Fawkes Dojo Module 7: Security Scanning & Quality Gates
Module Overview
Belt Level: Yellow Belt - CI/CD Mastery
Module: 3 of 4 (Yellow Belt)
Duration: 60 minutes
Difficulty: Intermediate
Prerequisites:
- Module 5 & 6 complete
- Understanding of CI/CD pipelines
- Basic security awareness
- Familiarity with code quality concepts
Learning Objectives
By the end of this module, you will:
- Understand "Shift Left on Security" principles
- Implement static code analysis with SonarQube
- Scan container images for vulnerabilities with Trivy
- Detect secrets and sensitive data in code
- Perform dependency scanning and SBOM generation
- Configure quality gates that enforce standards
- Integrate security scanning into Golden Path pipelines
DORA Capabilities Addressed:
- CD6: Shift Left on Security
- CD8: Test Data Management
- Security & Compliance Automation
Part 1: Shift Left on Security
The Traditional Security Approach (Shift Right)
Develop → Build → Test → Deploy → [SECURITY SCAN] → Production
                                         ↓
                               Find issues AFTER deployment
                               Expensive to fix
                               Delays release
Problems:
- Security as afterthought
- Issues found late, expensive to fix
- Security team bottleneck
- Slow feedback (days/weeks)
Shift Left on Security
[SECURITY SCAN] → Develop → [SECURITY SCAN] → Build → [SECURITY SCAN] → Deploy
       ↓                           ↓                          ↓
  IDE plugins                CI/CD Pipeline              Container scan
  Immediate feedback         Fast feedback (5 min)       Pre-deploy check
Benefits:
- Catch issues early (cheaper to fix)
- Developer ownership of security
- Automated enforcement
- Faster feedback loops
- Reduced security team bottleneck
Cost of Finding Bugs by Stage
| Stage | Cost to Fix | Time to Fix | Impact |
|---|---|---|---|
| IDE/Dev | $1 | Minutes | None |
| CI/CD | $10 | Hours | Blocks build |
| QA/Test | $100 | Days | Delays release |
| Production | $1,000+ | Weeks | Customer impact, reputation damage |
Roughly 10x-100x cheaper to catch early. The dollar figures are illustrative ratios rather than measured costs; the point is the order-of-magnitude gap between stages.
Part 2: Static Application Security Testing (SAST)
What is SAST?
Static Analysis: Analyze source code without executing it
Detects:
- Security vulnerabilities (SQL injection, XSS, etc.)
- Code quality issues (dead code, duplicates)
- Code smells (complex methods, poor structure)
- Technical debt
- Coverage gaps (from test coverage reports imported into the analysis, e.g. JaCoCo; static analysis alone cannot measure coverage)
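To make "analyze source code without executing it" concrete, here is a single SAST rule written from scratch as an added example (it is not Fawkes or SonarQube code, and SonarQube's real Java rules are far more thorough). It parses Python source into an AST and flags SQL text that is assembled at runtime before reaching a DB-API `execute()` call, which is the shape of most SQL injection bugs. The sample module it scans is constructed for the example.

```python
"""Minimal SAST rule, added here as an illustration (not Fawkes or SonarQube code):
walk a Python module's AST and flag SQL that is assembled at runtime (string
concatenation, %-formatting, .format() or f-strings) and then handed to a
DB-API execute() call. Nothing is executed; only the source text is inspected."""
import ast
from dataclasses import dataclass

# DB-API sink methods whose first argument is the SQL text.
SQL_SINKS = {"execute", "executemany", "executescript"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    snippet: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression builds its string from non-literal parts."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + x  or  "..." % x ; two literals joined together is still safe
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...".format(x)
    return False


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per SQL sink whose query argument is built at runtime."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in SQL_SINKS and node.args and _is_dynamic_string(node.args[0]):
            findings.append(Finding(
                line=node.lineno,
                rule="sql-injection: query text built at runtime; pass bound parameters instead",
                snippet=ast.get_source_segment(source, node) or "",
            ))
    return findings


# Constructed sample (not from any real code base): two injectable queries and
# one parameterised query that the rule must leave alone.
SAMPLE = '''
def lookup(cursor, username, role):
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cursor.execute(f"SELECT * FROM users WHERE role = '{role}'")
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}\n    {f.snippet}")
```

The rule is deliberately syntactic: it does not know whether `username` is attacker-controlled, which is why real SAST engines add taint tracking from sources (HTTP parameters) to sinks. Without that, the third query (a `%s` placeholder with a separate parameter tuple) must be recognised as safe purely from its shape, which the rule does by looking only at the first argument.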
SonarQube in Fawkes
SonarQube is the SAST and code-quality tool integrated into the Fawkes platform.
Key Features:
- 30+ language support
- 5,000+ rules
- Quality gates
- Technical debt tracking
- Security hotspots
- Pull request decoration
Architecture:
┌────────────────────────────────────────┐
│  Jenkins Pipeline                      │
│  ┌──────────────────────────────────┐  │
│  │ sonar-scanner                    │  │
│  │  • Analyzes code                 │  │
│  │  • Sends to SonarQube server     │  │
│  └───────────────┬──────────────────┘  │
└──────────────────┼─────────────────────┘
                   │
         ┌─────────▼──────────┐
         │  SonarQube Server  │
         │  • Stores results  │
         │  • Applies rules   │
         │  • Quality gates   │
         └─────────┬──────────┘
                   │
         ┌─────────▼──────────┐
         │  PostgreSQL DB     │
         │  • Historical data │
         └────────────────────┘
Part 3: Hands-On Lab - Implementing Security Scanning
Step 1: Add SonarQube to Pipeline
Update your Golden Path pipeline:
// vars/goldenPathJava.groovy
stage('Code Analysis') {
  steps {
    container('maven') {
      // withSonarQubeEnv injects the server URL and token of the
      // 'Fawkes-SonarQube' server configured in Jenkins (Manage Jenkins > System).
      withSonarQubeEnv('Fawkes-SonarQube') {
        // Assumes an earlier stage ran `mvn verify`, so target/classes and the
        // JaCoCo XML report already exist; otherwise sonar.java.binaries and
        // coverage come up empty. JOB_NAME may contain '/' (multibranch jobs),
        // which SonarQube rejects in project keys, so it is replaced with ':'.
        sh '''
          PROJECT_KEY=$(echo "${JOB_NAME}" | tr '/' ':')
          mvn sonar:sonar \
            -Dsonar.projectKey="${PROJECT_KEY}" \
            -Dsonar.projectName="${JOB_NAME}" \
            -Dsonar.projectVersion="${BUILD_NUMBER}" \
            -Dsonar.sources=src/main/java \
            -Dsonar.tests=src/test/java \
            -Dsonar.java.binaries=target/classes \
            -Dsonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
        '''
      }
    }
  }
}
stage('Quality Gate') {
  steps {
    // Requires a webhook in SonarQube (Administration > Configuration > Webhooks)
    // pointing at <jenkins-url>/sonarqube-webhook/. Without it this step waits
    // for the full timeout and then fails the stage.
    timeout(time: 5, unit: 'MINUTES') {
      waitForQualityGate abortPipeline: true
    }
  }
}
Step 2: Configure Quality Gate
In SonarQube UI:
- Go to Quality Gates
- Create new gate: "Fawkes Standard"
- Add conditions:
Conditions (each SonarQube condition can apply to overall code or to new code only; prefer new code so legacy debt does not block current work, as discussed in Part 5):
├── Coverage < 80%                         → FAILED
├── Duplicated Lines (%) > 3%              → FAILED
├── Maintainability Rating worse than A    → FAILED
├── Reliability Rating worse than A        → FAILED
├── Security Rating worse than A           → FAILED
├── Security Hotspots Reviewed < 100%      → FAILED
└── New Critical Issues > 0                → FAILED
- Set as default gate
Step 3: Add Container Scanning with Trivy
stage('Container Security Scan') {
  steps {
    // Assumes the 'docker' container in the pod template has the trivy binary
    // and that env.DOCKER_IMAGE was set by the image build stage.
    container('docker') {
      script {
        def imageName = "${env.DOCKER_IMAGE}"
        echo "Scanning image: ${imageName}"
        // Human-readable report first, with exit code 0, so the findings are
        // in the console log even when the gate below fails the build.
        // Note: --severity filters the report itself; MEDIUM/LOW are not shown.
        sh """
          trivy image \
            --severity HIGH,CRITICAL \
            --exit-code 0 \
            --no-progress \
            --format table \
            ${imageName}
        """
        // Machine-readable report that acts as the gate: exit 1 on any
        // HIGH/CRITICAL finding. Add --ignore-unfixed to block only on
        // vulnerabilities for which the distribution already ships a patch.
        sh """
          trivy image \
            --severity HIGH,CRITICAL \
            --exit-code 1 \
            --no-progress \
            --format json \
            --output trivy-report.json \
            ${imageName}
        """
      }
    }
  }
  post {
    always {
      archiveArtifacts artifacts: 'trivy-report.json',
                       allowEmptyArchive: true
    }
  }
}
Step 4: Secret Scanning
stage('Secret Detection') {
  steps {
    // Assumes the pod template defines a 'trufflehog' container built from a
    // version-pinned trufflesecurity/trufflehog image. `pip3 install trufflehog`
    // would install the legacy Python v2 tool, whose CLI does not have the
    // `filesystem` subcommand or the flags used below (those are TruffleHog v3).
    container('trufflehog') {
      script {
        echo "Scanning for secrets..."
        // Scan the checked-out tree. --fail makes TruffleHog v3 exit 183 when it
        // finds anything; returnStatus lets us tell that apart from a crash
        // instead of swallowing every non-zero exit with `|| true`.
        def rc = sh(returnStatus: true, script: '''
          trufflehog filesystem . \
            --json \
            --fail \
            --no-update \
            > trufflehog-report.json
        ''')
        archiveArtifacts artifacts: 'trufflehog-report.json', allowEmptyArchive: true
        if (rc == 183) {
          error("Secrets detected in code! See trufflehog-report.json")
        } else if (rc != 0) {
          error("TruffleHog failed with exit code ${rc}")
        }
      }
    }
  }
}
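TruffleHog's detectors are far richer than this (hundreds of credential formats plus live verification of candidates against the issuing service), but the two ideas every secret scanner rests on fit in a few dozen lines: a regex for a credential whose format is public, and a Shannon-entropy check for opaque tokens that have no fixed format. The following is an added example, not TruffleHog's or Fawkes' code; the sample lines are constructed, and the key-like strings in them are made up (the first is the AWS documentation example key ID).

```python
"""How a secret scanner decides, as an added illustration (not TruffleHog or
Fawkes code): a known-format regex for AWS access key IDs plus a Shannon-entropy
check for opaque tokens, with a per-line allowlist comment so reviewed false
positives stop failing the build. Sample lines are constructed; the key-looking
strings are made up and do not belong to any account."""
import math
import re
from dataclasses import dataclass

# Known-format detectors. The AWS access key ID format (AKIA followed by 16
# uppercase alphanumerics) is public and stable, so a regex is exact here.
KNOWN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Candidates for the entropy check: quoted strings of 20+ token-like characters.
CANDIDATE = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")
ENTROPY_THRESHOLD = 4.5      # bits/char; a common cut-off for base64-style tokens
ALLOWLIST_MARK = "# secret-scan: ignore"


@dataclass(frozen=True)
class Secret:
    line_no: int
    detector: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: high for random tokens, low for words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines: list[str]) -> list[Secret]:
    """Return every suspected secret, skipping lines a reviewer has allowlisted."""
    found = []
    for no, line in enumerate(lines, start=1):
        if ALLOWLIST_MARK in line:
            continue                                   # reviewed and explicitly accepted
        known_values = set()
        for name, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                known_values.add(m.group(0))
                found.append(Secret(no, name, m.group(0)))
        for m in CANDIDATE.finditer(line):
            token = m.group(1)
            if token in known_values:
                continue                               # already reported by a precise rule
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                found.append(Secret(no, "high-entropy-string", token))
    return found


# Constructed sample lines (not from any real repository).
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',             # AWS docs example ID
    'API_KEY = "9f8a7B6c5D4e3F2g1H0iJkLmNoPqRs"',             # random-looking token
    'DESCRIPTION = "this_is_a_long_configuration_label"',      # long but low entropy
    'TEST_KEY = "AKIAABCDEFGHIJKLMNOP"  # secret-scan: ignore',  # reviewed test fixture
]

if __name__ == "__main__":
    for s in scan_lines(SAMPLE_LINES):
        print(f"line {s.line_no}: {s.detector}: {s.value[:8]}...")
```

The entropy check is what produces most false positives in practice (hashes, UUIDs, base64 fixtures), which is why TruffleHog v3 adds verification and why an allowlist mechanism has to be part of the gate from day one; a scanner that cannot be told "this one is reviewed" gets disabled within a sprint.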
Step 5: Dependency Scanning
stage('Dependency Scan') {
  steps {
    container('maven') {
      script {
        echo "Scanning dependencies..."
        // OWASP Dependency-Check. The fully qualified goal works without the
        // plugin being declared in the pom. failBuildOnCVSS=7 fails the build on
        // any dependency with a CVSS score of 7.0 or higher (HIGH/CRITICAL).
        // The suppression file records reviewed false positives; keep it in the
        // repository so exceptions go through code review. NVD downloads are
        // heavily rate-limited without an API key; supply one via the plugin's
        // nvdApiKey parameter from a Jenkins credential.
        sh '''
          mvn org.owasp:dependency-check-maven:check \
            -DfailBuildOnCVSS=7 \
            -DsuppressionFile=dependency-check-suppressions.xml
        '''
      }
    }
  }
  post {
    always {
      // Requires the HTML Publisher plugin. allowMissing: true so that a failed
      // NVD update (no report written) does not mask the real error.
      publishHTML([
        allowMissing: true,
        alwaysLinkToLastBuild: true,
        keepAll: true,
        reportDir: 'target',
        reportFiles: 'dependency-check-report.html',
        reportName: 'Dependency Check Report'
      ])
    }
  }
}
Part 4: Understanding Security Scan Results
SonarQube Metrics Explained
1. Bugs
- Code that is demonstrably wrong
- Example: Null pointer dereference
- Standard: 0 bugs
2. Vulnerabilities
- Security-related issues
- Example: SQL injection risk
- Standard: 0 vulnerabilities
3. Code Smells
- Maintainability issues
- Example: Method too complex
- Standard: < 5% code smells
4. Security Hotspots
- Security-sensitive code that needs a human review; SonarQube cannot tell on its own whether it is exploitable
- Example: Cryptographic operations
- Standard: 100% reviewed
5. Coverage
- % of lines and branches executed by tests (imported from the JaCoCo report, not measured by SonarQube itself)
- Standard: > 80%
6. Duplications
- Duplicate code blocks
- Standard: < 3%
7. Technical Debt
- Estimated time to fix all open issues; the debt ratio is that time divided by the estimated time to write the code
- Standard: < 5% debt ratio
Trivy Severity Levels
| Severity | CVSS Score | Action Required |
|---|---|---|
| CRITICAL | 9.0-10.0 | Block deployment immediately |
| HIGH | 7.0-8.9 | Fix within 7 days |
| MEDIUM | 4.0-6.9 | Fix within 30 days |
| LOW | 0.1-3.9 | Fix when convenient |
| UNKNOWN | N/A | Investigate |
Trivy takes the severity label from its data source (the distribution's own security advisory where one exists, otherwise NVD), so the CVSS ranges above are NVD's qualitative scale and a distro rating will not always line up with the raw score. UNKNOWN usually means the advisory has not been rated yet.
Trivy Output Example:
myapp:1.0 (alpine 3.18.0)
=====================================
Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬───────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │
├─────────┼────────────────┼──────────┼───────────────────┤
│ openssl │ CVE-2023-12345 │ CRITICAL │ 3.0.8-r0          │
│ curl    │ CVE-2023-67890 │ HIGH     │ 8.0.1-r0          │
└─────────┴────────────────┴──────────┴───────────────────┘
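`--exit-code 1` treats every HIGH and CRITICAL finding the same way, but the table above describes a tiered policy: CRITICAL blocks outright, HIGH has a remediation window, and anything unrated must be investigated. The script below, added here as an example (it is not Fawkes or Trivy code), applies that policy to the JSON report the pipeline archives: CRITICAL always blocks, HIGH blocks only when the distribution already ships a fix, and reviewed CVEs can be accepted with an expiry date so exceptions do not live forever. The report is constructed to mirror the table, reusing the page's placeholder CVE IDs plus one more placeholder; the field names are those of Trivy's JSON schema (`Results[].Vulnerabilities[]`).

```python
"""Policy gate over a Trivy JSON report, added here as an illustration (not Fawkes
or Trivy code). CRITICAL always blocks, HIGH blocks only when a fixed version
exists, HIGH without a fix and UNKNOWN are reported for follow-up, and accepted
CVEs carry an expiry date. Field names follow Trivy's JSON schema."""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Constructed sample report (not real scan output). The first two entries match
# the table above; the IDs are the page's placeholders plus one more placeholder.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myapp:1.0",
    "Results": [{
        "Target": "myapp:1.0 (alpine 3.18.0)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-12345", "PkgName": "openssl",
             "InstalledVersion": "3.0.8-r0", "FixedVersion": "3.0.9-r0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-67890", "PkgName": "curl",
             "InstalledVersion": "8.0.1-r0", "FixedVersion": "8.1.0-r0",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2023-00001", "PkgName": "busybox",
             "InstalledVersion": "1.36.0-r9", "Severity": "HIGH"},   # no fix yet
        ],
    }],
})


@dataclass
class Verdict:
    blocking: list[str] = field(default_factory=list)   # must fix before deploy
    warnings: list[str] = field(default_factory=list)   # report, track to SLA
    accepted: list[str] = field(default_factory=list)   # allowlisted, still reported

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(report_json: str, accepted_cves: dict[str, date], today: date) -> Verdict:
    """Apply the gate policy. accepted_cves maps CVE id -> expiry date of the exception."""
    verdict = Verdict()
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:     # key is absent when clean
            cve, sev = v["VulnerabilityID"], v.get("Severity", "UNKNOWN")
            fixed = v.get("FixedVersion")
            label = f"{cve} {v['PkgName']} {v['InstalledVersion']} ({sev}, fix: {fixed or 'none'})"
            expiry = accepted_cves.get(cve)
            if expiry is not None and today <= expiry:
                verdict.accepted.append(label)          # exception still valid
            elif sev == "CRITICAL":
                verdict.blocking.append(label)          # always blocks
            elif sev == "HIGH" and fixed:
                verdict.blocking.append(label)          # a patch exists: no excuse
            elif sev in ("HIGH", "UNKNOWN"):
                verdict.warnings.append(label)          # no fix yet / unrated: investigate
    return verdict


if __name__ == "__main__":
    # In the pipeline this would read trivy-report.json and the accepted-CVE file
    # from the repository; here the constructed sample is used.
    result = evaluate(SAMPLE_REPORT, {}, date.today())
    for kind in ("blocking", "warnings", "accepted"):
        for line in getattr(result, kind):
            print(f"{kind.upper():9} {line}")
    sys.exit(0 if result.passed else 1)
```

Keeping the accepted-CVE list in the repository with expiry dates, rather than as a permanent `.trivyignore`, means every exception is visible in code review and has to be re-justified when it lapses; an expired entry falls straight back into the blocking set.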
Part 5: Configuring Quality Gates
Quality Gate Philosophy
"Quality gates should prevent bad code from progressing, not punish developers"
Good Quality Gates:
- Focus on new code (not legacy)
- Achievable standards
- Fast feedback (<5 min)
- Clear remediation steps
Bad Quality Gates:
- Unrealistic standards (100% coverage)
- Block on legacy debt
- Slow feedback (>30 min)
- Vague error messages
Recommended Quality Gates by Stage
Development (IDE/PR):
gates:
- New Bugs: 0
- New Vulnerabilities: 0
- New Code Coverage: > 80%
- New Duplications: < 3%
CI/CD (Main Branch):
gates:
- Overall Bugs: < 10
- Overall Vulnerabilities: 0
- Overall Coverage: > 70%
- Security Hotspots Reviewed: 100%
- Maintainability Rating: B or better
Production (Release):