First time using Jenkins? Please refer to the following documentation.
This integration runs the CLI as a Docker image for all execution and communication with Flow.
By the end of this tutorial you will know how to:
- Run a SAST scan
- Run a SCA scan
- Send diff code to Flow's security Codereview module.
In order to integrate with Jenkins, your environment must fulfil the following requirements:
- Jenkins version 2.222.3 or higher;
- Docker installed;
- Jenkins user must have access to the Docker daemon;
- External access (can be restricted to specific Conviso addresses);
If you need help installing Docker, the links below describe the whole process:
The steps below show what your Jenkinsfile must contain to run our actions. These stages can also be inserted into your existing Jenkinsfile.
The following code snippet will trigger a SAST scan and send the results to Flow.
The following code snippet will trigger a SCA scan and send the results to Flow.
The following code snippet will send diff code to Flow's security Codereview module so you can perform a continuous code review assessment. There are three approaches, depending on how you work with your project. In a nutshell:
- Using Tags, ordered by time
- Using Tags, ordered by versioning style (semantic version)
- Without using Tags, ordered by Git tree
The SAST analysis can complement the code review carried out by the Conviso professional, even serving as input for the analyst. The job below deploys the code for code review and reuses the same diff identifiers for the SAST analysis, forming a complete solution in the pipeline. An example of a complete pipeline with both solutions can be seen in the snippet below:
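The declarative Jenkinsfile below is an added illustration of the stages described on this page (code review deploy, SAST and SCA), not a snippet from the original document or from Conviso. The image name `convisoappsec/flowcli`, the `flow deploy create with tag-tracker sort-by time`, `flow sast run` and `flow sca run` subcommands, the `FLOW_API_KEY` / `FLOW_PROJECT_CODE` variable names and the `flow-api-key` credential id are assumptions; check them against the CLI's own help before use.

```groovy
// Added example (not Conviso's own code). Helper that runs one Flow CLI
// command inside the CLI container. Secrets are passed with bare "-e VAR"
// so their values are read from the Jenkins environment and never appear
// in the docker command line or the build log.
def flowCli(String args) {
    sh """
      docker run --rm \\
        -e FLOW_API_KEY -e FLOW_PROJECT_CODE \\
        -v "\${WORKSPACE}:/code" -w /code \\
        "\${FLOW_CLI_IMAGE}" ${args}
    """
}

pipeline {
    agent any

    environment {
        // Assumed credential id: a Jenkins "secret text" credential, so the
        // key is not hard-coded in the Jenkinsfile.
        FLOW_API_KEY      = credentials('flow-api-key')
        FLOW_PROJECT_CODE = 'YOUR_PROJECT_CODE'          // placeholder
        // Assumed image name; pin a specific tag in production instead of :latest.
        FLOW_CLI_IMAGE    = 'convisoappsec/flowcli:latest'
    }

    stages {
        stage('Checkout') {
            steps { checkout scm }
        }
        stage('Code review deploy') {
            steps {
                // Tag-based, time-ordered deploy (assumed subcommand name).
                script { flowCli('flow deploy create with tag-tracker sort-by time') }
            }
        }
        stage('SAST') {
            steps {
                script { flowCli('flow sast run') }
            }
        }
        stage('SCA') {
            steps {
                script { flowCli('flow sca run') }
            }
        }
    }
}
```

The Jenkins user running this job needs access to the Docker daemon, as the requirements above state; restrict that access to the build agents that actually run these stages.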