This free and open-source lab teaches developers and security practitioners how to integrate static and dynamic analysis (SAST and DAST) into a Jenkins CI/CD pipeline. It's based on RailsGoat, an intentionally-vulnerable security training web app.
Thanks to Vagrant and Virtualbox, the lab is cross-platform and runs on your local machine. It's tested against current versions of Linux, Windows, Vagrant, and Virtualbox. It should work on Mac OS as well.
Here are some ways you can use this lab:
- Follow the walkthrough. You'll deploy a Jenkins server and use it to automate vulnerability analysis: SAST (with semgrep and brakeman) and DAST (with ZAP).
- Adapt the lab's code for your own purposes. It models these DevSecOps patterns:
  - Using Ansible to deploy and provision Jenkins (including plugins)
  - Using Docker and Docker Compose within declarative `Jenkinsfile`s to automate vulnerability analysis
- Learn by reading the lab's source code (explanatory comments are sprinkled throughout)
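The second pattern above (running the analysis tools as containers from a declarative `Jenkinsfile`) is the core of the lab, so here is an added example of what such a pipeline looks like. This is illustrative code written for this page, not one of the lab's own `Jenkinsfile`s; the container image names, the `zap/compose.yaml` path and its `zap` service, and the assumption that the Jenkins agent can run Docker are all assumptions, not taken from the lab.

```groovy
// Added example: a declarative Jenkinsfile that runs SAST (semgrep, brakeman)
// and DAST (ZAP) as Docker containers and fails the build on findings.
// Assumptions (not from the lab): the image names below, a zap/compose.yaml
// defining a `zap` service that scans the running app, and a Jenkins agent
// that can run `docker` and `docker compose`.
pipeline {
    agent any

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('SAST') {
            // Both static analyzers are independent, so run them side by side.
            parallel {
                stage('semgrep') {
                    steps {
                        // --error makes semgrep exit non-zero when it reports findings,
                        // which fails this stage; --severity ERROR keeps INFO/WARNING
                        // rules from breaking the build while still being reported.
                        sh '''
                          docker run --rm -v "$PWD:/src" -w /src semgrep/semgrep \
                            semgrep scan --config p/ruby --severity ERROR \
                            --json -o semgrep.json --error .
                        '''
                    }
                }
                stage('brakeman') {
                    steps {
                        // brakeman exits with code 3 when it finds warnings, so a new
                        // Rails-specific finding fails this stage without extra logic.
                        sh '''
                          docker run --rm -v "$PWD:/src" presto/brakeman \
                            -p /src -o /src/brakeman.json
                        '''
                    }
                }
            }
        }

        stage('DAST: ZAP') {
            steps {
                // The (assumed) compose file starts the app and a ZAP container
                // that scans it; the service's exit code is the pass/fail signal.
                sh 'docker compose -f zap/compose.yaml run --rm zap'
            }
            post {
                always {
                    // Tear the target app down whether or not the scan passed.
                    sh 'docker compose -f zap/compose.yaml down -v'
                }
            }
        }
    }

    post {
        always {
            // Keep every tool report on the build so findings can be triaged
            // even when a stage failed.
            archiveArtifacts artifacts: '*.json', allowEmptyArchive: true
        }
    }
}
```

The important design point is that each scanner's own exit code is the quality gate: the pipeline does not parse reports to decide pass/fail, it lets the tool fail the `sh` step, and the `post { always }` blocks make sure the reports are archived and the target containers are removed regardless of outcome.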
First set up a machine meeting these prerequisites:
- Vagrant (install instructions)
- Virtualbox (install instructions)
- Git (install instructions)
- A browser on your Vagrant host machine
- ~15GB of disk space for the lab VM
- 6GB+ of physical RAM (8GB+ is better)
- Bandwidth to download lab environment components
Then get the code and launch the lab environment:
```shell
git clone https://github.com/dachiefjustice/railsgoat-cicd-lab.git
cd railsgoat-cicd-lab
vagrant up
```
Once `vagrant up` is done you can access the Jenkins server at http://localhost:8080 (default credentials: admin/admin). Open the lab walkthrough to start performing and automating vulnerability analysis.

Jenkins credentials: admin/admin

To reach the RailsGoat app:
- Create and run a Jenkins job from the hold-open `Jenkinsfile`.
- Open http://localhost:3002 in your browser (or with other HTTP tools).
To change the lab VM's RAM, edit the `Vagrantfile`:

```ruby
config.vm.provider "virtualbox" do |vb|
  vb.memory = "6144" # for 6GB of RAM
end
```

Run `vagrant reload` after adjusting RAM or other `Vagrantfile` settings. You can also adjust CPU and RAM limits in the ZAP job's `compose.yaml`.
To monitor resource usage inside the VM, use `htop`:

```shell
vagrant ssh
htop
```
| Software | Purpose |
|---|---|
| Virtualbox | Hypervisor |
| Vagrant | VM management |
| Ansible | VM provisioning |
| Debian Linux | Lab VM OS |
| Alpine Linux | Support containers |
| Git | Move code and tools around |
| Jenkins | Build/deploy/test RailsGoat |
| Docker + Docker Compose | Automating pipeline tasks |
| semgrep, brakeman | Static analysis of RailsGoat |
| ZAP | Dynamic analysis of RailsGoat |
Special thanks to the authors and contributors of key lab components: