Skip to content

Instantly share code, notes, and snippets.

@InfoSec812

InfoSec812/Jenkinsfile

Created January 21, 2019 15:48
Show Gist options
  • Save InfoSec812/6f9de85bfc4f70c6914db512bed90c43 to your computer and use it in GitHub Desktop.
Save InfoSec812/6f9de85bfc4f70c6914db512bed90c43 to your computer and use it in GitHub Desktop.
Download ZIP
Example Jenkinsfile showing how to use Zed Attack Proxy in conjunction with Selenium
Raw
Jenkinsfile
import groovy.json.JsonSlurper
pipeline {
options {
buildDiscarder(logRotator(numToKeepStr: '50'))
timeout(time: 20, unit: 'MINUTES') // If the build takes longer than 20 minutes, fail automatically
}
agent {
kubernetes {
label "zaproxy-maven-sidecars-${env.BUILD_ID}"
defaultContainer 'jenkins-slave-mvn'
yaml """
apiVersion: v1
kind: Pod
metadata:
labels:
pod-template: jenkins-slave-sidecars
spec:
volumes:
- name: reports-storage
emptyDir: {}
- name: mvn-cache
emptyDir: {}
- name: maven-settings
configMap:
name: maven-settings
containers:
- name: jenkins-slave-mvn
image: docker-registry.default.svc:5000/labs-ci-cd/jenkins-slave-mvn
volumeMounts:
- name: reports-storage
mountPath: /tmp/reports
- name: maven-settings
mountPath: /home/jenkins/.m2
- name: mvn-cache
mountPath: /home/jenkins/.m2/repository
tty: true
command:
- cat
env:
- name: MY_POD_IP ## Inject the Pod IP into the container as an environment variable
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: REGULAR_USERNAME
valueFrom:
secretKeyRef:
name: build-secrets
key: regular_username
- name: REGULAR_PASSWORD
valueFrom:
secretKeyRef:
name: build-secrets
key: regular_password
- name: REST_API_URL
valueFrom:
configMapKeyRef:
name: build-config
key: rest_api_url
- name: PARTNER_API_URL
valueFrom:
configMapKeyRef:
name: build-config
key: partner_api_url
- name: FRONTEND_URL
valueFrom:
configMapKeyRef:
name: build-config
key: frontend_url
- name: jenkins-slave-zap
image: docker-registry.default.svc:5000/labs-ci-cd/jenkins-slave-zap
volumeMounts:
- name: reports-storage
mountPath: /tmp/reports
tty: true
command:
- cat
env:
- name: MY_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
"""
}
}
stages {
stage('Start Zed Attack Proxy') {
steps {
container('jenkins-slave-zap') {
// Start ZAProxy running in the background
sh 'generate_container_user'
sh 'nohup zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.regex=true -config api.addrs.addr.name=.* &'
}
}
}
stage('Run Acceptance Tests') {
steps {
script {
// Initialize container so that the random UID is defined in /etc/passwd
sh '/usr/local/bin/generate_container_user'
def localIP = sh(returnStdout: true, script: 'echo ${MY_POD_IP}').trim()
// Wait to ensure that ZAProxy is up and available before starting tests
// If ZAProxy is not up in 50 seconds, fail the build
retry(10) {
sleep 5
sh 'curl -s http://localhost:8080/JSON/core/view/mode'
}
// Execute the maven command to run Selenium/Serenity tests using CI settings for
// Jenkins/OpenShift environment
def retVal = sh(returnStatus: true, script: "./run_tests.sh ${localIP}")
sh '/opt/rh/rh-maven33/root/usr/bin/mvn -DskipTests verify'
publishHTML(target: [
reportDir : 'target/site/serenity',
reportFiles : 'index.html',
reportName : 'AA Test Report',
keepAll : true,
alwaysLinkToLastBuild : true,
allowMissing : true
])
// Capture the ZAProxy HTML report - MUST use OTHER prefix
sh "curl -v -o /tmp/reports/zap-passive-report.html http://localhost:8080/OTHER/core/other/htmlreport"
// Capture the ZAProxy JSON report - MUST use OTHER prefix
def jsonReport = sh(returnStdout: true, script: 'curl http://localhost:8080/OTHER/core/other/jsonreport')
// Shut down ZAProxy Daemon
sh 'curl -v http://localhost:8080/OTHER/action/shutdown'
// Parse JSON report data and fail build if appropriate
def jsonData = new JsonSlurper().parseText(jsonReport)
def highCriticalRisks = jsonData.site.each { site ->
site.alerts.each { alert ->
def alertValue = alert.riskcode as Integer
if (alertValue >= 3) {
error 'High/Critical Risks Detected By Zed Attack Proxy'
}
}
}
if (retVal != 0) {
error 'Selenium Tests Failed'
}
}
}
}
}
post {
failure {
// Copy reports from shared volume to workspace so that Jenkins plugins can acces them
sh 'cp -a /tmp/reports ./'
sh 'ls reports/'
emailext attachmentsPattern: 'reports/*-report.*', body: "Please see attached report", subject: 'Failed ZAP Scan', to: '[email protected]; [email protected]; [email protected]; [email protected]'
publishHTML(target: [
reportDir : 'reports',
reportFiles : 'zap-passive-report.html',
reportName : 'ZAProxy Passive Report',
keepAll : true,
alwaysLinkToLastBuild : true,
allowMissing : true
])
}
success {
// Copy reports from shared volume to workspace so that Jenkins plugins can acces them
sh 'cp -a /tmp/reports ./'
sh 'ls reports/'
emailext attachmentsPattern: 'reports/*-report.*', body: "Please see attached report", subject: 'ZAP Scan Results', to: '[email protected]; [email protected]; [email protected]; [email protected]'
publishHTML(target: [
reportDir : 'reports',
reportFiles : 'zap-passive-report.html',
reportName : 'ZAProxy Passive Report',
keepAll : true,
alwaysLinkToLastBuild : true,
allowMissing : true
])
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment