Jenkins-SonarQube Automation

NoName
3 min read · Apr 15, 2021
Automate Jenkins — SonarQube integration. Get lazy.

Introduction

A good sign of a secure application is when both dynamic and static assessments find bugs before anyone else can weaponize them against your application in production. However, it gets challenging when the number of application repositories is high and you don’t want to miss any major vulnerabilities, since most security issues can be found in a quality code review. Now, assume a scenario where you have 100+ repositories and you want to ensure code quality and find bugs, vulnerabilities, code smells, etc. in your code (i.e., perform SAST) before it goes public.

Enter Jenkins and SonarQube

Using these, you can implement the concepts of Continuous Inspection and Continuous Integration in your pipeline. For this scenario, I’ll use a GitHub-Jenkins-SonarQube integration as the example.

How does it work?

According to the Jenkins wiki, you can administer Jenkins with the help of its configuration file (config.xml), which resides at $WORKSPACE.

Sample config.xml taken from Jenkins

You can take a CSV file containing the list of repositories, the branch you want to use, and the job name. I took repositories from https://github.com/travis-ci-examples for illustration purposes.

This CSV file can then be parsed with Python’s native csv library. Next, the values can be written into Jenkins’ job configuration XML with the help of the ElementTree library. The resulting XML can then be passed to python-jenkins, which triggers a “Create Job” call for each entry.

Process flow

Integrating SonarQube & Jenkins

This has been explained by a lot of folks over the internet. I built my test environment on Ubuntu 18.04; however, the integration is platform-independent. In short, the process is:

  • Install Jenkins on your Ubuntu host using apt-get
  • Install SonarQube (I used Docker for installing SonarQube)
  • Integrate both using SonarScanner. I followed this link for the integration of SonarQube & Jenkins.

Automating Build Jobs + Analysis

This is where things get interesting. Once Jenkins and SonarQube are integrated, you can write a script that automates onboarding your jobs from your configuration file and then builds those jobs. I created a Python script with the help of the above-mentioned libraries.

This script then creates a job for each repository that is present in the CSV file.
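Here is an added example of such a script (mine, not the code from the post or its GitHub repository): it reads the CSV, fills the repository URL and branch into a config.xml template with ElementTree, and hands each job to a python-jenkins client. The template, the sample CSV rows and the GitHub-only origin check are my assumptions; the client is passed in so the parsing and rendering run without a Jenkins server.

```python
import csv
import re
import xml.etree.ElementTree as ET

# Constructed job template (not the post's config.xml); <scm> layout matches the Jenkins Git plugin.
TEMPLATE_XML = """<project><scm class="hudson.plugins.git.GitSCM" plugin="git">
  <userRemoteConfigs><hudson.plugins.git.UserRemoteConfig><url>REPLACED</url>
  </hudson.plugins.git.UserRemoteConfig></userRemoteConfigs>
  <branches><hudson.plugins.git.BranchSpec><name>*/master</name>
  </hudson.plugins.git.BranchSpec></branches>
</scm></project>"""

# Constructed sample CSV in the shape the post describes: job name, repository, branch.
SAMPLE_CSV = """job_name,repo_url,branch
python-example,https://github.com/travis-ci-examples/python-example,master
bad name/../x,https://github.com/travis-ci-examples/ruby-example,main
other-origin,ssh://git@internal.example/repo.git,master
"""
JOB_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # no spaces, slashes or path traversal
ALLOWED_PREFIX = "https://github.com/"           # onboard only repos from the trusted origin

def load_jobs(csv_text):
    """Parse the CSV into (name, url, branch) tuples; rows failing validation are rejected."""
    jobs, rejected = [], []
    for row in csv.DictReader(csv_text.splitlines()):
        name, url, branch = (row[k].strip() for k in ("job_name", "repo_url", "branch"))
        if JOB_NAME_RE.match(name) and url.startswith(ALLOWED_PREFIX) and branch:
            jobs.append((name, url, branch))
        else:
            rejected.append(name)
    return jobs, rejected

def render_config(repo_url, branch, template=TEMPLATE_XML):
    """Fill the repository URL and branch spec into config.xml with ElementTree."""
    root = ET.fromstring(template)
    root.find("scm/userRemoteConfigs/*/url").text = repo_url
    root.find("scm/branches/*/name").text = f"*/{branch}"
    return ET.tostring(root, encoding="unicode")

def onboard(server, jobs):
    """Create and trigger one job per row. `server` is a python-jenkins client such as
    jenkins.Jenkins(url, username=user, password=api_token), read from the environment."""
    created = []
    for name, url, branch in jobs:
        if server.job_exists(name):  # idempotent: re-running the same CSV is safe
            continue
        server.create_job(name, render_config(url, branch))
        server.build_job(name)       # the build runs the SonarScanner step, so analysis follows
        created.append(name)
    return created
```

Rejected rows are returned rather than silently dropped, so a malformed or tampered CSV is visible in the run output instead of producing a job that clones from an unexpected origin.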

As you can see in the job details, fields such as Repository URL and Branches to build are populated as well.

Since the jobs were also triggered, the repositories get analysed. The same can be observed on your SonarQube server as well:

Here’s a video showcasing the automation:

Edit: I’ve pushed the underlying code on GitHub.

Conclusion

Jenkins is a powerful automation/integration tool which you can use to integrate and orchestrate many security tools, easing your workload and allowing you to devote your time to more important things.

NoName

A security professional. I break things. I fix things. OSCP. OSWE. Spreading the knowledge :)