Jenkins is every AppSec engineer's favorite tool for security automation. It also happens to be one of the most flexible CI/CD platforms available, which makes it ideal for automating DAST and SAST scans and, as we'll explore in this course, Software Composition Analysis (SCA) scans.
Throughout this course, we'll learn how to automate SCA tools with Jenkins in order to protect ourselves from vulnerable third-party packages and libraries. Such dependencies are a common entry point for supply-chain attacks, and the damage grows the longer they go undetected.
We begin by creating basic jobs that run SCA scans, a key component of a DevSecOps pipeline. Once a scan completes, we generate its results and store them as build artifacts for further analysis.
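One way to wire the scan-then-archive flow described above into a Jenkins job, as an added example that is not part of the course material: a declarative Jenkinsfile that runs `npm audit` (assumed here as the SCA tool, since the course does not name one), archives the JSON report on every build, and fails the build only on high or critical findings. It assumes a Node.js project with a lockfile and an agent that has `npm` and `jq` on its PATH.

```groovy
// Jenkinsfile (declarative pipeline) - added example, not from the course.
// Assumptions: a Node.js project with package-lock.json, and a build agent
// with `node`, `npm` and `jq` available on PATH.
pipeline {
    agent any

    stages {
        stage('Install dependencies') {
            steps {
                // `npm ci` installs exactly what the lockfile pins, so the scan
                // covers the dependency tree that will actually ship.
                sh 'npm ci --ignore-scripts'
            }
        }

        stage('SCA scan') {
            steps {
                // Write the full machine-readable report. `|| true` keeps this
                // stage from aborting before the report exists, because
                // `npm audit` exits non-zero whenever it finds anything.
                sh '''
                    mkdir -p reports
                    npm audit --json > reports/npm-audit.json || true
                '''
            }
        }

        stage('Gate on severity') {
            steps {
                // Fail the build only for high/critical findings; low and
                // moderate ones remain visible in the archived report.
                sh '''
                    high=$(jq '.metadata.vulnerabilities.high + .metadata.vulnerabilities.critical' reports/npm-audit.json)
                    echo "High/critical vulnerabilities: $high"
                    [ "$high" -eq 0 ] || exit 1
                '''
            }
        }
    }

    post {
        // Archive the report whether the gate passed or failed, so findings
        // can be reviewed later from the build page.
        always {
            archiveArtifacts artifacts: 'reports/npm-audit.json', fingerprint: true
        }
    }
}
```

The same structure applies to any SCA tool that can emit a report file: swap the scan command, keep the archive step, and gate on whatever severity threshold your team agrees on.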
Finally, we'll take a detailed look at static analysis of container images, which is essential for preventing supply-chain attacks that arrive through base images and bundled packages.
No application is ever built in a vacuum: nearly all modern software depends on third-party libraries and packages. The danger to your application comes when those libraries are themselves vulnerable, because their weaknesses become yours. By running SCA scans during development and identifying these defects early, you save hundreds of engineering hours that would otherwise go into bug-fixing.