As part of a DevSecOps implementation in the CI/CD pipeline, scanning the source code and performing Static Analysis (SAST) is important. SAST is essentially white-box testing performed on the source code itself. It helps find serious vulnerabilities in the source code early; in particular, the vulnerability classes defined in the OWASP Top 10 should be mitigated. Hence we need a mechanism for scanning and identifying them early in the CI/CD process. Let's discuss how to perform Static Analysis (SAST) with a Jenkins Pipeline.
So Far!
In our previous article, we gave an introduction to Automated Security Testing and a tutorial for implementing security testing in the IDE at the developer's end.
In this tutorial, I am using a simple Python Flask application to demonstrate the Static Analysis (SAST) process.
SAST Approach
Before that, let's look at the tools and features that will help us scan the source code. Apart from unit testing, we perform the following security testing and analysis as part of the SAST process.
Common Security Scanning with Python Bandit
Python Bandit is a well-known tool for scanning source code for common security issues such as security misconfigurations, sensitive data exposure, and more. You can install Bandit with pip ($ pip install bandit) and run it simply with $ bandit -r ~/your_repos/project.
But in this article, instead of installing it, we will use the Docker image secfigo/bandit to create a Bandit runtime container, scan our project, and then destroy the container.
Dependency Check Analysis with Python Safety
Every development platform uses third-party modules, packages, and add-ons. These need to be scanned and analyzed before we start using them in production, and for Python we have Safety. You can install it with $ pip install safety and run it simply with $ safety check.
But instead of installing it permanently, we are going to use the Docker image pyupio/safety to create a Safety runtime container, scan our project, and then destroy the container.
Other Static Analysis with Python Taint
Apart from the common security issues covered by Bandit, we have command injection, SSRF, SQL injection, XSS, directory traversal, and much more to identify. These can be scanned and analyzed by Python Taint (it is no longer maintained; use Pysa/Pyre if you prefer). You can install it with $ pip install python-taint and run it as $ pyt path/to/your_project.
But instead of installing it permanently, we are going to use the Docker image vickyrajagopal/python-taint-docker to create a python-taint runtime container, scan our project, and then destroy the container.
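To make concrete what the Bandit and python-taint stages are looking for, here is an added example (not code from the article or from the movie-crud-flask project) showing a SQL-injection defect beside its fix. Bandit reports queries built with string formatting under its B608 check, and a taint analysis reports the flow from an untrusted input (for example a Flask request parameter) into a database sink such as cursor.execute(). The in-memory SQLite table, the movie rows and the crafted input are all constructed for the example.

```python
import sqlite3

# Added example, not part of the original article: the defect class that the
# SAST stages in this tutorial detect, beside the hardened form.


def make_db():
    """Create an in-memory movie table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, rating INTEGER)"
    )
    conn.executemany(
        "INSERT INTO movies (title, rating) VALUES (?, ?)",
        [("The Matrix", 5), ("Hackers", 3), ("Sneakers", 4)],
    )
    conn.commit()
    return conn


def find_movie_unsafe(conn, title):
    """Vulnerable: the caller-supplied title is pasted into the SQL text.

    Bandit flags this pattern as B608 (SQL built by string formatting) and
    python-taint reports it when `title` comes from a request parameter.
    """
    query = "SELECT title FROM movies WHERE title = '%s'" % title
    return [row[0] for row in conn.execute(query)]


def find_movie_safe(conn, title):
    """Fixed: the title travels as a bound parameter, never as SQL syntax."""
    query = "SELECT title FROM movies WHERE title = ?"
    return [row[0] for row in conn.execute(query, (title,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing SQL metacharacters; a scanner cannot know
    # the value at build time, which is why it reports the query construction.
    crafted = "x' OR '1'='1"
    print("unsafe:", find_movie_unsafe(db, crafted))  # every row leaks
    print("safe:  ", find_movie_safe(db, crafted))    # no row matches
```

Running both functions on the same input shows why the scanner verdict matters: the unsafe query returns the whole table, while the parameterized query treats the quote characters as ordinary text and returns nothing.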
Jenkins Pipeline preparation
Now, let's create a Pipeline which performs Static Analysis (SAST) alongside the usual CI/CD stages. Note that the original `--volume \$(pwd)` flags had no container-side path, so the checkout was never mounted; the mount target `/src` used below is an assumed path, chosen so every scanner runs inside the workspace.

```groovy
pipeline {
    agent any
    stages {
        stage("Git checkout") {
            steps {
                git branch: "master", url: "https://github.com/PrabhuVignesh/movie-crud-flask.git"
                sh "ls"
            }
        }
        stage("Python Flask Prepare") {
            steps {
                sh "pip3 install -r requirements.txt"
            }
        }
        stage("Unit Test") {
            steps {
                sh "python3 test_basic.py"
            }
        }
        stage("Python Bandit Security Scan") {
            steps {
                // Mount the workspace at /src (assumed path) and run the image's
                // default scan command from there; the container is removed afterwards.
                sh "docker run --rm --volume \$(pwd):/src --workdir /src secfigo/bandit:latest"
            }
        }
        stage("Dependency Check with Python Safety") {
            steps {
                // -r points Safety at the project's requirements instead of the
                // packages installed inside the container itself.
                sh "docker run --rm --volume \$(pwd):/src --workdir /src pyupio/safety:latest safety check -r requirements.txt"
                sh "docker run --rm --volume \$(pwd):/src --workdir /src pyupio/safety:latest safety check -r requirements.txt --json > report.json"
            }
        }
        stage("Static Analysis with python-taint") {
            steps {
                sh "docker run --rm --volume \$(pwd):/src --workdir /src vickyrajagopal/python-taint-docker pyt ."
            }
        }
    }
}
```
Let's go through a step-by-step explanation of the above Jenkinsfile created for the Pipeline job.
Now let's put that into the Jenkins Job configuration.
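The pipeline above prints scanner output to the console and saves the Safety result to report.json, but nothing yet turns findings into a build verdict. The following is an added example (not from the article or the project) of a small quality gate that reads the JSON reports the tools can emit and returns whether the build may continue. It assumes the Bandit JSON report layout (a "results" list with issue_severity, test_id, filename, line_number and issue_text) and Safety's JSON output, which is a list of five-element rows in Safety 1.x and an object with a "vulnerabilities" list in Safety 2.x; the field names for the 2.x shape are my assumption, and the sample reports embedded below are constructed, not real scan results.

```python
import json
import sys

# Added example, not part of the original article: a quality gate over the
# JSON output of Bandit and Safety. Field names are assumed from the tools'
# report formats; the sample reports below are constructed.

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def bandit_findings(report, threshold="MEDIUM"):
    """Return Bandit results whose issue_severity is at or above threshold."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [
        r for r in report.get("results", [])
        if SEVERITY_RANK.get(str(r.get("issue_severity", "")).upper(), 0) >= floor
    ]


def safety_vulnerabilities(report):
    """Normalise Safety output to (package, installed_version, vulnerability_id).

    Safety 1.x emits a JSON list of [package, spec, installed, advisory, id];
    Safety 2.x emits an object with a "vulnerabilities" list (assumed keys).
    """
    if isinstance(report, dict):
        return [
            (v["package_name"], v.get("analyzed_version", ""), v.get("vulnerability_id", ""))
            for v in report.get("vulnerabilities", [])
        ]
    return [(row[0], row[2], row[4]) for row in report]


def gate(bandit_report, safety_report, threshold="MEDIUM"):
    """Return (passed, summary_lines); the caller exits non-zero when not passed."""
    lines = []
    for r in bandit_findings(bandit_report, threshold):
        lines.append("bandit %s %s %s:%s %s" % (
            r["issue_severity"], r["test_id"], r["filename"],
            r["line_number"], r["issue_text"]))
    for pkg, ver, vid in safety_vulnerabilities(safety_report):
        lines.append("safety %s==%s %s" % (pkg, ver, vid))
    return (len(lines) == 0, lines)


# Constructed sample reports in the shape the two tools produce.
SAMPLE_BANDIT = json.loads("""{
  "results": [
    {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "filename": "app.py", "line_number": 42,
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
     "filename": "test_basic.py", "line_number": 7,
     "issue_text": "Use of assert detected."}
  ],
  "metrics": {}
}""")

# Same constructed finding in the 1.x list shape and the 2.x object shape.
SAMPLE_SAFETY_V1 = [["flask", "<0.12.3", "0.12.2", "constructed advisory", "PYUP-EXAMPLE-1"]]
SAMPLE_SAFETY_V2 = {"vulnerabilities": [
    {"package_name": "flask", "analyzed_version": "0.12.2",
     "vulnerability_id": "PYUP-EXAMPLE-1", "advisory": "constructed advisory"}]}


def load_reports(bandit_path, safety_path):
    """Read the two JSON files written by the scanner stages."""
    with open(bandit_path) as fb, open(safety_path) as fs:
        return json.load(fb), json.load(fs)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        bandit_report, safety_report = load_reports(sys.argv[1], sys.argv[2])
    else:
        bandit_report, safety_report = SAMPLE_BANDIT, SAMPLE_SAFETY_V1
    passed, summary = gate(bandit_report, safety_report, threshold="MEDIUM")
    print("\n".join(summary) if summary else "no findings at or above threshold")
    sys.exit(0 if passed else 1)
```

In the pipeline this would sit as one more `sh` step after the scanner stages, for example `sh "python3 sast_gate.py bandit.json report.json"` (file names assumed), so a non-zero exit marks the stage as failed in Jenkins instead of leaving the findings buried in the console log. The LOW-severity assert finding is deliberately below the MEDIUM threshold, so it is reported by the scanner but does not break the build on its own.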
Jenkins Job Preparation
Let’s first discuss the steps to configure the Job.

That's all: save it and build it. You will see the following output in the console.

This executes the stages in the order defined in the pipeline.
To see it more visually and with more control over the Pipeline project, install the Blue Ocean Jenkins plugin, which looks like the image below.

Conclusion
In this article, we have discussed how to perform Static Analysis (SAST) with a Jenkins Pipeline. The tools we used to scan the source code here are specific to Python; every platform has its own tools and software that will help you perform Static Analysis (SAST) for the platform of your choice. In our upcoming article, we will discuss Software Composition Analysis and Dynamic Analysis (DAST), and how to automate them in the CI/CD process. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps and App Development.

Prabhu Vignesh Kumar is a seasoned software engineering leader with a strong passion for AI, particularly in simplifying engineering workflows and improving developer experience (DX) through AI-driven solutions. With over a decade of experience across companies like Elanco, IBM, KPMG and HCL, he is known for driving automation, optimizing IT workflows, and leading high-impact engineering initiatives.