JENKINS Setup

This Jenkins setup runs Jenkins in Docker.

1. Run the Docker image

Create a directory for the Jenkins home and start the container. The image runs as user jenkins (uid 1000), so the bind-mounted directory must be owned by that uid on the host (chown -R 1000:1000 on it) or Jenkins cannot write to it:

docker run --rm -d --name jenkins \
  -e TZ=Singapore \
  -p 8081:8080 \
  -p 50000:50000 \
  -v /home/siftuser/jenkins/data/jenkins_home:/var/jenkins_home \
  -u jenkins \
  --env JAVA_OPTS=-Dhudson.footerURL=http://www.sbbabu.com \
  jenkins:2.7.4

Port 8080 is the web UI (published on the host as 8081); 50000 is the JNLP port for inbound build agents and can be left unpublished if no agents connect. --rm deletes the container when it stops, so everything that has to survive (jobs, plugins, credentials, the secrets/ directory) must live in the mounted jenkins_home. The jenkins image on Docker Hub is deprecated in favour of jenkins/jenkins, and 2.7.4 is a 2016 release; for anything beyond a throwaway lab, pin a current LTS tag so security fixes are picked up.

2. Get the initial admin password with the command below

docker exec jenkins cat /var/jenkins_home/secrets/initialAdminPassword

3. Open http://<host>:8081 in a browser and paste the password into the unlock page.

4. Install the suggested plugins.

5. If Bitbucket is your SCM, install the Bitbucket and Bitbucket Notifier plugins (and the Ansible plugin if deployments run through Ansible).

6. Configure Jenkins

Manage Jenkins > Configure System

a. Set the Jenkins URL (used in webhook and notification links) and the system admin e-mail address.

b. Fill in the e-mail notification (SMTP) details.

c. Add the Docker registry details, adding the registry login as a Jenkins credential while doing so rather than typing it into the job.

7. Install Maven in the Jenkins container. The image does not ship Maven, and the container's default user (jenkins) cannot run apt, so exec in as root:

docker exec -u root jenkins sh -c 'apt-get update && apt-get install -y maven'

With --rm anything installed this way disappears when the container is recreated. A more durable option is Manage Jenkins > Global Tool Configuration, which installs Maven automatically on each agent, or a derived image with Maven baked in.

8. Create an OAuth consumer and a webhook in Bitbucket

The webhook triggers a build whenever the repository changes. Create it under Repository > Settings > Webhooks, pointing at the Jenkins URL set in step 6a (for the Bitbucket plugin the endpoint is <jenkins URL>/bitbucket-hook/). Bitbucket must be able to reach that URL, so if Jenkins is exposed to the internet put it behind TLS and restrict what else is reachable.

The OAuth consumer is what the notifier plugin uses to report the build and its status back to Bitbucket. Create it under Project > Settings > OAuth (in Bitbucket Cloud this lives in the account or workspace settings) and store the consumer key and secret as a Jenkins credential; they grant API access on your behalf and should not be pasted into job configuration or pipeline scripts.

9. Create a new pipeline

a. Click 'New Item' and select 'Pipeline'.

b. Build Triggers: check 'Build when a change is pushed to Bitbucket'.

c. Create a Bitbucket credential

From the Credentials menu add a username/password credential for Bitbucket. Prefer a Bitbucket app password scoped to repository read over the account password, so the secret stored in Jenkins cannot do more than clone.

d. Pipeline: add the pipeline script, or choose 'Pipeline script from SCM' and keep a Jenkinsfile in the repository so the build definition is version-controlled and reviewed like the rest of the code.
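As an added example (not from the page or any Jenkins project code), a declarative Jenkinsfile for step 9d that ties the earlier steps together: it clones from Bitbucket with the credential from 9c, builds with the Maven installed in step 7, pushes an image with the registry credential from 6c, and reports status back through the notifier plugin from step 5. Every name is an assumption: the repository URL, registry.example.com, the credential IDs 'bitbucket-creds' and 'docker-registry', and that the notifier plugin installed is the Bitbucket Build Status Notifier plugin, which provides the bitbucketStatusNotify step. It also assumes a docker CLI is available on the agent.

```groovy
// Jenkinsfile (declarative pipeline). Added example; all identifiers are assumptions.
pipeline {
    agent any
    options {
        timestamps()
        disableConcurrentBuilds()
    }
    environment {
        // Hypothetical registry and image name; match the registry configured in step 6c.
        REGISTRY   = 'registry.example.com'
        IMAGE_NAME = 'demo/app'
    }
    stages {
        stage('Checkout') {
            steps {
                // 'bitbucket-creds' is the credential created in step 9c (assumed ID).
                git url: 'https://bitbucket.org/example/app.git',
                    branch: 'master',
                    credentialsId: 'bitbucket-creds'
                // Mark the commit as building in Bitbucket (notifier plugin step, assumed).
                bitbucketStatusNotify(buildState: 'INPROGRESS')
            }
        }
        stage('Build') {
            steps {
                // -B: batch mode, no interactive prompts in CI logs.
                sh 'mvn -B clean verify'
                junit 'target/surefire-reports/*.xml'
            }
        }
        stage('Image') {
            steps {
                // 'docker-registry' is the credential attached to the registry in step 6c (assumed ID).
                withCredentials([usernamePassword(credentialsId: 'docker-registry',
                                                  usernameVariable: 'REG_USER',
                                                  passwordVariable: 'REG_PASS')]) {
                    // Single-quoted Groovy string: the shell expands $REG_PASS, so the secret
                    // is never interpolated into the Groovy script or echoed into the console.
                    // --password-stdin keeps it out of the process list as well.
                    sh '''
                        set -eu
                        echo "$REG_PASS" | docker login -u "$REG_USER" --password-stdin "$REGISTRY"
                        docker build -t "$REGISTRY/$IMAGE_NAME:$BUILD_NUMBER" .
                        docker push "$REGISTRY/$IMAGE_NAME:$BUILD_NUMBER"
                        docker logout "$REGISTRY"
                    '''
                }
            }
        }
    }
    post {
        success { bitbucketStatusNotify(buildState: 'SUCCESSFUL') }
        failure { bitbucketStatusNotify(buildState: 'FAILED') }
    }
}
```

The point worth copying is the credential handling: secrets are bound with withCredentials, used only inside a single-quoted sh block, and passed to docker login on stdin, so they do not appear in the job configuration, the Groovy script, the console log or ps output.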

SECURITY

Security Testing –

http://find-sec-bugs.github.io - Find Security Bugs: a FindBugs/SpotBugs plugin that scans Java applications for security bugs (injection, weak crypto, XXE and similar). It runs from the Maven or Gradle build, so it integrates with Jenkins, and it also plugs into IDEs.

www.owasp.org - OWASP ZAP (the tool described here): free web application security scanner. It spiders the site, runs passive and active scans, and works as an intercepting proxy for manual testing. A Jenkins plugin and a Docker image are available.

http://sqlmap.org - sqlmap is an open source penetration testing tool that automates detecting and exploiting SQL injection flaws. It actively exploits what it finds, so point it only at test instances you own.

www.openvas.org - Open source vulnerability scanner and manager (comparable to the commercial Qualys and Nessus).

OWASP Glue Tool Project - Makes security automation easier. Glue is a Docker container into which you put all of your tools; out of the box it supports Find Security Bugs, Contrast and Fortify, collects all of their results, and lets you export them to JSON, push them into JIRA and so on. It can be configured as a stage of the DevOps release pipeline.

https://github.com/OWASP/glue/blob/master/TOOLS.md

recon-ng - Open source web reconnaissance (OSINT) framework with a modular, Metasploit-style console.

https://github.com/devsecops/awesome-devsecops - Good list of DevSecOps resources: trainings, presentations, tools and dashboards.
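The two tools above that fit most naturally into the step 9 pipeline are Find Security Bugs (static analysis of the Java build) and OWASP ZAP (a scan of the running application). The Jenkinsfile below, an added example rather than anything from the page or the tools' own projects, adds both as gating stages. Assumptions: pom.xml configures spotbugs-maven-plugin with the findsecbugs-plugin dependency (so spotbugs:check runs the security detectors), the agent can run docker, and a test instance of the application is reachable at the hypothetical TARGET_URL before the scan stage runs.

```groovy
// Jenkinsfile with security gates. Added example; the target URL and pom setup are assumptions.
pipeline {
    agent any
    environment {
        // Hypothetical test deployment of the build under test.
        TARGET_URL = 'http://app-under-test:8080'
    }
    stages {
        stage('Build') {
            steps {
                sh 'mvn -B -DskipTests clean package'
            }
        }
        stage('SAST: Find Security Bugs') {
            steps {
                // Assumes pom.xml wires findsecbugs-plugin into spotbugs-maven-plugin.
                // spotbugs:check fails the build when findings at or above the configured
                // threshold are reported, which is what makes this a gate rather than a report.
                sh 'mvn -B spotbugs:spotbugs spotbugs:check'
            }
            post {
                always {
                    archiveArtifacts artifacts: 'target/spotbugsXml.xml', allowEmptyArchive: true
                }
            }
        }
        stage('DAST: OWASP ZAP baseline') {
            steps {
                // zap-baseline.py spiders the target and runs passive checks only, so it is
                // safe against a shared test instance. The workspace is mounted at /zap/wrk
                // so the reports land where archiveArtifacts can collect them.
                // Exit codes: 0 clean, 1 at least one FAIL, 2 at least one WARN. Without a
                // rules file (-c) every alert is a WARN, so the stage fails on any finding;
                // add -I to ignore warnings once a -c rules file promotes the alerts you
                // actually want to block on to FAIL.
                sh '''
                    set -eu
                    docker run --rm -v "$PWD:/zap/wrk:rw" owasp/zap2docker-stable \
                        zap-baseline.py -t "$TARGET_URL" -r zap-report.html -J zap-report.json
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'zap-report.*', allowEmptyArchive: true
                }
            }
        }
    }
}
```

Both stages archive their reports in the always block so the evidence survives a failed gate, which is the state in which you most need to read it.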

Links -

Difference between scripted and declarative pipelines

https://www.blazemeter.com/blog/how-to-use-the-jenkins-scripted-pipeline