Jenkins

This tutorial shows you how to integrate ShiftLeft CORE's NG SAST into your Jenkins workflow to provide automated code analysis.

To run NG SAST as part of your Jenkins workflow, you will need to:

  1. Provide your ShiftLeft account parameters to Jenkins
  2. Configure the integration with Jenkins using the method of your choice
  3. Verify your integration

Prerequisites

This tutorial assumes that you have:

Provide your ShiftLeft account parameters to Jenkins

To integrate NG SAST with Jenkins, you must define a secret containing your ShiftLeft access token that you can inject into your build. Jenkins will need your access token to

  1. Select your username in the top navigation bar.

  2. Select Credentials in the left-hand pane.

  3. Under Stores from parent, select (global) located under Domains.

  4. Click Global credentials (unrestricted).

  5. On the left-hand side, click +Add Credentials.

  6. Under Kind, select Secret text.

  7. Provide your ShiftLeft access token as the Secret and set its ID to SHIFTLEFT_ACCESS_TOKEN. When running in a production environment, we recommend using a CI token as the access token. You can create your CI token in the ShiftLeft Dashboard.

  8. Click Create to save and proceed.

Adding Jenkins environment variables for ShiftLeft authentication

Integrating with Jenkins

Once you have provided your ShiftLeft account parameters to Jenkins, you can proceed with the NG SAST integration in one of two ways:

  1. Configuring a final build step that runs NG SAST: edit the project's build configuration and add the sl analyze command as the last step of the build.

  2. Configuring a post-build task for each Jenkins project you want to be analyzed by NG SAST: install the Post Build Task plugin and add the sl analyze command as a Post Build Task.

We will be working with the HelloShiftLeft sample app for the following examples, but you are free to use your own app as well.

Option 1: Configure a final build step

The instructions for integrating NG SAST with Jenkins as a final build step differ based on whether you are configuring a Freestyle project or a Pipeline.

Working with Freestyle projects

The following steps show you how to configure a Jenkins Freestyle project to build and submit HelloShiftLeft for analysis. (If you would like to submit your application for analysis instead of HelloShiftLeft, you can provide the appropriate links to your repository.)

  1. Log in to Jenkins with an administrative user account.

  2. Choose your Jenkins project. You can create a new Freestyle project, or you can reconfigure an existing Freestyle project.

  3. Click Configure on the left. Under General, check the GitHub project box and provide your Project url (e.g., https://github.com/ShiftLeftSecurity/HelloShiftLeft).

  4. Under Source Code Management, select Git. This opens up the Repositories area. Provide the URL you provided in step 3 as your Repository URL. If you need to provide the credentials to access a private repo, do so now as well.

  5. Under Build Triggers, select Poll SCM.

  6. Under Build Environment, select Use secret text(s) or file(s). When Bindings appears, click Add and select Secret Text. Finally, under Credentials, select Specific credentials and make sure that SHIFTLEFT_ACCESS_TOKEN is displayed.

  7. Under Build, click Add build step, and in the drop-down that appears, select Invoke top-level Maven targets since we are using Maven to build HelloShiftLeft. You will be asked to provide your Goals; enter clean package.

  8. Click Add build step again, and in the drop-down that appears, select Execute shell. Provide the following Command:

    #!/bin/bash
    /usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-0.0.1.jar

Click Save. At this point, you are ready to build and test your project.

Option 2: Configure a post-build task

You can configure a post-build task for each target project that submits your code to ShiftLeft for analysis.

To begin, install the Post Build Task plugin:

  1. Log in to the Jenkins Dashboard and go to Manage Jenkins > Manage Plugins. Select the Available tab on the Plugin Manager screen.
  2. In the Filter, enter "Post Build Task". Check the Install box next to the plugin in the results.
  3. At the bottom of the page, choose Install without restart.

You will be redirected to a progress page that shows installation status. When the plugin is installed, click Go back to the top page. You can check for installed plugins by going to Manage Jenkins > Manage Plugins, then clicking Installed.

Adding a post-build task

Once you've installed the Post Build Task plugin, you can add a post-build action to run NG SAST:

  1. Choose your Jenkins project. You can create a new Freestyle project, or you can reconfigure an existing Freestyle project. (If you would like to submit your application for analysis instead of HelloShiftLeft, you can provide the appropriate links to your repository.)

  2. Under General, provide a link to your GitHub project. If you're using HelloShiftLeft, this will be https://github.com/shiftLeftSecurity/helloshiftleft/.

  3. Under Source Code Management, select Git. This opens up the Repositories area. Provide https://github.com/shiftLeftSecurity/helloshiftleft/ as your Repository URL.

  4. Under Build Triggers, select Poll SCM.

  5. Under Build Environment, select Use secret text(s) or file(s). When Bindings appears, click Add and select Secret Text. Finally, under Credentials, select Specific credentials and make sure that SHIFTLEFT_ACCESS_TOKEN is displayed.

  6. Under Build, click Add build step, and in the drop-down that appears, select Invoke top-level Maven targets since we are using Maven to build HelloShiftLeft. You will be asked to provide your Goals; enter clean package.

  7. Under Post-build actions, click Add post-build action, and in the drop-down menu that appears, select Post build task. In the configuration area that appears, provide the following as your Script:

    #!/bin/bash
    mvn clean package
    /usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-0.0.1.jar

Click Save. At this point, you are ready to build and test your project.
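The one-line sl analyze command in Option 1 (the Execute shell build step) and Option 2 (the Post Build Task script) works, but it hard-codes the jar version and reports success only through the sl exit status. The script below is an added example written for this page; it is not ShiftLeft's or the Post Build Task plugin's own code. It assumes that the Secret text binding exposes the token as the environment variable SHIFTLEFT_ACCESS_TOKEN and that the sl CLI reads it from there (as the steps above imply), that Maven writes the artifact into target/, and that Jenkins sets JENKINS_URL in the build environment. SL_BIN, APP_NAME, require_token, find_artifact, analysis_submitted and run_sl_analysis are names chosen for this example. It can be pasted as either the Execute shell Command or the Post build task Script in place of the snippets shown above.

```shell
#!/bin/bash
# Added example (not ShiftLeft's or the plugin's own code): a hardened version
# of the "Execute shell" / Post Build Task script used in Option 1 and Option 2.
# Assumptions: the "Secret text" binding exposes the token as the environment
# variable SHIFTLEFT_ACCESS_TOKEN, the sl CLI reads it from there, and the
# project is built with Maven into target/.
set -eu

SL_BIN=${SL_BIN:-/usr/local/bin/sl}   # path used on the page; override via env if different
APP_NAME=${APP_NAME:-HelloShiftLeft}

# Fail fast when the credential binding is missing. Only the variable name is
# reported, never its value, so the console log cannot leak the token.
require_token() {
  if [ -z "${SHIFTLEFT_ACCESS_TOKEN:-}" ]; then
    echo "SHIFTLEFT_ACCESS_TOKEN is not set; check the Build Environment binding" >&2
    return 1
  fi
  return 0
}

# Locate the build artifact under the given directory instead of hard-coding
# hello-shiftleft-0.0.1.jar, so a version bump does not silently skip analysis.
# Prints the path; fails if there is not exactly one .jar.
find_artifact() {
  artifact_dir=${1:-target}
  set -- "$artifact_dir"/*.jar
  if [ ! -f "$1" ]; then
    echo "no .jar found in $artifact_dir; did the Maven step run?" >&2
    return 1
  fi
  if [ "$#" -ne 1 ]; then
    echo "expected exactly one .jar in $artifact_dir, found $#" >&2
    return 1
  fi
  printf '%s\n' "$1"
}

# Return 0 if the captured sl output contains the submission marker that the
# verification section tells you to look for in Console Output.
analysis_submitted() {
  printf '%s\n' "$1" | grep -q 'Done\. Submitted for analysis'
}

# Submit the artifact. The sl exit status alone is not trusted: the submission
# marker is required as well, so a run that ends without an upload fails the build.
run_sl_analysis() {
  require_token
  jar=$(find_artifact target)
  sl_output=$("$SL_BIN" analyze --app "$APP_NAME" --java "$jar" 2>&1) || {
    printf '%s\n' "$sl_output"
    echo "sl analyze exited with a non-zero status" >&2
    return 1
  }
  printf '%s\n' "$sl_output"
  analysis_submitted "$sl_output" || {
    echo "sl analyze finished but did not report a submission" >&2
    return 1
  }
}

# Jenkins sets JENKINS_URL in every build's environment; run only there so the
# same file can be sourced on a workstation to exercise the functions.
if [ -n "${JENKINS_URL:-}" ]; then
  run_sl_analysis
fi
```

Because the file starts with a shebang, Jenkins runs it with that interpreter rather than its default `sh -xe`; keep `set -x` out of it so that command echoing never writes anything derived from the bound credential into Console Output. For Option 2, keep the `mvn clean package` line from the page's script ahead of `run_sl_analysis` if the post-build task is the only place the build runs.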

Verify the NG SAST-Jenkins integration

  1. Log in to Jenkins, and choose your Jenkins project.
  2. Using the left-hand navigation bar, click Build Now. You'll see the build progress in the Build History box located beneath the navigation bar.
  3. When the build is complete, select the build, and using the left-hand navigation bar, select Console Output.
  4. Check that the Console Output includes the following lines, which indicate that ShiftLeft was able to analyze your code successfully:

    ... Done. Submitted for analysis
    Wait for 5-10 minutes and load the following URL in your browser:
    https://app.shiftleft.io/findingsSummary/HelloShiftLeft?apps=HelloShiftLeft&isApp=1
    POST BUILD TASK : SUCCESS
    END OF POST BUILD TASK : 0
    Finished: SUCCESS

You can click the provided URL in the output to go to the ShiftLeft Dashboard and view your results (if you aren't already logged in, you will be asked to do so).