Jenkins with SAST

Photo Credit of Jenkins – created by Sarah Moreau – sarahmoreau1995@gmail.com

In this tutorial I'm going to run tfsec on a Jenkins Pipeline, continuing where we left off last time in Jenkins on Azure. Today I've redeployed Jenkins via a container packaged by Bitnami as a different approach and set up a fresh CI/CD server.

Static Application Security Testing (SAST) is a critical component of any secure software development lifecycle. When it comes to Infrastructure as Code (IaC), SAST tests can help identify security vulnerabilities and misconfigurations early in the development process, before they can be exploited in production. By analyzing the code for potential security issues, SAST tests can help ensure that IaC templates and scripts are secure and compliant with industry standards and best practices. This can ultimately save time and resources by preventing security incidents and reducing the need for costly remediation efforts.

For steps to reproduce this in your environment, you can provision a VM and install Jenkins manually (my previous blog covers the installation process), or you can use the Bitnami packaged Jenkins image, which launches on a VM.

Prerequisites

  • VM (B1 Machine in Azure)
  • Jenkins (Packaged by bitnami)
  • Github Repo (or SCM) you choose
  • tfsec – installed on the machine, or pull the Docker image in the pipeline

Okay, so starting off we'll navigate to our Jenkins UI. If you're running this yourself, remember that depending on your NSG rules this will likely be port 80; I'm using port 443.

We then navigate to Manage Jenkins, which leads to the screen below with the settings for your server.

Navigate to Manage Plugins to install the plugins we need for the GitHub connection to work.

As you can see in the search bar, we've typed GitHub and can add the plugin to our Jenkins server for installation.

Once we click Install, Jenkins goes through the plugin installation phase. I always restart to get full functionality; you can choose otherwise if you'd like.

Now we have to set up the credentials for our repository. To add them, go to + New Item as shown below and start the process of adding our values/repo.

Click Next and a screen like this appears. We are looking for Source Code Management, which will house our Git repo.

I've added credentials and hidden this view. For webhooks, we then select GitHub hook trigger for GITScm polling.

Select Apply for this area. Now we can configure the webhook in GitHub: navigate to your repository page and select Settings.

Then select Add webhook to start the webhook integration process.

Now the key area: add your Jenkins server URL with the port and append /github-webhook/.

Now go back to Jenkins. If you run into issues, use the repository browser.

I'm posting the Jenkinsfile to show what I ran to get this output.

pipeline {
    // Run on any available node; a stage-level agent { label '...' } would
    // need a node carrying that label, which is the error discussed below.
    agent any

    stages {
        stage('Checkout') {
            steps {
                checkout([$class: 'GitSCM', branches: [[name: '*/main']], userRemoteConfigs: [[url: 'https://github.com/sn0rlaxlife/aks-fleet-manager.git']]])
            }
        }

        stage('Run tfsec') {
            steps {
                // Write the HTML report that post{} archives first, with
                // --soft-fail so the file exists even when tfsec finds issues.
                sh 'tfsec . --format html --out tfsec_output.html --soft-fail'
                // The plain run writes findings to the build log and, because
                // tfsec exits non-zero on findings, fails the stage.
                sh 'tfsec . --no-color'
            }
        }
    }

    post {
        always {
            // Archive the HTML report (runs even when the tfsec stage failed)
            archiveArtifacts artifacts: 'tfsec_output.html', fingerprint: true
        }
    }
}

Mind you, this build took some time and I did run into some issues. Step one: I'm not usually writing in Groovy; we are spoiled on Azure DevOps because the plugins are already wrapped so you can plug and play, whereas this is a little more bootstrapping. As you can see in the image below, one thing I hadn't included in the Jenkinsfile was the label, and this issue could be tracked in the output as shown below.

However, the further issues I ran into followed this one.

After fixing this, one more time we finally get our output: the build fails, and we see why, as the issues persist in our current Terraform file.

Our summary is then shown below with more metrics on what has passed and failed.

Remember where we listed the HTML output? As an artifact, we can see the details on the build by navigating to See Fingerprints.

The tfsec report shows the id of each finding, its location, and a description. Pretty neat.
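The pipeline above fails the stage on any finding, because tfsec exits non-zero whenever it reports something. A team rolling this out usually wants a policy instead: block on HIGH and CRITICAL, report the rest. The script below is an added example (not code from this post, and not part of tfsec or Jenkins) of such a gate over tfsec's JSON report. It reads the same fields the HTML report shows (rule id, location, description), counts findings per severity, and returns a non-zero status when anything meets the threshold. The field names follow tfsec's JSON output as I know it; the sample report, rule ids and resource names are constructed for the example, and the script name tfsec_gate.py is hypothetical.

```python
"""Severity gate for tfsec's JSON report (added example, not code from the post
or from tfsec/Jenkins). Run tfsec with --format json --out tfsec_output.json in
the pipeline, then call this script from a sh step: it prints each finding's
rule id, location and description, counts findings per severity, and exits
non-zero when any finding is at or above the chosen severity threshold."""
import json
import sys
from typing import Dict, List

# tfsec's severity labels, least to most severe.
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample shaped like tfsec's JSON output (top-level "results" list;
# field names follow tfsec's JSON format). Rule ids, resources and text are
# made up for this example and are not real tfsec checks.
SAMPLE_REPORT = json.dumps({"results": [
    {"rule_id": "AVD-EX-0001", "severity": "CRITICAL",
     "description": "Example: security rule allows inbound traffic from any address.",
     "resource": "azurerm_network_security_rule.example",
     "location": {"filename": "network.tf", "start_line": 5}},
    {"rule_id": "AVD-EX-0002", "severity": "HIGH",
     "description": "Example: cluster API server is reachable from the public internet.",
     "resource": "azurerm_kubernetes_cluster.example",
     "location": {"filename": "main.tf", "start_line": 12}},
    {"rule_id": "AVD-EX-0003", "severity": "LOW",
     "description": "Example: resource is missing recommended tags.",
     "resource": "azurerm_resource_group.example",
     "location": {"filename": "main.tf", "start_line": 1}},
]})


def severity_rank(severity: str) -> int:
    """Rank of a severity label. An unknown label ranks above CRITICAL so a
    malformed or future label fails closed instead of slipping past the gate."""
    try:
        return SEVERITY_ORDER.index(severity.upper())
    except ValueError:
        return len(SEVERITY_ORDER)


def parse_results(report_json: str) -> List[dict]:
    """Flatten the report into one dict per finding. A missing or null
    "results" key and missing sub-fields are tolerated, so an empty or partial
    report yields an empty list rather than a crash inside the pipeline."""
    findings = []
    for item in json.loads(report_json).get("results") or []:
        location = item.get("location") or {}
        findings.append({
            "rule_id": item.get("rule_id", "<no rule id>"),
            "severity": str(item.get("severity", "UNKNOWN")).upper(),
            "description": item.get("description", ""),
            "resource": item.get("resource", ""),
            "filename": location.get("filename", "<unknown file>"),
            "start_line": location.get("start_line", 0),
        })
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per severity; known labels are always present so the
    summary has a stable shape for downstream tooling."""
    counts = {label: 0 for label in SEVERITY_ORDER}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


def blocking_findings(findings: List[dict], threshold: str = "HIGH") -> List[dict]:
    """Findings at or above the threshold; any of these should fail the build."""
    bar = severity_rank(threshold)
    return [f for f in findings if severity_rank(f["severity"]) >= bar]


def format_finding(finding: dict) -> str:
    """One console line per finding: severity, rule id, file:line, resource, description."""
    return "{severity:8} {rule_id} {filename}:{start_line} {resource} {description}".format(**finding)


def main(argv: List[str]) -> int:
    """Usage: tfsec_gate.py <tfsec_output.json> [THRESHOLD]. Returns the exit
    status for the pipeline step: 0 when the gate passes, 1 when it blocks."""
    if len(argv) < 2:
        print(__doc__)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        findings = parse_results(fh.read())
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    for finding in findings:
        print(format_finding(finding))
    print("summary:", summarize(findings))
    blocked = blocking_findings(findings, threshold)
    print("FAIL" if blocked else "PASS",
          f"- {len(blocked)} finding(s) at or above {threshold}")
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the Jenkinsfile this replaces the plain scan with two steps, for instance `sh 'tfsec . --format json --out tfsec_output.json --soft-fail'` followed by `sh 'python3 tfsec_gate.py tfsec_output.json HIGH'` (paths and script name are my placeholders). `--soft-fail` matters: without it tfsec itself exits non-zero on any finding and the gate never runs. Unknown severities fail closed on purpose, so a report from a newer tfsec with a label this script has not seen still blocks rather than passing silently.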

Summary

SAST is a powerful way for your organization to proactively find ways to secure your code before it moves from one stage to the next; it should be in your toolset if you are using IaC or any other language for any iteration of programming. tfsec is one open-source tool, but other notable names in this space include Snyk, Checkov and others, just to name a few. As IaC popularity has grown exponentially over the last five years, with more organizations deploying landing zones, this is another way to use an open-source tool like Jenkins to have checks in place on a build.