Scanning Generated Artifacts
BoostSecurity Continuous Integration (CI) supports scanning build artifacts generated from repository code using a templating engine or script of your choice.
To generate such artifacts, BoostSecurity Continuous Integration (CI) provides the `--pre-scan-command` option, which accepts the path to an executable and its relevant Command Line Interface (CLI) arguments. That executable is then run with your Git repository as its current working directory.
Warning — "Adding the generated artifacts output directory to `.boostinclude`": the following examples assume that you have created a `.boostinclude` file which lists the artifacts needed by your `--pre-scan-command`, so that they are not pruned before the command runs.
GitHub Actions

Add the following to your `.github/workflows/boost.yml`:
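name: BoostSecurity

# `on` is a YAML 1.1 truthy key; GitHub's loader handles it correctly.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize

# Consider a top-level `permissions:` block to narrow the default GITHUB_TOKEN;
# check the scanner action's documentation for the permissions it needs.
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Pin third-party actions to a full commit SHA rather than a mutable
        # tag to harden against tag rewrites.
        uses: actions/checkout@v2

      - name: Install pre-scan dependencies
        run: |
          set -euo pipefail

          # Fetch the tarball $1 into a private temp file, verify its SHA-256
          # against $3, extract it into the directory of $2 and install the
          # result executable at $2. An optional $4 names the single archive
          # member to extract and rename to $2; when omitted, every member is
          # extracted. The temp file is removed on both success and failure,
          # and a failure at any step returns non-zero.
          download_verify_and_unpack() {
            local url="$1" dest="$2" expected="$3" member="${4:-}"
            local dir tmp
            dir="$(dirname "$dest")"
            tmp="$(mktemp)"
            # ${member:+"$member"} passes no argument at all when $4 is empty,
            # instead of an empty member name that tar would reject.
            if curl -fsSL "$url" -o "$tmp" \
                && echo "$expected  $tmp" | shasum -a 256 -c -s - \
                && tar -C "$dir" -xzf "$tmp" ${member:+"$member"} \
                && { [[ -z "$member" ]] || mv "$dir/$member" "$dest"; } \
                && chmod +x "$dest"; then
              rm -f "$tmp"
              return 0
            fi
            rm -f "$tmp"
            return 1
          }

          download_verify_and_unpack https://get.helm.sh/helm-v3.7.1-linux-amd64.tar.gz /usr/local/bin/helm 6cd6cad4b97e10c33c978ff3ac97bb42b68f79766f1d2284cfd62ec04cd177f4 linux-amd64/helm

      - name: Prepare pre-scan script
        run: |
          # Quoted delimiter: the script body is written verbatim, with no
          # shell expansion at generation time.
          cat << 'EOF' > /usr/local/bin/render-k8s.sh
          #!/bin/bash
          set -euo pipefail
          # Runs with the repository checkout as the working directory.
          helm template charts/hello-world --output-dir ./generated
          EOF
          chmod +x /usr/local/bin/render-k8s.sh

      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          additional_args: --pre-scan-command "/usr/local/bin/render-k8s.sh"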
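name: BoostSecurity

# `on` is a YAML 1.1 truthy key; GitHub's loader handles it correctly.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize

# Consider a top-level `permissions:` block to narrow the default GITHUB_TOKEN;
# check the scanner action's documentation for the permissions it needs.
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Pin third-party actions to a full commit SHA rather than a mutable
        # tag to harden against tag rewrites.
        uses: actions/checkout@v2

      - name: Install pre-scan dependencies
        run: |
          set -euo pipefail

          # Fetch $1 to $2, verify its SHA-256 against $3 and mark it
          # executable. On any failure the partial download is removed and
          # the function returns non-zero.
          download_and_verify() {
            local url="$1" dest="$2" expected="$3"
            if curl -fsSL "$url" -o "$dest" \
                && echo "$expected  $dest" | shasum -a 256 -c -s - \
                && chmod +x "$dest"; then
              return 0
            fi
            rm -f "$dest"
            return 1
          }

          # Fetch the tarball $1 into a private temp file, verify its SHA-256
          # against $3, extract it into the directory of $2 and install the
          # result executable at $2. An optional $4 names the single archive
          # member to extract and rename to $2; when omitted, every member is
          # extracted. The temp file is removed on both success and failure.
          download_verify_and_unpack() {
            local url="$1" dest="$2" expected="$3" member="${4:-}"
            local dir tmp
            dir="$(dirname "$dest")"
            tmp="$(mktemp)"
            if curl -fsSL "$url" -o "$tmp" \
                && echo "$expected  $tmp" | shasum -a 256 -c -s - \
                && tar -C "$dir" -xzf "$tmp" ${member:+"$member"} \
                && { [[ -z "$member" ]] || mv "$dir/$member" "$dest"; } \
                && chmod +x "$dest"; then
              rm -f "$tmp"
              return 0
            fi
            rm -f "$tmp"
            return 1
          }

          download_and_verify https://github.com/bitnami/kubecfg/releases/download/v0.22.0/kubecfg-linux-amd64 /usr/local/bin/kubecfg 198e2f6eb6d86460eea47be4444d986287745b3882026f3f228a1ec0f1453780
          # No member name is given, so every archive entry lands in
          # /usr/local/bin; this assumes the tarball carries a top-level
          # `kubernetes-split-yaml` binary — confirm against the release layout.
          download_verify_and_unpack https://github.com/mogensen/kubernetes-split-yaml/releases/download/v0.3.0/kubernetes-split-yaml_0.3.0_linux_amd64.tar.gz /usr/local/bin/kubernetes-split-yaml f77587a3eeb602a11affd066512bb8736bb506a22a60640fe2e8a5be4f9b429b

      - name: Prepare pre-scan script
        run: |
          # Quoted delimiter: the script body is written verbatim, with no
          # shell expansion at generation time.
          cat << 'EOF' > /usr/local/bin/render-k8s.sh
          #!/bin/bash
          set -euo pipefail
          # Runs with the repository checkout as the working directory.
          kubecfg show -o yaml examples/guestbook.jsonnet | kubernetes-split-yaml -
          EOF
          chmod +x /usr/local/bin/render-k8s.sh

      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          additional_args: --pre-scan-command "/usr/local/bin/render-k8s.sh"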
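name: BoostSecurity

# `on` is a YAML 1.1 truthy key; GitHub's loader handles it correctly.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize

# Consider a top-level `permissions:` block to narrow the default GITHUB_TOKEN;
# check the scanner action's documentation for the permissions it needs.
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Pin third-party actions to a full commit SHA rather than a mutable
        # tag to harden against tag rewrites.
        uses: actions/checkout@v2

      - name: Install pre-scan dependencies
        run: |
          set -euo pipefail

          # Fetch $1 to $2, verify its SHA-256 against $3 and mark it
          # executable. On any failure the partial download is removed and
          # the function returns non-zero.
          download_and_verify() {
            local url="$1" dest="$2" expected="$3"
            if curl -fsSL "$url" -o "$dest" \
                && echo "$expected  $dest" | shasum -a 256 -c -s - \
                && chmod +x "$dest"; then
              return 0
            fi
            rm -f "$dest"
            return 1
          }

          download_and_verify https://github.com/grafana/tanka/releases/download/v0.18.2/tk-linux-amd64 /usr/local/bin/tk ab71bd5ce4cdd12af5adfe02d5178dbdae61ed693f74537f3e73ec0801ab95f6
          download_and_verify https://github.com/jsonnet-bundler/jsonnet-bundler/releases/download/v0.4.0/jb-linux-amd64 /usr/local/bin/jb 433edab5554a88a0371e11e93080408b225d41c31decf321c02b50d2e44993ce

      - name: Prepare pre-scan script
        run: |
          # Quoted delimiter: the script body is written verbatim, with no
          # shell expansion at generation time.
          cat << 'EOF' > /usr/local/bin/render-k8s.sh
          #!/bin/bash
          # Fail fast so a failed `cd` cannot let the later commands run in
          # the wrong directory.
          set -euo pipefail
          set -x
          cd examples/prom-grafana/
          # `jb install` fetches dependencies from the network at scan time;
          # commit a jsonnetfile.lock.json so the fetched revisions are pinned.
          jb install
          tk export manifests environments/prom-grafana/dev
          EOF
          chmod +x /usr/local/bin/render-k8s.sh

      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          additional_args: --pre-scan-command "/usr/local/bin/render-k8s.sh"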
Circle CI

Add the following to your `.circleci/config.yml`:
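version: 2.1

orbs:
  boost-security-scanner: boostsecurityio/scanner@3.0.0

workflows:
  version: 2
  build:
    jobs:
      - boost-security-scan:
          context: boost-security

jobs:
  boost-security-scan:
    machine:
      docker_layer_caching: true
      image: ubuntu-2004:202107-02
    steps:
      - checkout

      - run:
          name: Install pre-scan dependencies
          command: |
            set -euo pipefail

            # Fetch the tarball $1 into a private temp file, verify its
            # SHA-256 against $3, extract it into the directory of $2 and
            # install the result executable at $2. An optional $4 names the
            # single archive member to extract and rename to $2; when
            # omitted, every member is extracted. The temp file is removed on
            # both success and failure, and a failure at any step returns
            # non-zero.
            download_verify_and_unpack() {
              local url="$1" dest="$2" expected="$3" member="${4:-}"
              local dir tmp
              dir="$(dirname "$dest")"
              tmp="$(mktemp)"
              # ${member:+"$member"} passes no argument at all when $4 is
              # empty, instead of an empty member name that tar would reject.
              if curl -fsSL "$url" -o "$tmp" \
                  && echo "$expected  $tmp" | shasum -a 256 -c -s - \
                  && tar -C "$dir" -xzf "$tmp" ${member:+"$member"} \
                  && { [[ -z "$member" ]] || mv "$dir/$member" "$dest"; } \
                  && chmod +x "$dest"; then
                rm -f "$tmp"
                return 0
              fi
              rm -f "$tmp"
              return 1
            }

            download_verify_and_unpack https://get.helm.sh/helm-v3.7.1-linux-amd64.tar.gz /home/circleci/bin/helm 6cd6cad4b97e10c33c978ff3ac97bb42b68f79766f1d2284cfd62ec04cd177f4 linux-amd64/helm

      - run:
          name: Prepare pre-scan script
          command: |
            # `<<` must not be escaped (`\<<` turns the heredoc into a broken
            # redirection). The quoted delimiter writes the body verbatim.
            cat << 'EOF' > /home/circleci/bin/render-k8s.sh
            #!/bin/bash
            set -euo pipefail
            # Runs with the repository checkout as the working directory.
            helm template charts/hello-world --output-dir ./generated
            EOF
            chmod +x /home/circleci/bin/render-k8s.sh

      - boost-security-scanner/scan:
          cli_additional_args: --pre-scan-command /home/circleci/bin/render-k8s.sh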
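version: 2.1

orbs:
  boost-security-scanner: boostsecurityio/scanner@3.0.0

workflows:
  version: 2
  build:
    jobs:
      - boost-security-scan:
          context: boost-security

jobs:
  boost-security-scan:
    machine:
      docker_layer_caching: true
      image: ubuntu-2004:202107-02
    steps:
      - checkout

      - run:
          name: Install pre-scan dependencies
          command: |
            set -euo pipefail

            # Fetch $1 to $2, verify its SHA-256 against $3 and mark it
            # executable. On any failure the partial download is removed and
            # the function returns non-zero.
            download_and_verify() {
              local url="$1" dest="$2" expected="$3"
              if curl -fsSL "$url" -o "$dest" \
                  && echo "$expected  $dest" | shasum -a 256 -c -s - \
                  && chmod +x "$dest"; then
                return 0
              fi
              rm -f "$dest"
              return 1
            }

            # Fetch the tarball $1 into a private temp file, verify its
            # SHA-256 against $3, extract it into the directory of $2 and
            # install the result executable at $2. An optional $4 names the
            # single archive member to extract and rename to $2; when
            # omitted, every member is extracted. The temp file is removed on
            # both success and failure.
            download_verify_and_unpack() {
              local url="$1" dest="$2" expected="$3" member="${4:-}"
              local dir tmp
              dir="$(dirname "$dest")"
              tmp="$(mktemp)"
              if curl -fsSL "$url" -o "$tmp" \
                  && echo "$expected  $tmp" | shasum -a 256 -c -s - \
                  && tar -C "$dir" -xzf "$tmp" ${member:+"$member"} \
                  && { [[ -z "$member" ]] || mv "$dir/$member" "$dest"; } \
                  && chmod +x "$dest"; then
                rm -f "$tmp"
                return 0
              fi
              rm -f "$tmp"
              return 1
            }

            download_and_verify https://github.com/bitnami/kubecfg/releases/download/v0.22.0/kubecfg-linux-amd64 /home/circleci/bin/kubecfg 198e2f6eb6d86460eea47be4444d986287745b3882026f3f228a1ec0f1453780
            # No member name is given, so every archive entry lands in
            # /home/circleci/bin; this assumes the tarball carries a top-level
            # `kubernetes-split-yaml` binary — confirm against the release layout.
            download_verify_and_unpack https://github.com/mogensen/kubernetes-split-yaml/releases/download/v0.3.0/kubernetes-split-yaml_0.3.0_linux_amd64.tar.gz /home/circleci/bin/kubernetes-split-yaml f77587a3eeb602a11affd066512bb8736bb506a22a60640fe2e8a5be4f9b429b

      - run:
          name: Prepare pre-scan script
          command: |
            # `<<` must not be escaped (`\<<` turns the heredoc into a broken
            # redirection). The quoted delimiter writes the body verbatim.
            cat << 'EOF' > /home/circleci/bin/render-k8s.sh
            #!/bin/bash
            set -euo pipefail
            # Runs with the repository checkout as the working directory.
            kubecfg show -o yaml examples/guestbook.jsonnet | kubernetes-split-yaml -
            EOF
            chmod +x /home/circleci/bin/render-k8s.sh

      - boost-security-scanner/scan:
          cli_additional_args: --pre-scan-command /home/circleci/bin/render-k8s.sh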
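version: 2.1

orbs:
  boost-security-scanner: boostsecurityio/scanner@3.0.0

workflows:
  version: 2
  build:
    jobs:
      - boost-security-scan:
          context: boost-security

jobs:
  boost-security-scan:
    machine:
      docker_layer_caching: true
      image: ubuntu-2004:202107-02
    steps:
      - checkout

      - run:
          name: Install pre-scan dependencies
          command: |
            set -euo pipefail

            # Fetch $1 to $2, verify its SHA-256 against $3 and mark it
            # executable. On any failure the partial download is removed and
            # the function returns non-zero.
            download_and_verify() {
              local url="$1" dest="$2" expected="$3"
              if curl -fsSL "$url" -o "$dest" \
                  && echo "$expected  $dest" | shasum -a 256 -c -s - \
                  && chmod +x "$dest"; then
                return 0
              fi
              rm -f "$dest"
              return 1
            }

            download_and_verify https://github.com/grafana/tanka/releases/download/v0.18.2/tk-linux-amd64 /home/circleci/bin/tk ab71bd5ce4cdd12af5adfe02d5178dbdae61ed693f74537f3e73ec0801ab95f6
            download_and_verify https://github.com/jsonnet-bundler/jsonnet-bundler/releases/download/v0.4.0/jb-linux-amd64 /home/circleci/bin/jb 433edab5554a88a0371e11e93080408b225d41c31decf321c02b50d2e44993ce

      - run:
          name: Prepare pre-scan script
          command: |
            # `<<` must not be escaped (`\<<` turns the heredoc into a broken
            # redirection). The quoted delimiter writes the body verbatim.
            cat << 'EOF' > /home/circleci/bin/render-k8s.sh
            #!/bin/bash
            # Fail fast so a failed `cd` cannot let the later commands run in
            # the wrong directory.
            set -euo pipefail
            cd examples/prom-grafana/
            # `jb install` fetches dependencies from the network at scan time;
            # commit a jsonnetfile.lock.json so the fetched revisions are pinned.
            jb install
            tk export manifests environments/prom-grafana/dev
            EOF
            chmod +x /home/circleci/bin/render-k8s.sh

      - boost-security-scanner/scan:
          cli_additional_args: --pre-scan-command /home/circleci/bin/render-k8s.sh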