Your versioning system is the memory of your DevOps process. Read on to learn how to integrate Crashtest Security Suite scans into it.
In the past, versioning systems were used for storage, versioning, and managing different development branches. Nowadays, versioning systems are also evolving to include continuous delivery features.
Therefore, this article shows you how to integrate your versioning tool (such as Bitbucket, GitHub, or GitLab) with our security scans. But before that, we want to discuss best practices in code versioning.
Code Versioning Best Practices
For a great article on “A successful git branching model,” please check out this link. Below is the visual representation from Vincent Driessen:
To carry these concepts over into DevSecOps, we recommend that development teams start a security scan for every release candidate, i.e., whenever a pull request is opened against the release or master branch, so that findings are known before the merge rather than after deployment.
Before we dive into the setup for specific tools, let’s look at the used webhook functionality.
The following script will start the scan for your project and periodically poll the status of the scan. When the scan is finished, the report will be downloaded to the file report.xml.
#!/usr/bin/env sh
# TODO: Set WEBHOOK to the webhook ID (without URL)
WEBHOOK="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
API_ENDPOINT="https://api.crashtest.cloud/webhook"

# Start scan and get scan ID (jq -r strips the JSON quotes so the ID can be used in URLs)
SCAN_ID=$(curl --silent -X POST --data "" "$API_ENDPOINT/$WEBHOOK" | jq -r .data.scanId)
echo "Started Scan for Webhook $WEBHOOK. Scan ID is $SCAN_ID."

# Refresh scan status: keep polling while the status code is at most 101 (101 = Running)
# POSIX [ ] is used instead of [[ ]] because the script runs under sh, not bash
STATUS=100
while [ "$STATUS" -le 101 ]
do
  echo "Scan Status currently is $STATUS (101 = Running)"
  # Only poll every minute
  sleep 60
  # Refresh status
  STATUS=$(curl --silent "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/status" | jq -r .data.status.code)
done
echo "Scan finished with status $STATUS."

# Download report
curl --silent "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/report/junit" -o report.xml
echo "Downloaded Report to report.xml"
Please see this article for other webhook functionalities (e.g., configuring authentication for the target application).
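The script above is enough to trigger a scan, but as written it never fails the build: it ignores HTTP errors, polls forever if the scan hangs, and downloads the report without looking at it. The following is an added example (it is not the article's or Crashtest Security's own script) that wraps the same webhook flow with those three gaps closed. The endpoint paths and the 100/101 status codes are taken from the article; that findings show up as JUnit <failure> elements is an assumption about the report format, and the WEBHOOK, POLL_SECONDS and MAX_WAIT_SECONDS variable names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not from the original article or from Crashtest Security.
# Hardened variant of the webhook flow: aborts on transport/HTTP errors,
# bounds the poll loop with a timeout, and exits non-zero when the JUnit
# report contains findings so the CI step (and the pull request check) fails.
# Assumptions: endpoint paths and status codes 100/101 come from the article;
# findings appearing as JUnit <failure> elements is an assumption about the
# report format; variable names below are this example's own.
set -eu

API_ENDPOINT="${API_ENDPOINT:-https://api.crashtest.cloud/webhook}"
REPORT_FILE="${REPORT_FILE:-report.xml}"
POLL_SECONDS="${POLL_SECONDS:-60}"
MAX_WAIT_SECONDS="${MAX_WAIT_SECONDS:-7200}"

# 100 and 101 are the codes the article's loop treats as "not finished yet"
# (101 = running). Any other code ends the poll loop.
scan_still_running() {
    case "$1" in
        100|101) return 0 ;;
        *)       return 1 ;;
    esac
}

# Count <failure ...> elements in a JUnit XML file. gsub() returns the number
# of matches per line; POSIX awk only, so it works in minimal CI images.
junit_failures() {
    awk '{ n += gsub("<failure[ >/]", "&") } END { print n + 0 }' "$1"
}

# Fetch a JSON endpoint and print one field. --fail turns HTTP >= 400 into a
# non-zero curl exit, which set -e propagates; the plain script would have
# piped an error page into jq instead.
api_field() {
    filter=$1
    shift
    body=$(curl --silent --show-error --fail "$@")
    printf '%s\n' "$body" | jq -r "$filter"
}

run_scan() {
    scan_id=$(api_field .data.scanId -X POST --data "" "$API_ENDPOINT/$WEBHOOK")
    if [ -z "$scan_id" ] || [ "$scan_id" = "null" ]; then
        echo "Could not start scan: no scanId in response" >&2
        return 1
    fi
    echo "Started scan $scan_id for webhook $WEBHOOK"

    status=100
    waited=0
    while scan_still_running "$status"; do
        if [ "$waited" -ge "$MAX_WAIT_SECONDS" ]; then
            echo "Scan $scan_id still running after ${MAX_WAIT_SECONDS}s, giving up" >&2
            return 2
        fi
        sleep "$POLL_SECONDS"
        waited=$((waited + POLL_SECONDS))
        status=$(api_field .data.status.code "$API_ENDPOINT/$WEBHOOK/scans/$scan_id/status")
        echo "Scan status: $status (101 = running)"
    done

    curl --silent --show-error --fail \
        "$API_ENDPOINT/$WEBHOOK/scans/$scan_id/report/junit" -o "$REPORT_FILE"
    failures=$(junit_failures "$REPORT_FILE")
    echo "Scan finished with status $status; $failures failing check(s) in $REPORT_FILE"
    # A non-zero exit here is what turns the pipeline step, and the PR check, red.
    [ "$failures" -eq 0 ]
}

# Only contact the API when a webhook ID is supplied, so the helper functions
# can be sourced and tested without network access.
if [ -n "${WEBHOOK:-}" ]; then
    run_scan
fi
```

Run it from a pipeline step as `WEBHOOK=<your webhook id> sh crashtest-scan.sh`; set MAX_WAIT_SECONDS below your CI job timeout so the step fails with a clear message instead of being killed by the runner. Because the script exits non-zero on findings, the JUnit report still gets uploaded by the CI system's artifact step where the findings can be read.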
So, how can you apply that to your existing versioning systems?
Bitbucket is a code versioning tool sold by Atlassian.
It also offers Bitbucket Pipelines to enable continuous delivery of software projects; pipelines are defined in a bitbucket-pipelines.yml file in the repository. Please have a look at the Bitbucket Pipelines documentation for the full configuration format. Below you see a minimal example of a pipeline. To call the Crashtest Security webhook, add the script described in the webhook section as commands under the “script” key.
pipelines:
  default:
    - step:
        script:
          - echo 'I made a pipeline!'
GitLab is a web-based DevOps lifecycle tool developed by GitLab Inc. under an open-source license. It combines a Git repository manager with a wiki, issue tracking, and CI/CD pipelines.
GitLab CI/CD jobs are defined in a .gitlab-ci.yml file in the repository. You can use the script described in the webhook section to call the Crashtest Security webhook by placing its commands in the “script” section of a job, and restrict the job to pipeline runs for merge requests so that each proposed change is scanned.
GitHub is one of the most well-known and widely adopted versioning tools.
At the time of writing, GitHub offers its native continuous delivery capability (GitHub Actions) only as a closed beta. As the functionality might be limited in the first release, some articles suggest using more established CI/CD toolchains, such as Jenkins or CircleCI, for script-intensive tasks like the scan above.
Crashtest Security integrates with GitHub. If you are using GitHub and want to automatically start a scan for every pull request, reach out to us – so we can support you with the implementation depending on what other tools you are using.