to the public. Security teams are now adopting DevSecOps practices to accelerate how they execute automated security scanning to detect possible vulnerabilities in software using the same CI/CD pipelines implemented to speed up software delivery. In this technical walkthrough, I’ll demonstrate how to integrate OWASP ZAP with Jenkins to automate vulnerability detection in applications.

CI/CD pipeline with Jenkins and OWASP ZAP
Demo: Automated Security Scanning in a CI/CD pipeline with Jenkins and OWASP ZAP

Definitions

OWASP ZAP is a Dynamic Application Security Testing tool. This tool can be used against any web application component to detect vulnerabilities.

Jenkins is an open-source automation server that enables developers around the world to reliably build, test, and deploy their software. This tool rank as number 1 among the top 20 most common CICD tools on the globe as of May 2020. If you’ve been wondering why it usually comes up in any DevOps Engineering interview, now you have your answer.

Let’s Get Started

Pre-requisites

  • Install Jenkins plugins: Custom Tool, HTML Publisher. Will be needed.

Steps in Summary

  1. Install ZAP Jenkins plugins
  2. Install ZAP locally. We will be doing this through Jenkins UI
  3. Configure ZAP Host and Port number
  4. Organize your Jenkins project into a folder and create a freestyle project.
  5. Configure build environment to install ZAP
  6. Perform a test. Use a sample URL
  7. Generate HTML report output

Follow the images below to replicate the steps in your environment.

Step 1: Install ZAP Jenkins plugins. Jenkins > Manage Jenkins > Manage Plugins

Search and install OWASP ZAP
Restart Jenkins after the plugin installation

Download latest ZAP from https://www.zaproxy.org/download/

Copy the URL of the latest ZAP https://github.com/zaproxy/zaproxy/releases/download/v2.9.0/ZAP_2.9.0_Linux.tar.gz

Step 2: Install ZAP locally with Custom Tool. Goto Jenkins > Manage Jenkins > Global Tool Config > Click Add Custom Tool

Step 3: Configure ZAP Host and Port number. Goto Jenkins > Manage Jenkins > Configure System > Scroll down to ZAP

ZAP port config

Step 4: Create a Job as a freestyle project. Back to Jenkins > Create New item > Select Freestyle project > Save > Click Build Now

Jenkins Project

Step 5: Configure build environment to install ZAP.

Goto the ZAP job you just created, e.g. in my case CICD_ZAP_Test1. Click Configure, select build environment, check install custom tools

Actual ZAP install locally

Select Build Tab, Click Add build step, Select Execute Zap

Under the Installation Method, choose the directory where ZAP will be installed. I allowed Jenkins to install in its default directory. Note: I am assuming you don’t have ZAP already installed.

default Jenkins directory for ZAP

Installation and configuration have been completed.

Let’s Test

In the build phase, you will need to provide an App name and URL of the asset you want to test. You will need to create a Persist session in ZAP.

include in Context: http://demo.domain.com.*

demo.domain.com is the Target Application and * indicates all paths in the app.

Exclude from Context (optional): ^(?:(?!http:\/\/demo.domain.com).*).$

Under Attack Mode section, specify starting point as http://demo.domain.com and select Spider Scan and Active Scan

Perform a test with sample URL

Configure the reporting.

Finalize the test run.

Select Report type

RESULTS

Happy automating security scans in your Jenkins CICD pipeline.

--

--

Olawale Olaleye
CloudAdventure

DevOps Pro | Cloud Solutions Architect | MultiCloud Specialist