
Getting Started

Security is added to your code repositories in 3 easy steps:

  1. Set up the BoostSecurity integration for your Source Code Management (SCM) system (GitHub, Bitbucket, GitLab, etc.).
  2. Enable the Scanners.
  3. Update the Policies.

3 Steps to Security

Install the BoostSecurity App for your Source Code Management

Installing the BoostSecurity App on your SCM organization enables the BoostSecurity service to:

  • Access the SCM API.
  • Insert comments on pull requests.
  • Install and update check status.
  • Enable the CI/CD and other supply chain security checks.

BoostSecurity provides apps for the GitHub, GitLab, and Bitbucket SCMs. The installation process for GitLab uses a Personal Access Token instead of an app.

Note: The BoostSecurity application for Bitbucket is currently under review with Atlassian but can be installed in developer mode.

Installing the BoostSecurity Application for GitHub

To install the GitHub App on your GitHub organization, follow these steps:

  1. Navigate to the Integrations view (Settings > Integrations) and select the GitHub integration from the Available section.
  2. Select Install. You will be directed to GitHub to install the BoostSecurity GitHub App.
  3. Select the GitHub organization on which you want to install the BoostSecurity GitHub App.
  4. Select whether to install the GitHub App on All repositories or Only select repositories. Installing it for all repositories is recommended, as it makes it simpler to add the security scanner to new repositories.
  5. Select Install and Authorize.

Once the installation is completed, the BoostSecurity GitHub card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity GitHub App is installed on your GitHub organization.

It is recommended to activate the security checks for both the CI/CD pipeline configuration and Dependabot. To do so:

  1. Go to the installed integration in the Settings > Integrations section.
  2. Select the GitHub App card.
  3. Select the Configuration tab. On the configuration line item for your GitHub organization, select the Dependabot and/or CI/CD toggles to turn on the security checks.
  4. Finally, add the desired scanners to the pipeline, either manually or via Zero Touch Provisioning.

Installing the BoostSecurity Application for Bitbucket

The BoostSecurity application for Bitbucket is under review with Atlassian; until the review process is completed, the application can be installed in developer mode. As a prerequisite to installing the application, the option Enable development mode must be selected in the Installed Applications settings of your Bitbucket workspace.

To install the BoostSecurity App on your Bitbucket workspace, follow these steps:

  1. Navigate to the Integrations view (Settings > Integrations) and select the Bitbucket integration from the Available section.
  2. Select Install. You will be directed to authorize BoostSecurity's access to your workspace.
  3. Select the Bitbucket workspace for which you want to authorize the BoostSecurity App.
  4. Select Grant access.

Once the installation is completed, the BoostSecurity Bitbucket card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity App is installed on your Bitbucket workspace.

Note: You should verify that Enable Pipelines is turned on in your project's settings page at https://bitbucket.org/YOUR-ORGANIZATION/.boost/admin/pipelines/settings.

Installing BoostSecurity for GitLab

As a prerequisite to installing BoostSecurity with GitLab, a Personal Access Token with the API scope needs to be created in GitLab. To create a Personal Access Token:

  1. Navigate to the User Profile menu and select Preferences.
  2. In the menu, select Access Tokens.
  3. From the Personal Access Tokens view, create a new Access Token by:
    • providing a Token name,
    • unchecking the expiration date, so that the Personal Access Token does not expire, and
    • selecting the API scope.

Note: If the Personal Access Token is set to expire at a given time, the GitLab integration in BoostSecurity will need to be updated with a new Personal Access Token once the original token has expired.

Take note of the Personal Access Token when it is created; it will be required when setting up the GitLab integration in BoostSecurity.
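Before pasting a token into the integration, it is worth confirming that it really carries the API scope and is not about to expire. The following script is an added example (not BoostSecurity's or GitLab's own code) that does this against GitLab's documented `GET /api/v4/personal_access_tokens/self` endpoint; the 30-day warning threshold and the sample response are assumptions made for the example.

```python
# Added example (not BoostSecurity's code): sanity-check a GitLab Personal Access
# Token before handing it to the integration. Uses the documented GitLab endpoint
# GET /api/v4/personal_access_tokens/self, which returns the metadata of the
# token that authenticated the request (available since GitLab 15.5).
import json
import urllib.request
from datetime import date

REQUIRED_SCOPE = "api"    # scope the integration needs, per the steps above
WARN_WITHIN_DAYS = 30     # assumption: warn when expiry is this close


def evaluate_token(info: dict, today: str,
                   required_scope: str = REQUIRED_SCOPE,
                   warn_within_days: int = WARN_WITHIN_DAYS) -> list:
    """Return the problems found in token metadata (empty list means OK).
    `info` is the JSON object GitLab returns; `today` is an ISO date string."""
    problems = []
    if info.get("revoked") or not info.get("active", False):
        problems.append("token is revoked or inactive")
    scopes = info.get("scopes", [])
    if required_scope not in scopes:
        problems.append(f"missing required scope '{required_scope}' (has: {scopes})")
    expires_at = info.get("expires_at")
    if expires_at:
        # GitLab reports expiry as an ISO date, e.g. "2024-06-15"
        days_left = (date.fromisoformat(expires_at) - date.fromisoformat(today)).days
        if days_left < 0:
            problems.append(f"token expired on {expires_at}")
        elif days_left <= warn_within_days:
            problems.append(f"token expires in {days_left} days; rotate it in the integration")
    return problems


def fetch_token_info(gitlab_url: str, token: str) -> dict:
    """Fetch the metadata of `token` from a GitLab instance (network call)."""
    url = f"{gitlab_url.rstrip('/')}/api/v4/personal_access_tokens/self"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample response standing in for a live GitLab reply:
    # wrong scope and an expiry two weeks out, so both checks fire.
    sample = {"active": True, "revoked": False,
              "scopes": ["read_api"], "expires_at": "2024-06-15"}
    for problem in evaluate_token(sample, "2024-06-01"):
        print("WARNING:", problem)
```

Replace the constructed sample with `fetch_token_info("https://gitlab.example.com", token)` to check a real token; the output is empty when the token is usable by the integration.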

Note: The BoostSecurity integration for GitLab requires account-level admin access, and every child in the selected group will also be onboarded.

To install the BoostSecurity integration for GitLab:

  1. Navigate to the Integrations view.
  2. Select the GitLab integration from the Available section.
  3. Select Install. A window pops up asking for the GitLab Personal Access Token. Provide the Personal Access Token and select Next.
  4. Select the Group in GitLab. Once the Personal Access Token is provided, select from the menu the GitLab Group for which to enable the integration.
  5. Select Complete.

Once the installation is completed, the BoostSecurity GitLab card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity integration is enabled for your GitLab group. Note that these steps can be repeated to enable the integration for additional GitLab groups.

Installing BoostSecurity for Azure DevOps

As a prerequisite to installing BoostSecurity with Azure DevOps, a Personal Access Token needs to be created in Azure. The Personal Access Token needs to be assigned the following permissions:

  • Code: Status and Read
  • Project & Team: Read
  • Pull Request Threads: Read & Write
  • Agent Pools: Read

To create a Personal Access Token:

  1. Navigate to the User Settings menu and select Personal access tokens.
  2. Select New Token.
  3. From the Personal Access Tokens view, create a new Access Token by:
    • providing a Token name,
    • selecting the organization (or all accessible organizations) the Personal Access Token applies to,
    • setting the expiration period (for example, the token can be made to expire in 12 months), and
    • setting the permissions listed above.

Note: If the Personal Access Token is set to expire at a given time, the Azure DevOps integration in BoostSecurity will need to be updated with a new Personal Access Token once the original token has expired.

Take note of the Personal Access Token when it is created; it will be required when setting up the Azure integration in BoostSecurity.

To install the BoostSecurity integration for Azure:

  1. Navigate to the Integrations page.
  2. Select the Azure DevOps integration from the Available section.
  3. Select Install. A window pops up asking you to select the Organization name (or All accessible organizations) from the drop-down and to provide the Personal Access Token for Azure. Provide the organization name and the Personal Access Token, then select Next.
  4. Select the Azure project from the drop-down menu.
  5. Select Complete.

Once the installation is completed, the BoostSecurity Azure card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity integration is enabled for your Azure projects. Note that these steps can be repeated to enable the integration for additional Azure projects.

Enable the Scanners

Once the BoostSecurity App is installed, scanner modules can be configured to run in your organization's repositories. This is done by configuring the BoostSecurity scanner modules through the supported Continuous Integration (CI) plugins for each repository.

Follow the steps described in Configure BoostSecurity Continuous Integration (CI) to configure the scanners in your code repositories.

Update the Policies

Once the required scanners are configured on your code repositories, you can create or update the policies that process the security events triggered by the scanners. A BoostSecurity policy allows your security team to define what types of findings are important to them. On the Policy page, you can configure what should cause a finding to be a violation. Violations are tracked separately in BoostSecurity, so you can easily see where repositories are violating your policy. The policy also lets you enable actions when violations occur. These actions can alert a developer by, to name a few:

  • Adding a comment in a pull request.
  • Blocking a pull request from merging.
  • Sending a Slack message to a specific channel.

Refer to Assigning the Policy to a Resource for how to create or update policies.

Reviewing the findings

Once BoostSecurity starts to receive data feeds, you can explore the results in the Findings page.

You can filter and drill down through the findings using the filters, allowing you to focus, for example, on findings from one or more projects (i.e., GitHub repositories) or on findings triggered by a specific scanner rule.

For each finding on this page, you can see:

  • The rule that detected the finding.
  • The file path.
  • The source code lines where it was found.
  • A description and a link to documentation explaining why this is an issue and how to address it, and more.