Blog

Automatic security testing pipeline with Jira, Jenkins and Zed Attack Proxy

SEP 20, 2016

In this video tutorial, we combine Jenkins and Zed Attack Proxy to Atlassian Jira.

Eficode is a leading global provider of DevOps and AI-driven software development solutions. We help organizations implement AI in software development and build effective SDLC tooling through consulting, managed services, training, and license management. With over 600 experts across 10 countries, Eficode works with leading technology partners, including Atlassian, GitHub, GitLab, AWS, and Microsoft.​​​​‌‍​‍​‍‌‍‌​‍‌‍‍‌‌‍‌‌‍‍‌‌‍‍​‍​‍​‍‍​‍​‍‌‍‌​‌‍​‌‌‌​‌‍‌‍​‌‍‌‌​​‍‍‌‍​‌‍‌‍‌​‍​‍​‍​​‍​‍‌‍‍​‌​‍‌‍‌‌‌‍‌‍​‍​‍​‍‍​‍​‍‌‍‍​‌‌​‌‌​‌​​‌​​‍‍​‍​‍‌‍‌‌‌‍‌‍‌‍‍‌‌‍​‌‍‌‍‌​‌‍‌‌​‍‍‌‍​‌‌‍‌​‌‍‌‌‍‍‌‌‍‍​‍‍‌‍‌​‌‍​‌‌‌​‌‍‌‍​‌‍‌‌​​‍‍‌‍​‌‍‌‍‌​‍‌‍‌‌‌‍‌​‌‍‍‌‌‌​‌‍‌​‍​‍‌‍‍‌‌‌​‌‍‌‌‌‍‌‌‌‌‌​‌‍‌‌​​‌‍‌‌‌​​‍‌​‌​‌​​​‍​‌‌​​‌‌​‌‌​‌​‌‌‌​‌​‌​​‍‌‌‌‍​​‍‌​‍​‌‌‌‌‌​‌‍‌‍‍‌​‍​‌‌​‌‌‌​‍‌‍​‍‌‍‌​‍‌‍‍‌‌‌​‌‍‌‌‌‍‌‌​​‍‌‌‍‌‌​​‌​‌‌‌‍‍‌‍‍​‌‌‌​‌​​‌‌​‌‌​​‍‌‍‍‌​‍‌‌​‌‌‌‌‍‌​‌‍‌‍​‌​‌‌‌‌‌​‍‌‌‍‌‌‍‍​‌‌​‍‌‍‌‌‌‍‌​‌‍‍‌‌‌​​‍​‌‍‌‍‌‍‍‌‌‍‌‌‌‍​‌‍‌​‌‌​​‌‍​‌‌‌​‌‍‍​​‌‌‍​‌‍‌‍‍‌‌​‌‍‌‌‌‍‍‌‌​​‍‍‌‍‌‌‌‍‍​‍‍‌‍​‍‌‍​‌‍‌‍​‌‍‍‌​​‍‍​​‌​‍‍‌‌​‌‍‍‌‌‌​‌‍​‌‍‌‌‌‌‌‍​‌‌‍‍‌‍‌​‌‌‌‍‍‌‌‍‍‌‌​‌​‍‌‍‌‍‌​‌‌‌‌‍​‌‌​‌‍‍‌‌‍‌‍‍​‍‍‌‍‍‌‌‍‍‌‌​‌​‍‌‍‌‍‌​‌‌‌‌‍​‌‌​‌‍‍‌‌‍‌‍‍​‍​‍‌‌

In this video tutorial, we combine Jenkins and Zed Attack Proxy to Atlassian Jira. This way we can use Jira as a security defect tracker, without having to manually input information on security detections.

Here is the tutorial also in real words:

The tutorial uses Vagrant and Virtualbox and assumes the host machine is running Linux. You should be able to do this with an OSX too.

# Installing the prerequisites

sudo apt-get install virtualbox vagrant virtualbox-dkms git vim ansible

# Clone git repository with virtual machine definitions heregit clone https://github.com/Eficode/jira-jenki...

# Starting the virtual environments (both Jira and Jenkins)vagrant up

# To stop both of the systems (add name jira or jenkins to target only one)

vagrant halt

# Force-running provisioning again, in case of failurevagrant up --provision jenkins

# Default IP addresses, changeable in VagrantfileJira: http://localhost:8081Jira IP: http://192.168.5.100:8080Jenkins: http://localhost:9090

# Open connection to Jenkins machine (to get the password)vagrant ssh jenkinssudo cat /var/lib/jenkins/secrets/initialAdminPassword

# ZAP installation package path for custom tools pluginhttps://github.com/zaproxy/zaproxy/re...

# Zap directory name for custom tools pluginZAP_2.4.3

# Demo application git repository (for Jenkins version control step)https://github.com/Eficode/security_t...

# First build step./start.sh

# Before the following build step, add ZAProxy plugin here.# Then run the two following steps

kill `cat server.pid`

rm server.pid

# To add Jira credential file to Zap workspacevagrant ssh jenkins

# Change to Jenkins user to add Jenkins plugins and credential filessudo su - jenkins

# add Jira Issue Creator plugin to Zap

cd ~/tools/com.cloudbees.jenkins.plugins.customtools.CustomTool/Zap/ZAP_2.4.3/plugins

https://github.com/0xkasun/security-t...

# Put cred.properties in Zap workspace (in ~./ZAP)wget https://raw.githubusercontent.com/Eficode/jira-jenkins/master/cred.properties

  • DevOps

Subscribe to our newsletter