Jenkins
This tutorial shows you how to integrate Qwiet preZero into your Jenkins workflow for automated code analysis.
To run preZero as part of your Jenkins workflow, you will need to:
- Provide your Qwiet account parameters to Jenkins
- Configure the integration with Jenkins using the method of your choice
- Verify your integration
Prerequisites
This tutorial assumes that you have:
Provide your Qwiet account parameters to Jenkins
First, define a secret containing the Qwiet access token that you can inject into your build (Jenkins needs your access token to communicate successfully with Qwiet):
1. Select your username in the top navigation bar.
2. Select Credentials in the left-hand pane.
3. Under Stores from parent, select (global) located under Domains.
4. Click Global credentials (unrestricted).
5. On the left-hand side, click +Add Credentials.
6. Under Kind, select Secret text.
7. Provide your Qwiet access token as the Secret and set its ID to SHIFTLEFT_ACCESS_TOKEN. When running in a production environment, we recommend using a CI token as the access token. You can create your CI token in the Qwiet Dashboard.
8. Click Create to save and proceed.
Integrating with Jenkins
Once you have provided your Qwiet account parameters to Jenkins, you can proceed with the preZero integration in one of two ways:
- Configuring a final build step that runs preZero: edit the project's build configuration and add the sl analyze command as the last step of the build.
- Configuring a post-build task for each Jenkins project you want to be analyzed by preZero: install the Post Build Task plugin and add the sl analyze command as a Post Build Task.
We will be working with the HelloShiftLeft sample app for the following examples, but you are free to use your own app as well.
Option 1: Configure a final build step
The instructions for integrating preZero with Jenkins as a final build step differ based on whether you are configuring a Freestyle project or a Pipeline.
Freestyle Projects
The following steps show you how to configure a Jenkins Freestyle project to build and submit HelloShiftLeft for analysis. (If you would like to submit your own application for analysis instead of HelloShiftLeft, provide the appropriate links to your repository.)
1. Log in to Jenkins with an administrative user account.
2. Choose your Jenkins project. You can create a new Freestyle project, or you can reconfigure an existing Freestyle project.
3. Click Configure on the left. Under General, check the GitHub project box and provide your Project url (e.g., https://github.com/ShiftLeftSecurity/HelloShiftLeft).
4. Under Source Code Management, select Git. This opens up the Repositories area. Provide the URL you provided in step 3 as your Repository URL. If you need to provide the credentials to access a private repo, do so now as well.
5. Under Build Triggers, select Poll SCM.
6. Under Build Environment, select Use secret text(s) or file(s). When Bindings appears, click Add and select Secret Text. Finally, under Credentials, select Specific credentials and make sure that SHIFTLEFT_ACCESS_TOKEN is displayed.
7. Under Build, click Add build step, and in the drop-down that appears, select Invoke top-level Maven targets since we are using Maven to build HelloShiftLeft. You will be asked to provide your Goals; enter clean package.
8. Click Add build step again, and in the drop-down that appears, select Execute shell. Provide the following Command:
    #!/bin/bash
    /usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-0.0.1.jar
Click Save. At this point, you are ready to build and test your project.
Pipelines
To have Jenkins run the sl analyze shell command as a final build step in a Jenkins Pipeline project, you will need to add the following to your Jenkinsfile:
    stage('SLAnalyze') {
        dir("<path_to_your_project_package>") {
            sh '/usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-0.0.1.jar'
        }
    }
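As an added example (not part of the original tutorial), the following complete declarative Jenkinsfile ties together the pieces this page describes: binding the SHIFTLEFT_ACCESS_TOKEN secret, building HelloShiftLeft with Maven, running sl analyze, and checking for the "Done. Submitted for analysis" line the verification section looks for. It assumes a Maven installation named maven-3 exists under Global Tool Configuration and that the sl CLI reads its token from the SHIFTLEFT_ACCESS_TOKEN environment variable.

```groovy
// Added example Jenkinsfile; not the Qwiet project's own code.
pipeline {
    agent any

    tools {
        // Assumption: a Maven tool named "maven-3" is configured in Global Tool Configuration.
        maven 'maven-3'
    }

    environment {
        // Binds the "Secret text" credential with ID SHIFTLEFT_ACCESS_TOKEN to an
        // environment variable of the same name. Jenkins masks the value in console
        // output, so the token is never printed by the steps below.
        // Assumption: the sl CLI picks up its token from SHIFTLEFT_ACCESS_TOKEN.
        SHIFTLEFT_ACCESS_TOKEN = credentials('SHIFTLEFT_ACCESS_TOKEN')
        APP_NAME = 'HelloShiftLeft'
        APP_JAR  = 'target/hello-shiftleft-0.0.1.jar'
    }

    stages {
        stage('Checkout') {
            steps {
                git url: 'https://github.com/ShiftLeftSecurity/HelloShiftLeft'
            }
        }
        stage('Build') {
            steps {
                sh 'mvn -B clean package'
            }
        }
        stage('SLAnalyze') {
            steps {
                sh '''#!/bin/bash
                    set -euo pipefail
                    # Fail fast if the build did not produce the artifact we intend to analyze.
                    test -f "$APP_JAR"
                    /usr/local/bin/sl analyze --app "$APP_NAME" --java "$APP_JAR" | tee sl-analyze.log
                    # Treat a missing confirmation line as a failed submission.
                    grep -q 'Done. Submitted for analysis' sl-analyze.log
                '''
            }
        }
    }

    post {
        always {
            // Keep the analyzer output with the build so the findings URL can be reviewed later.
            archiveArtifacts artifacts: 'sl-analyze.log', allowEmptyArchive: true
        }
    }
}
```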
Option 2: Configure a post-build task
You can configure a post-build task for each target project that submits your code to Qwiet for analysis.
To begin, install the Post Build Task plugin:
- Log in to the Jenkins Dashboard and go to Manage Jenkins > Manage Plugins. Select the Available tab on the Plugin Manager screen.
- In the Filter, enter "Post Build Task". Check the Install box next to the plugin in the results.
- At the bottom of the page, choose Install without restart.
You will be redirected to a progress page that shows the installation status. After you've installed the plugin, click Go back to the top page. You can check for installed plugins by going to Manage Jenkins > Manage Plugins, then clicking Installed.
Adding a post-build task
Once you've installed the Post Build Task plugin, you can add a post-build action to run preZero:
1. Choose your Jenkins project. You can create a new Freestyle project, or you can reconfigure an existing Freestyle project. (If you would like to submit your own application for analysis instead of HelloShiftLeft, provide the appropriate links to your repository.)
2. Under General, provide a link to your GitHub project. If you're using HelloShiftLeft, this will be https://github.com/shiftLeftSecurity/helloshiftleft/.
3. Under Source Code Management, select Git. This opens up the Repositories area. Provide https://github.com/shiftLeftSecurity/helloshiftleft/ as your Repository URL.
4. Under Build Triggers, select Poll SCM.
5. Under Build Environment, select Use secret text(s) or file(s). When Bindings appears, click Add and select Secret Text. Finally, under Credentials, select Specific credentials and make sure that SHIFTLEFT_ACCESS_TOKEN is displayed.
6. Under Build, click Add build step, and in the drop-down that appears, select Invoke top-level Maven targets since we are using Maven to build HelloShiftLeft. You will be asked to provide your Goals; enter clean package.
7. Under Post-build actions, click Add post-build action, and in the drop-down menu that appears, select Post build task. In the configuration area that appears, provide the following as your Script:
    #!/bin/bash
    mvn clean package
    /usr/local/bin/sl analyze --app HelloShiftLeft --java target/hello-shiftleft-0.0.1.jar
Click Save. At this point, you are ready to build and test your project.
Verify the preZero-Jenkins integration
- Log in to Jenkins, and choose your Jenkins project.
- Using the left-hand navigation bar, click Build Now. You'll see the build progress in the Build History box located beneath the navigation bar.
- When the build is complete, select the build, and using the left-hand navigation bar, select Console Output.
- Check that you see output like the following, which indicates that Qwiet was able to analyze your code successfully:
    ... Done. Submitted for analysis
    Wait for 5-10 minutes and load the following URL in your browser:
    https://app.shiftleft.io/findingsSummary/HelloShiftLeft?apps=HelloShiftLeft&isApp=1
    POST BUILD TASK : SUCCESS
    END OF POST BUILD TASK : 0
    Finished: SUCCESS
You can click the provided URL in the output to go to the Qwiet Dashboard and view your results (you will be asked to log in if you haven't already done so).