Jenkins Pipeline Example

Objective

Provide an example Jenkins Pipeline that implements the steps described in our documentation under Define vulnerability security controls for pipelines in Jenkins.

Process

The following example uses the contrastAgent and contrastVerification pipeline steps.

First, set up the connection from Jenkins to the Contrast UI following the steps under Jenkins Connection. For the purposes of this example the connection profile is named ContrastProfileName; replace this with the name you give your profile when setting up the connection.

The example application is WebGoat - https://github.com/WebGoat/WebGoat

The Sheepdog tool - https://github.com/Contrast-Security-OSS/sheepdog - is then used to generate application attack traffic so that the Contrast agent has activity to report:

pipeline {
  agent any
  stages {
    stage('Build Application') {
      steps {
        // A real pipeline would build the application here; this example only downloads the two jars.
        echo "Will just download WebGoat and SheepDog, but can build."
        sh '/usr/local/bin/wget -nc https://github.com/WebGoat/WebGoat/releases/download/7.1/webgoat-container-7.1-exec.jar'
        sh '/usr/local/bin/wget -nc https://github.com/Contrast-Security-OSS/sheepdog/raw/master/dist/sheepdog-1.0-SNAPSHOT.jar'
      }
    }
    stage('Contrast Download') {
      steps {
        sh "pwd"
        // Download the Java agent (contrast.jar) from the Contrast UI into the workspace, using the named connection profile.
        contrastAgent agentType: 'JAVA', outputDirectory: "${pwd()}", profile: 'ContrastProfileName'
      }
    }
    stage('Run Application') {
      steps {
        // Start WebGoat in the background with the Contrast agent attached.
        // JOB_NAME and BUILD_NUMBER are expanded by the shell from the Jenkins environment.
        sh 'java -javaagent:contrast.jar -Dcontrast.application.name=JenkinsGoat -Dcontrast.application.version=${JOB_NAME}-${BUILD_NUMBER} -jar webgoat-container-7.1-exec.jar &'
        // Give the application time to start before sending traffic.
        sh 'sleep 45'
      }
    }
    stage('Test Application') {
      steps {
        // Generate attack traffic against the running application on port 8080.
        sh 'java -jar sheepdog-1.0-SNAPSHOT.jar -p 8080 -t 2 -s 30 -d 1500 250 -a 90'
        // Allow time for the agent to report its findings to the Contrast UI.
        sh 'sleep 60'
      }
    }
    stage('Contrast Verification') {
      steps {
        // Fail the build when Contrast reports more than 'count' (here 0) vulnerabilities
        // at the configured severity threshold for this application.
        contrastVerification applicationName: 'JenkinsGoat', agentType: 'Java', queryBy: 3, profile: 'ContrastProfileName', count: 0, severity: "Medium"
      }
    }
  }
}

The contrastVerification step will fail as the example WebGoat application contains medium severity vulnerabilities:

ERROR: Failed on the condition where count is 0, severity is Medium, applicationId is APP_ID, queryBy is 3.
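The 'Build Application' stage above fetches both jars with wget and runs them as-is. The helper below is an added example, not part of the article or the Contrast plugin: it checks a downloaded artifact's SHA-256 against a pinned value before the pipeline executes it, so a tampered or unexpected download fails the build rather than running inside it. The two hash variables named in the usage comment are placeholders; take the real digests from the release you pin.

```shell
#!/bin/sh
# Added example (not from the article): verify a downloaded artifact before running it.
# The expected digests are PLACEHOLDERS to be replaced with the published values.

# sha256_of FILE -> prints the hex SHA-256 digest, using whichever tool the agent has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE EXPECTED_SHA256 -> 0 when the digest matches,
# 1 when the file is missing or the digest differs (details go to stderr).
verify_artifact() {
  file=$1
  expected=$2
  if [ ! -f "$file" ]; then
    echo "verify_artifact: $file not found" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "verify_artifact: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# Usage in the 'Build Application' stage, right after the two wget calls
# (WEBGOAT_SHA256 / SHEEPDOG_SHA256 are placeholder variables holding the pinned digests):
#   verify_artifact webgoat-container-7.1-exec.jar "$WEBGOAT_SHA256" || exit 1
#   verify_artifact sheepdog-1.0-SNAPSHOT.jar     "$SHEEPDOG_SHA256" || exit 1
```

Because wget -nc keeps an existing file rather than re-downloading it, the check also catches a stale or altered jar left in the workspace from an earlier build.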
