How to configure Jenkins to integrate security into CI/CD

Tiago Mendo
Published in Probely
5 min read · Mar 18, 2019

If you are a developer using Jenkins you most likely have functional tests in place. However, security tests are not that frequently seen integrated into Continuous Integration and Deployment (CI/CD) pipelines, leaving these applications potentially insecure.

For developers to test the security of their applications more easily, they need the right tools. So, to take another step towards helping developers secure their apps, we launched our Security Scanner plugin for Jenkins. The plugin automates the security testing process for developers.

[Image: The plugin page at the Jenkins Plugins Index.]

With Probely’s plugin you can automatically start a security scan every time your Jenkins pipeline is executed. Suppose you already use Jenkins to do unit, functional or integration tests: now you can add another step in that pipeline that will automatically test the security of your application.
Jenkins allows you to have an arbitrary number of build and test scenarios, but a common pattern is as follows:

  • build step: compiles the application or creates the Docker containers
  • deploy step: sends the compiled code or the containers to a test server and executes them
  • test step: runs tests against the running application

The Probely plugin is a build task that runs after the application is built and deployed.

It is recommended that the security tests run after the integration/functional tests pass, to ensure that the application is working properly. A broken application may cause security tests to miss vulnerabilities because a particular feature is not working.

Installation and setup

To set this up, you will first need a Probely account. You can just sign up here, and from there add the target you want to check the security of. This will start a Free 14-day trial for you.

Installing the plugin is easy: go to Manage Plugins, select the Available tab and search for probely. Check the Install box and hit Install without restart. Done!

The plugin needs to communicate with Probely’s API, so you need to generate an API key for Jenkins to use. Obtain the key in your target settings, as shown in the following image:

[Image: Name your key, and save the target id and the generated API key.]

Then add the API key to the Jenkins credentials store as Secret text:

[Image: Click the arrow next to (global), then add an ID and a Description of your choosing.]

At this point, you are ready to add Probely scans as a step in your pipeline.
The plugin can be used in both Freestyle and Pipeline projects, and this post will provide an example for each one. You can learn more about these two project types and their differences here.

Freestyle project

Creating a freestyle project is the simplest way to have a repeatable process to build and test your application, especially for simple applications with just a few jobs.

If you already have a freestyle project, you only need to configure the plugin. To do that, go to the project listing page and click Configure in the drop-down menu next to the project name.

[Image: Choose the project where you want to add Probely’s Security Scanner.]

Once inside the project configuration screen, scroll down to the Build Actions section, click Add build action and choose Probely Security Scanner.

[Image: Enter the target id and the Probely API credentials.]

The plugin itself only requires the id of the target you want to scan and the Probely API credentials that you saved earlier. The target id can be found in the Probely settings of the target.

In the Credentials option choose the one that matches the description you wrote when saving the API key in the Jenkins credential store. In this example, it is API Credentials for myproject on Probely.

If the connection to Probely’s API is working correctly, and the credentials are valid, you should see the message Credentials verified successfully.

Hit Save and it is done. The next time the build job for this project runs, Probely will test the security of the configured target and send you an email with the scan results when the scan finishes.

Pipeline project

Pipeline projects are the most flexible and powerful way of creating CI/CD pipelines with Jenkins.

The projects need a configuration file, a Jenkinsfile. The one in our example uses the more modern declarative syntax, instead of the imperative one.

[Image: Jenkinsfile with a stage that scans for vulnerabilities.]

In this file, we simply added a stage named Scan with Probely, which specifies the target to scan, 9n16yy0TWWKv, and the credentials ID to use. These credentials are the ones you saved previously, in the Installation and setup section.

As with the Freestyle project, the security tests are executed after the functional tests, in this case after the Unit tests stage, to ensure the application is working properly.
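What the Jenkinsfile pictured in this section looks like when written out, as an added example that follows the build/deploy/test pattern described earlier (it is not a transcript of the post's image): the `probelyScan` step name and its `targetId`/`credentialsId` parameters are assumed from the plugin's published pipeline syntax, the `probely-api-key` credential ID and the shell commands in the other stages are placeholders for your own, and the target id is the one quoted above.

```groovy
// Declarative pipeline: Build -> Deploy -> Unit tests -> Scan with Probely
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                // Compile the application (or build its Docker containers).
                // 'make build' is a placeholder for your own build command.
                sh 'make build'
            }
        }
        stage('Deploy') {
            steps {
                // Send the build to a test server and start it there.
                // deploy-to-test.sh is a hypothetical script for this example.
                sh './deploy-to-test.sh'
            }
        }
        stage('Unit tests') {
            steps {
                // In a declarative pipeline a failing stage stops the run,
                // so the security scan below only starts when the
                // application is known to be working; a broken app would
                // otherwise produce a misleadingly clean scan.
                sh 'make test'
            }
        }
        stage('Scan with Probely') {
            steps {
                // targetId is the id shown in the post's example.
                // credentialsId is the ID you gave the Secret text credential
                // in the Jenkins credentials store ('probely-api-key' is assumed).
                probelyScan targetId: '9n16yy0TWWKv', credentialsId: 'probely-api-key'
            }
        }
    }
}
```

The API key itself never appears in the Jenkinsfile: the step only references the credential by ID, so the secret stays in the Jenkins credentials store and out of your repository history.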

Now you just need to update the Jenkinsfile of the Pipeline project you want to change. Go to the project configuration, then to the Pipeline section, and replace the configuration with the new one. If your Jenkinsfile is stored in a repository that was already configured there (Pipeline script from SCM), you only need to commit the updated file to the repository.

[Image: Pipeline project with a stage that uses Probely.]

Your pipeline now has a stage that scans your target for vulnerabilities.

Coming features

At the target settings page, you have some options regarding how Probely scans your target. You can choose different scanning profiles, add a login URL and credentials to scan behind login pages, add custom headers and even enable automatic synchronization with your Jira project, just to name a few.

Right now you must change these configurations at Probely, but we will progressively add them to the plugin. A good example is the possibility to choose the scan profile directly in the Jenkins plugin, for a more flexible build step construction.

We would love to hear about your Jenkins use case, how you are using it to build and test your application, and, more importantly, how you would like Probely to work with your existing setup.

By the way, as with all Jenkins plugins, the plugin's code is available on GitHub.
