
Scanning Generated Artifacts


BoostSecurity Continuous Integration (CI) supports scanning build artifacts that are generated from your repository's code at scan time, for example by a templating engine or a script of your choice, rather than only the files committed to the repository.

To generate such artifacts, BoostSecurity Continuous Integration (CI) provides the --pre-scan-command option, which accepts the path to an executable followed by its Command Line Interface (CLI) arguments. The executable is run before the scan with your Git checkout as its current working directory, so relative paths in the command resolve against the repository root.

Warning: add the generated artifacts' output directory to .boostinclude. The following examples assume that you have created a .boostinclude file listing the artifacts your --pre-scan-command needs (in the examples below, the ./generated output directory), so that they are not pruned before scanning.

The following examples demonstrate how to use --pre-scan-command to scan Kubernetes manifests rendered by Helm (helm template), first in GitHub Actions and then in Circle CI:

GitHub Actions

Add the following to your .github/workflows/boost.yml:

name: BoostSecurity
on:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize
jobs:
  boost_security_helm_chart_scan:
    name: Scan Helm Chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # 3.5.3

      # This step is necessary so that we can use
      # the helm binary within the runner.
      # https://github.com/Azure/setup-helm
      - name: Setup Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # 3.5.0
        with:
          version: v3.7.1

      - name: Checkov scan
        # We're pinning against a major version here
        # and not a git commit so that you are
        # able to receive patches automatically.
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          registry_module: boostsecurityio/checkov
          pre_scan_cmd: |
            # Because this example is specific to helm, the `helm`
            # binary is locally rendering the chart to the ./generated
            # directory. You will need to alter `charts/hello-world`
            # to refer to the directory that your chart exists in.
            # The value chosen for --output-dir is arbitrary.

            helm template charts/hello-world --output-dir ./generated

Circle CI

Add the following to your .circleci/config.yml:

version: 2.1
orbs:
  # https://circleci.com/developer/orbs/orb/boostsecurityio/scanner
  boost-security-scanner: boostsecurityio/scanner@4.1.0
workflows:
  version: 2
  build:
    jobs:
      - boost-security-scan:
          context: boost-security
jobs:
  boost-security-scan:
    machine:
      docker_layer_caching: true
      image: ubuntu-2004:2023.07.1

    steps:
      - checkout

      - run:
          name: Install pre-scan dependencies
          command: |
            # Download an archive, verify its SHA-256 against the pinned digest,
            # and only then extract the wanted member to the destination path.
            #   $1 = URL, $2 = destination binary, $3 = expected SHA-256,
            #   $4 = member path inside the archive (may be empty)
            download_verify_and_unpack() {
              local url="$1" dest="$2" expected="$3" member="$4"
              local tmp=/tmp/toxic   # untrusted until the checksum check passes
              (
                curl -sSfL "$url" | tee "$tmp" | shasum -a 256 --status -c <(echo "$expected  -") &&
                tar -C "$(dirname "$dest")" -xzf "$tmp" ${member:+"$member"} &&
                if [[ -n "$member" ]]; then mv "$(dirname "$dest")/$member" "$dest"; fi &&
                chmod +x "$dest"
              ) || { rm -f "$tmp"; return 1; }
              rm -f "$tmp"
            }
            download_verify_and_unpack \
              https://get.helm.sh/helm-v3.7.1-linux-amd64.tar.gz \
              /home/circleci/bin/helm \
              6cd6cad4b97e10c33c978ff3ac97bb42b68f79766f1d2284cfd62ec04cd177f4 \
              linux-amd64/helm

      - boost-security-scanner/scan:
          registry_module: scanners/boostsecurityio/checkov

          # Note: This is not the value of the environment variable
          # (e.g. $BOOST_API_TOKEN), just the *name* of the environment
          # variable.
          api_token: BOOST_API_TOKEN

          # Because this example is specific to helm, the `helm`
          # binary is locally rendering the chart to the ./generated
          # directory. You will need to alter `charts/hello-world`
          # to refer to the directory that your chart exists in.
          # The value chosen for --output-dir is arbitrary.

          pre_scan_cmd: helm template charts/hello-world --output-dir ./generated
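As an added example, not part of the BoostSecurity documentation or of the Helm project: a small script that can be the executable passed to --pre-scan-command (or pre_scan_cmd) in either CI system above. It renders the chart the same way the examples do, but also fails the step when nothing was rendered, because an empty ./generated directory would otherwise give the scanner no manifests to examine and a clean result by default. The file name pre-scan.sh, the function names, and the check for a .git entry in the working directory are assumptions made for this example.

```shell
#!/usr/bin/env sh
# pre-scan.sh (assumed name): render a Helm chart into an output directory and
# refuse to succeed if no manifests were produced. Intended to be invoked as
#   --pre-scan-command "./pre-scan.sh charts/hello-world ./generated"
# from the repository root, which is the working directory the scanner provides.
set -eu

# Fail if the current directory is not the root of a Git checkout, so that
# relative chart paths resolve where the caller expects them to.
require_repo_root() {
  if [ ! -e .git ]; then
    echo "pre-scan: $(pwd) is not the root of a Git checkout" >&2
    return 1
  fi
}

# Count rendered manifests (*.yaml / *.yml) under the given directory.
# A missing directory counts as zero manifests.
count_manifests() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) 2>/dev/null | wc -l | tr -d ' '
}

# Fail unless at least one manifest exists under the directory: an empty
# output directory would give the scanner nothing to scan.
assert_manifests() {
  n=$(count_manifests "$1")
  if [ "$n" -eq 0 ]; then
    echo "pre-scan: no manifests rendered under $1" >&2
    return 1
  fi
  echo "pre-scan: $n manifest(s) rendered under $1"
}

# Render CHART into OUT with helm template, starting from an empty OUT so that
# stale files from a previous render are never scanned.
render_chart() {
  chart="$1"; out="$2"
  case "$out" in
    ''|.|..|/) echo "pre-scan: refusing to clear '$out'" >&2; return 1 ;;
  esac
  rm -rf -- "$out"
  mkdir -p -- "$out"
  helm template "$chart" --output-dir "$out"
  assert_manifests "$out"
}

main() {
  require_repo_root
  render_chart "$1" "$2"
}

# Run only when invoked with both arguments: chart directory, output directory.
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

The rendering step depends on the helm binary installed earlier in the job; the zero-manifest check is what turns a silent render failure into a failed CI step instead of an empty scan.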