As part of a DevSecOps implementation in the CI/CD pipeline, scanning the source code and performing Static Analysis (SAST) is important. SAST is essentially white-box testing performed on the source code, and it helps find serious vulnerabilities early; in particular, the vulnerability classes defined by the OWASP Top 10 should be mitigated. Hence we need a mechanism for scanning and identifying them early in the CI/CD process. Let’s discuss how to perform Static Analysis (SAST) with a Jenkins Pipeline.
So Far!
In our previous article, we gave an introduction to Automated Security Testing and a tutorial for implementing security testing in the IDE at the developer’s end.
In this tutorial, I am using a simple Python Flask application to demonstrate the Static Analysis (SAST) process.
SAST Approach
Before building the pipeline, let’s look at the tools and features that will help us scan the source code. Apart from the unit tests, we perform the following security testing and analysis as part of the SAST process.
Python Bandit – Common Security Scanning
Python Bandit is a well-known tool for scanning source code for common security issues such as security misconfigurations, sensitive data exposure, and more. You can install Bandit with pip (`pip install bandit`) and simply run `bandit -r ~/your_repos/project`.
In this article, instead of installing it on the Jenkins agent, we will use the Docker image `secfigo/bandit` to create a Bandit runtime container, scan our project, and then destroy the container.
Python Safety – Dependency Check Analysis
Every development platform relies on third-party modules, packages, and add-ons. These need to be scanned and analyzed before we start using them in production, and for Python we have Python Safety. You can install it with `pip install safety` and simply run `safety check`.
Instead of installing it permanently, we are going to use the Docker image `pyupio/safety` to create a Safety runtime container, scan our project, and then destroy the container.
Python Taint – Other Static Analysis
Apart from the common security issues Bandit covers, we also want to identify command injection, SSRF, SQL injection, XSS, directory traversal, and much more. These can be scanned and analyzed by Python Taint (it is no longer maintained; use Pysa/Pyre if you want an actively maintained alternative). You can install it with `pip install python-taint` and run it as `pyt path/to/your_project`.
Instead of installing it permanently, we are going to use the Docker image `vickyrajagopal/python-taint-docker` to create a python-taint runtime container, scan our project, and then destroy the container.
Jenkins Pipeline preparation
Now, let’s create a Pipeline that performs Static Analysis (SAST) alongside the usual CI/CD stages.
pipeline {
    agent any
    stages {
        stage("Git checkout") {
            steps {
                git branch: "master", url: "https://github.com/PrabhuVignesh/movie-crud-flask.git"
                sh "ls"
            }
        }
        stage("Python Flask Prepare") {
            steps {
                sh "pip3 install -r requirements.txt"
            }
        }
        stage("Unit Test") {
            steps {
                sh "python3 test_basic.py"
            }
        }
        // Each scanner runs in a throw-away container. The workspace is mounted
        // at the same path inside the container and made the working directory,
        // so the tools see the checked-out project. A bare "--volume \$(pwd)"
        // (no destination) would only create an empty anonymous volume.
        stage("Python Bandit Security Scan") {
            steps {
                // Relies on the image's default command; if that command does not
                // scan the working directory, pass the mounted path explicitly.
                sh "docker run --rm --volume \$(pwd):\$(pwd) -w \$(pwd) secfigo/bandit:latest"
            }
        }
        stage("Dependency Check with Python Safety") {
            steps {
                // Check the project's pinned dependencies (-r requirements.txt);
                // without -r, safety only inspects the packages installed in the image.
                sh "docker run --rm --volume \$(pwd):\$(pwd) -w \$(pwd) pyupio/safety:latest safety check -r requirements.txt"
                sh "docker run --rm --volume \$(pwd):\$(pwd) -w \$(pwd) pyupio/safety:latest safety check -r requirements.txt --json > report.json"
            }
        }
        stage("Static Analysis with python-taint") {
            steps {
                sh "docker run --rm --volume \$(pwd):\$(pwd) -w \$(pwd) vickyrajagopal/python-taint-docker pyt ."
            }
        }
    }
}
Let’s see the step-by-step explanation of the above Jenkinsfile created for the Pipeline job.
Now let’s put that into the Jenkins job configuration.
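The scanners above fail the `sh` step on any finding, which is a blunt gate. As an added example (not part of the article or its project), the script below reads the JSON report Bandit writes with `bandit -f json -o bandit.json -r .`, drops findings from test files, and fails the build only when the count per severity exceeds a budget; a Jenkins stage would run it as `sh "python3 sast_gate.py bandit.json"`. The embedded report is constructed for the example; the field names (`results`, `issue_severity`, `issue_confidence`, `test_id`, `filename`, `line_number`, `issue_text`) follow Bandit's JSON format, and the function names and default budget are choices made here.

```python
"""Added example: a severity-budget gate over a Bandit JSON report."""
import json
import sys
from collections import Counter

SEVERITIES = ("LOW", "MEDIUM", "HIGH")

# Constructed sample report in the shape Bandit emits with `-f json`.
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "results": [
        {"filename": "app.py", "line_number": 42, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"filename": "app.py", "line_number": 90, "test_id": "B201",
         "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
         "issue_text": "A Flask app appears to be run with debug=True."},
        {"filename": "test_basic.py", "line_number": 7, "test_id": "B101",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
    ],
})


def load_findings(report_text: str, exclude_prefixes=("test",)) -> list:
    """Parse the report and drop files whose name starts with an excluded prefix."""
    data = json.loads(report_text)
    return [r for r in data.get("results", [])
            if not r["filename"].startswith(exclude_prefixes)]


def count_by_severity(findings) -> dict:
    """Return {severity: count} with every severity level present."""
    counts = Counter(r["issue_severity"].upper() for r in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def gate(findings, budget=None):
    """Return (passed, violations). `budget` maps severity -> max allowed.

    Default budget (an assumption for this example): no HIGH, at most 5 MEDIUM.
    """
    budget = budget or {"HIGH": 0, "MEDIUM": 5}
    counts = count_by_severity(findings)
    violations = [f"{sev}: {counts[sev]} > {limit}"
                  for sev, limit in budget.items() if counts[sev] > limit]
    return (not violations, violations)


def main(argv) -> int:
    # Read the report path from the command line, or use the sample when run bare.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    findings = load_findings(text)
    for r in findings:
        print(f"{r['issue_severity']:<6} {r['test_id']} "
              f"{r['filename']}:{r['line_number']}  {r['issue_text']}")
    passed, violations = gate(findings)
    print("severity counts:", count_by_severity(findings))
    for v in violations:
        print("budget exceeded:", v)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The per-severity counts the script prints are also the natural thing to push to a dashboard data source after each build, and a non-zero exit status is what makes Jenkins mark the stage as failed.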
Jenkins Job Preparation
Let’s first discuss the steps to configure the job.
That’s all; save it and build it. You will see the following output in the console.
The stages execute in the order defined in the pipeline above.
To see it more visually and with more control over the Pipeline project, install the Blue Ocean Jenkins plugin, which will look like the image below.
Conclusion
In this article, we have discussed how to perform Static Analysis (SAST) with a Jenkins Pipeline. The tools we used to scan the source code are specific to Python; every platform has its own tools that will help you perform Static Analysis (SAST) for the platform of your choice. In our upcoming article, we will discuss Software Composition Analysis and Dynamic Analysis (DAST) in more depth, and how to automate them in the CI/CD process. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps and app development.
Experienced DevSecOps Practitioner, Tech Blogger, Expertise in Designing Solutions in Public and Private Cloud. Opensource Community Contributor.
Hi Prabhu,
Very informative article Thank you for uploading.
Could you please suggest how to gather the logs of all stages on a single dashboard so that we can analyze the logs easily.
Thanks
Dhananjay Bhakte
Glad you found this informative.
There are many ways to gather the data or connect it to a dashboard. One example:
In the “Dependency Check with Python Safety” stage, the tool Python Safety creates a report and exports it as JSON:
docker run --rm --volume \$(pwd) pyupio/safety:latest safety check --json > report.json
You can publish it to any repository or send it to any data source, so that you can use that data source in any dashboard tool such as Grafana, Kibana, Tableau, Hygieia and more. For the data source, if you are using a database, use the database connector plugin in Jenkins to push the exported data; if you are using simple CSV/text files, just FTP or SCP them, or whatever the traditional way is.
Great article! Can you help with one question? I’m just wondering if there is some way to inject steps into every pipeline, like SAST, just to be sure that all my applications are being scanned. I have already done it using Azure DevOps, using “Pipeline Decorators”, and currently I’m looking for a way to do it using Jenkins. Thank you.
Hi Raphael, take a look at the Shared Library feature of Jenkins, which is a reusable library similar to Pipeline Decorators in Azure.
Refer here: https://devopscube.com/jenkins-shared-library-tutorial/
Looks like Python Taint is no longer maintained – not seeing any commits since the beginning of 2020. Facebook’s Pysa/Pyre may be a good alternative.
Thank you for the update. I will make sure this article is updated.