AWS CodeBuild


Scanning steps can be added to your AWS pipeline by using our CLI installer. A scanning step is included by adding the boost scanning stanza in the buildspec.yml. For example:

  version: 0.2
  env:
    variables:
      BOOST_GIT_BRANCH: main
      BOOST_GIT_PROJECT: <'organization'/'repository'>
      BOOST_SCANNER_REGISTRY_MODULE: boostsecurityio/scanner
      BOOST_API_TOKEN: <'API token'>
      TMPDIR: /tmp
  phases:
    pre_build:
      commands:
        - env
        - curl -s https://assets.build.boostsecurity.io/boost-cli/get-boost-cli | bash
    build:
      commands:
        - ${TMPDIR}/boost-cli/latest scan repo

The environment variables that need to be set:

BOOST_GIT_BRANCH: the branch for which the scan is being done. Since this scan is configured for the main branch, set the variable to main.

BOOST_GIT_PROJECT: the organization and the repository for the scan. It should be specified in the format: organization/repository, for example, my_test_org/my_test_repo.

BOOST_SCANNER_REGISTRY_MODULE: the scanner module that will be run against the code, for example boostsecurityio/brakeman.

BOOST_API_TOKEN: The API token created in your Boost account.

TMPDIR: temporary directory used during the scanning. Use /tmp.

The pre_build command downloads the BoostSecurity command line interface (CLI). The BoostSecurity CLI runs the specified scanner module and publishes the scan results to the BoostSecurity service.

The build command boost-cli/latest scan repo instructs the BoostSecurity CLI to run the scanner module specified in the environment variable BOOST_SCANNER_REGISTRY_MODULE.
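The buildspec above keeps BOOST_API_TOKEN as a plaintext variable, and its pre_build phase runs env, which writes every environment variable, the API token included, into the CodeBuild log stream. The following variant is an added example written for this page, not a buildspec from BoostSecurity: it pulls the token from AWS Secrets Manager through the buildspec's secrets-manager block and replaces the env dump with a check that each required variable is set without echoing its value. The secret name boost/api-token and its JSON key token are assumptions; use your own secret, and give the CodeBuild service role secretsmanager:GetSecretValue permission on it.

```yaml
version: 0.2
env:
  variables:
    BOOST_GIT_BRANCH: main
    # Constructed placeholder; replace with your own organization/repository.
    BOOST_GIT_PROJECT: my_test_org/my_test_repo
    BOOST_SCANNER_REGISTRY_MODULE: boostsecurityio/scanner
    TMPDIR: /tmp
  secrets-manager:
    # Hypothetical secret: the value of the "token" key in the "boost/api-token"
    # secret is exported as BOOST_API_TOKEN instead of living in the buildspec.
    BOOST_API_TOKEN: boost/api-token:token
phases:
  pre_build:
    commands:
      # Fail fast if a required variable is unset; ${VAR:?message} aborts the
      # shell with the message and never prints the variable's value.
      - ': "${BOOST_GIT_BRANCH:?BOOST_GIT_BRANCH is not set}"'
      - ': "${BOOST_GIT_PROJECT:?BOOST_GIT_PROJECT is not set}"'
      - ': "${BOOST_SCANNER_REGISTRY_MODULE:?BOOST_SCANNER_REGISTRY_MODULE is not set}"'
      - ': "${BOOST_API_TOKEN:?BOOST_API_TOKEN is not set}"'
      - ': "${TMPDIR:?TMPDIR is not set}"'
      # Same installer as on the page.
      - curl -s https://assets.build.boostsecurity.io/boost-cli/get-boost-cli | bash
  build:
    commands:
      - ${TMPDIR}/boost-cli/latest scan repo
```

If you still need to inspect the environment while debugging a pipeline, print only the non-secret variables by name rather than running env, and rotate the API token in your Boost account if it has already appeared in a build log.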