Fortify on Demand – Jenkins Plugin


So, today we’re gonna integrate Jenkins and Fortify on Demand as a part of our CI/CD pipeline. So I’m gonna go ahead and start that process. I’m gonna go into Fortify on Demand and I’m going to gather a couple pieces of information that I’m gonna need later inside of Jenkins to be able to set up my pipeline, do a build, and automatically kick off scans inside of Fortify on Demand.

So I’m gonna go over here and get my personal access token. As you can see here, I’ve already created a couple, but I’m gonna go ahead and add another one just to show you what that looks like. I’m just gonna call this one “test two”. It automatically sets it to 180 days, and that’s fine. For authorized APIs, we go ahead and apply all the different scopes, and I’m gonna save that. That’s gonna generate the secret key, which I’m gonna save here for later because we’re gonna need that inside of Jenkins. So I go ahead and save that, and I’m gonna close that.

Now I’m gonna go into my application. I already have a build out here, so I’m gonna go ahead and click on my build and I’m gonna go ahead and hit “start static scan”. Now I’m gonna set up my scan details. I’ve actually already gone through the process of setting that up, so I’m gonna click static scan. I’m going to choose my entitlements, so I’m going to choose subscription, and I’m gonna choose a manual upload. This is a Java application, so I’m going to click Java, and this is Java 11, so I’m gonna choose Java 11. I’m gonna choose an automated audit preference. So now I’m gonna grab my BSI token, and I’m gonna save that because we’re gonna need that inside of Jenkins as well. So I’m gonna go ahead and save that, and now I’m going to save my build. Now it’s saved, and I’m gonna go into Jenkins.

So now, I already have my freestyle project set up inside of Jenkins for my regular build. Now I’m gonna go ahead and configure Fortify on Demand inside of Jenkins.
The first thing that you’re gonna need to do is go and configure the plug-in itself. So if you go out here and click configure… no, I’m sorry, actually, if you go into Manage Jenkins and Manage Plugins, now you can come out here and search for available plugins and search for “fortify”. It’s not showing because I already have it installed, but you can see that it’s actually Fortify on Demand. So you’re gonna want to pick and enable Fortify on Demand and install that.

So once Fortify on Demand is installed, you’re going to want to go back to your pipeline. I’m gonna click on my WebGoat pipeline and I’m gonna go to configure. So I have this set up with my GitHub project, and I’m not doing source code management on this; I just have it set to build out of my source location, which is on my local drive. Good thing to note here: you’ll definitely want to include the dependencies as a part of your source location, so make sure it’s a folder location where you’ve not only uploaded your source code but also included all of your different dependencies. We don’t need your test dependencies or anything like that, or any minified source code, or, I’m sorry, JavaScript, but we definitely need all the underlying dependencies for the particular code.

So I’m gonna go ahead and enter my personal access token information. You’ll definitely want to include a post-build action step; that’s how you get to these things. So if I go in and click post-build action step and choose Fortify on Demand, you’ll also want to choose “poll Fortify on Demand for results”. That way we’ll get back any information that we get from our scan to identify if there’s any critical issues, and if we want to fail the build based on, you know, not passing policy. So for this I’m going to go ahead and enter in my username that I use to log into FoD. I’m gonna enter in my personal access token, which I’ve already done, that we saved from earlier. And I’m gonna enter in my tenant ID, and this is the tenant ID that you normally use to log into FoD. I’ve already chosen subscription, so this is a subscription-only scheme, because I want to scan it on a regular basis. Otherwise you can do a single scan to do it as a one-time action, but because we’re integrating this into our CI/CD pipeline, I’m gonna be doing this on a regular basis as I do my builds. And I want to choose “remediation scan if available”.
That way it’ll do a follow-up scan and rescan for anything that I might have already fixed, upon me fixing it. And for the scan options I want to choose the action for what happens when a scan is in progress. Because I’m gonna do regular builds with Jenkins, you know, there may be scans already in progress, and maybe I want to kick off another build. So what I’m gonna do is actually go ahead and cancel the previous scan; that way I can start up a fresh scan without breaking my build pipeline. So I’m gonna go ahead and choose “cancel scan and then start”. I’m gonna enter in my BSI token from earlier, and I’m going to put that in here for a poll on results, and that sets up the ability to poll.

So now I’m gonna go ahead and set up some additional polling as well. I’m gonna go ahead and enter in my username again, personal access token and tenant ID. I’m gonna set my polling interval to one minute, which is the default, and I want to have it fail if it doesn’t meet my security policy. And I can go ahead and test my connection to Fortify. Make sure it’s successful. I can go back up here to do the same, and it’s successful.

So now I’m gonna go ahead and hit save, and I’m gonna go ahead and kick off a build. So now my build is scheduled, and you can see it’s already in motion. So now it’s going to go through the process of building my application and actually kicking off a Fortify on Demand scan, and it’s going to run through the scanning process. So I’m gonna get an email about the scan being kicked off, the scan is gonna run all the way through, it’s gonna complete, and then I’m gonna get back results right in the Jenkins console. So we’ll just go ahead and wait for that scan to finish up.

All right, so now the Fortify on Demand scan has finished and the poll is complete. It’s now showing 32 critical items and – high, so what that means is basically my policy has failed, so my build has now failed, and that explanation is shown right here. So, you know, this is not changing, and it’s now changed my build to a failure. So I can actually click here on this link and it’ll actually take me right to Fortify on Demand, and I can actually see the issues that have arisen. So I can, you know, get details right here about which issues I need to address and how they need to be addressed. So now I can see here all the individual issues that have come up, and I can get recommendations on how to fix them and what they are, all right inside of Fortify on Demand. And I can do all that right from Jenkins.

That’s all for today. Thank you very much.
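The same job as a declarative Jenkinsfile, added here as an example and not part of the original video: it mirrors the settings walked through above (subscription entitlement, remediation scan if available, cancel an in-progress scan and start a new one, one-minute polling, fail the build on policy failure) and reads the personal access token and BSI token from the Jenkins credential store instead of pasting them into the job. The `fodStaticAssessment` and `fodPollResults` step names, their parameter names and the Maven build command are assumptions based on the Fortify on Demand plugin's pipeline syntax and should be confirmed in your own Jenkins instance's Pipeline Syntax snippet generator; the username, tenant and credential IDs are placeholders.

```groovy
// Added example, not from the video: Jenkinsfile equivalent of the freestyle
// post-build actions above. Step/parameter names are assumed from the FoD plugin's
// pipeline syntax; confirm them in Jenkins' Pipeline Syntax snippet generator.
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Build the Java app and copy its runtime jars under target/dependency so
                // the uploaded folder holds the dependencies (no test deps or minified JS).
                sh 'mvn -B -DskipTests package dependency:copy-dependencies'
            }
        }
        stage('Fortify on Demand static scan') {
            steps {
                // PAT and BSI token come from the Jenkins credential store (secret
                // text) rather than being pasted into the job configuration.
                withCredentials([string(credentialsId: 'fod-pat', variable: 'FOD_PAT'),
                                 string(credentialsId: 'fod-bsi', variable: 'FOD_BSI')]) {
                    fodStaticAssessment(
                        overrideGlobalConfig: true,
                        username: 'fod-user',             // placeholder FoD login
                        tenantId: 'my-tenant',            // placeholder tenant ID
                        personalAccessToken: env.FOD_PAT, // newer plugin versions may take the credential ID here
                        bsiToken: env.FOD_BSI,
                        srcLocation: 'target',            // folder uploaded for scanning
                        entitlementPreference: 'SubscriptionOnly',       // scan on every build
                        remediationScanPreferenceType: 'RemediationScanIfAvailable',
                        inProgressScanActionType: 'CancelScanInProgress' // cancel, then start fresh
                    )
                    fodPollResults(
                        overrideGlobalConfig: true,
                        username: 'fod-user',
                        tenantId: 'my-tenant',
                        personalAccessToken: env.FOD_PAT,
                        bsiToken: env.FOD_BSI,
                        pollingInterval: 1,                    // minutes (plugin default)
                        policyFailureBuildResultPreference: 2  // assumed: 2 = mark build as failed
                    )
                }
            }
        }
    }
}
```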
