Jenkins Single Pipeline for Multiple Repositories using Webhooks
First time using Jenkins? Please refer to the following documentation.
This integration creates a single pipeline that serves multiple repositories. The SCM system and Jenkins must be reachable from each other: the repository's webhooks must reach Jenkins so that builds start automatically, and Jenkins must reach the SCM to clone the code.
Requirements
1. Generic Webhook Trigger and Docker plugins installed in Jenkins;
2. A Personal Access Token, from an automation user or a regular user, for the SCM (GitHub, GitLab, Bitbucket, etc.) and Jenkins, granting Jenkins access to the code repositories;
3. Docker installed on the host, with the Jenkins user granted docker group privileges;
4. Groovy sandbox available for the pipeline script;
5. The Personal Access Token stored in Jenkins as a username-with-password credential, where the username is the token owner and the password is the token itself;
6. A generic token to act as the Conviso pipeline identifier. It may be stored as a credential or not; it is used in the webhook's URL as the pipeline identifier.
Creating the Jenkins Job
1. In Jenkins' main menu, create a new job;
2. Name the job as you wish and select the Pipeline type;
3. In the Build Triggers section, enable Generic Webhook Trigger;
4. Create a Post Content Parameter named webhook (lowercase), with the expression $ and the JSONPath type. The $ expression captures the whole request body, and the plugin flattens nested JSON keys with underscores, so the payload's before, after and repository.git_http_url fields become the webhook_before, webhook_after and webhook_repository_git_http_url variables that the pipeline script reads;
5. In Token, use the token value obtained at step 6 of the Requirements section above;
6. Cause is the message shown when the job is started. For example: Conviso Job Pipeline started for repo: $webhook_repository_git_http_url. Start Commit: $webhook_before. End Commit: $webhook_after
7. (Optional) When the Print Post Content option is checked, Jenkins prints the received webhook content in the build log;
8. (Optional) When the Print Contributed Variables option is checked, Jenkins prints the resolved variables available to the pipeline.
Jenkinsfile Pipeline Script
```groovy
// Map each repository's HTTP clone URL to its Conviso project code (mapping explained in the next section)
project_codes = [
  'https://github.com/convisoappsec/raptor': 'deadbeef1234'
]
def get_project_code(url) { project_codes[url] }   // null when the repository is not mapped
pipeline {
  agent { docker { image '<conviso_cli_image>' /* placeholder: the image that ships the conviso CLI */; args '-v /var/run/docker.sock:/var/run/docker.sock' } }
  environment {
    FLOW_API_KEY = credentials('FLOW_API_KEY')
    FLOW_PROJECT_CODE = get_project_code(webhook_repository_git_http_url)   // webhook_* variables are contributed by the Generic Webhook Trigger
    PREVIOUS_COMMIT = "$webhook_before"
    CURRENT_COMMIT = "$webhook_after"
  }
  stages {
    stage('Checkout') { steps { git credentialsId: '<credential_personal_access_token_name>', url: "$webhook_repository_git_http_url" } }
    stage('Conviso SAST') { steps {
      sh 'conviso deploy create -f env_vars with values -p $PREVIOUS_COMMIT -c $CURRENT_COMMIT > created_deploy_vars'
      // created_deploy_vars exports the FLOW_DEPLOY_*_VERSION_COMMIT variables; --current-commit is assumed as the counterpart of --start-commit
      sh '. ./created_deploy_vars && conviso sast run --start-commit "$FLOW_DEPLOY_PREVIOUS_VERSION_COMMIT" --current-commit "$FLOW_DEPLOY_CURRENT_VERSION_COMMIT"'
    } }
  }
}
```
Associating Conviso Projects to the Pipeline
The repository must be associated with an AST (Application Security Testing) or CCR (Continuous Code Review) Project in Conviso. The mapping from repository to Project is kept in the project_codes map at the top of the pipeline script (its initialization section). As an example, if the Project Key of a particular Project is deadbeef1234 and the repository is https://github.com/convisoappsec/raptor, the beginning of the file will look as follows:

```groovy
project_codes = [
  'https://github.com/convisoappsec/raptor': 'deadbeef1234'
]
```

Thus, when a webhook configured at that repository is received, the pipeline resolves the Project from the repository URL and can work on that repository. The get_project_code function works for any number of repositories, as long as the map and the function remain valid Groovy (one URL-to-code entry per line, entries separated by commas):

```groovy
project_codes = [
  'https://github.com/convisoappsec/raptor': 'deadbeef1234',
  '<https_clone_url_of_another_repository>': '<conviso_project_code_of_that_repository>'
]
```

The lookup is an exact string match against the URL delivered in the webhook payload (webhook_repository_git_http_url), so each key must match that value character by character, including the scheme and any .git suffix. A repository that is missing from the map resolves to null.
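To make the data flow concrete, the following is an added example, not code from the original page or from the Conviso project. It reproduces in Python what the Generic Webhook Trigger does with a Post Content Parameter named webhook and expression $ (flattening the JSON body into webhook_* variables, as described in the job setup above) and what the pipeline's project_codes lookup then does with those variables. The push payload, the repository-to-code mapping and the set of allowed branches are constructed for the example; the branch check is an assumption added here, mirroring the branch filter the webhook itself is expected to apply, and the unmapped-repository check shows the failure mode of a delivery whose URL is not in the map.

```python
import json

# Constructed sample payload, shaped like an SCM push event (not captured from a real system).
SAMPLE_PUSH_BODY = json.dumps({
    "object_kind": "push",
    "ref": "refs/heads/develop",
    "before": "a" * 40,
    "after": "b" * 40,
    "repository": {
        "name": "raptor",
        "git_http_url": "https://github.com/convisoappsec/raptor",
    },
    "commits": [{"id": "b" * 40, "message": "constructed commit"}],
})

# Same mapping the Jenkinsfile keeps in project_codes.
PROJECT_CODES = {
    "https://github.com/convisoappsec/raptor": "deadbeef1234",
}

# Branches the webhook is expected to be filtered to (the page's example names develop and staging).
# Checking them again in the pipeline is an assumption made for this example.
ALLOWED_REFS = {"refs/heads/develop", "refs/heads/staging"}


def flatten(prefix, value):
    """Flatten a JSON value the way the Generic Webhook Trigger does when a
    JSONPath expression matches an object: nested keys are joined with '_',
    list elements get their index, and leaves become strings."""
    if isinstance(value, dict):
        out = {}
        for key, child in value.items():
            out.update(flatten(f"{prefix}_{key}", child))
        return out
    if isinstance(value, list):
        out = {}
        for index, child in enumerate(value):
            out.update(flatten(f"{prefix}_{index}", child))
        return out
    if isinstance(value, bool):
        return {prefix: "true" if value else "false"}
    return {prefix: "" if value is None else str(value)}


def contributed_variables(raw_body, variable="webhook"):
    """Variables a Post Content Parameter named `variable` with expression `$` contributes."""
    return flatten(variable, json.loads(raw_body))


def resolve_pipeline_inputs(raw_body, project_codes=PROJECT_CODES, allowed_refs=ALLOWED_REFS):
    """Reproduce the pipeline's initial lookups and fail before any clone would
    happen when the delivery does not match the mapping or the expected branches."""
    variables = contributed_variables(raw_body)
    ref = variables.get("webhook_ref")
    if ref not in allowed_refs:
        raise ValueError(f"ref not enabled for this pipeline: {ref!r}")
    repo_url = variables.get("webhook_repository_git_http_url")
    project_code = project_codes.get(repo_url)
    if project_code is None:
        raise ValueError(f"repository not mapped to a Conviso project: {repo_url!r}")
    return {
        "FLOW_PROJECT_CODE": project_code,
        "PREVIOUS_COMMIT": variables["webhook_before"],
        "CURRENT_COMMIT": variables["webhook_after"],
        "clone_url": repo_url,
    }


if __name__ == "__main__":
    for name, value in sorted(contributed_variables(SAMPLE_PUSH_BODY).items()):
        print(f"{name}={value}")
    print(resolve_pipeline_inputs(SAMPLE_PUSH_BODY))
```

Because the pipeline clones whatever URL arrives in webhook_repository_git_http_url using the stored Personal Access Token, treating the mapping as an allowlist and failing the build when the lookup returns nothing keeps an unexpected delivery from ever reaching the checkout stage.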
Creating a Webhook at the Repository
Webhook creation varies from platform to platform. By default, it is triggered on push events, filtered to a specific branch (develop, staging), with the URL set as follows:

```
https://<your-jenkins-host>/generic-webhook-trigger/invoke?token=TOKEN
```

Where TOKEN is the token created at step 6 of the Requirements section above. The payload must be delivered as JSON (content type application/json), since the Post Content Parameter configured in the job extracts its variables from the request body with a JSONPath expression.