SecureCI is an open-source continuous integration solution. We’ve assembled a number of open-source tools that we use, installed them in a VMware image and configured them to work together. SecureCI is packaged as a virtual machine that can be run with the VMware Player that way you can be up and running in minutes without the hassle and time commitment of putting it all together yourself. And it’s free.
Why did you build this?
Coveros does secure agile development, typically in Java. When we start a project we usually need a wiki, a source code repository, a build system, a continuous integration engine and a slew of tools to help us analyze and test our source code and application security. Someone on the team always spends the first few days of each project downloading and installing a bunch of software, making sure it’s all set up and talking to each other.
We decided it would be much easier to just do this once and package it all up. By packaging it as a virtual machine we can have everything set up, configured and running either from a laptop or a server within a few minutes instead of a few days. As soon as we load SecureCI, the team can point their web browser at it and start working.
What is included in SecureCI?
You can see a full list of packages and versions on the download site but here are some highlights. Information about all of the included tools and examples of their use are provided on the wiki in SecureCI.
Trac – wiki and issue tracking
One of the keys for successful communication within a project is being able to find the information we need, when we need it. Using a wiki is a convenient way for the team to gather and organize the project information with a minimum of overhead, as well as a minimal reliance on outside parties. Anyone associated with the project can be granted permission to add or modify information in the wiki.
So Trac is our “home base” for SecureCI. When you first visit SecureCI with a browser, the wiki is the first thing that pops up. There you find the documentation for SecureCI: information about the included tools, “How do I” articles on integrating the pieces into your process, etc. It is all easy to edit so you can go ahead and add your own project documentation right there from your web browser.
Trac also provides issue tracking capability. You can use it to track defects, enhancements, or even project stories and requirements. There are also links to other tools, a way to set up project milestones and track progress, and a web interface to the Subversion repository. All of it is editable and searchable.
Subversion – source code repository
Having a central repository for the project source code is critical to being able to successfully integrate frequently. Not only do developers need to be able to conveniently check out and commit any code they are working on, but automated tools such as the continuous integration server need to be able to check out code for automated building.
Subversion is set up and integrated with Trac. Access between them is coordinated so you can use the Trac web interface to add users and manage access control. You can even update and close issue tickets directly from your Subversion commit messages.
Ant and Maven – for builds
The hallmark of a professional build process is repeatability and the ability to run on a non-developer machine (to avoid the “it works on my machine” issues). Those qualities helps a new developer get started and makes sure that the application is always ready to be released, even if only for a demonstration.
SecureCI is build tool agnostic. We’ve included examples on getting your project building with Ant or Maven, but you should be able to use just about any other system for automating your build.
Hudson – continuous integration engine
Continuous integration is the practice of frequently integrating a code base that is actively being worked. The definition of frequently varies from team to team. It could mean many times each day, once each day, or as each task is completed.
Hudson just needs to be pointed to the project’s Subversion tree and told what build system the project uses. It will monitor the source code repository for changes. When new code is committed Hudson kicks off the automated build, runs unit tests and functional tests and can track code coverage. I can also perform code analysis. If anything goes wrong, developers and project managers are notified right away.
JUnit and Selenium – testing
One of the core practices in continuous integration is to “make your build self-testing”. As code is written, tests for that code are written. The goal is not just to prove that the code works but also to document (in code) the behavior of a method or section of code. This is important both for a new developers trying to learn how to use the code and for existing developers refactoring or changing code behaviors.
JUnit is included for unit testing and Selenium is included for functional testing of web applications.
Checkstyle, FindBugs, PMD, JDepend – code analysis
Code analysis tools run against compiled class files or raw source files to look for patterns that indicate potential problems. They look for style issues, potential code defects, race conditions and security holes. These tools are more akin to automated code review than to unit and integration tests. They are an inexpensive way to avoid the tedium of repeatedly reviewing a large code base by hand.
ratproxy – security scanning
Ratproxy is a web application security auditing tool. It is a passive proxy, watching data sent between a browser and a web application. It does not typically send extra requests or modify data being sent between the web application and the browser.
When you test a web application, either manually or using Selenium, ratproxy can watch what you are doing and report any potential security holes it sees. Because it is passive, it can even be used to audit web applications already in production.
Sonar – code quality dashboard
After Hudson builds your application and runs your tests, Sonar can step in to run code analysis and provide a visual dashboard of the code quality. All sorts of metrics about the source code size, rules compliance and code coverage are provided with trending reports, drill downs and a very informative dashboard.
What’s the catch?
No catch. It’s free. We built this on open source tools so it wouldn’t be fair us to turn around and try to charge for it. We’ve tried to make it as easy as possible to get started using SecureCI in your project. We’ve given you the documentation on how everything is installed and what you need to use the tools.
If you need some more help, we can teach you the fundamentals of continuous integration and how to use SecureCI to its maximum capability. We can help you get your project set up for continuous integration. If you have existing tools that you want integrated with SecureCI for your own project, we can help you do that as well.
How do I get started?
Just download a free copy. If you don’t already have VMware Player, you’ll need that too. Once you unpack SecureCI there is a readme file with installation instructions. Start up the VM, answer a few questions to get some some accounts setup, and at the end of the boot sequence SecureCI will be up and running for team to use.
If you have questions, comments, or suggestions, we’d love to hear from you at secureci@coveros.com.
