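pipeline {
    agent any // Run on any available Jenkins agent.

    environment {
        // Tool paths and credential references shared by the stages below.
        SONAR_HOME = tool "sonar" // Install path of the SonarQube scanner tool.
        // Jenkins credential ID used by withDockerRegistry in "Push Docker Image".
        // Only the ID is kept here; the registry token itself stays in the Jenkins credential store
        // rather than being committed to this file as a literal.
        DOCKER_CREDENTIALS_ID = '6f4e297d-9998-4d23-9ea4-3fc8e9433e9e'
        //TARGET_URL = 'https://medium.com/edureka/nagios-tutorial-e63e2a744cc8'
        ZAP_PATH = '/var/lib/jenkins/ZAP_2.15.0/zap.sh' // Path to the OWASP ZAP launcher on the agent.
        // ZAP API key is bound from the credential store at runtime (masked in the build log)
        // instead of being committed as a literal; replace the placeholder with the real credential ID.
        ZAP_API_KEY = credentials('<zap-api-key-credential-id>')
        ZAP_PORT = '8081' // Port ZAP listens on.
    }

    stages {
        stage("Clone Code from GitHub") {
            steps {
                git url: "https://github.com/abhi0930/Devsecops.git", branch: "main"
            }
        }

        stage('trufflehog3') {
            steps {
                // Secret scan of the checked-out tree; "|| true" keeps findings from aborting
                // the pipeline so the report is still archived for review.
                sh 'trufflehog3 . -f json -o truffelhog_output.json || true'
                archiveArtifacts artifacts: 'truffelhog_output.json', fingerprint: true
            }
        }

        stage("SonarQube Quality Analysis") {
            steps {
                // Static analysis for code quality and security findings.
                withSonarQubeEnv("sonar") {
                    sh "$SONAR_HOME/bin/sonar-scanner -Dsonar.projectName=cdac-project -Dsonar.projectKey=cdac-project"
                }
            }
        }

        stage("OWASP Dependency Check") {
            steps {
                dependencyCheck additionalArguments: '--scan ./', odcInstallation: 'dc' // Scan project dependencies for known vulnerabilities.
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml' // Publish the Dependency Check report.
            }
        }

        stage("Sonar Quality Gate Scan") {
            steps {
                // Wait up to 5 minutes for the quality gate result; abortPipeline: false means
                // a failed gate is recorded but does not stop the run.
                timeout(time: 5, unit: "MINUTES") {
                    waitForQualityGate abortPipeline: false
                }
            }
        }

        stage('Snyk') {
            steps {
                script {
                    dir('frontend') {
                        // Dependency scan of the frontend project; failOnIssues: false reports findings
                        // without failing the build.
                        snykSecurity(
                            snykInstallation: 'snyk',
                            snykTokenId: 'e6979a44-0e50-40fb-8b0b-de1f860ef7e8',
                            failOnIssues: false,
                        )
                    }
                }
            }
        }

        stage("Deploy using Docker Compose") {
            steps {
                // Bring the application up with docker-compose.
                // NOTE(review): this runs before the Trivy and Grype stages below, so the containers are
                // already up when their images are scanned; moving this stage after them would gate
                // deployment on the scan results.
                sh "docker-compose up -d"
            }
        }

        stage('Push Docker Image') {
            steps {
                script {
                    // Authenticate against Docker Hub with the stored credential and push both images.
                    withDockerRegistry(credentialsId: env.DOCKER_CREDENTIALS_ID, toolName: 'docker') {
                        sh "docker tag devsecops_backend:latest ditiss2024/devsecops_backend:latest"
                        sh "docker push ditiss2024/devsecops_backend:latest"
                        //sh 'docker build -t ditiss2024/image$i:latest .'
                        sh "docker tag devsecops_frontend:latest ditiss2024/devsecops_frontend:latest"
                        sh "docker push ditiss2024/devsecops_frontend:latest"
                    }
                }
            }
        }

        stage("Trivy") {
            steps {
                sh "trivy fs --format table -o trivy-fs-report.html ." // Scan the checked-out file system for vulnerabilities.
                archiveArtifacts allowEmptyArchive: true, artifacts: 'trivy-fs-report.html', fingerprint: true, followSymlinks: false, onlyIfSuccessful: true // Archive the Trivy report.
            }
        }

        stage('Container Security') {
            steps {
                script {
                    // Images to scan with Grype; the names match the images pushed in "Push Docker Image".
                    def images = [
                        ["name": "ditiss2024/devsecops_backend", "path": "1"],
                        ["name": "ditiss2024/devsecops_frontend", "path": "2"]
                    ]
                    def flagged = [] // Images whose report matched the vulnerability heuristic.
                    for (img in images) {
                        def reportFile = "${img.path}_grype.txt"
                        try {
                            // Run Grype and capture its report to a per-image file.
                            sh "grype ${img.name} > ${reportFile}"
                            // Archive the report before inspecting it so it survives any failure below.
                            archiveArtifacts allowEmptyArchive: true, artifacts: reportFile, fingerprint: true, followSymlinks: false
                            def report = readFile(reportFile)
                            echo "Grype Scan Output:\n${report}"
                            // Heuristic: look for the literal word 'vulnerable' in the report text.
                            // The verdict is collected here and raised after the loop, because calling
                            // error() inside this try would be caught by the catch below and downgraded to UNSTABLE.
                            if (report.contains('vulnerable')) {
                                flagged << img.name
                            }
                        } catch (Exception e) {
                            echo "Grype scan failed: ${e.message}"
                            // Archive whatever output exists even when the scan itself failed.
                            archiveArtifacts allowEmptyArchive: true, artifacts: reportFile, fingerprint: true, followSymlinks: false
                            // A scan that could not run is recorded as unstable, not as a clean result.
                            currentBuild.result = 'UNSTABLE'
                        } finally {
                            // Remove the per-image report file after processing.
                            sh "rm -f ${reportFile}"
                        }
                    }
                    // Fail the build only after every image has been scanned and its report archived.
                    if (flagged) {
                        error("Vulnerabilities found in ${flagged.join(', ')}!")
                    }
                }
            }
        }

        /* stage('Kubernetes'){
        steps {
        sh 'echo "Deploying the application"'
        }
        }*/

        stage('OWASPZAP') {
            steps {
                // Placeholder for future OWASP ZAP tasks.
                sh 'echo "Deploying the application"'
                /*steps {
                script{
                sh zap-cli start --start-options -daemon
                sh zap-cli open-url ${TARGET_URL}
                sh zap-cli spider ${TARGET_URL}
                sh zap-cli -v report -f html -o report-zap-cli-jenkins.html
                sh zap-cli shutdown
                }
                archiveArtifacts allowEmptyArchive: true, artifacts: 'report-zap-cli-jenkins.html', fingerprint: true, followSymlinks: false, onlyIfSuccessful: true
                //sh ' rm -rf report-zap-cli-jenkins.html' */
            }
        }
    }

    post {
        always {
            script {
                // Tear down the compose deployment whatever the build outcome.
                sh 'docker-compose down' // Stop the containers started in "Deploy using Docker Compose".
            }
            cleanWs() // Clean the Jenkins workspace.
        }
    }
}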