The adoption of DevOps increased from 66 percent in 2015 to 74 percent in 2016 and the trend shows no sign of slowing down in 2017.
As more enterprises expand their teams working on continuous integration (CI), deployment, and delivery, there is an increasing demand to find the best solution to fit their deployment needs.
Read on to understand the benefits of Bamboo and Jenkins, two of the leading platforms for CI deployment and delivery, as well as the options available for implementing security through static code analysis in both of these solutions.
What is Bamboo?
Bamboo is a continuous integration server from Atlassian. Its purpose is to give developers an environment that compiles code for testing quickly, so that release cycles can reach production just as quickly, while providing full traceability from the feature request all the way to its deployment.
What is Jenkins?
Jenkins is a simple application designed to monitor a series of repeated executions in a software environment. For example, like ‘Cruise Control’, it offers a single, simple-to-use continuous integration system. Developers can then execute test cycles more easily, and the latest build can be delivered to users quickly and efficiently.
Benefits of Bamboo
Atlassian’s Bamboo really shines for developers who are already using other Atlassian products such as Jira and Stash. Bamboo is also quite easy to use and supports the whole path from continuous integration to continuous delivery.
More reasons to love Bamboo. Source: https://www.slideshare.net/AnnaIoceva/bamboo-presentation-annie-v2-46082758
Veteran Bamboo user Richard Cross outlines below what he considers to be some of the biggest benefits of using Bamboo:
- Simple and intuitive drag & drop UI for designing Pipelines, based on the same tasks, jobs, stages principles of Continuous Delivery. Fanning out/in is trivial.
- Temporarily disabling/re-ordering Stages, Jobs or Tasks is trivial. Jobs can be dragged/dropped between Stages, Stages and Tasks can be dragged/dropped to re-order, with pop-up warnings if what you’re about to do doesn’t make sense.
- Chaining pipelines together, while not as slick as GoCD, is also possible.
- A separate Deployment manager, in which you can easily manage deployment environments, track what you have released and where, and full traceability from a Release back to the Git commits and the JIRA issues it comprises.
- Automatically detects new branches and builds them. It is even possible (albeit via a very inexpensive plugin) for the same pipeline to behave differently on a branch build.
- Build Artifacts are automatically managed through each pipeline run, right through to deployment; no need to stage artifacts in an external repository.
- Integration with other Atlassian products is, as you would expect, vastly superior to other combinations you can dream up.
Benefits of Jenkins
As an open source solution, Jenkins shines for anyone developing on a budget and is a simple and standalone continuous integration tool that is backed by a really supportive community.
Jenkins’ enthusiastic open source backers power the more than 1,500 community-contributed Jenkins plugins, which are available here. These plugins enable users to better build, support and automate their many projects.
The Jenkins wiki includes a number of further reasons why Jenkins should be the build management solution of choice for developers. These arguments include the adoption statistics (detailed Jenkins usage statistics can be viewed here), which point to a major shift of developers from other platforms to Jenkins. Additionally, the team that had been developing Hudson (the project from which Jenkins was forked after a dispute with Oracle) now works on the Jenkins core.
As mentioned earlier, the Jenkins community shines through its plugin development, and most of the plugin developers have chosen to stay with the Jenkins project, which means that improvements and bug fixes can be expected for many of the most used plugins.
Bamboo, Jenkins and Security
When it comes to implementing security through static code analysis in build management tools such as Bamboo and Jenkins, there is no built-in, native functionality. Developers therefore need to consider a third-party static code analysis tool to ensure that their static code analysis is conducted correctly and seamlessly.
One question that users of both Jenkins and Bamboo have often raised is how to implement static code analysis in a build management environment.
Bamboo and Static Code Analysis
The good news is that today’s leading Static Code Analysis (SCA) solutions (belonging to the SAST methodology) integrate with Bamboo out of the box to provide high quality static code analysis in a smooth, simple-to-operate environment. Developers can quickly integrate their testing with a fast compilation environment for higher levels of certainty that their code is fit for purpose, and can rely on the code scanner to deliver prompt reporting of vulnerabilities and flaws in the code. You can simply produce a high-level vulnerability report, linked to a color-coded HTML report that pinpoints the specific areas of code where the vulnerabilities exist, so that a fix can be applied. It’s also simple to set thresholds for failure and ensure that flawed code doesn’t move into production.
In addition, when you’re running Bamboo Static Code Analysis, you can report on the historical variation between builds. This means you can identify the specific areas of the code, or the specific coders, that are introducing vulnerabilities. It’s also much easier to determine whether subsequent releases are becoming more or less stable. It’s not difficult to customize reporting so that you see exactly what is relevant to your development team. You’ll be able to ship more secure releases in a faster life cycle, which saves you time and resources.
Jenkins and Static Code Analysis
Jenkins has no facility for static code analysis within the application environment. It’s used for continuous build environments and to monitor jobs running outside the environment, reporting on the outputs of those jobs. This can be frustrating for developers who would like to use Jenkins for its automation facility but are also looking for the application to assist with the security testing of their code.
It’s OK, though: Jenkins does support static code analysis from other packages. A plugin captures the results and parses them. Once these results are passed to Jenkins, the application presents them visually in a consistent manner. Jenkins can report on the warnings generated by a build; deliver trend reporting that shows the level of warnings across subsequent builds; provide granular reporting (by module, type, package, etc.) for warnings, severity reports, an HTML view of source alongside warnings, stability reporting, project health reporting, scoring for builds that are “warning free”, e-mail reports, and so on. There is also support for a remote API, so a plugin can be integrated into Jenkins without hours of development time spent on that integration.
The good news is that, to enable Jenkins static code analysis, leading SCA vendors provide an out-of-the-box integration with Jenkins that generates all these reports. Make sure this box is ticked before you purchase and invest in a static code scanner. Stay safe!
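The failure thresholds and the build-to-build comparison described in the Bamboo and Jenkins sections above, as an added example that is not part of the original post and not any vendor's integration: a small Python gate that a Bamboo or Jenkins job could run after the scanner step. It assumes a constructed JSON findings format (rule, severity, file, line) and constructed sample builds; real scanner output formats differ.

```python
import json
import sys
from collections import Counter

# Constructed sample findings from two consecutive builds, in a made-up JSON
# shape (rule, severity, file, line); real scanners each have their own format.
PREVIOUS_BUILD = json.loads("""[
 {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42},
 {"rule": "hardcoded-secret", "severity": "medium", "file": "app/config.py", "line": 7}
]""")
CURRENT_BUILD = json.loads("""[
 {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 45},
 {"rule": "xss", "severity": "high", "file": "app/views.py", "line": 19},
 {"rule": "weak-hash", "severity": "low", "file": "app/auth.py", "line": 88}
]""")

# Maximum findings allowed per severity before the build fails; None = no limit.
DEFAULT_THRESHOLDS = {"high": 0, "medium": 5, "low": None}

def fingerprint(finding):
    # Match findings across builds by rule and file only: line numbers shift as
    # code is edited and would otherwise make every moved finding look new.
    return (finding["rule"], finding["file"])

def gate(current, previous, thresholds=DEFAULT_THRESHOLDS):
    """Compare a build's findings with the previous build's and decide pass/fail.

    Returns per-severity counts, the new and fixed findings, the verdict and
    the human-readable reasons for a failure (empty when the build passes).
    """
    counts = Counter(f["severity"] for f in current)
    seen_before = {fingerprint(f) for f in previous}
    seen_now = {fingerprint(f) for f in current}
    new = [f for f in current if fingerprint(f) not in seen_before]
    fixed = [f for f in previous if fingerprint(f) not in seen_now]
    reasons = []
    for severity, limit in thresholds.items():
        if limit is not None and counts[severity] > limit:
            reasons.append(f"{counts[severity]} {severity} findings, limit {limit}")
    # Regressions block regardless of the absolute limit: a new high-severity
    # finding must not reach production even while older ones are being fixed.
    for f in new:
        if f["severity"] == "high":
            reasons.append(f"new high finding {f['rule']} in {f['file']}:{f['line']}")
    return {"counts": dict(counts), "new": new, "fixed": fixed,
            "passed": not reasons, "reasons": reasons}

if __name__ == "__main__":
    result = gate(CURRENT_BUILD, PREVIOUS_BUILD)
    print(f"{len(result['new'])} new, {len(result['fixed'])} fixed: {result['counts']}")
    for reason in result["reasons"]:
        print("FAIL:", reason)
    sys.exit(0 if result["passed"] else 1)  # non-zero exit marks the CI job failed
```

In a real pipeline the previous build's findings would be loaded from the last archived report rather than embedded, and the exit status is what makes the Bamboo or Jenkins job go red.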
Read our whitepaper “The AppSec How To: Application Security in Continuous Integration” here.