Building CI Pipeline

Using OWASP Juice Shop and GitLab to build a CI pipeline.


Building a CI Pipeline to Learn DevSecOps Using OWASP Juice Shop

Introduction

In today's fast-paced software development world, integrating security into the DevOps process (DevSecOps) is crucial. This blog will guide you through setting up a CI/CD pipeline using GitLab to learn DevSecOps concepts. We'll use OWASP Juice Shop, a deliberately vulnerable web application, as our target application. Our pipeline will include tools for static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), and secret detection (scanning the repository for hard-coded credentials).

Prerequisites

Before we start, ensure you have the following:

  • A GitLab account

  • Basic understanding of Git

  • Basic understanding of CI/CD pipelines

Step 1: Fork and Clone OWASP Juice Shop

First, fork the OWASP Juice Shop repository from GitHub to your account. Then, clone the forked repository to your local machine.

git clone https://github.com/YOUR_USERNAME/juice-shop.git
cd juice-shop

Step 2: Push the Repository to GitLab

Create a new project in GitLab and push the cloned repository to it.

git remote add gitlab https://gitlab.com/YOUR_USERNAME/juice-shop.git
git push -u gitlab master

Step 3: Setting Up the GitLab CI/CD Pipeline

Create .gitlab-ci.yml File

Create a .gitlab-ci.yml file in the root directory of your repository. This file will define the stages and jobs in your pipeline.

stages:
  - build
  - test
  - security

variables:
  # SONAR_TOKEN is supplied as a masked CI/CD variable (see "Configuring SonarQube" below);
  # it is deliberately not declared here so the secret never lives in the repository.
  SONAR_PROJECT_KEY: "juice-shop"
  SONAR_HOST_URL: "http://sonarqube:9000"   # your SonarQube server; must be reachable from the runner

build:
  stage: build
  image: node:20   # Juice Shop requires a current Node.js LTS; node:12 no longer builds it
  script:
    - npm install
    - npm run build
  artifacts:
    paths:
      - dist/

sast:
  stage: security
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]   # the image's own entrypoint would otherwise run instead of the script
  script:
    # sonar-scanner reads SONAR_HOST_URL and SONAR_TOKEN from the environment
    - sonar-scanner -Dsonar.projectKey=$SONAR_PROJECT_KEY
  allow_failure: true
  artifacts:
    paths:
      # the analysis results live on the SonarQube server; this file records the analysis id
      - .scannerwork/report-task.txt

dependency-check:
  stage: security
  image:
    name: owasp/dependency-check:latest
    entrypoint: [""]   # the image's entrypoint is the CLI itself; call it explicitly instead
  script:
    - /usr/share/dependency-check/bin/dependency-check.sh --project juice-shop --scan . --format ALL --out dependency-check-report
  artifacts:
    paths:
      - dependency-check-report/
  allow_failure: true

dast:
  stage: security
  image: owasp/zap2docker-stable   # now also published as ghcr.io/zaproxy/zaproxy:stable
  services:
    # nothing listens on localhost inside the job; run Juice Shop as a service container instead
    - name: bkimminich/juice-shop
      alias: juice-shop
  script:
    # give the service container time to start before scanning (up to ~150 s)
    - for i in $(seq 1 30); do curl -sf http://juice-shop:3000/ > /dev/null && break; sleep 5; done
    # the ZAP scripts write reports under /zap/wrk, not the working directory
    - mkdir -p /zap/wrk
    # zap-baseline exits non-zero on WARN/FAIL; remember the status so the report is still copied out
    - zap-baseline.py -t http://juice-shop:3000 -r zap-report.html -J zap-report.json || ZAP_STATUS=$?
    - cp /zap/wrk/zap-report.html /zap/wrk/zap-report.json .
    - exit ${ZAP_STATUS:-0}
  artifacts:
    when: always   # the report is most useful precisely when the scan found something
    paths:
      - zap-report.html
      - zap-report.json
  allow_failure: true

secrets-scan:
  stage: security
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]   # the image's entrypoint is gitleaks itself
  variables:
    GIT_DEPTH: "0"   # fetch full history so secrets committed (and later removed) are still found
  script:
    # gitleaks exits non-zero when it finds a leak; the JSON report is its default format
    - gitleaks detect --source . --report-path gitleaks-report.json
  artifacts:
    when: always
    paths:
      - gitleaks-report.json
  allow_failure: true

Explanation of Each Stage and Job

  1. Build Stage:

    • Installs dependencies and builds the Juice Shop application.

  2. SAST Job (security stage):

    • Uses SonarQube to perform static code analysis.

  3. SCA Job (security stage):

    • Uses OWASP Dependency-Check to identify known vulnerabilities in third-party dependencies.

  4. DAST Job (security stage):

    • Uses OWASP ZAP to perform dynamic security testing against the running application.

  5. Secrets Scan Job (security stage):

    • Uses Gitleaks to detect any hardcoded secrets in the codebase and its history.

Configuring SonarQube

If you haven't already, configure SonarQube by following these steps:

  1. Create a new project in SonarQube (its project key should match SONAR_PROJECT_KEY, here juice-shop).

  2. Generate a token for the project.

  3. Add the token to your GitLab project settings under CI/CD > Variables as SONAR_TOKEN, marked as Masked so it is redacted from job logs (and Protected if only protected branches should be able to use it).

Step 4: Running the Pipeline

After setting up the .gitlab-ci.yml file and pushing it to your GitLab repository, navigate to CI/CD > Pipelines in your GitLab project. You should see a new pipeline running. Stages execute in the order defined (build, then test, then security); the jobs within the security stage run in parallel, and because each of them is marked allow_failure: true, a finding shows the job as failed (allowed) without blocking the pipeline.

Monitoring the Pipeline

  1. Pipeline List:

    • Navigate to CI/CD > Pipelines to see the list of pipelines.

    • Click on the pipeline to view details.

  2. Job Logs:

    • Click on individual jobs to view their logs and results.

    • Logs provide insights into the execution of each stage.

  3. Artifacts:

    • Download and view artifacts (e.g., reports) generated by each job.

Step 5: Reviewing the Results

SonarQube

  • Access the SonarQube dashboard to view detailed static analysis reports.

Dependency-Check

  • Open the generated dependency-check report to review vulnerabilities in third-party dependencies.

OWASP ZAP

  • Open the ZAP report (zap-report.html) to see the results of dynamic security testing.

Gitleaks

  • Review the gitleaks-report.json file for any detected secrets. Any secret that has ever been committed should be treated as compromised and rotated, even after it is removed from the code.
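Because every security job above is marked allow_failure: true, the pipeline stays green even when the reports contain serious findings; reviewing them by hand is the only gate. The following script is an added example (not part of the original post or of the Juice Shop project) of turning that review into an automatic check: it reads the JSON reports the three scanners produce, normalises them onto one severity scale and returns the findings that should block a merge. It assumes the report file names used in the pipeline above plus a JSON ZAP report written with zap-baseline.py -J zap-report.json, and it treats a missing report as a problem rather than as a pass; the sample reports embedded in it are constructed, not real scan output.

```python
"""Gate the security-stage reports produced by the pipeline above.

Added example (not the original post's or Juice Shop's code): parses the JSON
reports from gitleaks (its default report format), OWASP Dependency-Check
(--format ALL includes a JSON report) and OWASP ZAP (zap-baseline.py -J),
applies a severity threshold and returns the findings that should block a merge.
"""
import json
import tempfile
from pathlib import Path

# ZAP reports risk as riskcode 0-3; map it onto the scale the other tools use.
ZAP_RISK = {"0": "INFO", "1": "LOW", "2": "MEDIUM", "3": "HIGH"}
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample reports in each tool's JSON shape (not real scan output).
SAMPLE_GITLEAKS = [
    {"RuleID": "generic-api-key", "File": "config/default.yml",
     "StartLine": 12, "Commit": "0000000", "Secret": "REDACTED-SAMPLE"},
]
SAMPLE_DEPCHECK = {"dependencies": [
    {"fileName": "example-lib:1.0.0", "vulnerabilities": [
        {"name": "CVE-EXAMPLE-0001", "severity": "HIGH"},
        {"name": "CVE-EXAMPLE-0002", "severity": "LOW"}]},
    {"fileName": "clean-lib:2.0.0"},  # no vulnerabilities key at all
]}
SAMPLE_ZAP = {"site": [
    {"@name": "http://juice-shop:3000", "alerts": [
        {"alert": "Missing Anti-clickjacking Header", "riskcode": "2"},
        {"alert": "Example high-risk alert", "riskcode": "3"}]},
]}


def gitleaks_findings(report):
    """gitleaks writes a JSON array; every entry is a leaked secret."""
    return [{"tool": "gitleaks", "severity": "CRITICAL",
             "title": f.get("RuleID", "secret"),
             "where": f"{f.get('File')}:{f.get('StartLine')}"} for f in report]


def dependency_check_findings(report):
    """Dependency-Check JSON: dependencies[] -> vulnerabilities[] with a severity."""
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            out.append({"tool": "dependency-check",
                        "severity": str(vuln.get("severity", "UNKNOWN")).upper(),
                        "title": vuln.get("name", "?"),
                        "where": dep.get("fileName", "?")})
    return out


def zap_findings(report):
    """ZAP JSON: site[] -> alerts[] with riskcode 0-3."""
    out = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            out.append({"tool": "zap",
                        "severity": ZAP_RISK.get(str(alert.get("riskcode")), "INFO"),
                        "title": alert.get("alert") or alert.get("name", "?"),
                        "where": site.get("@name", "?")})
    return out


def blocking_findings(findings, threshold="HIGH"):
    """Keep findings at or above the threshold; an unknown severity fails closed."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 99) >= floor]


# Report paths as produced by the pipeline above (assumed names, relative to the job dir).
REPORTS = (("gitleaks-report.json", gitleaks_findings),
           ("dependency-check-report/dependency-check-report.json", dependency_check_findings),
           ("zap-report.json", zap_findings))


def load_reports(report_dir):
    """Parse whichever reports exist; a missing report is reported, not treated as a pass."""
    findings, missing = [], []
    for name, parser in REPORTS:
        path = Path(report_dir) / name
        if path.is_file():
            findings.extend(parser(json.loads(path.read_text())))
        else:
            missing.append(name)
    return findings, missing


def demo(threshold="HIGH"):
    """Write the sample reports to a temp dir and gate them; returns (blocking, missing)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "dependency-check-report").mkdir()
    for (name, _), sample in zip(REPORTS, (SAMPLE_GITLEAKS, SAMPLE_DEPCHECK, SAMPLE_ZAP)):
        (tmp / name).write_text(json.dumps(sample))
    findings, missing = load_reports(tmp)
    return blocking_findings(findings, threshold), missing


if __name__ == "__main__":
    blocking, missing = demo()
    for f in blocking:
        print(f"{f['tool']:17} {f['severity']:8} {f['title']} ({f['where']})")
    for name in missing:
        print(f"missing report: {name}")
    raise SystemExit(1 if blocking or missing else 0)
```

Run as a final job in a later stage with the three report artifacts as dependencies and without allow_failure, so that a leaked secret, a HIGH dependency vulnerability or a HIGH-risk ZAP alert fails the pipeline while lower findings remain visible in the reports. The threshold is the policy knob: lowering it to MEDIUM would also catch the clickjacking-header alert in the sample data.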

Conclusion

By following these steps, you've successfully set up a CI/CD pipeline in GitLab that integrates essential DevSecOps practices using OWASP Juice Shop. This setup helps you understand how to automate security testing at different stages of the software development lifecycle, ensuring that security is an integral part of the process.


This guide provides a comprehensive walkthrough, ensuring that even beginners can follow along and learn the essentials of integrating security into their CI/CD pipelines using GitLab and OWASP Juice Shop.
