Getting Started¶
Security is added to your code repositories in 3 easy steps:
- Set up the BoostSecurity integration for your Source Code Management (SCM) platform (GitHub, Bitbucket, GitLab, or Azure DevOps).
- Enable the Scanners.
- Update the Policies.
Install the BoostSecurity App for your Source Code Management¶
Installing the BoostSecurity App on your SCM organization enables the BoostSecurity service to:
- Access the SCM API.
- Insert comments on pull requests.
- Create and update check statuses.
- Enable the CI/CD and other supply chain security checks.
BoostSecurity supports GitHub, Bitbucket, GitLab, and Azure DevOps. GitHub and Bitbucket are integrated by installing a BoostSecurity app on the organization or workspace; GitLab and Azure DevOps are integrated with a Personal Access Token.
Note: The BoostSecurity application for Bitbucket is currently under review with Atlassian, but it can be installed in developer mode.
Installing the BoostSecurity Application for GitHub¶
To install the GitHub App on your GitHub organization, follow these steps:
- Navigate to the Integration view, i.e., Settings > Integrations, and select the GitHub integration from the Available section.
- Select Install. You will be directed to GitHub to install the BoostSecurity GitHub App.
- Select the GitHub organization on which you want to install the BoostSecurity GitHub App.
- Select whether to install the GitHub App on All repositories or Only select repositories. Installing it for all repositories is recommended, as it simplifies adding the security scanners to new repositories.
- Select Install and Authorize.
Once the installation is completed, the BoostSecurity GitHub card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity GitHub App is installed on your GitHub organization.
It is recommended to activate the security checks for both the CI/CD pipeline configuration and Dependabot. To do so:
- Go to the installed integration in the Settings > Integrations section and select the GitHub App card.
- Open the Configuration tab. On the configuration line item for your GitHub organization, select the Dependabot and/or CI/CD toggles to turn on the security checks.
- Finally, add the desired scanners to the pipeline, either manually or via Zero Touch Provisioning.
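Once the app is installed, it is worth confirming outside the UI that the installation really covers all repositories (as recommended above) and that the permissions granted to the app are the ones you expect, since those permissions apply to every covered repository. The following Python script is an added example, not BoostSecurity's own code: it audits the JSON returned by GitHub's REST endpoint GET /orgs/{org}/installations, which requires an organization-admin token. The app slug example-security-app, the baseline permission set, and the sample response are assumptions constructed for the demonstration; replace the baseline with the permissions listed on the app's installation page.

```python
"""Audit a GitHub App installation on an organization.

Checks two things the Getting Started steps care about: that the app
covers all repositories (so new repositories are picked up automatically)
and that the permissions granted to it are the ones you expect.
The input is the JSON returned by the GitHub REST endpoint
GET /orgs/{org}/installations, which needs an organization-admin token.
"""
import json
import urllib.request
from typing import Optional

# Assumed baseline: permissions a code-scanning app that reads code, creates
# check statuses and comments on pull requests would need. Adjust it to the
# permissions actually listed on the app's installation page.
BASELINE_PERMISSIONS = {
    "metadata": "read",
    "contents": "read",
    "checks": "write",
    "statuses": "write",
    "pull_requests": "write",
}

# Constructed sample response. The app slugs, ids and the extra
# 'workflows: write' permission are placeholders chosen to exercise the
# checks; they are not BoostSecurity's real values.
SAMPLE_INSTALLATIONS = json.loads("""
{
  "total_count": 2,
  "installations": [
    {"id": 101, "app_slug": "some-other-app", "repository_selection": "all",
     "permissions": {"metadata": "read", "issues": "write"}},
    {"id": 202, "app_slug": "example-security-app", "repository_selection": "selected",
     "permissions": {"metadata": "read", "contents": "read", "checks": "write",
                     "statuses": "write", "pull_requests": "write",
                     "workflows": "write"}}
  ]
}
""")


def fetch_installations(org: str, token: str) -> dict:
    """Live lookup (not used by the demo): list the app installations on an org."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{org}/installations",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_installation(listing: dict, app_slug: str) -> Optional[dict]:
    """Return the installation record for app_slug, or None if it is not installed."""
    for inst in listing.get("installations", []):
        if inst.get("app_slug") == app_slug:
            return inst
    return None


def audit_installation(listing: dict, app_slug: str, baseline: dict) -> list:
    """Return human-readable findings; an empty list means the installation matches expectations."""
    inst = find_installation(listing, app_slug)
    if inst is None:
        return [f"app '{app_slug}' is not installed on this organization"]
    findings = []
    selection = inst.get("repository_selection")
    if selection != "all":
        findings.append(
            f"repository_selection is '{selection}' (recommended: 'all' so new repositories are covered automatically)"
        )
    granted = inst.get("permissions", {})
    # Anything granted beyond the baseline deserves a look: it is access the
    # app holds on every covered repository.
    for perm, level in sorted(granted.items()):
        if baseline.get(perm) != level:
            findings.append(f"permission '{perm}: {level}' is not in the expected baseline; review it")
    for perm, level in sorted(baseline.items()):
        if perm not in granted:
            findings.append(f"expected permission '{perm}: {level}' is missing; checks or comments may fail")
    return findings


if __name__ == "__main__":
    for line in audit_installation(SAMPLE_INSTALLATIONS, "example-security-app", BASELINE_PERMISSIONS):
        print(line)
```

Against the constructed sample the script reports that the app is installed on selected repositories only and that it holds a workflows: write permission outside the baseline; the same audit, run against a live response from fetch_installations, is a quick way to confirm the installation after step 5 and to notice later permission changes.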
Installing the BoostSecurity Application for Bitbucket¶
The BoostSecurity application for Bitbucket is under review with Atlassian; until the review process is completed, the application can be installed in developer mode. As a prerequisite to installing the application, the option Enable development mode must be selected in your Bitbucket workspace's Installed Applications settings.
To install the BoostSecurity App on your Bitbucket workspace, follow these steps:
- Navigate to the Integration view, i.e., Settings > Integrations, and select the Bitbucket integration from the Available section.
- Select Install; you will be directed to authorize access to BoostSecurity for your workspace.
- Select the Bitbucket workspace for which you want to authorize the BoostSecurity App.
- Select Grant access.
Once the installation is completed, the BoostSecurity Bitbucket card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity App is installed on your Bitbucket workspace.
Note: You should verify that Enable Pipelines is turned on in the pipelines settings of the .boost repository in your workspace, at https://bitbucket.org/YOUR-ORGANIZATION/.boost/admin/pipelines/settings.
Installing BoostSecurity for GitLab¶
As a prerequisite to installing BoostSecurity with GitLab, a Personal Access Token with the API scope needs to be created in GitLab. To create a Personal Access Token:
- Open the User Profile menu.
- In the menu, select Access Tokens.
- From the Personal Access Tokens view, create a new Access Token by:
  - providing a Token name;
  - unchecking the expiration date to make it a Personal Access Token that doesn't expire;
  - selecting the API scope.
Note: If the Personal Access Token is set to expire at a given time, the GitLab integration in BoostSecurity will need to be updated with a new Personal Access Token once the original token expires.
Take note of the Personal Access Token when it is created; it will be required when setting up the GitLab integration in BoostSecurity.
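Because the GitLab integration authenticates with this token, its scope and expiry decide whether the integration keeps working: the api scope grants full read/write access to everything the token's owner can reach, and an expired token simply stops the integration until a new one is configured. The following Python check is an added example, not part of BoostSecurity or GitLab: it reads the metadata GitLab returns for the calling token from GET /api/v4/personal_access_tokens/self (available since GitLab 16.0, authenticated with the token itself via the PRIVATE-TOKEN header) and flags a missing api scope, a revoked or inactive token, and an expiry that has passed or falls within a warning window. The two sample responses, the TODAY date and the 30-day window are constructed for the demonstration.

```python
"""Sanity-check the Personal Access Token used by the GitLab integration.

The token must carry the 'api' scope and must not be revoked, inactive,
expired or close to expiry. GitLab exposes the calling token's own metadata
at GET /api/v4/personal_access_tokens/self (GitLab 16.0+).
"""
import json
import urllib.request
from datetime import date


def fetch_token_metadata(gitlab_url: str, token: str) -> dict:
    """Live lookup (not used by the demo): fetch metadata for the token in use."""
    req = urllib.request.Request(
        f"{gitlab_url.rstrip('/')}/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_token(meta: dict, required_scopes: set, today: date, warn_days: int = 30) -> list:
    """Return (severity, message) pairs; an empty list means the token is fit for use.

    meta is the JSON object from /personal_access_tokens/self; the fields used
    are 'revoked', 'active', 'scopes' and 'expires_at' (YYYY-MM-DD or null).
    """
    findings = []
    if meta.get("revoked"):
        findings.append(("error", "token is revoked"))
    if not meta.get("active", True):
        findings.append(("error", "token is inactive"))
    missing = set(required_scopes) - set(meta.get("scopes", []))
    if missing:
        findings.append(("error", "missing scope(s): " + ", ".join(sorted(missing))))
    expires_at = meta.get("expires_at")
    if expires_at is None:
        # Matches the non-expiring token the setup steps describe; it still
        # has to be rotated by hand if it is ever exposed.
        findings.append(("warning", "token never expires; schedule a manual rotation"))
    else:
        days_left = (date.fromisoformat(expires_at) - today).days
        if days_left < 0:
            findings.append(("error", f"token expired on {expires_at}; update the integration with a new token"))
        elif days_left <= warn_days:
            findings.append(("warning", f"token expires in {days_left} day(s) on {expires_at}; rotate it and update the integration"))
    return findings


# Constructed reference date and sample responses (not real tokens or accounts).
TODAY = date(2024, 1, 20)

# Correct scope, but expiring 25 days after TODAY.
SAMPLE_EXPIRING_SOON = json.loads("""
{"id": 42, "name": "boostsecurity-integration", "revoked": false,
 "created_at": "2024-01-15T10:00:00.000Z", "scopes": ["api"], "user_id": 7,
 "last_used_at": null, "active": true, "expires_at": "2024-02-14"}
""")

# Non-expiring token created with read_api instead of api.
SAMPLE_WRONG_SCOPE = {
    "id": 43, "name": "boostsecurity-integration-2", "revoked": False,
    "scopes": ["read_api"], "active": True, "expires_at": None,
}


if __name__ == "__main__":
    for name, meta in (("expiring-soon", SAMPLE_EXPIRING_SOON), ("wrong-scope", SAMPLE_WRONG_SCOPE)):
        for severity, message in check_token(meta, {"api"}, TODAY):
            print(f"{name}: {severity}: {message}")
```

Run the check with the live metadata (fetch_token_metadata(base_url, token)) and date.today() before pasting the token into the integration, and again from a scheduled job so an approaching expiry is caught before the integration goes quiet. The required scope is a parameter, so the same check can be applied to any token-based integration whose metadata exposes its scopes and expiry.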
Note: The BoostSecurity integration for GitLab requires an account with admin access, and every child (subgroup and project) of the selected group is also onboarded.
To install the BoostSecurity integration for GitLab:
- Navigate to the Integration view.
- Select the GitLab integration from the Available section.
- Select Install. A window pops up asking for the GitLab Personal Access Token. Provide the Personal Access Token and select Next.
- Select the Group in GitLab: once the Personal Access Token is provided, select from the menu the GitLab Group with which to enable the integration.
- Select Complete.
Once the installation is completed, the BoostSecurity GitLab card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity integration is enabled for your GitLab group. Note that the steps can be repeated to enable the integration with additional GitLab groups.
Installing BoostSecurity for Azure DevOps¶
As a prerequisite to installing BoostSecurity with Azure DevOps, a Personal Access Token needs to be created in Azure DevOps. The Personal Access Token needs to be assigned the following permissions:
- Code: Status and Read
- Project & Team: Read
- Pull Request Threads: Read & Write
- Agent Pools: Read
To create a Personal Access Token:
- Navigate to the User Settings menu and select Personal access tokens.
- Select New Token.
- From the Personal Access Tokens view, create a new Access Token by:
  - providing a Token name;
  - selecting the organization the Personal Access Token is related to;
  - setting the expiration period (for example, the token can be made to expire in 12 months);
  - setting the permissions listed above.
Note: If the Personal Access Token is set to expire at a given time, the Azure DevOps integration in BoostSecurity will need to be updated with a new Personal Access Token once the original token expires.
Take note of the Personal Access Token when it is created; it will be required when setting up the Azure DevOps integration in BoostSecurity.
To install the BoostSecurity integration for Azure DevOps:
- Navigate to the Integration view.
- Select the Azure DevOps integration from the Available section.
- Select Install. A window pops up asking for the Azure DevOps organization name and the Personal Access Token. Provide both and select Next.
- Select the Azure DevOps project from the pull-down menu.
- Select Complete.
Once the installation is completed, the BoostSecurity Azure DevOps card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity integration is enabled for your Azure DevOps project. Note that the steps can be repeated to enable the integration with additional Azure DevOps projects.
Enable the Scanners¶
Once the BoostSecurity App is installed, scanner modules can be configured to run in your organization's repositories. This is done by configuring the BoostSecurity scanner modules through the supported Continuous Integration (CI) plugins for each repository.
Follow the steps described in Configure BoostSecurity Continuous Integration (CI) to configure the scanners in your code repositories.
Update the Policies¶
Once the required scanners are configured on your code repositories, you can update or create policies for processing the security events triggered by the scanners, using the policy rules you require. A BoostSecurity policy lets your security team define which types of findings matter to them. On the Policy page, you can configure what should cause a finding to be a violation. Violations are tracked separately in BoostSecurity, so you can easily see which repositories are in violation of your policy. The policy also lets you enable actions when violations occur. These actions can alert a developer by, to name a few:
- adding a comment in a pull request;
- blocking a pull request from merging;
- sending a Slack message to a specific channel.
Refer to Assigning the Policy to a Resource for how to create or update policies.
Reviewing the findings¶
Once BoostSecurity starts to receive data feeds, you can explore the results in the Findings page.
You can filter and drill-down through the findings using the filters, allowing you to focus on findings from one or more project(s) (i.e. GitHub repositories) or that were triggered by a specific scanner rule, for example.
For each finding on this page, you can see:
- the rule that detected the finding;
- the file path;
- the source code lines where it was found;
- a description and a link to documentation explaining why this is an issue and how to address it, and more.