# Security-tools

This repo holds all containerized security tools that we want to run against our web applications.

## Jenkins Jobs Builder

### Description

Jenkins Job Builder, or JJB, is an [OpenStack](https://www.openstack.org/) tool that takes simple descriptions of Jenkins jobs in YAML or JSON and uses them to configure Jenkins. This keeps jobs in a human-readable format in a version control system, which makes changes and auditing easier.

### Project structure

Under *jobs/* you can find the *projects* and *tools-templates*.

**projects** contains all active projects that we currently audit regularly and therefore run several tools against.

**tools-templates** contains all tools' templates and two important *job-groups*:

- The first job-group is the *dynamic-tools* group that contains all dynamic analysis tools, e.g. nmap, ZAP
- The second job-group is the *static-tools* group that contains all static analysis tools, e.g. bandit

All other tool templates are tool specific. For example, the template for nmap follows:

```yaml
- job-template:
    name: '{name}-nmap'
    description: "Nmap scanner"
    concurrent: true
    # Template-level default for the target; each project overrides it.
    domain:
    builders:
      - shell: |
          #!/bin/bash -e
          docker pull linosgian/nmap
          mkdir -p /tmp/nmap
          # {domain} and {nmap_extra_args} are expanded from the project definition
          docker run --rm linosgian/nmap {domain} {nmap_extra_args} | tee /tmp/nmap/{name}
    triggers:
      - timed: '@hourly'
```

The above sets several default values (name, description, etc.). Next we declare the "builder", which is how we run nmap inside the container. Lastly, we declare how often the job is triggered; in this example it runs *hourly*.

## Tools

Under *tools/* you will find every containerized tool that is available for use in the Jenkins Job Builder (JJB) templates. Hence, in the example above, we pull *linosgian/nmap* from Docker's public registry; this Docker image is generated by the Dockerfile under *tools/nmap/Dockerfile*.
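The following is an added example, not part of this repo, that expands the shell step of the nmap job-template above the way JJB substitutes `{variables}` from a project definition. It embeds the template's shell body, uses constructed project entries (the kind that would live under *jobs/projects/*) and refuses a project that leaves a variable undefined or supplies a `domain` / `nmap_extra_args` value that is not safe to place verbatim in a shell line.

```python
"""Expand the nmap job-template shell step from a project definition,
checking every {variable} is defined and shell-safe before rendering."""
import re
from string import Formatter

# The shell builder body copied from the nmap job-template in this README.
NMAP_SHELL_STEP = """#!/bin/bash -e
docker pull linosgian/nmap
mkdir -p /tmp/nmap
docker run --rm linosgian/nmap {domain} {nmap_extra_args} | tee /tmp/nmap/{name}
"""

# Template-level defaults: the template declares 'domain' but leaves it empty.
TEMPLATE_DEFAULTS = {"domain": None}

# Allowed shapes for values that land unquoted inside the bash script.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")
NMAP_ARGS_RE = re.compile(r"^[A-Za-z0-9 ,.=_-]*$")  # no shell metacharacters


def required_variables(template: str) -> set:
    """Every {field} the template references, e.g. {'name', 'domain', ...}."""
    return {field for _, field, _, _ in Formatter().parse(template) if field}


def render_nmap_step(project: dict) -> str:
    """Render the step for one project (hypothetical projects/ entry).

    Raises ValueError when a variable is missing or a value does not match
    the allowed shape, instead of emitting a script with that value in it."""
    values = {**TEMPLATE_DEFAULTS, **project}
    defined = {k for k, v in values.items() if v is not None}
    missing = required_variables(NMAP_SHELL_STEP) - defined
    if missing:
        raise ValueError(f"project {project.get('name')!r} lacks {sorted(missing)}")
    if not HOSTNAME_RE.match(values["domain"]):
        raise ValueError(f"domain {values['domain']!r} is not a plain hostname")
    if not NMAP_ARGS_RE.match(values["nmap_extra_args"]):
        raise ValueError(f"nmap_extra_args {values['nmap_extra_args']!r} rejected")
    return NMAP_SHELL_STEP.format(**values)


# Constructed sample project definitions (not from this repo).
GOOD_PROJECT = {"name": "webshop", "domain": "shop.example.com",
                "nmap_extra_args": "-sV -p 80,443"}
MISSING_ARGS_PROJECT = {"name": "intranet", "domain": "intranet.example.com"}

if __name__ == "__main__":
    print(render_nmap_step(GOOD_PROJECT))
```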