RIPS Integration into Jenkins CI with Pipeline Support30 May 2018 by Malena Ebert
Jenkins CI is one of the leading open source automation server and provides hundreds of plugins to support building, deploying and automating any project. It supports version control tools like Git, Subversion, Mercurial, Perforce, and can execute Apache Ant, Apache Maven and Gradle based projects as well as arbitrary shell scripts and Windows batch commands. RIPS supports the integration of security analysis into Jenkins since 2016 that helps to prevent that new security vulnerabilities are added to your build. Our new major release now also supports the new Pipeline feature and improves existing features.
The Pipeline approach is a more developer friendly method to define the build and test process of a project. It is as easy as placing a file named
Jenkinsfile into your project which contains all the configuration. This is well known from other build tools like Docker or make and improves the CI process immensely:
- Since the configuration is stored in version control, old builds can be recreated without additional work.
- Changes to the build process can be made per-branch and will not disrupt development.
- Configuration files can be easily copied and adopted for other projects.
The RIPS Jenkins plugin integrates seamlessly into this new workflow. You only need to insert a statement like shown in line nine into your build script. How to use and get the
credentialId is described later in this article.
There are a lot more optional parameters shown in the following listing. One of the most interesting ones is the threshold configuration shown in line ten to fifteen. Here you can trigger a build failure if your software has more issues than the declared number of the single severity levels.
threshold: [newIssues: 0, critical: 0]Build will fail on every new issue and every existing issue of critical severity.
threshold: [critical: 0, high: 10]Every new issue of severity critical or eleven and more issues of high severity will trigger a failure.
The configuration file can easily be generated with the Pipeline Syntax Snippet Generator. Please keep in mind that only non default values will be displayed in the generated command. You can find a description of all configuration parameters in our knowledge base.
New Configuration Mask
Further, we added a new configuration mask (Figure 1) that is more intuitive and straight forward. It will be used in Freestyle Projects and for the Pipeline Syntax Snippet Generator. The URLs, the timeout and the result settings are configurable globally in the Jenkins system settings and do not have to be repeated for each Jenkins project.
Secure Password Storage
Passwords will be managed by the Jenkins Credentials Plugin that is a dependency of our plugin. Credentials can be added to your Jenkins instance per user or system wide, with restrictions to a specific domain. Another benefit of this variant is, that you do not have to add cleartext passwords in your Jenkinsfiles. The username password combination is referenced by an unique identifier. You can lookup this identifier on the credentials menu manually or use the RIPS configuration mask and select the right credential by username.
In the code snippet below you can find an example output of our new plugin version. Line two shows the globbing to create the ZIP file which fetches the supported file extensions directly from the API. Thereby newly supported filetypes will be automatically included in the next scan.
The pipeline project look-and-feel shown in Figure 2 is adopted from the freestyle project. There is an additional stage view available if the required plugins were installed. It allows to quickly review and check all configured stages and can be used, for example, to only view the logs from the RIPS plugin.
An exceeded threshold is printed to the console log as shown before and additionally it is marked in our results widgets shown in the following figures.
In addition to the result widgets, the plugin also displays a configuration widget. It shows an overview of the most important configuration options used in the currently viewed scan. This allows developers to properly review old results even when the configuration changed along the way.
In this post we presented some of the improved features of our RIPS integration for Jenkins CI. Our ready-to-use Jenkins plugin enables many different ways for the seamless integration of automated security analysis into your build process. The plugin can be used with the LTS as well as the latest release of Jenkins. For more information about this plugin please use our knowledge base article. You can also find a quick migration guide in the changelog.