rapticore/AppSec-Pipeline-Simulator
AppSec Pipeline Simulator

A Docker-based simulation environment demonstrating Application Security (AppSec) integration in CI/CD pipelines using Jenkins and GitLab with OpenGrep/Semgrep scanners.

🎯 Overview

This project simulates security scanning in development workflows, showing how OpenGrep and Semgrep detect vulnerabilities in vulnerable test applications and generate SARIF reports for external platforms.

🏗️ Architecture

```mermaid
graph TB
    subgraph "Docker Environment"
        GL[GitLab CE]
        JK[Jenkins]
    end

    subgraph "Host System"
        GR[GitLab Runner - External]
    end

    subgraph "Test Applications"
        VJA[vulnerable-java-app]
        VJS[vulnerable-js-app]
    end

    subgraph "Security Scanners"
        OG[OpenGrep]
        SG[Semgrep]
    end

    subgraph "External Platform"
        RC[Rapticore Platform]
    end

    GL --> VJA
    GL --> VJS
    GR --> OG
    GR --> SG
    JK --> OG
    JK --> SG
    OG --> SF[SARIF Reports]
    SG --> SF
    SF --> RC

    style GL fill:#fc6d26
    style JK fill:#326ce5
    style RC fill:#ff6b6b
    style OG fill:#4ecdc4
    style SG fill:#4ecdc4
```

🚀 Quick Start

Prerequisites

  • Docker & Docker Compose
  • 4GB+ RAM
  • 10GB+ free disk space

1. Setup

```bash
git clone <repository-url>
cd appsec-pipeline-simulator
chmod +x scripts/*.sh
```

2. Configure Environment

```bash
# Edit .env file with your Rapticore credentials
RAPTICORE_API_ENDPOINT=https://your-instance.com
RAPTICORE_USERNAME=admin
RAPTICORE_PASSWORD=your-password
```

3. Launch & Setup

```bash
docker-compose up -d
./scripts/setup-gitlab-projects.sh  # Sets up GitLab projects + external runner
```

4. Access

🔄 Pipeline Workflow

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant GL as GitLab
    participant GR as Host Runner
    participant Scan as Scanner
    participant RC as Rapticore

    Dev->>GL: git push
    GL->>GR: Trigger Pipeline
    GR->>Scan: Run OpenGrep/Semgrep
    Scan->>GR: SARIF Results
    GR->>RC: Upload to Rapticore
    GR->>GL: Upload Artifacts
```
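As an added illustration (not code from this repository), here is what a pipeline step on the runner can do with the SARIF a scanner hands back before uploading it: merge results across runs, count findings by SARIF `level`, list their locations, and decide whether the job should fail. The SARIF document, rule ids and file paths below are constructed samples in the shape OpenGrep/Semgrep emit with `--sarif`, trimmed to the fields used.

```python
import json
from collections import Counter

# Constructed sample SARIF 2.1.0 document (not a real scan result).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "opengrep"}},
        "results": [
            {"ruleId": "java.lang.security.audit.sqli", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/UserDao.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "javascript.express.security.xss", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app.js"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})


def summarize_sarif(text):
    """Return ({level: count}, [(ruleId, file, line), ...]) over all runs."""
    doc = json.loads(text)
    levels = Counter()
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # SARIF defaults a missing "level" to "warning".
            level = res.get("level", "warning")
            levels[level] += 1
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append((res.get("ruleId", "?"), uri, line))
    return dict(levels), findings


def should_fail_pipeline(text, fail_on=("error",)):
    """Gate: fail the job when any finding sits at a blocked level."""
    levels, _ = summarize_sarif(text)
    return any(levels.get(lvl, 0) > 0 for lvl in fail_on)


if __name__ == "__main__":
    counts, items = summarize_sarif(SAMPLE_SARIF)
    print(counts, items, should_fail_pipeline(SAMPLE_SARIF))
```

Wiring `should_fail_pipeline` to the job's exit status turns the SARIF artifact into a merge gate in addition to an upload to Rapticore.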

🛠️ Components

Test Applications

  • vulnerable-java-app: Java app with security vulnerabilities
  • vulnerable-js-app: Node.js app with common security issues

Security Scanners

  • OpenGrep: Static analysis scanner
  • Semgrep: Rule-based security scanner

Platforms

  • Jenkins: Pipeline automation with security scanning jobs that upload SARIF to Rapticore
  • GitLab CI/CD: Git-based CI/CD with external runner and automated security scans + Rapticore upload
  • GitLab Runner: External runner installed on host system (not containerized)

🔧 Configuration

Environment Variables (.env)

```bash
RAPTICORE_API_ENDPOINT=https://your-rapticore-instance.com
RAPTICORE_USERNAME=admin
RAPTICORE_PASSWORD=your-password
```

File Structure

```
appsec-pipeline-simulator/
├── docker-compose.yml
├── .env
├── scripts/
│   ├── setup-gitlab-projects.sh
│   └── upload-sarif-to-rapticore.sh
├── jenkins/
│   └── init.groovy.d/
├── templates/
│   └── .gitlab-ci.yml
└── test-repos/
    ├── vulnerable-java-app/
    └── vulnerable-js-app/
```

🎛️ Usage

Running a GitLab Pipeline

  1. Access GitLab at http://localhost:3000
  2. Navigate to vulnerable-java-app or vulnerable-js-app project
  3. View pipeline execution and SARIF artifacts

Running Jenkins Jobs

  1. Access Jenkins at http://localhost:8080
  2. Find auto-created security scan jobs
  3. Trigger job execution and review console output

🚨 Troubleshooting

Jenkins Job Failures

```bash
# Check Jenkins logs
docker-compose logs jenkins

# Restart Jenkins
docker-compose restart jenkins
```

GitLab Runner Issues

```bash
# Check runner status
docker-compose logs gitlab-runner

# Re-run setup
./scripts/setup-gitlab-projects.sh
```

📚 References
