JENKINS Setup
This setup of Jenkins uses Docker.
1. Run the docker image
Create a folder for the data and run the container:
docker run --rm -d --name jenkins -e TZ=Singapore -p 8081:8080 -p 50000:50000 -v /home/siftuser/jenkins/data/jenkins_home:/var/jenkins_home -u jenkins --env JAVA_OPTS=-Dhudson.footerURL=http://www.sbbabu.com jenkins:2.7.4
2. Get the initial admin password for Jenkins with the command below
docker exec jenkins cat /var/jenkins_home/secrets/initialAdminPassword
3. In the browser, open the Jenkins URL on port 8081 and enter the password.
4. Install the suggested plugins.
5. If you are using Bitbucket as the SCM, install the Bitbucket and Bitbucket notifier plugins, and Ansible
6. Configure Jenkins
Manage Jenkins > Configure system
a. Update the Jenkins location and the system admin email address
b. Update the email notification details
c. Update the Docker registry details (add a credential while adding the registry details)
7. Log in to the Jenkins container and install Maven: apt install maven
8. Create an OAuth consumer and a webhook in Bitbucket
The webhook is created to trigger builds when there are changes to the repository
Under Repository > Settings > Webhooks
OAuth - used to report the build and its status back to Bitbucket
Under the Project > Settings > OAuth
9. Create a new Pipeline
a. Click 'New Item' and select 'pipeline'
b. Build Trigger - check 'Build when a change is pushed to Bitbucket'
c. Create a Bitbucket credential
From the credentials menu, add a credential with the Bitbucket username and password.
d. Pipeline - add the pipeline script
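A pipeline script for step 9d that wires the setup above together with the Find Security Bugs scan listed under SECURITY below, as an added example rather than the script from the original notes. It assumes the Pipeline, Bitbucket and Bitbucket Build Status Notifier plugins are installed, Maven is installed in the container (step 7), the Bitbucket credential from step 9c has the hypothetical id 'bitbucket-creds', the repository URL is a placeholder, and the project's pom.xml already configures spotbugs-maven-plugin with the findsecbugs-plugin dependency.

```groovy
// Added example Jenkinsfile, not from the original notes.
// Assumptions: Pipeline + Bitbucket + Bitbucket Build Status Notifier plugins,
// Maven in the container, credential id 'bitbucket-creds' (hypothetical),
// and a pom.xml that registers Find Security Bugs with spotbugs-maven-plugin.
pipeline {
    agent any
    options {
        timestamps()
        buildDiscarder(logRotator(numToKeepStr: '20'))
    }
    environment {
        // Placeholder repository; replace with the real Bitbucket clone URL.
        REPO_URL = 'https://bitbucket.org/example-team/example-app.git'
    }
    stages {
        stage('Checkout') {
            steps {
                git url: env.REPO_URL, credentialsId: 'bitbucket-creds', branch: 'master'
                // Report to Bitbucket that this commit is now being built.
                bitbucketStatusNotify(buildState: 'INPROGRESS')
            }
        }
        stage('Build and unit test') {
            steps {
                sh 'mvn -B -U clean package'
            }
        }
        stage('Static security scan') {
            steps {
                // spotbugs:check fails the build when findings are reported;
                // the Find Security Bugs detectors come from the pom.xml config.
                sh 'mvn -B com.github.spotbugs:spotbugs-maven-plugin:check'
                archiveArtifacts artifacts: 'target/spotbugsXml.xml', allowEmptyArchive: true
            }
        }
    }
    post {
        // The OAuth consumer from step 8 lets these calls update the commit status.
        success { bitbucketStatusNotify(buildState: 'SUCCESSFUL') }
        failure { bitbucketStatusNotify(buildState: 'FAILED') }
        always  { junit allowEmptyResults: true, testResults: 'target/surefire-reports/*.xml' }
    }
}
```

Because the scan stage runs after packaging, a failed security check still leaves the surefire results and the SpotBugs XML archived on the build for review.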
SECURITY
Security Testing -
http://find-sec-bugs.github.io - Scans the source code of Java applications. Can be integrated with Jenkins and also with an IDE.
www.owasp.org - Free security testing tool. Spiders your site and can be used in manual security testing. A Jenkins plugin is available, or it can be run with Docker.
http://sqlmap.org - Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws.
www.openvas.org - Open source vulnerability scanner and manager (similar to Qualys and Nessus).
OWASP Glue Tool Project - makes security automation easier. Glue is a Docker container that you can put all of your tools into; out of the box it supports Find Security Bugs, Contrast and Fortify, collects all of the results and lets you export them to JSON, plug into JIRA, etc. It can be configured as part of the DevOps release pipeline.
https://github.com/OWASP/glue/blob/master/TOOLS.md
recon-ng -
https://github.com/devsecops/awesome-devsecops - Good list of DevSecOps resources: trainings, presentations, tools and dashboards.
Links -
Difference between scripted and declarative pipelines
https://www.blazemeter.com/blog/how-to-use-the-jenkins-scripted-pipeline