DevSecOps pipeline for Python Web App
A Jenkins end-to-end DevSecOps pipeline for a Python web application, hosted on AWS Ubuntu 20.04
Note: This project is for demonstration purposes and performs surface-level checks only; do not use it as-is in production.
- Checkout project – check out the Python application repository, which deliberately contains an XSS vulnerability
- Git secret check – check that no passwords/tokens/keys/secrets were accidentally committed to the project's GitHub repository
- SCA – check that the external dependencies/libraries used by the project have no known vulnerabilities
- SAST – static analysis of the application source code for exploitable flaws, bugs and vulnerabilities
- Container audit – audit the container that is used to deploy the Python application
- DAST – deploy the application, register, log in, then attack and analyse it from the frontend as an authenticated user
- System security audit – analyse the security posture of the system hosting the application
- WAF – deploy the application behind a WAF that filters malicious requests according to the OWASP Core Rule Set
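Put together as a declarative Jenkinsfile, the stages above look like the following. This is an added example for this README, not the project's own Jenkinsfile: the tool choices (gitleaks, pip-audit, bandit, trivy, the ZAP baseline scan, lynis, the owasp/modsecurity-crs image), the image names, ports, docker network and the `app/` source path are all assumptions made for the illustration.

```groovy
// Added example Jenkinsfile (not the project's own). One declarative stage per
// check in the list above; tool choices, image names, ports and paths are assumed.
pipeline {
    agent any

    environment {
        APP_IMAGE = "pysec-demo:${env.BUILD_NUMBER}"   // assumed image tag
        NET       = 'pysec-net'                        // assumed docker network
        TARGET    = 'http://app-under-test:5000'       // assumed app listens on 5000
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm        // repository configured via "Pipeline script from SCM"
                sh 'mkdir -p reports'
            }
        }
        stage('Git secret check') {
            steps {
                // gitleaks exits non-zero (build fails) if keys/tokens are found in history
                sh 'gitleaks detect --source . --report-format json --report-path reports/gitleaks.json'
            }
        }
        stage('SCA') {
            steps {
                // Known-vulnerable third-party packages in the pinned requirements
                sh 'pip-audit -r requirements.txt'
            }
        }
        stage('SAST') {
            steps {
                // Static analysis of the app source; bandit exits non-zero on findings
                sh 'bandit -r app/ -f json -o reports/bandit.json'
            }
        }
        stage('Container audit') {
            steps {
                sh "docker build -t ${APP_IMAGE} ."
                // Block the build on HIGH/CRITICAL CVEs in the image layers
                sh "trivy image --exit-code 1 --severity HIGH,CRITICAL ${APP_IMAGE}"
            }
        }
        stage('DAST') {
            steps {
                sh "docker network create ${NET} || true"
                sh "docker run -d --rm --name app-under-test --network ${NET} ${APP_IMAGE}"
                // Baseline (passive) scan of the running app; the authenticated scan
                // described above additionally needs a ZAP context with the login details
                sh """docker run --rm --network ${NET} -v \$PWD/reports:/zap/wrk:rw \
                      ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t ${TARGET} -r zap.html"""
            }
            post {
                always { sh 'docker stop app-under-test || true' }
            }
        }
        stage('System security audit') {
            steps {
                // Host hardening report; assumes the Jenkins user may sudo. The project
                // runs this check against the Ansible-provisioned EC2 test instance instead.
                sh 'sudo lynis audit system --quick --no-colors --report-file reports/lynis-report.dat'
            }
        }
        stage('WAF') {
            steps {
                // Put the app behind ModSecurity + OWASP CRS as a reverse proxy. BACKEND and
                // the listening port 8080 follow the owasp/modsecurity-crs image (assumed).
                sh "docker run -d --rm --name app --network ${NET} ${APP_IMAGE}"
                sh "docker run -d --rm --name waf --network ${NET} -p 8000:8080 " +
                   "-e BACKEND=http://app:5000 owasp/modsecurity-crs:nginx"
            }
        }
    }

    post {
        always {
            // Keep every tool report with the build, even when a stage failed
            archiveArtifacts artifacts: 'reports/**', allowEmptyArchive: true
        }
    }
}
```

Each `sh` step fails the build on a non-zero exit status, so every check is a gate rather than just a report; note that `zap-baseline.py` also returns non-zero on warnings, so a demo pipeline that should only fail on confirmed issues would pass its `-I` flag.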
- Clone this repository to your Ubuntu server (t2.medium recommended)
git clone https://github.com/pawnu/PythonSecurityPipeline.git
- Edit the code to make it work on your AWS account
- Run the setup script to create the CI/CD server with Jenkins and the pipeline ready to go
cd PythonSecurityPipeline
sudo sh setup-ubuntu.sh
- Make sure your firewall allows incoming traffic to port 8080. Then, go to your Jenkins server URL.
- Use the temporary credentials provided on the logs to login. Change your password!
- Go to the python pipeline project dashboard, click on “Build Now” button to start it off.
Setting up a Jenkins Pipeline project manually on Local Machine
A sample pipeline is already provided through automation
- Click on New Item, input name for your project and select Pipeline as the option and click OK.
- Scroll down to the Pipeline section – Definition, and select “Pipeline script from SCM” from the drop-down menu.
- Select Git under SCM, and input Repository URL.
- (Optional) Create and Add your credentials for the Git repo if your repo is private, and click Save.
- You will be brought to the Dashboard of your Pipeline project, click on “Build Now” button to start off the pipeline.
To do checks:
- Select appropriate security tools and sample python project
- Set up Jenkins server using docker (Dockerfile) and pipeline as code (Jenkinsfile) to run the checks
- Use ansible to create AWS ec2 test instance, configure the environment, and interact with it
- Hook up the web app with ModSecurity, providing WAF and reverse-proxy capabilities
- Bootstrap with Jenkins API/configfile to setup and automatically create the pipeline job
- Carry out authenticated DAST scan on the python web app
- Devanshu Vashishtha – web-codegrammer
Project is Licensed Under the
Devanshu Vashishtha | Copyright