Demo_Script.md

File metadata and controls

109 lines (101 loc) · 6.41 KB

Demo Script

  1. Start the Container Development Kit (CDK).
  2. Create a new project called zap-demo. Via the CLI:

```
$ oc new-project zap-demo
Now using project "zap-demo" on server "https://192.168.42.159:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.
```

  3. Build the ZAP image on OpenShift: `oc new-build https://github.com/rht-labs/owasp-zap-openshift.git`. Nothing is deployed yet; this creates an image stream and a Docker-strategy build configuration from the repository and triggers the first build.

```
$ oc new-build https://github.com/rht-labs/owasp-zap-openshift.git
--> Found Docker image 36540f3 (4 weeks old) from Docker Hub for "centos:centos7"

    * An image stream will be created as "centos:centos7" that will track the source image
    * A Docker build using source code from https://github.com/rht-labs/owasp-zap-openshift.git will be created
      * The resulting image will be pushed to image stream "owasp-zap-openshift:latest"
      * Every time "centos:centos7" changes a new build will be triggered

--> Creating resources with label role=jenkins-slave ...
    imagestream "centos" created
    imagestream "owasp-zap-openshift" created
    buildconfig "owasp-zap-openshift" created
--> Success
    Build configuration "owasp-zap-openshift" created and build triggered.
    Run 'oc logs -f bc/owasp-zap-openshift' to stream the build progress.
```

  4. Switch to the OpenShift web console and show the build executing.
     1. The image URL can be captured here or in the next step. (screenshot: ZAP Build Log)
  5. Once the build is complete, navigate to "Builds -> Images" and copy the registry URL for the new container image.
     1. It should look like `172.30.1.1:5000/zap-demo/owasp-zap-openshift`; the address of the internal registry differs between OpenShift installations. (screenshot: ZAP Image Stream)
  6. Deploy Jenkins.
     1. Via the CLI: `oc process openshift//jenkins-ephemeral | oc create -f -`
     2. Show Jenkins being spun up in the web console. (screenshot: Jenkins Deployed)

```
$ oc process openshift//jenkins-ephemeral | oc create -f -
route "jenkins" created
persistentvolumeclaim "jenkins" created
deploymentconfig "jenkins" created
serviceaccount "jenkins" created
rolebinding "jenkins_edit" created
service "jenkins-jnlp" created
service "jenkins" created
```

Note the `jenkins_edit` role binding: the template grants the `jenkins` service account the `edit` role in this project, which is what later allows Jenkins to create and delete the ZAP agent pods.

  7. Log in to the Jenkins instance. (screenshots: Jenkins Main Page, Jenkins OpenShift Login)
  8. Click on "Jenkins -> Manage Jenkins -> Manage Plugins". (screenshot: Jenkins Manage Plugins)
  9. Select the "Available" tab. (screenshots: Jenkins Available Plugins, HTML Publisher)
  10. Filter for "HTML Publisher".
  11. Tick the "HTML Publisher" plugin and click "Download now and install after restart".
  12. Tick the box "Restart Jenkins when installation is complete and no jobs are running". (screenshot: Jenkins Install Plugin And Restart)
  13. While Jenkins restarts, explain that the HTML Publisher plugin lets us attach reports to the build history; we will show this in more detail later.
  14. Log back in to Jenkins.
  15. Click on "Jenkins -> Manage Jenkins -> Configure System". (screenshot: Jenkins Manage System)
  16. Scroll down to the Kubernetes cloud configuration.
  17. Highlight that we are using OpenShift and that the zap-demo namespace has already been populated. (screenshot: Jenkins Kubernetes Cloud)
  18. Click on "Add Pod Template" and select "Kubernetes Pod Template". NOTE: on a production OpenShift cluster the pod and container fields will likely already be populated.
  19. Fill in "Name" and "Labels" as zap-demo. (screenshot: Jenkins Kubernetes Slave Config)
  20. Click "Add" under "Containers" and fill in the container:

```
Name: jnlp
Docker image: 172.30.1.1:5000/zap-demo/owasp-zap-openshift
Working directory: /tmp
Command to run slave agent: <blank>
Arguments to pass to the command: ${computer.jnlpmac} ${computer.name}
Allocate pseudo-TTY: Unchecked
```

Points to make while filling this in:

      - The registry address in the image name may differ between OpenShift installations; use the URL copied in step 5.
      - "Working directory" MOUNTS a volume at that path for the agent's workspace; it does not set the working directory of the processes the pipeline runs, which is why the pipeline script below changes directory explicitly.
      - The container is named `jnlp` so that the plugin uses this image as the agent container itself. The arguments pass the agent's JNLP secret and name on the command line, so anyone who can read pod specs in the project can see that secret; acceptable for a demo namespace, but worth saying out loud.

  21. Max number of instances: 1
  22. Time in minutes to retain slave when idle: 10
  23. Leave all other settings at their default values.
  24. Click "Save".
  25. Click "New Item" on the Jenkins main page. (screenshot: Jenkins New Pipeline)
  26. Set the name to "Example", select "Pipeline" as the project type, then click "OK".
  27. Tick the box "Do not allow concurrent builds". (screenshot: Jenkins Deny Concurrent Builds)
  28. Insert the pipeline script:

```groovy
stage('Get a ZAP Pod') {
    // Run on an agent from the "zap-demo" pod template, i.e. inside the ZAP image
    node('zap-demo') {
        stage('Scan Web Application') {
            // -p: an agent pod retained for up to 10 idle minutes may be reused, so the directory can already exist
            sh 'mkdir -p /tmp/workdir'
            dir('/tmp/workdir') {
                // returnStatus: true captures the exit code instead of failing the step on a non-zero exit
                def retVal = sh returnStatus: true, script: '/zap/zap-baseline.py -r baseline.html -t http://<some-web-site>'
                // zap-baseline.py writes its HTML report under /zap/wrk inside the container
                publishHTML([allowMissing: false, alwaysLinkToLastBuild: false, keepAll: true, reportDir: '/zap/wrk', reportFiles: 'baseline.html', reportName: 'ZAP Baseline Scan', reportTitles: 'ZAP Baseline Scan'])
                echo "Return value is: ${retVal}"
            }
        }
    }
}
```

  29. Set the web address to be scanned and explain the pipeline script. Point out that `returnStatus: true` stops the `sh` step from failing the build: zap-baseline.py exits non-zero when it reports WARN or FAIL alerts, and this script only echoes that code, so the build stays green whatever the scan finds. (screenshot: Jenkins Set Pipeline Script)
  30. Switch back to Jenkins and run the Example build; wait for the ZAP baseline scan to complete. (screenshot: Jenkins Start Build)
  31. While waiting, explain that we could also push in additional and more detailed test specifications, either by copying ZAP configuration files into the container or by mounting them from Kubernetes ConfigMap file literals provided by the security team. These would be agreed case by case as part of the initial planning with the security team.
  32. The default baseline scan takes about 3 minutes to complete. (screenshot: Jenkins Scan Console Output)
  33. Once the scan is complete, show the saved ZAP report in the build sidebar. (screenshots: Jenkins ZAP Report Link, ZAP Report Page)
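The following pipeline is an added example, not code from the demo script or the owasp-zap-openshift project. It takes the two ideas above one step further: the scan is driven by a rules file that the security team supplies through a ConfigMap, and the build outcome is gated on the zap-baseline.py exit code instead of only echoing it. It assumes the same "zap-demo" pod template, with a Config Map volume added to that template in the Kubernetes plugin configuration that mounts a ConfigMap named `zap-rules` at `/zap/config` (both names are hypothetical), and it relies on zap-baseline.py resolving the `-c` rules file relative to `/zap/wrk` inside the container and exiting 0 for no alerts, 1 for FAIL, 2 for WARN and 3 when the scan itself could not complete.

```groovy
// Added example, not part of the original demo script or project.
// Assumes: the "zap-demo" pod template from the Jenkins configuration, plus a
// Config Map volume on that template mounting ConfigMap "zap-rules" at /zap/config
// (hypothetical names). The ConfigMap holds a zap-baseline.py rules file with one
// rule per line:   <plugin id><TAB><IGNORE|WARN|FAIL><TAB><comment>
// e.g.             10202	FAIL	(Absence of Anti-CSRF Tokens)
// created with:    oc create configmap zap-rules --from-file=baseline.conf
def target = 'http://<some-web-site>'   // application under test; set before running

stage('Get a ZAP Pod') {
    node('zap-demo') {
        stage('Scan Web Application') {
            // -p: the agent pod may be reused while it is retained idle
            sh 'mkdir -p /tmp/workdir'
            dir('/tmp/workdir') {
                // zap-baseline.py resolves -c relative to /zap/wrk inside the container, and a
                // ConfigMap mount is read-only, so copy the rules file in rather than mounting over /zap/wrk
                sh 'cp /zap/config/baseline.conf /zap/wrk/baseline.conf'
                def rc = sh(returnStatus: true,
                            script: "/zap/zap-baseline.py -c baseline.conf -r baseline.html -t ${target}")

                // Publish first so the report is attached to the build whatever the verdict
                publishHTML([allowMissing: false, alwaysLinkToLastBuild: true, keepAll: true,
                             reportDir: '/zap/wrk', reportFiles: 'baseline.html',
                             reportName: 'ZAP Baseline Scan', reportTitles: 'ZAP Baseline Scan'])

                // zap-baseline.py exit codes: 0 no WARN/FAIL, 1 FAIL alerts, 2 WARN alerts, 3 scan error
                if (rc == 0) {
                    echo 'ZAP baseline: no FAIL or WARN alerts'
                } else if (rc == 2) {
                    echo 'ZAP baseline: WARN alerts reported, marking the build UNSTABLE'
                    currentBuild.result = 'UNSTABLE'
                } else if (rc == 1) {
                    error 'ZAP baseline: FAIL alerts reported, see the ZAP Baseline Scan report'
                } else {
                    // Connection failures, bad target URL, missing /zap/wrk: not a clean pass
                    error "ZAP baseline scan did not complete (exit code ${rc})"
                }
            }
        }
    }
}
```

Rules the security team marks IGNORE stay out of the verdict, WARN only makes the build unstable, and FAIL breaks it; a scan that could not run is treated as a failure rather than a pass, which is the case the original `echo` silently hides. Changing a rule is then an `oc create configmap` on the project rather than an edit to the pipeline.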