CircleCI
The BoostSecurity CI integration for CircleCI is an orb that provides both a job (running on a machine executor) and a command for use inside your own jobs. Either invocation runs the BoostSecurity Scanner, which scans the repository for vulnerabilities and uploads the results to the BoostSecurity service.
The orb is published on the CircleCI orb registry.
The configuration that needs to be added to your .circleci/config.yml depends on whether the scanner runs on the project's source code or on a produced artifact such as a built container image.
The first step in setting up BoostSecurity for CircleCI is to create a CircleCI context named `boost-security` containing a secret named `BOOST_API_TOKEN` that holds your organization's API key.
CircleCI job for source scanning
This configuration suits scanner modules that work directly on the project's source code, for example SAST scanning or SBOM inventory.
Note
Even if the workflow is configured to run the SBOM scanner on pull requests, the SBOM scanner does not collect component inventory on pull requests.
To run the BoostSecurity scanner against the project's source code, add the following stanza to your `.circleci/config.yml`:
```yaml
version: '2.1'
orbs:
  boost-security-scanner: boostsecurityio/scanner@4
workflows:
  build:
    jobs:
      steps:
        - boost-security-scanner/scan:
            context: boost-security
            registry_module: boostsecurityio/semgrep
        - when:
            condition:
              or:
                - equal: [ main, << pipeline.git.branch >> ]
            steps:
              - boost-security-scanner/scan:
                  context: boost-security
                  registry_module: boostsecurityio/trivy-sbom
                  version: 2
```
Note
In the example above, the `semgrep` and `trivy-sbom` scanner modules are configured. Any other scanner module can be configured the same way; refer to Registry Modules for the available scanner modules.
CircleCI job for scanning generated artifacts
This configuration suits scanner modules that scan artifacts generated by the build process. For example, modules that generate an SBOM from a container image, or scan that image for vulnerabilities, need the image to be built first.
To scan generated artifacts, add the BoostSecurity scanner module stanza to your build workflow in `.circleci/config.yml`, placed after the step that generates the artifact. The example below scans a container image for vulnerabilities.
```yaml
version: '2.1'
orbs:
  boost-security-scanner: boostsecurityio/scanner@4
workflows:
  # ... some environment specific declarations and steps
jobs:
  # ... some test and other jobs
  build-push:
    executor: default
    steps:
      # ... some steps specific to your environment
      - checkout
      - run:
          command: make docker.build
      - run:
          command: make docker.push
      - when:
          condition:
            or:
              - equal: [ main, << pipeline.git.branch >> ]
          steps:
            - run:
                name: make docker.echo.tag
                command: |
                  BOOST_IMAGE_NAME=$(make docker.echo.tag)
                  echo "export BOOST_IMAGE_NAME=${BOOST_IMAGE_NAME}" | tee -a $BASH_ENV
            - boost-security-scanner/scan:
                registry_module: boostsecurityio/trivy-image
                version: 2
```
The condition `- equal: [ main, << pipeline.git.branch >> ]` restricts the image scanning module to commits on `main`, and its position in the job ensures it runs only after the image has been built. The commands `BOOST_IMAGE_NAME=$(make docker.echo.tag)` and `echo "export BOOST_IMAGE_NAME=${BOOST_IMAGE_NAME}" | tee -a $BASH_ENV` set the environment variable the BoostSecurity Trivy scanner module needs in order to know which image to scan; appending the export to `$BASH_ENV` is what makes the variable visible to the following steps of the same job, since bash sources that file at the start of each step.
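As an added example (not part of the BoostSecurity documentation or orb), a small Python check that enforces the ordering this section describes: the `trivy-image` scan must follow the image build and the step that exports `BOOST_IMAGE_NAME` to `$BASH_ENV`. The job dicts are constructed to mirror the `build-push` example above; in a repository you would obtain the job from `yaml.safe_load` on `.circleci/config.yml`.

```python
SCAN_STEP = "boost-security-scanner/scan"
EXPORT_MARKER = "export BOOST_IMAGE_NAME="


def flatten_steps(steps):
    """Yield steps in execution order, descending into `when` blocks."""
    for step in steps:
        if isinstance(step, str):  # bare step such as `checkout`
            yield {step: {}}
        elif "when" in step:
            yield from flatten_steps(step["when"].get("steps", []))
        else:
            yield step


def check_artifact_scan_job(job):
    """Return findings for a job that should build an image and then scan it."""
    findings, built, exported = [], False, False
    for step in flatten_steps(job.get("steps", [])):
        (name, body), = step.items()
        if name == "run":
            cmd = body["command"] if isinstance(body, dict) else body
            built = built or "docker.build" in cmd
            exported = exported or (EXPORT_MARKER in cmd and "$BASH_ENV" in cmd)
        elif name == SCAN_STEP:
            module = body.get("registry_module", "")
            if not module:
                findings.append("scan step has no registry_module")
            if module.endswith("trivy-image") and not built:
                findings.append("trivy-image scan runs before the image is built")
            if module.endswith("trivy-image") and not exported:
                findings.append("BOOST_IMAGE_NAME is not exported to $BASH_ENV before the scan")
    return findings


# Constructed job mirroring the page's build-push example (not taken from the orb docs).
GOOD_JOB = {"executor": "default", "steps": [
    "checkout",
    {"run": {"command": "make docker.build"}},
    {"run": {"command": "make docker.push"}},
    {"when": {"condition": {"or": [{"equal": ["main", "<< pipeline.git.branch >>"]}]},
              "steps": [
                  {"run": {"name": "make docker.echo.tag", "command":
                           'BOOST_IMAGE_NAME=$(make docker.echo.tag)\n'
                           'echo "export BOOST_IMAGE_NAME=${BOOST_IMAGE_NAME}" | tee -a $BASH_ENV\n'}},
                  {SCAN_STEP: {"registry_module": "boostsecurityio/trivy-image", "version": 2}}]}},
]}
# Constructed misconfiguration: the scan runs before the image exists and no tag was exported.
BAD_JOB = {"executor": "default", "steps": ["checkout",
    {SCAN_STEP: {"registry_module": "boostsecurityio/trivy-image", "version": 2}},
    {"run": {"command": "make docker.build"}}]}
```

Running `check_artifact_scan_job(GOOD_JOB)` returns no findings, while `BAD_JOB` yields one finding for each of the two ordering mistakes.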