CI / CD Pipeline Integrations

Your CI/CD is the engine of your DevOps process. Here, you can easily integrate the Crashtest Security Suite into your CI/CD Pipeline.



Overview

This article first highlights the conceptual integration of our tool before explaining the webhook functionality. Then we dive deeper into the specific integration in Circle CI, Jenkins, TeamCity, Bamboo, and Travis CI.

Please don’t hesitate to contact us if you have any questions or need additional help.

How does the integration work?

CI / CD Integration of the Crashtest Security Suite
  1. Your developer commits code or triggers your CI/CD pipeline through another event.
  2. Your CI/CD toolchain deploys your code to your staging/test system.
  3. After building your staging system, your CI/CD pipeline triggers our scan via webhook.
    (See our guide on how to create a webhook, or look at the next section for a ready-made webhook script.)
  4. The Crashtest Security Suite scans your newly built system and launches our attack vector scanners.
  5. Our software provides reports in the UI, or as a downloadable report in PDF or JUnit format.
    These reports can be pulled back into the CI/CD toolchain through the above-mentioned webhook.
  6. Because our reports are machine-readable, you can let builds fail based on your own set of rules. Example rules for failing a build include:
    1. The number of detected vulnerabilities
    2. The maximum severity of detected vulnerabilities

    If we find a vulnerability, our integrated Wiki with specific code examples helps you remediate it quickly.
    If there are no vulnerabilities, your CI/CD toolchain deploys the new code to your production system.

That’s how we make sure you only release secure software.

Let’s look deeper into the webhook functionality that makes this magic real.

Webhook Functionality

The following script will start the scan for your project and periodically poll the status of the scan. When the scan is finished, the report will be downloaded to the file report.xml. For the examples below, assume that you have stored this file as ./start_crashtest.sh.

#!/usr/bin/env sh

# TODO: Set WEBHOOK to your webhook ID (without the URL)
WEBHOOK="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"

API_ENDPOINT="https://api.crashtest.cloud/webhook"

# Start the scan and extract the scan ID (jq -r strips the JSON quotes)
SCAN_ID=$(curl --silent --fail -X POST --data "" "$API_ENDPOINT/$WEBHOOK" | jq -r .data.scanId)
if [ -z "$SCAN_ID" ] || [ "$SCAN_ID" = "null" ]; then
    echo "Could not start scan for webhook $WEBHOOK." >&2
    exit 1
fi
echo "Started Scan for Webhook $WEBHOOK. Scan ID is $SCAN_ID."

# Poll the scan status (POSIX test; [[ ]] is bash-only and fails under /bin/sh)
STATUS="100"
while [ "$STATUS" -le 101 ]
do
    echo "Scan Status currently is $STATUS (101 = Running)"

    # Only poll every minute
    sleep 60

    # Refresh status
    STATUS=$(curl --silent --fail "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/status" | jq -r .data.status.status_code)
done

echo "Scan finished with status $STATUS."

# Download the JUnit report
curl --silent --fail "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/report/junit" -o report.xml
echo "Downloaded Report to report.xml"
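To turn the downloaded report.xml into the pass/fail decision described in step 6, here is an added Python gate (not Crashtest Security's own code). It assumes the report follows the common JUnit XML layout and, as a constructed convention, that each <failure> carries its severity in a type attribute; the embedded sample report is constructed as well.

```python
"""Pass/fail gate for the report.xml that start_crashtest.sh downloads (added example,
not Crashtest Security's code). Assumes the usual JUnit layout: one <testcase> per check,
a <failure> per finding, and (constructed convention) severity in the failure's `type`."""
import sys
import xml.etree.ElementTree as ET

# Assumed severity scale for the "maximum severity" rule.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed sample report standing in for a downloaded report.xml.
SAMPLE_REPORT = """<testsuite name="crashtest" tests="3" failures="2">
  <testcase classname="ssl" name="TLS configuration"/>
  <testcase classname="headers" name="Security headers">
    <failure type="low" message="X-Frame-Options header not set"/>
  </testcase>
  <testcase classname="xss" name="Reflected XSS">
    <failure type="high" message="Parameter q is reflected unescaped"/>
  </testcase>
</testsuite>"""

def load_findings(xml_text):
    """Return one (check name, severity, message) tuple per <failure>."""
    findings = []
    for case in ET.fromstring(xml_text).iter("testcase"):
        for failure in case.findall("failure"):
            severity = (failure.get("type") or "low").lower()
            findings.append((case.get("name"), severity, failure.get("message", "")))
    return findings

def evaluate(findings, max_findings=0, max_severity="medium"):
    """Apply the article's two rules; return (passed, list of reasons)."""
    reasons = []
    if len(findings) > max_findings:
        reasons.append(f"{len(findings)} findings exceed the limit of {max_findings}")
    worst = max((SEVERITY_RANK.get(s, 0) for _, s, _ in findings), default=0)
    if worst > SEVERITY_RANK[max_severity]:
        reasons.append(f"finding above allowed severity {max_severity!r}")
    return not reasons, reasons

def main(argv):
    # CI usage: python3 check_report.py report.xml [max findings] [max severity]
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    limit = int(argv[2]) if len(argv) > 2 else 0
    severity = argv[3] if len(argv) > 3 else "medium"
    passed, reasons = evaluate(load_findings(xml_text), limit, severity)
    for reason in reasons:
        print("FAIL:", reason)
    return 0 if passed else 1  # a non-zero exit code fails the build

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it right after start_crashtest.sh in the pipeline step; the build fails whenever the exit code is non-zero.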

Please see this article for other webhook functionalities (e.g., configuring authentication).

So, how can you apply that to your existing CI/CD tools?

Circle CI

For Circle CI, we created a complete example that allows you to run an example app, set up your own CI/CD pipeline in Circle CI, and configure rules for failing / passing builds.

Please check out the complete article on our DevSecOps example pipeline here.

Jenkins

In your Jenkinsfile test stage, you can easily define a security test with the Crashtest Security Suite:

Jenkinsfile (Scripted Pipeline)
node {
    stage('Build') {
        sh 'make'
    }
    stage('Test') {
        sh 'make check'
    }
    if (currentBuild.currentResult == 'SUCCESS') {
        stage('Deploy') {
            sh 'make publish'
        }
        stage('Security') {
            sh './start_crashtest.sh'
        }
    }
}

Analogous to the webhook script defined above, you can configure the scan and set up your own pass/fail rules. Ensure the Jenkins JUnit plugin is installed so that the downloaded report.xml can be parsed.

For more information on Jenkins pipelines, please check out the Jenkins documentation.

TeamCity

In TeamCity, you can create a new build step where you run the webhook directly or use the script above:

TeamCity Webhook Integration

Please check out their documentation page for more information on TeamCity build steps.

Bamboo

Like TeamCity, Bamboo allows you to set up an individual job for your Crashtest Security scan.

Please look at this guide if you need an introductory guide on setting up projects, plans, and jobs.

You can find the Bamboo documentation with more support on the Atlassian help page.

Travis CI

For Travis CI, you can define your build stages in your .travis.yml file:

jobs:
  include:
    - stage: test
      script: ./test 1
    - # stage name not required, will continue to use `test`
      script: ./test 2
    - stage: deploy
      script: ./deploy
    - stage: security  # jobs within one stage run in parallel, so the scan gets its own stage after deploy
      script: ./start_crashtest.sh

As in the above examples, you can add your script to start the Crashtest Security scan and define your pass/fail rules.

For more information on Travis CI, check out their documentation.
