Objective
Provide an example Jenkins Pipeline with the steps described in our documentation at - Define vulnerability security controls for pipelines in Jenkins
Process
The following example uses the contrastAgent and contrastVerification steps.
First, set up the connection from Jenkins to the Contrast UI following the steps at - Jenkins Connection. For the purposes of the example the profile is named ContrastProfileName. Replace this with the name you give your profile when setting up the connection.
The example application used is WebGoat - https://github.com/WebGoat/WebGoat .
The Sheepdog tool - https://github.com/Contrast-Security-OSS/sheepdog is then used to generate application attack traffic:

pipeline {
    agent any
    stages {
        stage('Build Application') {
            steps {
                echo "Will just download WebGoat and SheepDog, but can build."
                sh '/usr/local/bin/wget -nc https://github.com/WebGoat/WebGoat/releases/download/7.1/webgoat-container-7.1-exec.jar'
                sh '/usr/local/bin/wget -nc https://github.com/Contrast-Security-OSS/sheepdog/raw/master/dist/sheepdog-1.0-SNAPSHOT.jar'
            }
        }
        stage('Contrast Download') {
            steps {
                sh "pwd"
                // Downloads the Contrast Java agent (contrast.jar) into the workspace using the named profile.
                contrastAgent agentType: 'JAVA', outputDirectory: "${pwd()}", profile: 'ContrastProfileName'
            }
        }
        stage('Run Application') {
            steps {
                // Single-quoted Groovy string: ${JOB_NAME} and ${BUILD_NUMBER} are expanded by the shell from the build environment.
                sh 'java -javaagent:contrast.jar -Dcontrast.application.name=JenkinsGoat -Dcontrast.application.version=${JOB_NAME}-${BUILD_NUMBER} -jar webgoat-container-7.1-exec.jar &'
                sh 'sleep 45'
            }
        }
        stage('Test Application') {
            steps {
                sh 'java -jar sheepdog-1.0-SNAPSHOT.jar -p 8080 -t 2 -s 30 -d 1500 250 -a 90'
                sh 'sleep 60'
            }
        }
        stage('Contrast Verification') {
            steps {
                // Security gate: fails the build when Contrast's vulnerability count at the given severity exceeds `count`.
                contrastVerification applicationName: 'JenkinsGoat', agentType: 'Java', queryBy: 3, profile: 'ContrastProfileName', count: 0, severity: "Medium"
            }
        }
    }
}
The contrastVerification step will fail because the example WebGoat application contains medium severity vulnerabilities:
ERROR: Failed on the condition where count is 0, severity is Medium, applicationId is APP_ID, queryBy is 3.
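The same gate with the operational checks a practitioner would add around it, as an added example that is not part of the original article or the Contrast plugin's own code: it assumes the two jars are already in the workspace, polls WebGoat for readiness instead of sleeping a fixed 45 seconds (the /WebGoat URL and the presence of curl on the agent are assumptions), and uses a post block to stop the backgrounded JVM and archive its log whether or not the gate passes. JENKINS_NODE_COOKIE=dontKillMe is assumed as the usual workaround for Jenkins' process-tree killer reaping the backgrounded process.

```groovy
pipeline {
    agent any
    environment {
        // Assumed workaround: keeps Jenkins' process-tree killer from reaping the backgrounded WebGoat JVM.
        JENKINS_NODE_COOKIE = 'dontKillMe'
    }
    stages {
        stage('Contrast Download') {
            steps {
                contrastAgent agentType: 'JAVA', outputDirectory: "${pwd()}", profile: 'ContrastProfileName'
            }
        }
        stage('Run Application') {
            steps {
                sh '''
                    nohup java -javaagent:contrast.jar \
                        -Dcontrast.application.name=JenkinsGoat \
                        -Dcontrast.application.version=${JOB_NAME}-${BUILD_NUMBER} \
                        -jar webgoat-container-7.1-exec.jar > webgoat.log 2>&1 &
                    echo $! > webgoat.pid
                    # Poll for readiness instead of a fixed sleep (assumed URL: WebGoat 7.1 serves /WebGoat on 8080).
                    for i in $(seq 1 60); do
                        curl -sf -o /dev/null http://localhost:8080/WebGoat/ && exit 0
                        sleep 2
                    done
                    echo "WebGoat did not become ready"; cat webgoat.log; exit 1
                '''
            }
        }
        stage('Test Application') {
            steps {
                sh 'java -jar sheepdog-1.0-SNAPSHOT.jar -p 8080 -t 2 -s 30 -d 1500 250 -a 90'
                sh 'sleep 60' // give the agent time to report findings before the gate runs
            }
        }
        stage('Contrast Verification') {
            steps {
                // Security gate: fails the build when the Medium-severity vulnerability count exceeds 0.
                contrastVerification applicationName: 'JenkinsGoat', agentType: 'Java', queryBy: 3, profile: 'ContrastProfileName', count: 0, severity: "Medium"
            }
        }
    }
    post {
        always {
            // Stop the instrumented app and keep its log for triage, whether or not the gate passed.
            sh 'kill $(cat webgoat.pid 2>/dev/null) 2>/dev/null || true'
            archiveArtifacts artifacts: 'webgoat.log', allowEmptyArchive: true
        }
    }
}
```

Against WebGoat this variant fails in the same place as the original, at contrastVerification, but the Run Application stage now fails fast with the app log attached if WebGoat never starts, instead of letting Sheepdog run against nothing and the gate pass on an empty result.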