patrik93/devsecops-sample

Intro

The purpose of this repository is to implement a simple example pipeline that demonstrates DevSecOps in practice.

The infrastructure is built with Terraform on Amazon Web Services. The project will contain the following instances:

  • Jenkins (with docker engine)
  • Sonarqube
  • ZAP
  • Source Composition Analysis
  • A sample application (Tomcat 'hello world' app)

Prerequisites

You can skip these steps if you have already configured Terraform with your AWS account on your machine.

  1. Setup Terraform on your machine: https://learn.hashicorp.com/tutorials/terraform/install-cli
  2. Add your AWS account following: https://learn.hashicorp.com/tutorials/terraform/aws-build
  3. Create an AWS SSH key pair and set its name in the terraform/variables.tf "keyname" variable.

Warning

Starting the infrastructure described in the Terraform template will cost $0.05 per hour. SonarQube is not able to run on the free-tier-eligible t2.micro instance due to its low resources. Every other component of the project is free tier eligible.

Setup

Terraform

  1. After the Terraform template has been applied, you can access the created instances using the Terraform output information shown in the CLI:

    Terraform output message

SonarQube

  1. You can access the SonarQube server with the DNS name provided by the Terraform output, with the addition of port 9000, e.g. http://sonar-dns:9000. The default login and password is admin:admin.
  2. To generate a token, go to User > My Account > Security. Your existing tokens are listed here, each with a Revoke button.

    The form at the bottom of the page allows you to generate new tokens. Once you click the Generate button, you will see the token value. Copy it immediately; once you dismiss the notification you will not be able to retrieve it. This token will be used in Jenkins.

Jenkins

  1. You can access the Jenkins server with the DNS name provided by the Terraform output, with the addition of port 8080, e.g. http://jenkins-dns:8080
  2. Once you have accessed the web UI, follow the instructions and choose the "Install suggested plugins" option.
  3. On the home page of Jenkins go to "Manage Jenkins" -> "Manage Plugins". On the Available tab, search for the "SSH Agent" and "SonarQube Scanner" plugins and install them without restart.
  4. In the credential store, add new credentials ("Manage Jenkins" -> "Manage Credentials").

    Add credentials to Jenkins

  5. Add the SSH key into the credentials as shown in the picture below.

    Add SSH key creds to Jenkins

  6. Add the SonarQube access token (created in the SonarQube section) into the credentials as shown in the picture below.

    Add SonarQube access key creds to Jenkins

  7. On the home page click on "New item", type your pipeline name, e.g. "first-pipeline", and select the "Pipeline" type for your item.
  8. In the Pipeline section select "Pipeline from SCM" from the Definition drop-down list and add the address of the repository where your Jenkinsfile is located. Click on Save.
  9. Under "Manage Jenkins" -> "Configure System", scroll to the SonarQube servers section. Make sure you have checked "Environment variables". For the Server authentication token, choose the previously added credentials.

    Add SonarQube server to Jenkins
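The Jenkinsfile below is an added illustration of how the plugins and credentials configured above fit together; it is not the repository's own Jenkinsfile. The SonarQube server name `sonar`, the Maven tool name `maven-3`, the SSH credential ID `tomcat-ssh` and the `TOMCAT_HOST` variable are assumptions. The SonarQube token never appears in the pipeline: `withSonarQubeEnv` injects it from the credential store, and the `sh` steps use single-quoted strings so Groovy does not interpolate the secret into the build log.

```groovy
// Added example Jenkinsfile (declarative pipeline); names below are assumptions.
pipeline {
    agent any

    tools {
        // Maven installation name from Manage Jenkins -> Global Tool Configuration (assumed)
        maven 'maven-3'
    }

    environment {
        // Host of the sample Tomcat instance, taken from the Terraform output (assumed)
        TOMCAT_HOST = 'tomcat-dns'
    }

    stages {
        stage('Build') {
            steps {
                sh 'mvn -B -DskipTests clean package'
            }
        }

        stage('SAST: SonarQube') {
            steps {
                // 'sonar' is the server name entered under Configure System -> SonarQube servers.
                // With "Environment variables" checked, the plugin exports SONAR_HOST_URL and
                // SONAR_AUTH_TOKEN for the enclosed steps and masks the token in the console log.
                withSonarQubeEnv('sonar') {
                    sh 'mvn -B sonar:sonar -Dsonar.projectKey=first-pipeline ' +
                       '-Dsonar.host.url=$SONAR_HOST_URL -Dsonar.login=$SONAR_AUTH_TOKEN'
                }
            }
        }

        stage('Quality Gate') {
            steps {
                // Blocks until SonarQube reports the gate result via webhook; abortPipeline: true
                // fails the build when the gate (e.g. "no new vulnerabilities") is not met.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }

        stage('Deploy to Tomcat') {
            steps {
                // 'tomcat-ssh' is the ID of the SSH private key credential added above (assumed).
                sshagent(credentials: ['tomcat-ssh']) {
                    sh 'scp -o StrictHostKeyChecking=accept-new target/*.war ec2-user@$TOMCAT_HOST:/opt/tomcat/webapps/'
                }
            }
        }
    }
}
```

`waitForQualityGate` only returns once SonarQube calls back, so a webhook pointing at `http://jenkins-dns:8080/sonarqube-webhook/` must be configured in SonarQube under Administration > Configuration > Webhooks.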

TODO list:

  1. Jenkins setup guide with plugins and credentials (SSH Agent, SonarQube).
  2. Add SonarQube as Static Application Security Testing (SAST).
  3. SonarQube setup guide.
  4. SonarQube Quality Gate setups to break build if the code is vulnerable.
  5. Terraform modification for complete infrastructure (SG, Subnets etc.).
  6. Add a Source Composition Analysis (SCA) solution to the project.
  7. Add ZAP to the project as Dynamic Application Security Testing (DAST).
  8. Deployment to any container environment instead of a single Tomcat host.
  9. Container security solution integration in the pipeline.
