Your versioning system is the memory of your DevOps process. This article shows how to integrate the Crashtest Security Suite scans into it with little effort.

Overview

In the past, versioning systems were used for storage, versioning, and managing different development branches. Nowadays, versioning systems are also evolving to include continuous delivery features.

Therefore, this article shows you how to integrate your versioning tool (such as Bitbucket, GitHub, or GitLab) with our security scans. But before that, we want to discuss best practices in code versioning.

Code Versioning Best Practices

For a great article on “A successful git branching model”, please check out this link. Below is the visual representation from Vincent Driessen:

Git branching model from Vincent Driessen

To expand the mentioned concepts in DevSecOps, we recommend development teams start security scans for every release (when creating pull requests).

Before we dive into the setup for specific tools, let’s look at the used webhook functionality.

Webhook Functionality

The following script will start the scan for your project and periodically poll the status of the scan. When the scan is finished, the report will be downloaded to the file report.xml.

#!/usr/bin/env sh

# TODO: Set WEBHOOK to your webhook ID (the UUID only, without the URL)
WEBHOOK="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"

API_ENDPOINT="https://api.crashtest.cloud/webhook"

# Start the scan and extract the scan ID from the JSON response
SCAN_ID=$(curl --silent --fail -X POST --data "" "$API_ENDPOINT/$WEBHOOK" | jq -r .data.scanId)
if [ -z "$SCAN_ID" ] || [ "$SCAN_ID" = "null" ]; then
    echo "Could not start scan for webhook $WEBHOOK." >&2
    exit 1
fi
echo "Started Scan for Webhook $WEBHOOK. Scan ID is $SCAN_ID."

# Poll the scan status until it is no longer "running" (status code 101).
# POSIX test brackets are used because the script runs under sh, not bash.
STATUS="100"
while [ "$STATUS" -le 101 ]
do
    echo "Scan Status currently is $STATUS (101 = Running)"

    # Only poll every minute
    sleep 60

    # Refresh status
    STATUS=$(curl --silent --fail "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/status" | jq -r .data.status.code)

done

echo "Scan finished with status $STATUS."

# Download the JUnit report
curl --silent --fail "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/report/junit" -o report.xml
echo "Downloaded Report to report.xml"

For other webhook functionalities (i.e. configuring authentication), please see this article.
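Downloading report.xml is only half of the DevSecOps loop described above: to have a pull request actually blocked on findings, the pipeline step has to exit non-zero when the report contains failures. The script below is an added example, not part of the Crashtest Security documentation or product, that shows one way to do this for any of the CI systems covered on this page. It assumes the report is standard JUnit XML with failures="N" attributes on each testsuite element; the sample report it writes is constructed for the demonstration and does not reproduce the real scanner output.

```shell
#!/usr/bin/env sh
# Added example (not from the Crashtest Security docs): gate a CI job on the
# downloaded JUnit report by summing the failures="N" attributes and failing
# the step when the total is above zero.

# Write a constructed sample report to the given path. The layout (JUnit XML
# with <testsuite ... failures="N">) is an assumption about the report format.
write_sample_report() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="TLS" tests="4" failures="1">
    <testcase name="weak cipher suites"><failure message="CBC cipher suites offered"/></testcase>
  </testsuite>
  <testsuite name="Headers" tests="5" failures="2">
    <testcase name="CSP"><failure message="no Content-Security-Policy header"/></testcase>
    <testcase name="HSTS"><failure message="no Strict-Transport-Security header"/></testcase>
  </testsuite>
  <testsuite name="Cookies" tests="3" failures="0"/>
</testsuites>
EOF
}

# Sum every failures="N" attribute in the report and print the total.
# Prints 0 when no such attribute exists, so the caller always gets a number.
junit_failure_count() {
    grep -o 'failures="[0-9]*"' "$1" \
        | sed 's/[^0-9]//g' \
        | awk '{ total += $1 } END { print total + 0 }'
}

# Return 0 when the report is clean, 1 when it has findings or is unreadable.
# A missing or empty report is treated as a failure on purpose: a scan that
# never produced output must not silently pass the gate.
gate_on_report() {
    report="$1"
    if [ ! -s "$report" ]; then
        echo "gate: report $report is missing or empty" >&2
        return 1
    fi
    failures=$(junit_failure_count "$report")
    if [ "$failures" -gt 0 ]; then
        echo "gate: $failures security finding(s) in $report, failing the build" >&2
        return 1
    fi
    echo "gate: no findings in $report"
    return 0
}

# Usage in a pipeline step, right after the download in the webhook script:
#   gate_on_report report.xml
```

In a Bitbucket or GitLab job the last line of the step is what decides the job result, so calling gate_on_report report.xml after the download turns scan findings into a failed check on the pull request. Because the empty-report case also fails, a scan that timed out or a curl that was blocked by an egress rule surfaces as a red build instead of a quiet pass.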

So, how can you apply that to your existing versioning systems?

Bitbucket

Bitbucket is a code versioning tool sold by Atlassian.

It also offers pipelines to enable the continuous delivery of software projects. Please have a look at the Bitbucket documentation on how to trigger webhooks. Below you see a straightforward example of a pipeline. You can use the script described in the webhook section to call the Crashtest Security webhook and enter it below the “script” line.

pipelines:
  default:
    - step:
        script:
          - echo 'I made a pipeline!'

If you need any help on scripting your specific pipeline, please contact us.

GitLab

GitLab is a web-based DevOps lifecycle tool developed by GitLab Inc. It provides a Git repository manager with wiki, issue-tracking, and CI/CD pipeline features, released under an open-source license.

GitLab also offers GitLab CI to enable continuous integration and deployment of software projects. Please look at the GitLab documentation on how to configure pipelines (or check out their examples).

You can use the script described in the webhook section to call the Crashtest Security webhook.

If you need any help on scripting your specific pipeline, please contact us.

GitHub

GitHub is one of the most well-known and widely adopted versioning tools.

GitHub currently offers a closed beta for its native continuous delivery capability (GitHub Actions). However, as the functionality might be limited in the first release, some articles suggest using the more powerful CI/CD toolchains, such as Jenkins or Circle CI, for more script-intensive tasks.

If you are using GitHub and want to start a scan for every pull request automatically, reach out to us – so we can support you with the implementation depending on what other tools you are using.

 
