
Fortify on Demand - Jenkins Plugin
A demo about how the Jenkins Plugin for Fortify on Demand works.
LEARN MORE about Fortify: https://www.microfocus.com/en-us/solu…
LEARN MORE about how Micro Focus was named a leader in the Gartner MQ for Application Security Testing: https://software.microfocus.com/en-us…
SUBSCRIBE TO FORTIFY UNPLUGGED: / @fortifyunplugged
CONNECT with the Fortify Online Community: https://community.microfocus.com/t5/F…
- Connect with peers and share your knowledge
- Find solutions and answers to your technical questions
- Stay informed on new releases and product enhancements
- Access downloads, demos, videos and support tips
Content
3.62 -> So, today we're gonna integrate Jenkins and Fortify on Demand as a part of our
8.099 -> CI/CD pipeline. So I'm gonna go ahead and start that process, so I'm gonna go into
14.33 -> Fortify on Demand and I'm going to gather a couple pieces of information
18.18 -> that I'm gonna need later inside of Jenkins to be able to set up my pipeline
22.289 -> and do build and automatically kick off scans inside of Fortify on Demand. So I'm
29.16 -> gonna go over here, get my personal access token. As you can see here, I've
33.39 -> already created a couple, but I'm gonna go ahead and add another one just to
36.75 -> show you what that looks like, and I'm just gonna call this one "test two", and
43.379 -> it automatically sets it to 180 days, and that's fine. Authorized APIs, and we go
49.35 -> ahead and apply all the different scopes, and I'm gonna save that, and then that's
54.36 -> gonna generate the secret key, which I'm gonna save here for later because we're
58.92 -> gonna need that inside of Jenkins. So when I go ahead and save that, and I'm
65.4 -> gonna close that, and now I'm gonna go ahead and get my... go into my application,
72.409 -> and I already have a build out here, and I'm gonna go ahead and click on my build,
78.99 -> and I'm gonna go ahead and hit "start static scan", and now I'm gonna set up my
84.24 -> scan details. So I've actually already gone through the process of setting that
87.6 -> up, so I'm gonna click "static scan". I'm going to choose my entitlements, so I'm
93.9 -> going to choose "subscription", and I'm gonna choose a manual upload, and this is
100.259 -> a Java application, so I'm going to click "Java", and this is Java 11, so I'm gonna
105.78 -> choose Java 11, and I'm gonna choose an automated audit preference. So now I'm
112.02 -> gonna grab my BSI token, and I'm gonna save that because we're gonna need that
116.79 -> inside of Jenkins as well. So I'm gonna go ahead and save that, and now I'm going
121.619 -> to save my build, and now it's saved, and I'm gonna go into
128.14 -> Jenkins. So now I already have my freestyle project set up inside of
135.66 -> Jenkins for my regular build, so now I'm gonna go ahead and configure Fortify on Demand
140.8 -> inside of Jenkins. First thing that you're gonna need to do
144.55 -> is go and configure the plug-in itself, so if you go out here and click
150.4 -> "configure"... no, I'm sorry, actually if you go into "Manage Jenkins" and "Manage
159.31 -> Plugins", now you can come out here and search for available plugins and search
164.86 -> for "fortify", and it's not showing because I already have it installed, but you can
173.53 -> see that it's actually "Fortify on Demand", so you're gonna want to pick and enable
179.59 -> Fortify on Demand and install that. So once Fortify on Demand is installed,
185.13 -> you're going to want to go back to your pipeline. I'm gonna click on my webgoat
189.67 -> pipeline and I'm gonna go to configure. So I have this set up with my github
196.51 -> project, and I have... I'm not doing source code management on this, and I just have
202.87 -> it set to build out of my source location, which is in my local drive. Good
209.32 -> thing to note here: you'll definitely want to include the dependencies as a
212.62 -> part of your source location, so make sure it's a folder location where you've
216.97 -> not only uploaded your source code but also included all of your different
221.82 -> dependencies. We don't need your test dependencies or anything like that, or
226.42 -> any minified source code, or, I'm sorry, JavaScript, but we definitely need all
234.16 -> the underlying dependencies for the particular code. So I'm gonna go ahead
238.66 -> and enter my personal access token information. So you'll definitely want to
243.22 -> include a post action build step; that's how you get to these things. So if I go
249.37 -> in and click post action build step and choose Fortify on Demand, and you'll also
255.08 -> want to choose "poll Fortify on Demand for results"; that way we'll get back any
261.049 -> information that we get from our scan to identify if there's any critical issues
266 -> and if we want to fail the build based on, you know, not passing policy. So for
275.66 -> this I'm going to go ahead and enter in my username that I use to log into FoD,
280.49 -> I'm gonna enter in my personal access token, which I've already done, that we
284.09 -> saved from earlier, and I'm gonna enter in my tenant ID, and this is the tenant
288.62 -> ID that you normally use to log into FoD. And I've already chosen subscription, so
294.95 -> this is a subscription-only scheme, because I want to scan it on a regular
300.02 -> basis; otherwise you can do a single scan to do it as a one-time action, but
305.63 -> because we're integrating this into our CI/CD pipeline, I'm gonna be doing this
310.82 -> on a regular basis as I do my builds, and I want to choose "remediation scan if
317.69 -> available"; that way it'll do a follow-up scan and
321.11 -> rescan for anything that I might have already fixed upon me fixing it. And
328 -> the scan options: I want to choose action, what happens when a scan is in progress.
333.44 -> So because I'm gonna do regular builds with Jenkins, you know, there may be scans
338.419 -> already in progress; maybe I want to kick off another build, so what I'm gonna
341.93 -> do is actually go ahead and cancel the previous scan; that way I can start up a
346.16 -> fresh scan without breaking my build pipeline. So I'm gonna
350.66 -> go ahead and choose "cancel scan and then start". I'm gonna enter in my BSI token from
357.26 -> earlier, and I'm going to put that in here for a poll on results, and that sets
362.84 -> up the ability to poll. So now I'm gonna go ahead and set up some
371.3 -> additional polling as well, so I'm gonna go ahead and enter in my username again,
375.62 -> personal access token and tenant ID. I'm gonna set my polling interval to one
380.84 -> minute, which is the default, and I want to have it fail if it
385.19 -> doesn't meet my security policy, and I can go ahead
388.62 -> and test my connection to Fortify. Make sure it's successful. Can go back up here
393.81 -> to do the same, and it's successful. So now I'm gonna go ahead and hit save, and
402.96 -> I'm gonna go ahead and kick off a build.
408.05 -> So now my build is scheduled, and you can see it's already in motion. So now it's
413.46 -> going to go through the process of building my application and actually
417.33 -> kicking off a Fortify on Demand scan, and it's going to run through the scanning
421.95 -> process. So I'm gonna get an email about the scan being kicked off; the scan is
426.45 -> gonna run all the way through, it's gonna complete, and then I'm gonna get back
430.56 -> results right in the Jenkins console. So we'll just go ahead and wait for that
435.87 -> scan to finish up. All right, so now the Fortify on Demand scan has finished,
441.33 -> it's now... the poll is complete, so it's now showing 32 critical items and - high,
447.27 -> so then what that means is basically my policy has failed, so my build has now
452.22 -> failed, and that explanation is shown right here. So, you know, this is
459.45 -> not changing, and it's now changed my build to a failure, so I can actually click
464.7 -> here on this link and it'll actually take me right to Fortify on Demand, and I
470.22 -> can actually see the issues that have arisen, so I can, you know, get details
475.77 -> right here about which issues I need to address and how they need to be
479.76 -> addressed. So now I can see here all the individual issues that have come up, and
487.17 -> I can get recommendations on how to fix them and what they are, all right inside
492.93 -> of Fortify on Demand, and I can do all that right from Jenkins. That's all for
498.99 -> today, thank you very much.
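The video configures a freestyle job through the Jenkins UI. The same setup as a declarative Jenkinsfile, added here as an example and not taken from the video or from the plugin's own documentation: the source plus runtime dependencies (no test dependencies) are staged into one folder, the scan is started with the subscription entitlement, "remediation scan if available" and "cancel in-progress scan, then start" options shown above, and results are polled at a one-minute interval with policy failure marking the build as failed. Instead of typing the personal access token and BSI token into the job configuration, both are stored as Jenkins secret-text credentials and injected with `withCredentials`, so they are masked in the console log and do not live in the job's config.xml. Assumptions: the step names `fodStaticAssessment` and `fodPollResults` and their parameter names are as I recall them from the plugin's pipeline syntax, so confirm them against the Pipeline Syntax snippet generator on your own Jenkins; the credential IDs `fod-pat` and `fod-bsi-token`, the user name, tenant ID and the Maven build are placeholders; and the value `2` for `policyFailureBuildResultPreference` is assumed to mean "mark build as failure".

```groovy
// Added example, not from the video: declarative pipeline equivalent of the
// freestyle job configured above. Step and parameter names are assumed from the
// Fortify on Demand plugin's pipeline syntax; verify with the snippet generator.
pipeline {
    agent any

    environment {
        FOD_USER   = 'jsmith'   // placeholder: the login name used for FoD
        FOD_TENANT = 'acme'     // placeholder: the FoD tenant ID
    }

    stages {
        stage('Build') {
            steps {
                // Compile, then copy only the runtime dependencies next to the
                // source. Test dependencies are not needed for the scan.
                sh 'mvn -B -DskipTests package'
                sh 'mvn -B dependency:copy-dependencies -DincludeScope=runtime -DoutputDirectory=target/deps'
                sh '''
                    rm -rf fod-upload && mkdir -p fod-upload/libs
                    cp -r src/main fod-upload/
                    cp target/deps/*.jar fod-upload/libs/
                '''
            }
        }

        stage('Fortify on Demand static scan') {
            steps {
                // Both tokens come from Jenkins secret-text credentials (IDs are
                // placeholders) rather than being typed into the job config.
                withCredentials([
                    string(credentialsId: 'fod-pat',       variable: 'FOD_PAT'),
                    string(credentialsId: 'fod-bsi-token', variable: 'FOD_BSI')
                ]) {
                    fodStaticAssessment(
                        bsiToken:                      env.FOD_BSI,
                        srcLocation:                   'fod-upload',
                        entitlementPreference:         'SubscriptionOnly',
                        remediationScanPreferenceType: 'RemediationScanIfAvailable',
                        inProgressScanActionType:      'CancelScanInProgress',
                        overrideGlobalConfig:          true,
                        username:                      env.FOD_USER,
                        personalAccessToken:           env.FOD_PAT,
                        tenantId:                      env.FOD_TENANT
                    )
                    fodPollResults(
                        bsiToken:                           env.FOD_BSI,
                        pollingInterval:                    1,  // minutes, the default in the video
                        policyFailureBuildResultPreference: 2,  // assumed: 2 = mark build FAILURE
                        overrideGlobalConfig:               true,
                        username:                           env.FOD_USER,
                        personalAccessToken:                env.FOD_PAT,
                        tenantId:                           env.FOD_TENANT
                    )
                }
            }
        }
    }
}
```

Two practitioner caveats on the token handling shown in the video: the personal access token was created with all scopes applied and a 180-day expiry, so a pipeline token should instead be limited to the API scopes the plugin actually needs and rotated in the Jenkins credential store before it expires, or the poll step will start failing builds for a reason unrelated to policy.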
Source: https://www.youtube.com/watch?v=MQfqyoVEvxA