Questions tagged [jenkins]

10 questions
3 votes · 0 answers

Secure a Jenkins node to only run approved scripts?

We have a series of Jenkins nodes that are used to deploy changes onto our SQL Servers, which works fine as long as everyone behaves and can be trusted. The worry is that a rogue developer or hacker could simply add something like this into a…
Lobsterpants · 131 · 2
3 votes · 2 answers

HP Fortify scan automation

I am asked to integrate the code audit tool HP Fortify into our development process, but the main constraint is that the whole codebase should not be scanned every time: only the classes impacted by the last backlog item should be analyzed. We…
MedAl · 225 · 1 · 6
2 votes · 1 answer

Webhook Security

I'm following this guide on: How to set up CI/CD Pipeline for a node.js app with Jenkins I've installed Jenkins on a VPS and I can access the Web UI over an SSH Tunnel. Then I saw this: http://JENKINS.SERVER.IP:8080/github-webhook/ In order for…
2 votes · 1 answer

Running Selenium Jenkins, through OWASP ZAP, before scanning

I suspect that what I am trying to do is something that has been done before. Hopefully, this is possible and someone knows how it's done. Any information would be greatly appreciated. I am attempting to run both Selenium and OWASP ZAP in the same…
harrys · 109 · 1 · 8
2 votes · 3 answers

OWASP ZAP's active scan harming the database

I want to integrate OWASP ZAP security tests in my continuous integration chain using the official Jenkins plugin. However, since it injects harmful payloads into the database, I don't want the database to become corrupted! And it's a huge database. I was…
Amine al · 21 · 2
1 vote · 2 answers

Jenkins malicious process identification

I have a Jenkins (v2.120) machine hosted on AWS which has what looks like a malicious process: the process has large CPU usage; killing it respawns it (with the same name); restarting the machine spawns it (with a different name); the exec is located in /dev/shm (same…
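The observations in the post above (a CPU-heavy process whose executable lives in /dev/shm and which comes back after being killed) are exactly what a procfs sweep can surface on every agent at once. The Python below is an added triage scanner, not code from the post or from Jenkins: it walks a /proc tree and flags processes executing from tmpfs or world-writable directories, from binaries that were unlinked after start, with an argv that claims to be a kernel thread, or with an empty argv. The fake /proc tree it builds is constructed sample data so the example runs offline; on a suspect host run it as root against the real /proc.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import List

# Directories a Jenkins agent, JVM or build tool should never be executing from.
SUSPECT_DIRS = ("/dev/shm", "/run/shm", "/tmp", "/var/tmp")


@dataclass
class Finding:
    pid: int
    ppid: int
    exe: str
    comm: str
    cmdline: str
    reasons: List[str] = field(default_factory=list)


def _read(path: str) -> str:
    try:
        with open(path, "rb") as f:
            return f.read().decode("utf-8", "replace")
    except OSError:
        return ""


def _ppid(stat_text: str) -> int:
    # /proc/<pid>/stat is "<pid> (<comm>) <state> <ppid> ..."; comm may contain spaces,
    # so split after the last ')' rather than on whitespace from the start.
    fields = stat_text.rsplit(")", 1)[-1].split()
    return int(fields[1]) if len(fields) > 1 else -1


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk a procfs tree and return processes whose on-disk identity does not match what they claim."""
    findings: List[Finding] = []
    for entry in sorted(os.listdir(proc_root), key=lambda e: (not e.isdigit(), e.zfill(8))):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, already exited, or not ours (others' exe needs root)
        cmdline = _read(os.path.join(base, "cmdline")).replace("\0", " ").strip()
        f = Finding(pid=int(entry), ppid=_ppid(_read(os.path.join(base, "stat"))), exe=exe,
                    comm=_read(os.path.join(base, "comm")).strip(), cmdline=cmdline)
        if any(exe == d or exe.startswith(d + "/") for d in SUSPECT_DIRS):
            f.reasons.append("exe-in-tmpfs")               # dropped into a tmpfs/world-writable path
        if exe.endswith(" (deleted)"):
            f.reasons.append("exe-deleted")                # binary unlinked after start to dodge ls/find
        if cmdline.startswith("["):
            f.reasons.append("kernel-thread-masquerade")   # real kernel threads have no readable exe
        if not cmdline:
            f.reasons.append("argv-wiped")                 # live process with empty argv: argv overwritten
        if f.reasons:
            findings.append(f)
    return findings


def build_sample_proc() -> str:
    """Constructed stand-in for /proc (sample data, not a capture from the post's machine)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    samples = {  # pid: (exe link target, argv, first fields of /proc/<pid>/stat)
        1000: ("/usr/lib/jvm/java-11/bin/java", ["java", "-jar", "agent.jar"], "1000 (java) S 1 1000"),
        2000: ("/dev/shm/.x (deleted)", ["[kworker/u8:2]"], "2000 (.x) R 1 2000"),
        3000: ("/usr/bin/bash", [], "3000 (bash) S 1000 3000"),
    }
    for pid, (exe, argv, stat) in samples.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe, os.path.join(d, "exe"))  # a dangling link is fine: we only readlink it
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"".join(a.encode() + b"\0" for a in argv))
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(os.path.basename(exe.replace(" (deleted)", ""))[:15] + "\n")
        with open(os.path.join(d, "stat"), "w") as f:
            f.write(stat + "\n")
    os.makedirs(os.path.join(root, "self"))  # non-numeric entries are skipped by the scanner
    return root


if __name__ == "__main__":
    for hit in scan_proc(build_sample_proc()):   # swap in scan_proc() for the live host
        print(f"pid={hit.pid} ppid={hit.ppid} exe={hit.exe!r} argv={hit.cmdline!r} {hit.reasons}")
```

The ppid is reported because a process that respawns after being killed is being restarted by something (a parent process, a cron entry, a systemd unit, a shell profile); if the parent is pid 1 the restarter has to be found elsewhere. Because the binary sits in a tmpfs it is gone after a reboot, which is consistent with a fresh copy appearing under a different name, and it argues for rebuilding the host from a known-good image and rotating any credentials the agent could reach rather than only killing the process.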
1 vote · 0 answers

OWASP ZAP does not scan all urls in Jenkins

I have two set ups with ZAP and Selenium, local and on Jenkins. Locally, I can start ZAP, run a Selenium process with ZAP as a proxy and then start the spider and then put ZAP in attack mode. This will turn up a number of issues. On Jenkins, I have…
harrys · 109 · 1 · 8
1 vote · 1 answer

What is the expected TLS traffic from Jenkins?

Given: We start a Jenkins instance on a Windows host as a Service. It looks like the server is correctly configured (--httpPort=-1 --httpsPort=8080 etc.) and has its own key store. There is no proxy in front. The server uses a certificate (A) that is…
1 vote · 0 answers

ERR_SSL_PROTOCOL_ERROR on a site that doesn't use SSL/TLS, on an odd port

I've set up a server running Jenkins. The web-interface doesn't have SSL/TLS support turned on by default, and I have not attempted to turn it on, and do not want to turn it on (for now at least). When I set this server up, (at say,…
Savara · 490 · 3 · 15
0 votes · 1 answer

git reflog is showing plain-text password used as secret texts or files in Jenkins

We are using a Jenkins Freestyle Project to push the changes to the remote server. We are executing a shell script on the remote host using ssh for it. To pull the changes on the remote server, we are using the origin URL with the git username and git password. The…
Derek · 79 · 1 · 6