Security is added to your code repositories in 3 easy steps:
- Install the BoostSecurity App for your Source Code Management (SCM) system (GitHub or Bitbucket).
- Enable the Scanners.
- Update the Policies.
Install the BoostSecurity App for your Source Code Management¶
Installing the BoostSecurity App on your SCM organization allows the BoostSecurity service to:
- Access the SCM API.
- Insert comments on pull requests.
- Create and update check statuses.
- Enable the CI/CD and other supply chain security checks.
BoostSecurity supports both GitHub and Bitbucket; a BoostSecurity app exists for each of these two SCMs.
Note: The BoostSecurity application for Bitbucket is currently under review with Atlassian, but it can be installed in developer mode.
Installing the BoostSecurity Application for GitHub¶
To install the GitHub App on your GitHub organization, follow these steps:
- Navigate to the Integrations view, i.e. Settings > Integrations, and select the GitHub integration.
- Select Install. You will be redirected to GitHub to install the BoostSecurity GitHub App.
- Select the GitHub organization on which you want to install the BoostSecurity GitHub App.
- Select whether to install the GitHub App on All repositories or Only select repositories. Installing it for all repositories is recommended, since it makes adding the security scanner to new repositories simpler.
- Select Install and Authorize.
Once the installation is completed, the BoostSecurity GitHub card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity GitHub App is installed on your GitHub organization. You might also want to enable the CI/CD pipeline configuration security checks and the Dependabot security checks. To do so:
- Go to the installed integration in the Settings > Integrations section.
- Select the GitHub App card.
- Open the Configuration tab. On the configuration line item for your GitHub organization, turn on the Dependabot and/or CI/CD toggles to enable those security checks.
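A post-installation check, added here as an example (it is not BoostSecurity's code): the script queries GitHub's installations endpoint for the organization (GET /orgs/{org}/installations, which returns each installed app's `repository_selection` and granted `permissions`) and reports whether the BoostSecurity App covers all repositories, as recommended above, and whether the permissions it holds are the ones needed to comment on pull requests and publish check statuses, with anything beyond that flagged for review. The app slug `boostsecurity` and the expected permission set are assumptions; confirm both against what GitHub displayed during installation. The sample payload is constructed, shaped like the API response, so the audit runs offline.

```python
"""Audit the BoostSecurity GitHub App installation on an organization.

Added example, not BoostSecurity's own code. Uses the real GitHub REST endpoint
GET /orgs/{org}/installations; the app slug and expected permissions are assumptions.
"""
import json
import urllib.request

# Assumed app slug; confirm it against the Installed section of Settings > Integrations.
BOOST_APP_SLUG = "boostsecurity"

# Permissions implied by the page (pull request comments, check statuses, reading code).
# Which permissions the real app requests is an assumption: compare with GitHub's prompt.
EXPECTED_PERMISSIONS = {
    "pull_requests": "write",
    "checks": "write",
    "contents": "read",
}

LEVELS = {"read": 1, "write": 2, "admin": 3}


def fetch_installations(org: str, token: str) -> dict:
    """Call GET /orgs/{org}/installations with an org admin token (network required)."""
    req = urllib.request.Request(
        f"https://api.github.com/orgs/{org}/installations",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_installations(payload: dict, app_slug: str = BOOST_APP_SLUG) -> list[str]:
    """Return the problems found; an empty list means the installation looks right."""
    problems = []
    matches = [i for i in payload.get("installations", []) if i.get("app_slug") == app_slug]
    if not matches:
        return [f"app '{app_slug}' is not installed on this organization"]
    inst = matches[0]
    if inst.get("suspended_at"):
        problems.append("installation is suspended")
    # The page recommends installing for all repositories so new repositories are covered.
    if inst.get("repository_selection") != "all":
        problems.append("installed on selected repositories only; new repositories will not be scanned")
    granted = inst.get("permissions", {})
    for perm, needed in EXPECTED_PERMISSIONS.items():
        have = granted.get(perm)
        if LEVELS.get(have, 0) < LEVELS[needed]:
            problems.append(f"permission '{perm}' is {have or 'missing'}, expected at least {needed}")
    # Least privilege: anything beyond the expected set deserves a second look.
    for perm, level in sorted(granted.items()):
        if perm not in EXPECTED_PERMISSIONS:
            problems.append(f"unexpected permission '{perm}': {level}")
    return problems


# Constructed sample shaped like the API response; not captured from a real organization.
SAMPLE_PAYLOAD = {
    "total_count": 2,
    "installations": [
        {
            "id": 101,
            "app_slug": "boostsecurity",
            "repository_selection": "selected",
            "suspended_at": None,
            "permissions": {"pull_requests": "write", "checks": "write",
                            "contents": "read", "members": "read"},
        },
        {
            "id": 102,
            "app_slug": "example-app",
            "repository_selection": "all",
            "suspended_at": None,
            "permissions": {"contents": "read"},
        },
    ],
}

if __name__ == "__main__":
    # Replace SAMPLE_PAYLOAD with fetch_installations("your-org", token) for a live check.
    for line in audit_installations(SAMPLE_PAYLOAD) or ["installation looks correct"]:
        print(line)
```

Against the constructed sample the audit reports that the app is installed on selected repositories only and that it holds a `members` permission outside the expected set; run it with `fetch_installations` and a token that can administer the organization to check a real installation.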
Installing the BoostSecurity Application for Bitbucket¶
The BoostSecurity application for Bitbucket is under review with Atlassian. Until the review process is completed, the application can be installed in developer mode. As a prerequisite to installing the application, the Enable development mode option must be selected in your Bitbucket workspace's Installed Applications settings.
To install the BoostSecurity App on your Bitbucket workspace, follow these steps:
- Navigate to the Integrations view, i.e. Settings > Integrations, and select the Bitbucket integration.
- Select Install. You will be redirected to Bitbucket to authorize BoostSecurity's access to your workspace.
- Select the Bitbucket workspace for which you want to authorize the BoostSecurity App.
Once the installation is completed, the BoostSecurity Bitbucket card is added to the Settings > Integrations > Installed section. At this point, the BoostSecurity App is installed on your Bitbucket workspace.
Enable the Scanners¶
Once the BoostSecurity App is installed, scanner modules can be configured to run in your organization's repositories. This is done by configuring the BoostSecurity scanner modules through the supported Continuous Integration (CI) plugins for each repository.
Follow the steps described in Configure BoostSecurity Continuous Integration (CI) to configure the scanners in your code repositories.
Update the Policies¶
Once the required scanners are configured on your code repositories, you can create or update the policies that process the security events triggered by the scanners, using the policy rules you require. A BoostSecurity policy lets your security team define which types of findings matter to them. On the Policy page, you configure what should cause a finding to be a violation. Violations are tracked separately in BoostSecurity, so you can easily see which repositories violate your policy. The policy also lets you enable actions when violations occur. These actions can alert a developer by, to name a few:
- Adding a comment to a pull request.
- Blocking a pull request from merging.
- Sending a Slack message to a specific channel.
Refer to Assigning the Policy to a Resource for how to create or update policies.
Reviewing the findings¶
Once BoostSecurity starts to receive scan results, you can explore them on the Findings page.
You can filter and drill-down through the findings using the filters, allowing you to focus on findings from one or more project(s) (i.e. GitHub repositories) or that were triggered by a specific scanner rule, for example.
For each finding on this page, you can see:
- The rule that detected the finding.
- The file path.
- The source code lines where it was found.
- A description and a link to documentation explaining why this is an issue and how to address it, and more.