
Buildkite


Buildkite is a platform for running fast, secure, and scalable Continuous Integration pipelines on your infrastructure.

The BoostSecurity integration for Buildkite is packaged as a plugin that runs as a command hook. The plugin executes the BoostSecurity Scanner to scan repositories for vulnerabilities and uploads results to the BoostSecurity platform. Adding BoostSecurity scanning into your workflow is just a matter of adding a stanza to your Buildkite pipeline configuration file.

The configuration options and location to add the stanza depend on whether the scanning needs to be done on the project's source code or a generated artifact, such as container images.

The first step in setting up BoostSecurity for Buildkite is to define the environment variable BOOST_API_TOKEN for your Buildkite Agent. Refer to the Buildkite documentation for how to set agent environment variables.


Buildkite Pipeline Steps for scanning source code


This configuration is appropriate for scanner modules that work directly on source code, for example SAST scanning or SBOM inventory generated from the source tree.

Note

Even if the workflow is configured to run the SBOM scanner on pull requests, it does not collect component inventory on PRs.

When configuring your Buildkite pipeline to run BoostSecurity scanning on the project's source code, add the following stanza to your pipeline.yml. The SBOM module is restricted to the main branch with a step-level `if` condition (Buildkite evaluates `if` on steps, not inside plugin entries), while the SAST module runs on every build:

steps:
  - label: "boostsecurity scanner (SBOM)"
    # component inventory is only collected on the default branch
    if: build.branch == "main"
    plugins:
      - boostsecurityio/boostsec-scanner#v4:
          registry_module: boostsecurityio/trivy-sbom
  - label: "boostsecurity scanner (SAST)"
    plugins:
      - boostsecurityio/boostsec-scanner#v4:
          registry_module: boostsecurityio/semgrep

Buildkite Pipeline Steps for scanning generated artifacts


This configuration is appropriate for scanner modules that need an artifact produced by the build process. For example, modules that generate an SBOM from a container image, or scan that image for vulnerabilities, need the image to be built first.

When configuring your Buildkite pipeline to run BoostSecurity scanning on generated artifacts, add the following stanza to your pipeline.yml:

steps:
  # export the image name so that the build and scan steps agree on it
  - command: echo 'BOOST_IMAGE_NAME=myimage:tag' >> $BUILDKITE_ENV_FILE
  - wait
  - label: "Building the Image"
    command: docker build -t ${BOOST_IMAGE_NAME} .
    branches: "main"
  - wait
  - label: "boostsecurity scanner"
    plugins:
      - boostsecurityio/boostsec-scanner#v4:
          registry_module: boostsecurityio/trivy-image
    branches: "main"

The first step sets the environment variable BOOST_IMAGE_NAME to the name of the image to scan. The second step builds the Docker image under that name, and the third step runs the BoostSecurity image scanning module, which reads BOOST_IMAGE_NAME to locate the image. The `wait` entries ensure each step completes before the next one starts.
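Both stanzas above depend on environment variables being present before the scanner runs: BOOST_API_TOKEN on the agent, and BOOST_IMAGE_NAME for the image-scanning step. The following pre-command hook is an added example (not BoostSecurity's or Buildkite's own code) that fails a job early when those variables are missing or malformed, without ever printing the token value. The function names, the `image` argument and the `name:tag` pattern are this example's own assumptions; `BUILDKITE=true` is the variable Buildkite sets inside a job.

```shell
#!/usr/bin/env bash
# Added example: pre-command hook that validates the scanner's inputs.
# Assumed hook location: .buildkite/hooks/pre-command (example path).

# check_token VALUE -> 0 when a non-empty token is present, 1 otherwise.
# The value is never echoed, so the secret does not end up in build logs.
check_token() {
  [ -n "$1" ]
}

# check_image_name NAME -> 0 when NAME looks like repo[:tag], 1 otherwise.
# Simplified pattern for this example: it rejects whitespace and uppercase
# repository names and does not cover registries with a port (host:5000/app).
check_image_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._/-]*(:[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?$'
}

# boost_preflight [image] -> 0 when the job can run the scanner, 1 otherwise.
# Pass "image" for the artifact-scanning step, which also needs BOOST_IMAGE_NAME.
boost_preflight() {
  if ! check_token "${BOOST_API_TOKEN:-}"; then
    echo "BOOST_API_TOKEN is not set on this agent; the scanner cannot upload results" >&2
    return 1
  fi
  if [ "${1:-}" = "image" ] && ! check_image_name "${BOOST_IMAGE_NAME:-}"; then
    echo "BOOST_IMAGE_NAME must look like name:tag, got: '${BOOST_IMAGE_NAME:-}'" >&2
    return 1
  fi
  return 0
}

# Only enforce the checks when actually running inside a Buildkite job, so the
# functions can be sourced and exercised elsewhere without side effects.
if [ "${BUILDKITE:-}" = "true" ]; then
  # Assumed convention for this example: the scan step's label tells the hook
  # whether an image name is required.
  case "${BUILDKITE_LABEL:-}" in
    *scanner*) boost_preflight image || exit 1 ;;
    *)         boost_preflight       || exit 1 ;;
  esac
fi
```

The hook reports which variable is missing but never its contents, so a misconfigured agent fails fast with a readable message instead of a scanner error later in the job, and the token stays out of the log.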