DevSecOps pipeline for Python Web App
A Jenkins end-to-end DevSecOps pipeline for Python web application, hosted on AWS Ubuntu 20.04
Note: This project is for demonstration purpose with surface level checks only, do not use as it is on production
Checkout project - check out python application project repository with XSS vulnerability
git secret check - check there is no password/token/keys/secrets accidently commited to project github
SCA - check external dependencies/libraries used by the project have no known vulnerabilities
SAST - static analysis of the application source code for exploits, bugs, vulnerabilites
Container audit - audit the container that is used to deploy the python application
DAST - deploy the application, register, login, attack & analyse it from the frontend as authenticated user
System security audit - analyse at the security posture of the system hosting the application
WAF - deploy application with WAF which will filter malicious requests according to OWASP core ruleset
Installation Steps
- Clone this repository to your Ubuntu Server (t2-medium recommended)
git clone https://github.com/pawnu/PythonSecurityPipeline.git
-
Edit the code to make it work on your AWS
- Change to your AWS subnet vpc_subnet_id
- Change to your AWS security_group (allow inbound ssh(22), WAF(80), Optional web-app(10007) from your IP ONLY)
- Create an IAM role which gives full-ec2-access and assign it to your ubuntu server
-
Run the setup script to create CICD server with Jenkins+pipeline ready to go
cd PythonSecurityPipeline
sudo sh setup-ubuntu.sh
- Make sure your firewall allows incoming traffic to port 8080. Then, go to your jenkins server URL
http://your-jenkins-server:8080/
- Use the temporary credentials provided on the logs to login. Change your password!
- Go to the python pipeline project dashboard, click on "Build Now" button to start it off.
Setting up a Jenkins Pipeline project manually on Local Machine
A sample pipeline is already provided through automation
- Click on New Item, input name for your project and select Pipeline as the option and click OK.
- Scroll down to Pipeline section - Definition, select "Pipeline script from SCM" from drop down menu.
- Select Git under SCM, and input Repository URL.
- (Optional) Create and Add your credentials for the Git repo if your repo is private, and click Save.
- You will be brought to the Dashboard of your Pipeline project, click on "Build Now" button to start off the pipeline.
To do checks:
- Select appropriate security tools and sample python project
- Set up Jenkins server using docker (Dockerfile) and pipeline as code (Jenkinsfile) to run the checks
- Use ansible to create AWS ec2 test instance, configure the environment, and interact with it
- Hook up the web-app with modsecurity providing WAF,reverse proxy capabilities
- Bootstrap with Jenkins API/configfile to setup and automatically create the pipeline job
- Carry out authenticated DAST scan on the python web app
Report
Test Author
- Devanshu Vashishtha - web-codegrammer
Project is Licensed Under the
Issued to Devanshu Vashishtha
| Copyright