Mobb can be integrated into any CI/CD platform of your choice. In this guide, the process of integration with Jenkins will be demonstrated.
After logging into Mobb, select the last option in the menu: “Connect Mobb to Your Workflow”.
To run Mobb within Jenkins, select “Jenkins”.
You will be presented with a sample Jenkinsfile script that you can use within a Jenkins pipeline.
Example 1 - Jenkins + GitHub Repo
This example uses the following combinations of tools to achieve the integration:
SCM: GitHub Repo
CI/CD: Jenkins
SAST Tool: Checkmarx One
This particular example uses Checkmarx One as the SAST scanner, however, you may want to modify the script to use the SAST tool of your choice.
def MOBBURL
pipeline {
agent any
// Setting up environment variables
environment {
MOBB_API_KEY = credentials('MOBB_API_KEY')
CX_API_TOKEN = credentials('CX_API_TOKEN')
GITHUBREPOURL = 'https://github.com/antonychiu2/testrepo' //change this to your GitHub Repository URL
}
tools {
nodejs 'NodeJS'
}
stages {
// Checkout the source code from the branch being committed
stage('Checkout') {
steps {
checkout scmGit(
branches: [[name: '$ghprbActualCommit']],
extensions: [],
userRemoteConfigs: [[
credentialsId: '2760a171-4592-4fe0-84da-2c2f561c8c88',
refspec: '+refs/pull/*:refs/remotes/origin/pr/*',
url: "${GITHUBREPOURL}"]]
)
}
}
// Run SAST scan
stage('SAST') {
steps {
sh 'wget https://github.com/Checkmarx/ast-cli/releases/download/2.0.54/ast-cli_2.0.54_linux_x64.tar.gz -O checkmarx.tar.gz'
sh 'tar -xf checkmarx.tar.gz'
sh './cx configure set --prop-name cx_apikey --prop-value $CX_API_TOKEN'
sh './cx scan create --project-name my-test-project -s ./ --report-format json --scan-types sast --branch nobranch --threshold "sast-high=1"'
}
}
}
post {
// If SAST scan complete with no issues found, pipeline is successful
success {
echo 'Pipeline succeeded!'
}
// If SAST scan complete WITH issues found, pipeline enters fail state, triggering Mobb autofix analysis
failure {
echo 'Pipeline failed!'
script {
MOBBURL = sh(returnStdout: true,
script:'npx mobbdev@latest analyze -f cx_result.json -r $GITHUBREPOURL --ref $ghprbSourceBranch --api-key $MOBB_API_KEY --ci')
.trim()
}
echo 'Mobb Fix Link: $MOBBURL'
// Provide a "Mobb Fix Link" in the GitHub pull request page as a commit status
step([$class: 'GitHubCommitStatusSetter',
commitShaSource: [$class: 'ManuallyEnteredShaSource', sha: '$ghprbActualCommit'],
contextSource: [$class: 'ManuallyEnteredCommitContextSource', context: 'Mobb Fix Link'],
reposSource: [$class: 'ManuallyEnteredRepositorySource', url: '$GITHUBREPOURL'],
statusBackrefSource: [$class: 'ManuallyEnteredBackrefSource', backref: "${MOBBURL}"],
statusResultSource: [$class: 'ConditionalStatusResultSource',
results: [[$class: 'AnyBuildResult', message: 'Click on "Details" to access the Mobb Fix Link', state: 'SUCCESS']]]
])
}
}
}
For a demonstration of how this integration works, you can visit the following YouTube video:
Example 2 - Jenkins + GitLab Repo
This example uses the following combinations of tools to achieve the integration:
SCM: GitLab Repo
CI/CD: Jenkins
SAST Tool: Checkmarx One
def MOBBURL
pipeline {
agent { label 'agent1' }
environment {
MOBB_API_KEY = credentials('MOBB_API_KEY')
CX_API_TOKEN = credentials('CX_API_TOKEN')
}
tools {
nodejs 'NodeJS'
}
stages {
stage('Checkout') {
steps {
git branch: "${gitlabSourceBranch}", url: "${gitlabSourceRepoHomepage}"
}
}
stage('Initialize') {
steps {
// Updates GitLab MR Commit Status with the pipeline in "pending" state
updateGitlabCommitStatus name: 'Jenkins/Checkmarx/Mobb', state: 'pending'
}
}
stage('SAST') {
steps {
// This step downloads the Checkmarx One CLI and executes a SAST Scan on the code
sh """
wget https://github.com/Checkmarx/ast-cli/releases/download/2.0.54/ast-cli_2.0.54_linux_x64.tar.gz -O checkmarx.tar.gz
tar -xf checkmarx.tar.gz
./cx configure set --prop-name cx_apikey --prop-value $CX_API_TOKEN
./cx scan create --project-name my-test-project -s ./ --report-format json --scan-types sast --branch nobranch --threshold "sast-high=1"
"""
}
}
}
post {
// If SAST scan complete with no issues found, pipeline is successful
success {
echo 'Pipeline succeeded!'
updateGitlabCommitStatus name: 'Jenkins/Checkmarx/Mobb', state: 'success'
}
// If SAST scan complete WITH issues found, pipeline enters fail state, triggering Mobb autofix analysis
failure {
echo 'Pipeline failed!'
script {
MOBBURL = sh(returnStdout: true,
script:'npx mobbdev@latest analyze -f cx_result.json -r ${gitlabSourceRepoHomepage%"/"} --ref $gitlabBranch --api-key $MOBB_API_KEY --ci')
.trim()
}
echo "Mobb Fix Link: ${MOBBURL}"
//Sends th Mobb Link to the GitLab Merge Request via a comment.
addGitLabMRComment(comment: "[Click here for the Mobb Autofix link](${MOBBURL})")
updateGitlabCommitStatus name: 'Jenkins/Checkmarx/Mobb', state: 'failed'
}
}
}
You can find a detailed step-by-step guide on how to run SAST to automatically detect code vulnerabilities and automatically fix them using Mobb on every pull request using GitHub and Jenkins pipeline .
