Static Analysis SAST with Jenkins Pipeline

DevSecOps – Static Analysis SAST with Jenkins Pipeline.

As part of implementing DevSecOps in the CI/CD pipeline, scanning the source code and performing Static Analysis (SAST) is important. SAST is essentially white-box testing performed on the source code, and it helps find serious vulnerabilities early; in particular, the vulnerability classes defined by the OWASP Top 10 should be mitigated. Hence, we need a mechanism for scanning and identifying these issues early in the CI/CD process. Let's discuss how to perform Static Analysis SAST with a Jenkins Pipeline.

So Far!

In our previous article, we gave an introduction to Automated Security Testing and a tutorial on implementing security testing in the IDE at the developer's end.

In this tutorial, I am using a simple Python Flask application to demonstrate the Static Analysis SAST process.

SAST Approach

Before that, let's look at the tools and features that will help us scan the source code. Apart from unit testing, we perform the following security testing and analysis as part of the SAST process.

Common Security Scanning with Python Bandit

Python Bandit is a well-known tool for scanning source code for common security issues such as security misconfigurations, sensitive data exposure, and more. You can install it with pip ($ pip install bandit) and simply run $ bandit -r ~/your_repos/project.

In this article, instead of installing it, we will use the Docker image secfigo/bandit to create a Bandit runtime container, scan our project, and then destroy the container.

Dependency Check Analysis with Python Safety

Every development platform relies on third-party modules, packages, and add-ons. These need to be scanned and analyzed before we use them in production, and that is what Python Safety does. You can install it using $ pip install safety and run it with $ safety check.

Instead of installing it permanently, we are going to use the Docker image pyupio/safety to create a Safety runtime container, scan our project, and then destroy the container.

Other Static Analysis with Python Taint

Beyond the common security issues covered by Bandit, there are command injection, SSRF, SQL injection, XSS, directory traversal, and much more to be identified. These can be scanned and analyzed by Python Taint (it is no longer maintained; use Pysa/Pyre if you prefer). You can install it with $ pip install python-taint and run it as $ pyt path/to/your_project.

Instead of installing it permanently, we are going to use the Docker image vickyrajagopal/python-taint-docker to create a python-taint runtime container, scan our project, and then destroy the container.

Jenkins Pipeline preparation

Now, let's create a Pipeline that performs Static Analysis (SAST) alongside the usual CI/CD stages.

pipeline {
    agent any
    stages {
        stage ("Git checkout") {
            steps {
                git branch: "master",
                    url: "https://github.com/PrabhuVignesh/movie-crud-flask.git"
                sh "ls"
            }
        }
        stage ("Python Flask Prepare") {
            steps {
                sh "pip3 install -r requirements.txt"
            }
        }
        stage ("Unit Test") {
            steps {
                sh "python3 test_basic.py"
            }
        }
        stage ("Python Bandit Security Scan") {
            steps {
                // Bind-mount the workspace at /src (a bare --volume path only creates an
                // empty anonymous volume) and scan it recursively. The explicit bandit
                // command assumes the image has no bandit ENTRYPOINT of its own.
                sh 'docker run --rm --volume "$(pwd)":/src --workdir /src secfigo/bandit:latest bandit -r /src'
            }
        }
        stage ("Dependency Check with Python Safety") {
            steps {
                // -r checks the project's pinned dependencies rather than the packages
                // installed inside the Safety image; the second run keeps a JSON report.
                sh 'docker run --rm --volume "$(pwd)":/src --workdir /src pyupio/safety:latest safety check -r requirements.txt'
                sh 'docker run --rm --volume "$(pwd)":/src --workdir /src pyupio/safety:latest safety check -r requirements.txt --json > report.json'
            }
        }
        stage ("Static Analysis with python-taint") {
            steps {
                sh 'docker run --rm --volume "$(pwd)":/src --workdir /src vickyrajagopal/python-taint-docker pyt .'
            }
        }
    }
}

Let's go through the above Jenkinsfile, created for the Pipeline job, step by step.

  • The pipeline runs on any available agent (agent any).
  • In the first stage, “Git checkout”, we check out the Git repository of our Python project.
  • Then we prepare to run the Python application's unit tests and the later stages by installing the requirements with pip.
  • After this, we perform the “Unit Test” stage. Here we are using the pytest module, so we simply run the available test file with python3 test_basic.py.
  • Next, the Python Bandit security scan runs in a Docker container.
  • Then, the dependency check with Python Safety runs in a Docker container, as discussed already.
  • Finally, the static analysis with python-taint runs in a Docker container.
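A quality gate that consumes the scanners' reports and fails the build on findings, as an added example that is not part of the original article or its repository. It assumes the Bandit stage is run with -f json -o bandit.json (real Bandit flags) and the Safety stage with --json > report.json as above, and that Safety emits the 1.x list-of-rows JSON format; both sample reports below are constructed:

```python
import json

# Constructed sample of Bandit's JSON report (abridged to the fields used here).
BANDIT_SAMPLE = json.dumps({"results": [
    {"test_id": "B201", "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
     "filename": "app.py", "line_number": 12,
     "issue_text": "A Flask app appears to be run with debug=True."},
    {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
     "filename": "test_basic.py", "line_number": 5,
     "issue_text": "Use of assert detected."},
]})

# Constructed sample of Safety 1.x "--json" output (assumed format): rows of
# [package, vulnerable_spec, installed_version, advisory, vulnerability_id].
SAFETY_SAMPLE = json.dumps([
    ["flask", "<0.12.3", "0.12.2", "constructed advisory text", "PLACEHOLDER-ID"],
])

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def bandit_findings(report_text, min_severity="MEDIUM"):
    """Bandit results at or above min_severity, as (test_id, filename, line) tuples."""
    threshold = SEVERITY_RANK[min_severity]
    return [(r["test_id"], r["filename"], r["line_number"])
            for r in json.loads(report_text).get("results", [])
            if SEVERITY_RANK.get(r.get("issue_severity", ""), 0) >= threshold]


def safety_findings(report_text):
    """Vulnerable dependencies as (package, installed_version, vulnerability_id) tuples."""
    return [(row[0], row[2], row[4]) for row in json.loads(report_text)]


def gate(bandit_text, safety_text, min_severity="MEDIUM"):
    """Combine both reports; the pipeline should fail the build when 'passed' is False."""
    code = bandit_findings(bandit_text, min_severity)
    deps = safety_findings(safety_text)
    return {"passed": not code and not deps, "code_issues": code, "vulnerable_deps": deps}


if __name__ == "__main__":
    # In the pipeline: read the files written by the scan stages and set the exit code.
    import sys
    with open("bandit.json") as b, open("report.json") as s:
        result = gate(b.read(), s.read())
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["passed"] else 1)
```

Run it as a final stage (sh "python3 sast_gate.py") so the job goes red whenever Bandit reports MEDIUM or HIGH severity findings or Safety reports a vulnerable pinned dependency.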

Now let's put that into the Jenkins Job configuration.

Jenkins Job Preparation

Let’s first discuss the steps to configure the Job.

  • STEP 1: Create a Pipeline Job in Jenkins.
  • STEP 2: In the Pipeline section, select ‘Definition’ as ‘Pipeline script from SCM’.
  • STEP 3: In the SCM, select ‘Git’.
  • STEP 4: In the Repositories, put the Repository URL ‘https://github.com/PrabhuVignesh/movie-db-pipeline.git’ and select your branch ‘master’.

[Image: Jenkins pipeline job]

That’s all, save it and build it. You will see the following output in the console.

[Image: Pipeline Job Console Output]

The stages execute in the order defined in the pipeline, as described step by step above.

To see it more visually and with more control over the Pipeline project, install the Blue Ocean Jenkins plugin, which will look like the image below.

[Image: Jenkins Blue Ocean View]

Conclusion

In this article, we have discussed how to perform Static Analysis SAST with a Jenkins Pipeline. The tools we used to scan the source code here are specific to Python; every platform has its own tools and software that will help you perform Static Analysis SAST for the platform of your choice. In our upcoming article, we will discuss Software Composition Analysis and Dynamic Analysis (DAST) and how to automate them in our CI/CD process. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps and App Development.

6 thoughts on “DevSecOps – Static Analysis SAST with Jenkins Pipeline.”

  1. Hi Prabhu,

    Very informative article. Thank you for uploading.

    Could you please suggest how to gather the logs of the stages on a single dashboard so that we can analyze the logs easily.

    Thanks
    Dhananjay Bhakte

    1. Prabhu Vignesh Kumar Rajagopal

      Glad you found this informative.
      There are many ways to gather or connect to the dashboard. One example,

      In the “Dependency Check with Python Safety” stage, the tool “Python Safety” creates a report and exports it as JSON (docker run --rm --volume \$(pwd) pyupio/safety:latest safety check --json > report.json), which you can publish to any repository or send to any data source, so that you can use the data source in any dashboard tool like Grafana, Kibana, Tableau, Hygieia and more.

      For the data source: if you are using a database, use the Database connector plugin in Jenkins to push the exported data; or if you are using simple CSV/text files, just FTP or SCP or whatever the traditional way is.

  2. Great article! Can you help with one question? I'm just wondering if there is some way to inject steps into every pipeline, like SAST, just to be sure that all my applications are being scanned. I already did it using Azure DevOps, using “Pipeline Decorators”, and currently I'm looking for a way to do it using Jenkins. Thank you.

  3. Looks like Python Taint is no longer maintained – not seeing any commits since the beginning of 2020. Facebook’s Pysa/Pyre may be a good alternative.
