Dockerized, OWASP-ZAP security scanning, in Jenkins, part two

Following up from my earlier blog post, I was able to get a Dockerized ZAP-CLI up and running in a Jenkins instance!

I’ll break this down into five main parts, as follows:

  1. Installing Jenkins
  2. Installing Docker
  3. Configuring and running ZAP-CLI within Jenkins
  4. Configuring Docker further
  5. Running the build

Installing Jenkins

I followed the directions from this page: https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins+on+Red+Hat+distributions

Before I could use wget to grab the Jenkins install script, I had to get wget itself, like so:

$ sudo dnf install wget

Next, it was just a matter of:

$ sudo wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat-stable/jenkins.repo

Then:

$ sudo rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key
$ sudo dnf install jenkins

And now, even though Jenkins is installed, I also needed to install Java, which I did:

$ sudo dnf install java

And, finally:

$ sudo service jenkins start
$ sudo chkconfig jenkins on

Installing Docker

From the official instructions on Docker’s Installation on Fedora page, I chose the “Install with the script” option.

$ sudo dnf update

$ curl -fsSL https://get.docker.com/ | sh

$ sudo systemctl start docker

$ sudo docker run hello-world

$ sudo groupadd docker
$ sudo usermod -aG docker jenkins

The following command enables Docker on system startup:

$ sudo systemctl enable docker

At this point, both Jenkins and Docker (installed in that order) should be set up and running. However, a few more binaries and plugins are needed to make the two work together.

Configuring and running ZAP-CLI within Jenkins

To configure Jenkins to pull and run the docker-zap shell script, let’s do the following.

  1. Load our Jenkins URL (with default :8080 port)
  2. Click on New Item
  3. In the “Item name” field, I’ll choose “docker-zap-cli” and choose “Freestyle project”
  4. Oops! We know that we’ll be using a GitHub (and thus, Git) project, so we’ll need a Git/GitHub binary/executable, as well as its Jenkins plugins
  5. OK, so from the command-line, let’s do (from How to Install and Configure Git on Fedora 23)
    $ dnf -y install git
  6. Type
    which git

    to let us know where it installed to, successfully.  That should be:

    /usr/bin/git
  7. Now, let’s go to “Manage Jenkins”
  8. Click on “Manage Plugins”
  9. Click on the “Available” tab
  10. In the top-right’s “Filter” textfield, let’s type “git” and see what it offers us
  11. We need: Git client plugin, Git plugin, GitHub API Plugin, and the GitHub Authentication Plugin
  12. Let’s choose those, and then choose “Download now and install after restart,” just to be safe
  13. (There will be a full list of other dependencies which will also be installed, and that’s expected.)
  14. Let’s make sure our Git binary installation works.  Under the /configure URL, in “Git” let’s provide the “Path to Git executable” which, as we’ve seen above, should be
    /usr/bin/git
  15. Now, let’s go back to our “docker-zap-cli” job in Jenkins, and choose “Configure”
  16. Under Source Code Management, now, we should see a “Git” option.  Click on that and enter https://github.com/stephendonner/docker-zap.git
  17. Scroll down to the “Build” option, choose “Add build step” and pick “Execute shell”
  18. In the “Command” textfield, let’s put
    ./run-docker.sh
  19. Click “Save”
  20. Now, let’s click “Build Now”
  21. If you see any “permission denied” errors, particularly with
    /bin/docker

    and can confirm with the SELinux audit log, then try the following:

Disabling SELinux support

I should note that, once I identified the SELinux-related issues with Docker in Fedora, I didn’t spend much time trying to fully understand how to make them work. I do plan on returning to this in future work, as disabling SELinux is *NOT* recommended. There’s an official FAQ here: https://fedoraproject.org/wiki/SELinux_FAQ. (In fact, the Docker Daemon docs reference the --selinux-enabled option.) However, to go about disabling SELinux on a test system, per Red Hat’s docs, we need to change

SELINUX=enforcing

to read

SELINUX=disabled

in

/etc/selinux/config

So do:

$ sudo vi /etc/selinux/config

and make the edit.

We need a logout/restart, here, so let’s do:

$ systemctl stop jenkins.service
$ systemctl stop docker.service
$ shutdown -r now

Configuring Docker further

Now, because we’re using a Fedora version which has systemd, we want to configure Docker using systemd.

First, create the drop-in directory and file:

$ sudo mkdir /etc/systemd/system/docker.service.d
$ sudo vi /etc/systemd/system/docker.service.d/docker.conf

and put in the following (the empty ExecStart= line is required: it clears the ExecStart inherited from the packaged unit before the new one is set):

[Service]
EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
ExecStart=
ExecStart=/usr/bin/dockerd -D -H tcp://127.0.0.1:2375 \
    $DOCKER_STORAGE_OPTIONS \
    $DOCKER_NETWORK_OPTIONS \
    $BLOCK_REGISTRY \
    $INSECURE_REGISTRY

Now we also want to make Docker available via that TCP port we specified, 2375:

$ sudo vi /etc/systemd/system/docker-tcp.socket

Put in the following:

[Unit]
Description=Docker Socket for the API

[Socket]
ListenStream=2375
BindIPv6Only=both
Service=docker.service

[Install]
WantedBy=sockets.target

Now, let’s enable and start Docker’s binding to TCP:2375:

$ systemctl stop docker.service
$ systemctl enable docker-tcp.socket
$ systemctl start docker-tcp.socket
$ systemctl start docker.service

(Here’s also a nice article for more in-depth info on the above.)

Running the build

Now that we’ve installed and configured Jenkins, Docker, and Git and other necessary plugins, it’s time to build!

  1. In Jenkins, in the docker-zap-cli job view, click on “Build” in the left-hand menu
  2. If all goes well, you should see something very close to the following:
GitHub-repo pulling...
20:47:20 [INFO]            Accessing URL https://www.allizom.org/en-US/firefox/
20:47:34 [INFO]            Running spider...
20:49:15 [INFO]            Running an active scan...
6310 [ZAP-daemon] INFO org.zaproxy.zap.DaemonBootstrap  - ZAP is now listening on 127.0.0.1:2375
43023 [Thread-9] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Starting spidering scan on SpiderApi-0 at Tue Jun 28 20:47:34 UTC 2016
43028 [Thread-9] INFO org.zaproxy.zap.spider.Spider  - Spider initializing...
43055 [Thread-9] INFO org.zaproxy.zap.spider.Spider  - Starting spider...

105166 [pool-1-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
105174 [Thread-10] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true

20:49:35 155113 [Thread-12] INFO org.parosproxy.paros.core.scanner.HostProcess  - completed host https://www.allizom.org in 11.491s
20:49:35 155115 [Thread-11] INFO org.parosproxy.paros.core.scanner.Scanner  - scanner completed in 11.532s
20:49:35 c7017c8e9ca40054acf9e1a88dc36c14d1866419da6ca974efd61298b423c43f
20:49:35 Finished: SUCCESS

Here's a Pastebin entry with the full output.

In fact, the output should very nearly match that in https://blog.mozilla.org/webqa/2016/05/11/docker-owasp-zap-part-one/ , since Docker is just executing the commands we've already set up.

I plan on continuing to work further in my GitHub repository, so keep an eye on and/or add to Issues/Pull Requests!

I'd absolutely love more help and feedback on how to make this more useful; thanks!
