Jenkins

This tutorial shows you how you can integrate ShiftLeft CORE's NG SAST into your Jenkins workflow to provide automated code analysis.

To run NG SAST as part of your Jenkins workflow, you will need to:

  1. Provide your ShiftLeft account parameters to Jenkins
  2. Configure the integration with Jenkins using the method of your choice
  3. Verify your integration

Prerequisites

This tutorial assumes that you have:

Provide Your ShiftLeft Account Parameters to Jenkins

To integrate NG SAST with Jenkins, you will need to create an environment variable storing your ShiftLeft CI config token. Jenkins needs access to these parameters so that it can submit your code for analysis.

  1. Start Jenkins, and log in with an administrative user's account.

  2. Go to Manage Jenkins > Configure System > Global properties.

  3. Check the Environment variables box and create the following two variables:

Variable                  Value
SHIFTLEFT_ACCESS_TOKEN    Your Access Token

When running in a production environment, we recommend that you use a CI token as the access token. You can create your CI token in the ShiftLeft Dashboard.

(Screenshot: Adding Jenkins environment variables for ShiftLeft authentication)

Please note that any environment variables you set here override the corresponding values in a configuration file.

Click Save at the bottom of the page.

Integrating with Jenkins

Once you have provided your ShiftLeft account parameters to Jenkins, you can proceed with the NG SAST integration in one of two ways:

  1. Configuring a final build step that runs NG SAST: edit the project's build configuration and add the sl analyze command as the final step of the build

  2. Configuring a post-build task for each Jenkins project that you want to be analyzed by NG SAST: install the Post Build Task plugin and add the sl analyze command as a Post Build Task

For the following examples, we will be working with the HelloShiftLeft sample app, but you are free to use your own app as well.

Option 1: Configure a Final Build Step

The instructions for integrating NG SAST with Jenkins as a final build step differ based on whether you are configuring a Freestyle project or a Pipeline.

Working with Freestyle Projects

The following steps show you how to configure a Jenkins Freestyle project to build and submit HelloShiftLeft for analysis. (If you would like to submit your own application for analysis in lieu of HelloShiftLeft, you can do so by providing the appropriate links to your repository instead.)

  1. Log in to Jenkins with an administrative user account.

  2. Choose your Jenkins project. You can create a new Freestyle project, or you can reconfigure an existing Freestyle project.

  3. Click Configure on the left. Under General, check the GitHub project box and provide your Project url (e.g., https://github.com/ShiftLeftSecurity/HelloShiftLeft).

  4. Under Source Code Management, select Git. This opens up the Repositories area. Provide the URL you provided in step 3 as your Repository URL. If you need to provide the credentials to access a private repo, do so now as well.

  5. Under Build Triggers, make sure you select Poll SCM.

  6. Under Build, click Add build step, and in the drop-down that appears, select Invoke top-level Maven targets since we are using Maven to build HelloShiftLeft. You will be asked to provide your Goals; enter clean package.

  7. Click Add build step again, and in the drop-down that appears, select Execute shell. Provide the following Command:

#!/bin/bash
/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-0.0.1.jar

Click Save. At this point, you are ready to build and test your project.

Option 2: Configure a Post-Build Task

You can configure a post-build task for each target project that submits your code to ShiftLeft for analysis.

To begin, install the Post Build Task plugin:

  1. Log in to the Jenkins Dashboard and go to Manage Jenkins > Manage Plugins. Select the Available tab on the Plugin Manager screen.
  2. In the Filter, enter "Post Build Task". Check the Install box next to the plugin in the results.
  3. At the bottom of the page, choose Install without restart.

You will be redirected to a progress page that tells you the installation status. When the plugin is installed, click Go back to the top page. You can check for installed plugins at any time by going to Manage Jenkins > Manage Plugins, then clicking Installed.

Adding a Post Build Task

Once you've installed the Post Build Task plugin, you can add a post-build action to run NG SAST:

  1. Choose your Jenkins project. You can create a new Freestyle project, or you can reconfigure an existing Freestyle project. (If you would like to submit your own application for analysis in lieu of HelloShiftLeft, you can do so by providing the appropriate links to your repository instead.)

  2. Under General, provide a link to your GitHub project. If you're using HelloShiftLeft, this will be https://github.com/shiftLeftSecurity/helloshiftleft/.

  3. Under Source Code Management, select Git. This opens up the Repositories area. Provide https://github.com/shiftLeftSecurity/helloshiftleft/ as your Repository URL.

  4. Under Build Triggers, make sure you select Poll SCM.

  5. Under Build, click Add build step, and in the drop-down that appears, select Invoke top-level Maven targets since we are using Maven to build HelloShiftLeft. You will be asked to provide your Goals; enter clean package.

  6. Under Post-build actions click Add post-build action and in the drop-down menu that appears, select Post build task. In the configuration area that appears, provide the following as your Script:

#!/bin/bash
mvn clean package
/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-0.0.1.jar

Click Save. At this point, you are ready to build and test your project.
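The two scripts above (the Execute shell step in Option 1 and the Post Build Task in Option 2) run sl analyze and return whatever exit status the CLI gives. The following wrapper is an added example, not ShiftLeft's own script: it refuses to run when SHIFTLEFT_ACCESS_TOKEN is missing (without echoing the token), checks that the Maven artifact exists, and fails the step unless the console output contains the "Done. Submitted for analysis" marker shown in the verification section below. The app name, jar path and sl location are the tutorial's; the script filename ngsast_step.sh and the SL_BIN/APP_NAME/JAR_PATH overrides are assumptions.

```shell
#!/bin/bash
# Hardened replacement for the tutorial's Execute shell / Post Build Task
# script. Added example, not ShiftLeft's own; defaults match the tutorial
# and can be overridden from Jenkins environment variables.

SL_BIN="${SL_BIN:-/usr/local/bin/sl}"
APP_NAME="${APP_NAME:-HelloShiftLeft}"
JAR_PATH="${JAR_PATH:-target/hello-shiftleft-0.0.1.jar}"

# Fail fast on missing prerequisites. The token value itself is never printed.
check_prereqs() {
  if [ -z "${SHIFTLEFT_ACCESS_TOKEN:-}" ]; then
    echo "ERROR: SHIFTLEFT_ACCESS_TOKEN is not set (Manage Jenkins > Configure System > Global properties)" >&2
    return 1
  fi
  if [ ! -f "$JAR_PATH" ]; then
    echo "ERROR: $JAR_PATH not found; did 'mvn clean package' run first?" >&2
    return 1
  fi
  if [ ! -x "$SL_BIN" ]; then
    echo "ERROR: sl CLI not found or not executable at $SL_BIN" >&2
    return 1
  fi
  return 0
}

# The console output on success contains this marker; anything else means
# the code was never submitted for analysis.
analysis_submitted() {
  printf '%s\n' "$1" | grep -q 'Done. Submitted for analysis'
}

# Run the analysis, echo its output to the Jenkins console, and return
# non-zero if the CLI failed or the submission marker is absent, so the
# build does not report SUCCESS for code that was never analyzed.
run_ngsast() {
  check_prereqs || return 1
  local out rc
  out="$("$SL_BIN" analyze --app "$APP_NAME" --java "$JAR_PATH" 2>&1)"
  rc=$?
  printf '%s\n' "$out"
  if [ "$rc" -ne 0 ] || ! analysis_submitted "$out"; then
    echo "ERROR: NG SAST submission failed (sl exit status $rc)" >&2
    return 1
  fi
  return 0
}

# Only run when executed as the saved script; when sourced, just define functions.
case "$0" in *ngsast_step.sh) run_ngsast ;; esac
```

Save it as ngsast_step.sh in the workspace and make the Jenkins step `bash ngsast_step.sh`; if you use the Post Build Task plugin, confirm its settings escalate a non-zero script status to the job status, otherwise the failure is only visible in the console output.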

Verify the NG SAST-Jenkins Integration

  1. Log in to Jenkins, and choose your Jenkins project.
  2. Using the left-hand navigation bar, click Build Now. You'll see the build progress in the Build History box located beneath the navigation bar.
  3. When the build is complete, select the build and, using the left-hand navigation bar, select Console Output.
  4. Check that the console output contains lines like the following, which indicate that ShiftLeft was able to analyze your code successfully:
... Done. Submitted for analysis
Wait for 5-10 minutes and load the following URL in your browser:
https://www.shiftleft.io/findingsSummary/HelloShiftLeft?apps=HelloShiftLeft&isApp=1
POST BUILD TASK : SUCCESS
END OF POST BUILD TASK : 0
Finished: SUCCESS

You can click the provided URL in the output to go to the ShiftLeft Dashboard and view your results (if you aren't already logged in, you will be asked to do so).