Experiment 7

The document outlines an experiment to understand Static Application Security Testing (SAST) and integrate Jenkins with SonarQube for automated code analysis. It includes objectives, required tools, installation steps, and configuration for both SonarQube and Jenkins, along with optional GitLab integration. The conclusion emphasizes the benefits of early detection of security flaws and the automation of secure coding standards in DevSecOps pipelines.

Uploaded by: surekha

🧪 Experiment: Understanding SAST and Integrating Jenkins SAST with SonarQube/GitLab

✅ Objective:
 Understand the concept and process of Static Application Security Testing (SAST).
 Install and configure SonarQube for static code analysis.
 Integrate Jenkins CI pipeline to automate SAST using SonarQube.
 Optionally integrate with GitLab for DevSecOps.

🧰 Tools Required:
 Jenkins (CI tool)
 SonarQube (SAST tool)
 GitLab (Source Control, optional)
 Java or Node.js sample project
 Docker (optional for faster setup)
 Ubuntu/Linux system or VM

📚 Theory:
🔷 What is SAST (Static Application Security Testing)?
 SAST analyzes source code, bytecode, or binary code to find security vulnerabilities
early in the development lifecycle, without executing the code.
 Helps detect issues like SQL injection, XSS and hardcoded credentials, and also
maintainability problems (code smells).
 Often integrated into the CI/CD pipeline using tools like SonarQube, Fortify,
Checkmarx, etc.
 Because the program is never run, SAST cannot see runtime configuration and does
report false positives; findings still need review, and SAST complements rather than
replaces dynamic testing (DAST).

🔶 Key Terms:
Term          Description
SonarQube     Platform for continuous inspection of code quality and security (the Community Edition is open source)
Jenkins       Automation server to build, test, and deploy
SAST          Static code analysis for security vulnerabilities
Quality Gate  Rule set (e.g. no new Blocker vulnerabilities, no unreviewed Security Hotspots) that defines whether the project passes or fails analysis
🔧 Part A: Install & Setup SonarQube
Option 1: Install using Docker (Quick Setup)
docker pull sonarqube
docker run -d --name sonarqube -p 9000:9000 sonarqube

Access SonarQube: 🔗 http://localhost:9000 (Default login: admin / admin; you are forced to change this password at first login)

Notes on this quick setup:
 On Linux the embedded Elasticsearch needs vm.max_map_count ≥ 262144 (sudo sysctl -w vm.max_map_count=262144); otherwise the container exits shortly after starting (check with docker logs sonarqube).
 Without volumes, every project and analysis result is lost when the container is removed; mount /opt/sonarqube/data, /opt/sonarqube/extensions and /opt/sonarqube/logs for anything beyond a throwaway lab.
 The image uses an embedded H2 database, which SonarSource supports for evaluation only, not for production use.
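The quick setup above as an added example script (not from the original lab sheet): it checks the kernel setting SonarQube's embedded Elasticsearch depends on, starts the container with named volumes and the port bound to localhost only, and polls GET /api/system/status until the server reports UP. A Linux host with Docker, curl and sudo is assumed; the image tag, volume names and the five-minute wait are choices of this example, not requirements.

```shell
#!/bin/sh
# Added example (not from the original lab sheet): the Option 1 quick setup with the
# checks the one-line "docker run" skips. Assumes a Linux host with Docker, curl and
# sudo; the image tag, volume names and the 5-minute wait are choices, not requirements.
set -eu

SONAR_IMAGE="${SONAR_IMAGE:-sonarqube:community}"
SONAR_URL="${SONAR_URL:-http://localhost:9000}"

# SonarQube's embedded Elasticsearch refuses to start unless vm.max_map_count is at
# least 262144. Returns 0 (true) when the given value is high enough.
max_map_count_ok() {   # max_map_count_ok VALUE
    [ "$1" -ge 262144 ]
}

# Extract the status field from the JSON returned by GET /api/system/status,
# e.g. {"id":"...","version":"10.4","status":"UP"} -> UP, without needing jq.
sonar_status() {   # sonar_status JSON
    printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p'
}

start_sonarqube() {
    current="$(sysctl -n vm.max_map_count)"
    if ! max_map_count_ok "$current"; then
        echo "vm.max_map_count is $current; raising it to 262144 (needs root)"
        sudo sysctl -w vm.max_map_count=262144
    fi

    # Named volumes keep projects, plugins and logs across container restarts.
    # Bind only to localhost: the default admin/admin account should not be
    # reachable from the network before the forced password change.
    docker run -d --name sonarqube \
        -p 127.0.0.1:9000:9000 \
        -v sonarqube_data:/opt/sonarqube/data \
        -v sonarqube_extensions:/opt/sonarqube/extensions \
        -v sonarqube_logs:/opt/sonarqube/logs \
        "$SONAR_IMAGE"

    # First boot takes a minute or two; poll until the API reports UP.
    # Before the HTTP listener is up curl fails (empty status), then it says STARTING.
    i=0
    while [ "$i" -lt 60 ]; do
        status="$(sonar_status "$(curl -s "$SONAR_URL/api/system/status" || true)")"
        if [ "$status" = "UP" ]; then
            echo "SonarQube is up at $SONAR_URL (login admin/admin, then change the password)"
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    echo "SonarQube did not report UP in time; run: docker logs sonarqube" >&2
    return 1
}

# Runs only when invoked as: sh setup_sonarqube.sh start
case "${1:-}" in
    start) start_sonarqube ;;
esac
```

If Jenkins itself runs in a container on the same host, it cannot reach 127.0.0.1:9000 inside its own network namespace; put both containers on one Docker network and use the SonarQube container name as the server URL instead.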


🔽 Screenshot Placeholder: SonarQube Dashboard

🔧 Part B: Configure SonarQube Project


1. Log in to the SonarQube dashboard (set the new admin password when prompted).
2. Create a new project: → Create project → Manually → Enter a project key and display name (e.g., my-sast-project) → Generate token. The token is shown only once: copy it and store it in Jenkins as a "Secret text" credential (Part C, Step 2), never in the repository or the Jenkinsfile. Prefer a Project Analysis Token over a global or user token, as it can only submit analyses for this one project.
3. Choose the analysis method: Locally or With Jenkins (we'll use CI via Jenkins).
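Part B done through the SonarQube Web API instead of the wizard, as an added example that is not part of the original lab sheet: it creates the project, issues a project-scoped analysis token, registers the SonarQube → Jenkins webhook that a quality-gate wait in the pipeline depends on, and writes sonar-project.properties for the scanner. It assumes SonarQube 9.x or 10.x (project analysis tokens exist since 9.x), the admin password in SONAR_ADMIN_PASS, Jenkins reachable at JENKINS_URL and curl on PATH; the project key, token name and exclusion list are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original lab sheet: do Part B through the SonarQube
# Web API instead of clicking through the wizard, so project, analysis token, the
# SonarQube->Jenkins webhook and sonar-project.properties are reproducible.
# Assumptions: SonarQube 9.x/10.x (project analysis tokens exist since 9.x), admin
# password in SONAR_ADMIN_PASS, Jenkins reachable at JENKINS_URL, curl on PATH.
set -eu

SONAR_URL="${SONAR_URL:-http://localhost:9000}"
JENKINS_URL="${JENKINS_URL:-http://localhost:8080}"
PROJECT_KEY="${PROJECT_KEY:-my-sast-project}"
PROJECT_NAME="${PROJECT_NAME:-my-sast-project}"

# sonar-project.properties for the scanner. The token is deliberately not written
# here: sonar-scanner reads it from the SONAR_TOKEN environment variable, which
# Jenkins' withSonarQubeEnv injects from the stored credential.
sonar_properties() {   # sonar_properties KEY NAME SOURCES
    printf 'sonar.projectKey=%s\n' "$1"
    printf 'sonar.projectName=%s\n' "$2"
    printf 'sonar.sources=%s\n' "$3"
    printf 'sonar.exclusions=**/node_modules/**,**/target/**,**/build/**\n'
}

# Pull one string field out of a flat JSON object without jq, e.g. the "token"
# field of {"login":"admin","type":"PROJECT_ANALYSIS_TOKEN","token":"sqp_..."}.
json_field() {   # json_field NAME JSON
    printf '%s' "$2" | sed -n 's/.*"'"$1"'":"\([^"]*\)".*/\1/p'
}

provision() {
    auth="admin:${SONAR_ADMIN_PASS:?set SONAR_ADMIN_PASS to the admin password}"

    # 1. Create the project (the API answers HTTP 400 if the key already exists).
    curl -sSf -u "$auth" -X POST "$SONAR_URL/api/projects/create" \
        --data-urlencode "name=$PROJECT_NAME" \
        --data-urlencode "project=$PROJECT_KEY" >/dev/null

    # 2. A project-scoped analysis token: it can submit analyses for this project
    #    only, so a leak from Jenkins cannot touch other projects or the admin account.
    resp="$(curl -sSf -u "$auth" -X POST "$SONAR_URL/api/user_tokens/generate" \
        --data-urlencode "name=jenkins-$PROJECT_KEY" \
        --data-urlencode "type=PROJECT_ANALYSIS_TOKEN" \
        --data-urlencode "projectKey=$PROJECT_KEY")"
    token="$(json_field token "$resp")"

    # 3. Global webhook so SonarQube reports each finished analysis to Jenkins;
    #    without it a waitForQualityGate step in the pipeline never returns. The
    #    secret is used for the X-Sonar-Webhook-HMAC-SHA256 header on each call.
    secret="$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    curl -sSf -u "$auth" -X POST "$SONAR_URL/api/webhooks/create" \
        --data-urlencode "name=jenkins" \
        --data-urlencode "url=$JENKINS_URL/sonarqube-webhook/" \
        --data-urlencode "secret=$secret" >/dev/null

    sonar_properties "$PROJECT_KEY" "$PROJECT_NAME" . > sonar-project.properties

    echo "Analysis token (shown once; store in Jenkins as a Secret text credential): $token"
    echo "Webhook secret (store in the Jenkins SonarQube server configuration): $secret"
}

# Runs only when invoked as: sh provision_sonar.sh provision
case "${1:-}" in
    provision) provision ;;
esac
```

Whether Jenkins verifies the HMAC header depends on the version of the SonarQube Scanner for Jenkins plugin; if its SonarQube server configuration offers a webhook secret field, paste the printed secret there, otherwise the webhook still works but is unauthenticated.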

🔧 Part C: Integrate SonarQube with Jenkins


Step 1: Install SonarQube Plugin in Jenkins
 Jenkins → Manage Jenkins → Plugins (called Manage Plugins in older Jenkins) → Available plugins

 Search and install:

o SonarQube Scanner for Jenkins
o Pipeline
o GitLab (or GitHub) plugin (optional, for webhook-triggered builds)

Step 2: Configure SonarQube in Jenkins


 Jenkins → Manage Jenkins → System (Configure System in older Jenkins)

 Find SonarQube servers → Add SonarQube

o Name: SonarQube (this exact name is what withSonarQubeEnv refers to in the Jenkinsfile)
o Server URL: http://localhost:9000 (if Jenkins runs in a container, use the address at which it can actually reach SonarQube)
o Server authentication token: do not paste the token as plain text. Add it under Manage Jenkins → Credentials as kind "Secret text" and select that credential here, so it is masked in build logs and not stored in the job configuration.
🔽 Screenshot Placeholder: Jenkins SonarQube Configuration

Step 3: Configure Sonar Scanner


 Jenkins → Manage Jenkins → Tools (Global Tool Configuration in older Jenkins)
 Add SonarQube Scanner

o Name: SonarScanner
o Install Automatically

Step 4: Create Jenkins Pipeline Job


Use the following example Jenkinsfile (Declarative Pipeline). Declarative tools {} has no sonarQube tool type, so the scanner installation is resolved with the tool step; the Quality Gate stage requires a webhook in SonarQube (Administration → Configuration → Webhooks) pointing at http://<jenkins-host>/sonarqube-webhook/, otherwise waitForQualityGate blocks until the timeout:
pipeline {
    agent any

    environment {
        // Resolves the "SonarScanner" installation from Step 3
        SCANNER_HOME = tool 'SonarScanner'
    }

    stages {
        stage('Checkout Code') {
            steps {
                git 'https://github.com/your-org/your-repo.git'
            }
        }

        stage('Run SonarQube Analysis') {
            steps {
                // 'SonarQube' is the server name from Step 2. withSonarQubeEnv injects
                // SONAR_HOST_URL and the token from the Jenkins credential, so no
                // secret is written into the Jenkinsfile or the repository.
                withSonarQubeEnv('SonarQube') {
                    sh "${SCANNER_HOME}/bin/sonar-scanner " +
                       "-Dsonar.projectKey=my-sast-project -Dsonar.sources=."
                }
            }
        }

        stage('Quality Gate') {
            steps {
                // Waits for SonarQube to post the analysis result to
                // <jenkins>/sonarqube-webhook/ and fails the build if the gate is not OK.
                timeout(time: 5, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}

🔧 Part D: GitLab Integration (Optional)


1. In GitLab → your project → Settings → Webhooks → Add new webhook

o URL: the Jenkins trigger URL of the job (with the GitLab plugin this is http://<jenkins-host>/project/<job-name>)

o Secret token: generate one here and paste the same value into the job's GitLab trigger settings in Jenkins, so that only GitLab can start builds
o Trigger: Push events
2. In the Jenkins job, enable the build trigger "Build when a change is pushed to GitLab". Push your code to GitLab → Jenkins triggers build → SonarQube scans
code.

🔽 Screenshot Placeholder: GitLab Pipeline with Jenkins Sonar


✅ Output:
 Code from Git/GitLab pulled into Jenkins.

 Jenkins pipeline executes sonar-scanner and then waits for the quality gate result.

 SonarQube receives the scan and reports:

o Bugs
o Code Smells
o Vulnerabilities
o Security Hotspots (code that needs a manual security review)
o Duplications
o Coverage (if tests are enabled and a coverage report is passed to the scanner)

 The Jenkins build is marked failed when the quality gate is not passed.

📌 Conclusion:
 SAST helps detect security flaws early, reducing cost and time to fix.
 SonarQube is a powerful tool for SAST and code quality checks.
 Integration with Jenkins and GitLab allows automated analysis as part of DevSecOps
pipelines.
 With quality gates, teams can enforce secure coding standards automatically, provided the pipeline waits for the gate result and fails the build when the gate is not met.
