Overview
Jenkins is a continuous integration (CI) tool that automates the process of building, testing, deploying, and running applications.
With the Contrast-Jenkins integration you can add application security gates to your pipeline. These gates contain criteria that can fail the Jenkins job for a vulnerable application with a build result like "Failure" or "Unstable".
Table of Contents
- Fail or mark unstable a Jenkins build if an application is too vulnerable (job-level configuration)
- Create consistency of policy violation criteria across the Contrast organization (Contrast UI Jenkins Job Outcome Policy)
- Create individualized policies per application team or group
- Prevent deployment of an application from one environment to another (Dev to QA)
- Create exceptions to vulnerability severity limits by individual vulnerability rule
- Motivate remediation for vulnerabilities that were first found more than a week or a month ago
- Create a vulnerability stop gap so no new vulnerabilities can be introduced
Before you start
- All Contrast Security integrations require an organization administrator to set up the connection.
- You need an existing Jenkins pipeline.
Set up the integration
1. From inside Jenkins, go to Manage Jenkins and choose Manage Plugins.
2. Add the Contrast Continuous Application Security plugin.
3. Log in to Jenkins and select Manage Jenkins, then Configure System.
4. Configure the connection information using the credentials from the Contrast UI, and test the connection.
If the connection test fails, check that the Contrast URL and credentials you entered in Jenkins match the values shown in the Contrast UI. Treat these credentials as secrets: keep them in Jenkins credentials rather than in job scripts, and keep them out of build logs. Contact Contrast Support (support@contrastsecurity.com) if necessary.
Meet your use case
a. Fail or mark unstable a Jenkins build if an application is too vulnerable (job-level configuration)
i. Only modify the Jenkins build outcome if the vulnerability was detected by the Contrast agent session that ran during the job
Scroll to the bottom of the job configuration. Select "Add post-build action" and choose "Contrast Assess".
Fill in your application and choose "APPVERSIONTAG".
We select this option because we want to use the following configuration option that the agent accepts:
-Dcontrast.override.appversion=${APPVERSIONTAG}
In addition to selecting APPVERSIONTAG in the post-build action, set an APPVERSIONTAG environment variable in the job (for example derived from Jenkins's BUILD_NUMBER, so that each build gets its own tag) and pass it to the agent as shown above. The post-build action then only evaluates vulnerabilities that the agent reported under that build's tag.
ii. Only modify the Jenkins build outcome if the vulnerability was detected after the Jenkins build began
After you have added the "Contrast Assess" post-build action, select the "startDate" option (this is the build timestamp) together with the "Override Vulnerability Security Controls at the Jenkins system level" option. These ensure that the build outcome is decided only on vulnerabilities found after the build started.
b. Create consistency of policy violation criteria across all jobs in the same Jenkins instance (system-level configuration)
From the Jenkins home screen, select Manage Jenkins.
From the menu, select Configure System.
Scroll down to the Contrast Connections section. Make sure the box "Allow job level application vulnerability security controls to override those controls defined here at the system level" is not checked, so that individual jobs cannot weaken the system-level policy. Then configure your security policy and click "Save".
c. Create consistency of policy violation criteria across the Contrast organization (global-level configuration)
i. Create individualized policies per application team or group
Select the application name that you want to apply the policy to. In the example below we have SampleApp1 as one security policy and SampleApp2 as another.
ii. Prevent deployment of an application from one environment to another (Dev to QA)
iii. Consider an application as too vulnerable if there are more than 0 Critical and/or High severity vulnerabilities
Under the vulnerability rules section select Critical from the dropdown box. Add another rule and select High. Set both to the value of 0.
iv. Create exceptions to vulnerability severity limits by individual vulnerability rule
Select various Assess rules from the drop down under “Vulnerability Rules”.
For example: in the configuration shown below no Cross-Site Scripting or SQL Injection vulnerabilities are allowed.
v. Motivate remediation for vulnerabilities that were first found more than a week or a month ago
Control the time range Contrast considers by changing "Vulnerability first seen". In this example policy, any vulnerability first seen between 7 and 30 days ago must be remediated; otherwise the build is marked as a failure.
vi. Create a vulnerability stop gap, so no new vulnerabilities can be introduced
Control the time range Contrast considers by changing "Vulnerability first seen". In this example policy, any vulnerability first seen after the job started fails the build, which prevents new vulnerabilities from being introduced.
d. Create policies that apply to non-Jenkins CI tools
First, create a policy in the Contrast UI similar to the one laid out here.
Next, call the securityChecks API with cURL and use the response to mark the build UNSTABLE or FAILURE. Replace <ContrastUIAddress> and <OrgID> with your Contrast UI host and organization ID, and supply your own Authorization and api-key header values.
curl -X "POST" "https://<ContrastUIAddress>/Contrast/api/ng/<OrgID>/securityChecks" \
  -H 'Authorization: redacted' \
  -H 'api-key: redacted' \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d '{
    "job_start_time": "1601929455000",
    "security_check_filter": {
      "app_version_tags": [ "32" ],
      "query_by": "APP_VERSION_TAG"
    },
    "application_id": "ba085457-b5f5-48ea-b5e1-cc32d2d89db1",
    "origin": "OTHER"
  }'
- job_start_time: epoch time in milliseconds
- security_check_filter: filters used to determine which vulnerabilities were found in a build
  - app_version_tags: app version tags to filter by
  - query_by: either APP_VERSION_TAG or START_DATE
- APP_VERSION_TAG: sent to the Contrast UI by the agent using contrast.override.appversion
- application_id: found in the Contrast UI after the /application section
- origin: whether the job is from JENKINS or OTHER
The API response will be similar to the following. Notice "outcome" : "UNSTABLE" inside job_outcome_policy: together with "result" : false on the security check, it tells you that the policy was not met and which build outcome to apply.
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
{
  "success" : true,
  "messages" : [ "Security check has been run." ],
  "security_check" : {
    "id" : 394,
    "application_name" : "GoatGate",
    "application_id" : "ba085457-b5f5-48ea-b5e1-cc32d2d89db1",
    "origin" : "OTHER",
    "result" : false,
    "job_outcome_policy" : {
      "name" : "API",
      "outcome" : "UNSTABLE",
      "enabled" : true,
      "severities" : { },
      "importances" : [ ],
      "environments" : [ ],
      "rules" : { },
      "organization_id" : 225,
      "policy_id" : 21,
      "all_applications" : true,
      "all_rules" : true,
      "all_rules_threshold" : 0,
      "app_criterion" : "ID",
      "include_rules" : true,
      "status_filter" : [ "REPORTED", "SUSPICIOUS", "CONFIRMED" ],
      "applications" : [ ],
      "all_environments" : true,
      "application_tags" : [ ],
      "rule_severities" : [ ],
      "keycode" : "JENKINS",
      "start_date" : -2,
      "end_date" : 0,
      "include_all_start_dates" : false,
      "custom_start_date" : false,
      "custom_end_date" : false,
      "is_job_start_time" : true,
      "opt_into_query" : true
    },
    "agent_language" : "JAVA",
    "job_start_time" : null
  }
}
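The following script is added here as a worked example; it is not part of the Contrast documentation or the Jenkins plugin. It wraps the request above for a non-Jenkins CI job: it builds the request body, posts it with cURL, reads "result" and the policy's "outcome" from the response, and exits 0, 1 or 2 so the CI tool can pass the job, fail it, or treat it as unstable. The environment variable names (CONTRAST_URL, CONTRAST_ORG_ID, CONTRAST_AUTH, CONTRAST_API_KEY, CONTRAST_APP_ID, APP_VERSION_TAG, JOB_START_MS) are this example's own assumptions; APP_VERSION_TAG is the value the job passed to the agent as contrast.override.appversion, as in use case a.i. Reading "result" as true when the policy is satisfied is inferred from the sample response, where "result" : false accompanies the UNSTABLE outcome.

```shell
#!/bin/sh
# Added example, not part of the Contrast documentation or the Jenkins plugin.
# Gate script for a non-Jenkins CI job: posts the security check shown above
# and converts the response into an exit status the CI tool can act on.
#
# Assumed to be provided by the CI job (all names are this example's own):
#   CONTRAST_URL      e.g. https://<ContrastUIAddress> (no trailing slash)
#   CONTRAST_ORG_ID   the organization ID from the Contrast UI
#   CONTRAST_AUTH     value for the Authorization header
#   CONTRAST_API_KEY  value for the api-key header
#   CONTRAST_APP_ID   the application ID from the Contrast UI
#   APP_VERSION_TAG   the tag passed to the agent via contrast.override.appversion
#   JOB_START_MS      job start time in epoch milliseconds (optional)
# Keep CONTRAST_AUTH and CONTRAST_API_KEY in the CI secret store and never
# echo them; this script only hands them to curl.
set -eu

# Build the request body, matching the curl example above.
# $1 = app version tag, $2 = application ID, $3 = job start time in epoch ms.
security_check_body() {
    printf '{"job_start_time":"%s","security_check_filter":{"app_version_tags":["%s"],"query_by":"APP_VERSION_TAG"},"application_id":"%s","origin":"OTHER"}' \
        "$3" "$1" "$2"
}

# Extract one scalar JSON value by key: json_scalar KEY BODY.
# Each key read here appears exactly once in the securityChecks response, so a
# greedy sed match is sufficient; prefer jq if your CI image provides it.
json_scalar() {
    printf '%s' "$2" | tr -d '\n\r' |
        sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([A-Za-z0-9_.-]*\)\"\{0,1\}.*/\1/p"
}

# Map a response body to an exit status:
#   0  policy satisfied ("result" true; assumed to be the pass value, since the
#      documented sample pairs "result": false with an UNSTABLE outcome)
#   1  policy violated and the policy's outcome is FAILURE
#   2  policy violated and the policy's outcome is UNSTABLE
#      (wire 2 to your CI tool's warning / allowed-failure state)
#   3  unsuccessful or unexpected response (fail closed)
gate_status() {
    success=$(json_scalar success "$1")
    result=$(json_scalar result "$1")
    outcome=$(json_scalar outcome "$1")
    if [ "$success" != "true" ]; then
        return 3
    fi
    if [ "$result" = "true" ]; then
        return 0
    fi
    case "$outcome" in
        FAILURE)  return 1 ;;
        UNSTABLE) return 2 ;;
        *)        return 3 ;;
    esac
}

# Post the check and exit with the mapped status. A curl transport or HTTP
# error aborts the script under set -e (fail closed). If the job did not record
# JOB_START_MS, fall back to the current time in seconds padded to milliseconds.
run_gate() {
    start_ms="${JOB_START_MS:-$(date +%s)000}"
    body=$(security_check_body "$APP_VERSION_TAG" "$CONTRAST_APP_ID" "$start_ms")
    response=$(curl -sSf -X POST "$CONTRAST_URL/Contrast/api/ng/$CONTRAST_ORG_ID/securityChecks" \
        -H "Authorization: $CONTRAST_AUTH" \
        -H "api-key: $CONTRAST_API_KEY" \
        -H 'Content-Type: application/json; charset=utf-8' \
        -d "$body")
    rc=0
    gate_status "$response" || rc=$?
    echo "Contrast security check: result=$(json_scalar result "$response") outcome=$(json_scalar outcome "$response") exit=$rc"
    exit "$rc"
}

# Only call the API when invoked as: sh contrast-gate.sh --run
if [ "${1:-}" = "--run" ]; then
    run_gate
fi
```

Run it from the job after the tests have exercised the instrumented application (so the agent has reported under APP_VERSION_TAG), for example `sh contrast-gate.sh --run`. Exit status 2 must be mapped to whatever your CI tool offers for a non-fatal warning, since few tools outside Jenkins have a native UNSTABLE state; anything that is not a clean pass, including an API error, leaves the job non-zero so a broken gate cannot silently let a build through.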