Blog

Automatic security testing pipeline with Jira, Jenkins and Zed Attack Proxy

SEP 20, 2016

In this video tutorial, we combine Jenkins and Zed Attack Proxy to Atlassian Jira.

Eficode is the leading DevOps company in Europe, driving and building the future of software development across 10 countries, with 500+ experts in DevOps and sustainable software development. Our Eficode ROOT managed DevOps platform provides centralized access control and real-time visibility of project status, quality, and performance that integrates with 50+ of your preferred tools, including the Atlassian Stack and open-source systems like Jenkins and Kubernetes.

In this video tutorial, we combine Jenkins and Zed Attack Proxy to Atlassian Jira. This way we can use Jira as a security defect tracker, without having to manually input information on security detections.

Here is the tutorial also in real words:

The tutorial uses Vagrant and Virtualbox and assumes the host machine is running Linux. You should be able to do this with an OSX too.

# Installing the prerequisites

sudo apt-get install virtualbox vagrant virtualbox-dkms git vim ansible

# Clone git repository with virtual machine definitions heregit clone https://github.com/Eficode/jira-jenki...

# Starting the virtual environments (both Jira and Jenkins)vagrant up

# To stop both of the systems (add name jira or jenkins to target only one)

vagrant halt

# Force-running provisioning again, in case of failurevagrant up --provision jenkins

# Default IP addresses, changeable in VagrantfileJira: http://localhost:8081Jira IP: http://192.168.5.100:8080Jenkins: http://localhost:9090

# Open connection to Jenkins machine (to get the password)vagrant ssh jenkinssudo cat /var/lib/jenkins/secrets/initialAdminPassword

# ZAP installation package path for custom tools pluginhttps://github.com/zaproxy/zaproxy/re...

# Zap directory name for custom tools pluginZAP_2.4.3

# Demo application git repository (for Jenkins version control step)https://github.com/Eficode/security_t...

# First build step./start.sh

# Before the following build step, add ZAProxy plugin here.# Then run the two following steps

kill `cat server.pid`

rm server.pid

# To add Jira credential file to Zap workspacevagrant ssh jenkins

# Change to Jenkins user to add Jenkins plugins and credential filessudo su - jenkins

# add Jira Issue Creator plugin to Zap

cd ~/tools/com.cloudbees.jenkins.plugins.customtools.CustomTool/Zap/ZAP_2.4.3/plugins

https://github.com/0xkasun/security-t...

# Put cred.properties in Zap workspace (in ~./ZAP)wget https://raw.githubusercontent.com/Eficode/jira-jenkins/master/cred.properties

  • DevOps

Subscribe to our newsletter