# Scanning Generated Artifacts
BoostSecurity Continuous Integration (CI) supports scanning build artifacts that are generated from repository code by a templating engine or script of your choice.

To generate such artifacts, BoostSecurity CI provides the `--pre-scan-command` option, which accepts the path to an executable together with its Command Line Interface (CLI) arguments. That executable is run with your Git repository as its current working directory, before the scan starts, so anything it writes into the repository tree is then available to the scanner.
!!! warning "Adding generated artifacts output directory to .boostinclude"
    The following examples assume that you have created a `.boostinclude` file which specifies the artifacts necessary for your `--pre-scan-command`, so that they are not pruned before it executes.
The following examples demonstrate how to use the `--pre-scan-command` to scan artifacts generated by Helm in GitHub Actions and Circle CI:
## GitHub Actions

Add the following to your `.github/workflows/boost.yml`:

```yaml
name: BoostSecurity
on:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize
jobs:
  boost_security_helm_chart_scan:
    name: Scan Helm Chart
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # 3.5.3
      # This step is necessary so that we can use
      # the helm binary within the runner.
      # https://github.com/Azure/setup-helm
      - name: Setup Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # 3.5.0
        with:
          version: v3.7.1
      - name: Checkov scan
        # We're pinning against a version here
        # and not a git commit so that you are
        # able to receive patches automatically.
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          registry_module: boostsecurityio/checkov
          pre_scan_cmd: |
            # Because this example is specific to helm, the `helm`
            # binary is locally rendering the chart to the ./generated
            # directory. You will need to alter `charts/hello-world`
            # to refer to the directory that your chart exists in.
            # The value chosen for --output-dir is arbitrary.
            helm template charts/hello-world --output-dir ./generated
```
## Circle CI

Add the following to your `.circleci/config.yml`:

```yaml
version: 2.1
orbs:
  # https://circleci.com/developer/orbs/orb/boostsecurityio/scanner
  boost-security-scanner: boostsecurityio/scanner@4.1.0
workflows:
  version: 2
  build:
    jobs:
      - boost-security-scan:
          context: boost-security
jobs:
  boost-security-scan:
    machine:
      docker_layer_caching: true
      image: ubuntu-2004:2023.07.1
    steps:
      - checkout
      - run:
          name: Install pre-scan dependencies
          command: |
            # Usage: download_verify_and_unpack URL DEST SHA256 MEMBER
            # Downloads URL, checks its SHA-256 against SHA256 while streaming,
            # extracts MEMBER from the archive next to DEST, renames it to DEST
            # and marks it executable. Any failure removes the temp file and
            # fails the step.
            download_verify_and_unpack() {
              (
                curl -s -L "$1" | tee /tmp/toxic | shasum -s -a256 -c <(echo "$3 -") \
                  && tar -C "$(dirname "$2")" -xzf /tmp/toxic "$4" \
                  && if [[ ! -z "$4" ]]; then mv "$(dirname "$2")/$4" "$2"; else true; fi \
                  && chmod +x "$2"
              ) || (rm -f /tmp/toxic && false)
            }
            download_verify_and_unpack https://get.helm.sh/helm-v3.7.1-linux-amd64.tar.gz /home/circleci/bin/helm 6cd6cad4b97e10c33c978ff3ac97bb42b68f79766f1d2284cfd62ec04cd177f4 linux-amd64/helm
      - boost-security-scanner/scan:
          registry_module: scanners/boostsecurityio/checkov
          # Note: This is not the value of the environment variable
          # (e.g. $BOOST_API_TOKEN), just the *name* of the environment
          # variable.
          api_token: BOOST_API_TOKEN
          # Because this example is specific to helm, the `helm`
          # binary is locally rendering the chart to the ./generated
          # directory. You will need to alter `charts/hello-world`
          # to refer to the directory that your chart exists in.
          # The value chosen for --output-dir is arbitrary.
          pre_scan_cmd: helm template charts/hello-world --output-dir ./generated
```
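The pinned-checksum install used in the Circle CI step above, reworked here as an added example (not BoostSecurity's or the orb's code) that verifies an already-downloaded archive before extracting it and fails closed on a mismatch, so a tampered or wrong release never reaches the pre-scan step. `sha256_of`, `verify_and_unpack` and `make_fixture` are names chosen for this example; the tarball it builds is a constructed stand-in for the Helm release archive with the same `linux-amd64/helm` member layout.

```shell
#!/bin/sh
# Added example, not BoostSecurity's code: verify a downloaded tool archive
# against a pinned SHA-256 before extracting it for use in a pre-scan step.
# Fails closed: on a mismatch nothing is extracted or installed.

# Print the SHA-256 of a file; uses coreutils sha256sum or Perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_unpack ARCHIVE EXPECTED_SHA256 MEMBER DEST
# Extract MEMBER from ARCHIVE to DEST only if ARCHIVE hashes to EXPECTED_SHA256.
# Returns 0 on success, 1 on checksum mismatch or extraction failure.
verify_and_unpack() {
  archive=$1; expected=$2; member=$3; dest=$4
  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive: got $actual, want $expected" >&2
    return 1
  fi
  workdir=$(mktemp -d) || return 1
  rc=1
  if tar -C "$workdir" -xzf "$archive" "$member"; then
    mkdir -p "$(dirname "$dest")" \
      && mv "$workdir/$member" "$dest" \
      && chmod +x "$dest" \
      && rc=0
  fi
  rm -rf "$workdir"
  return $rc
}

# Constructed fixture: a tiny tarball standing in for helm-vX-linux-amd64.tar.gz,
# with the same member layout (linux-amd64/helm). Prints the fixture directory.
make_fixture() {
  fixture=$(mktemp -d)
  mkdir -p "$fixture/linux-amd64"
  printf '#!/bin/sh\necho fake-helm\n' > "$fixture/linux-amd64/helm"
  tar -C "$fixture" -czf "$fixture/tool.tar.gz" linux-amd64/helm
  echo "$fixture"
}
```

In a real pipeline the archive would come from `curl -L` as in the step above, with the expected digest taken from the upstream release checksums and pinned in the config.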