Jenkins — CI/CD pipeline with Snyk

Tony Fu
5 min read · Nov 16, 2023

Let’s talk about one of the CI/CD tools: Jenkins. Jenkins stands out as one of the most popular tools for developers to maintain their workflow, running the testing and build processes that precede product evaluation. But who gives security advice during the development process, where do we find security guidance for the development cycle, and are there tools that can help? This is why DevSecOps should be introduced. In today’s landscape, DevSecOps holds increasing significance because it embeds security controls within the CI process itself.

Jenkins Plugin — Snyk Walkthrough

I will walk through how to integrate a code-scanning tool into the Jenkins CI process via a Jenkins plugin. Snyk supports various CI/CD tools such as AWS CodePipeline, Azure Pipelines, Bitbucket and more; see the Snyk CI/CD Integrations reference.

Jenkins offers lots of plugins that can be utilized and implemented to enhance functionality. To access these plugins, navigate to Manage Jenkins -> Plugins. Search for Snyk and proceed to install it.

Once Snyk is installed, it will be visible among the installed plugins.

The subsequent step involves establishing the connection between Snyk and Jenkins. This can be achieved by navigating to Manage Jenkins -> Tools and configuring the details within the Snyk tools section.

Within the Snyk section, we’ll proceed to set up the tools in Jenkins.

Next, create credentials specifically for Snyk within Jenkins.

Navigate to Manage Jenkins -> Credentials -> System -> Global credentials (unrestricted). Click Add Credentials.

Select Snyk API Token as the credential type, and proceed to fill in the required details in the designated sections below.

  • Scope: assign the credentials to System and Global.
  • Token: the API key obtained from Snyk.
  • ID (optional): an internal unique ID by which these credentials are identified from jobs and other configuration.
  • Description (optional): text to help tell similar credentials apart.

Jenkins Freestyle Project Walkthrough

Here we are, finished with the initial Snyk setup. The next step is to configure a Jenkins project that integrates Snyk into our CI process for code scanning. Head to New Item to create a new project.

Our focus will mainly be on the Freestyle project, which consists of several components. Developers write code on platforms like GitHub, triggering Jenkins to take further actions such as setting up the build environment. The Build Step includes Snyk for code analysis. Additionally, we can define post-build actions to save files outside of the workspace.

Source Code Management (SCM) is the stage where we obtain the code. It essentially runs ‘git clone’ to replicate the code into the local workspace on the Jenkins server. Here we are using the code example of Snyk Apps Demo.

The build step invokes Snyk. Choose the API key we set up earlier. By default, the output will be converted to JSON format. A couple of options are available, as outlined below:

  • Target file: specify a manifest file and ecosystem, like --file=catalog-info.yaml
  • Organization: run the command for a specific organization, like --org=orgA
  • Project name: override the project name, like --project-name=snyk-apps-demo
  • Additional arguments: additional runtime arguments used to invoke the Snyk CLI; see the Snyk CLI reference.

[Screenshots: choosing the API key; the options available]

Specify the path of the files to archive. All files matching *.ts will be archived, so multiple files with this extension are preserved.

The archived file will be visible after every build.

Trigger the build manually by selecting Build Now. This action will initiate the build process.

After a successful build, the Snyk security report will appear in the list and will be available for use.

The Snyk security report provides detailed workarounds and remediation steps for each vulnerability identified.

After identifying vulnerabilities, additional actions can be integrated into the CI/CD pipeline. For instance, the findings can be sent back to the development lead for review and subsequent adjustments to fix the identified code issues.
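The Freestyle walkthrough above can be expressed as a declarative Jenkinsfile, which keeps the same SCM, Snyk build step, archive and hand-off actions under version control. The following is an added example, not code from the original post or from Snyk; it uses the Snyk plugin's `snykSecurity` pipeline step with the parameter names as documented for the plugin (confirm them against your installed version with Jenkins' Pipeline Syntax snippet generator). The tool installation name `snyk-latest`, the credential ID `snyk-api-token`, the repository URL and branch, the `package.json` target file, the report file names and the e-mail address are assumptions or placeholders.

```groovy
// Jenkinsfile: pipeline equivalent of the Freestyle project described in the post.
// Added example; installation name, credential ID, URLs and file names are assumed.
pipeline {
    agent any

    options {
        timestamps()
    }

    stages {
        stage('Checkout') {
            steps {
                // Equivalent of the Source Code Management section: clone the demo app
                // into the workspace (repository URL and branch are assumptions).
                git url: 'https://github.com/snyk/snyk-apps-demo.git', branch: 'main'
            }
        }

        stage('Snyk security scan') {
            steps {
                // Equivalent of the Snyk build step. The plugin resolves the CLI from the
                // tool installation and injects the API token from the stored credential,
                // so the token never appears in the Jenkinsfile or the console log.
                snykSecurity(
                    snykInstallation: 'snyk-latest',       // name set under Manage Jenkins -> Tools (assumed)
                    snykTokenId: 'snyk-api-token',         // ID of the "Snyk API Token" credential (assumed)
                    failOnIssues: true,                    // fail the build when issues at or above 'severity' exist
                    severity: 'high',                      // threshold: low | medium | high | critical
                    targetFile: 'package.json',            // --file=... (assumed manifest for the demo)
                    organisation: 'orgA',                  // --org=... (placeholder value from the post)
                    projectName: 'snyk-apps-demo',         // --project-name=...
                    additionalArguments: '--all-projects'  // passed through to the Snyk CLI
                )
            }
        }
    }

    post {
        always {
            // Equivalent of the "Archive the artifacts" post-build action. The plugin writes
            // its HTML/JSON report to the workspace root (file names assumed); archiving
            // keeps the report available from the build page after the workspace is cleaned.
            archiveArtifacts artifacts: 'snyk_report.html, snyk_report.json', allowEmptyArchive: true
        }
        failure {
            // Hand the findings back to the development lead, as the post suggests.
            // Requires the Mailer plugin; the address is a placeholder.
            mail to: 'dev-lead@example.com',
                 subject: "Snyk found issues in ${env.JOB_NAME} #${env.BUILD_NUMBER}",
                 body: "Review the report at ${env.BUILD_URL}artifact/snyk_report.html"
        }
    }
}
```

With `failOnIssues: true` and `severity: 'high'`, the build goes red only for high or critical findings, which is the gate most teams start with before tightening the threshold; lower it to `medium` once the backlog from the first scans is cleared. If you only want visibility without blocking merges at first, set `failOnIssues: false` and rely on the archived report and the notification.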


Tony Fu

Extensive experience as a network engineer and cybersecurity engineer, with interests in automation, simplifying architecture, and innovating with new technologies.