Versioning Systems Integrations

Your versioning system is the memory of your DevOps process. This page shows how you can integrate the Crashtest Security Suite scans into it.

Overview

In the past, versioning systems were used for storage, versioning, and managing different development branches. Nowadays, versioning systems are evolving to also include continuous delivery features.

This article therefore shows you how to integrate your versioning tool (such as Bitbucket, GitHub, or GitLab) with our security scans. Before that, we want to discuss best practices in code versioning.

Code Versioning Best Practices

For a great article on "A successful git branching model", please check out this link. Below is the visual representation from Vincent Driessen:

Git branching model from Vincent Driessen

To carry these concepts over to DevSecOps, we recommend that development teams start a security scan for every release, i.e. whenever a pull request is created.

Before we dive into the setup for specific tools, let's look at the webhook functionality the integrations rely on.

Webhook Functionality

The following script starts the scan for your project and polls the scan status periodically. When the scan is finished, the report is downloaded to the file report.xml in JUnit format, so your CI server can display it like test results.

#!/usr/bin/env sh
# POSIX sh: uses [ ] instead of the bash-only [[ ]] and $(...) instead of backticks

# TODO: Set WEBHOOK to the webhook ID (without URL).
# The ID alone is enough to start a scan, so keep it in a CI secret variable
# (here read from CRASHTEST_WEBHOOK, an example name) rather than in the repository.
WEBHOOK="${CRASHTEST_WEBHOOK:-aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}"

API_ENDPOINT="https://api.crashtest.cloud/webhook"

# Start Scan and get scan ID (jq -r strips the JSON quotes; --fail makes curl
# exit non-zero on HTTP errors instead of printing an error page)
SCAN_ID=$(curl --silent --fail -X POST --data "" "$API_ENDPOINT/$WEBHOOK" | jq -r .data.scanId)
if [ -z "$SCAN_ID" ] || [ "$SCAN_ID" = "null" ]; then
   echo "Could not start scan for webhook $WEBHOOK." >&2
   exit 1
fi
echo "Started Scan for Webhook $WEBHOOK. Scan ID is $SCAN_ID."

# Refresh Scan status while the code is 101 (Running) or lower
STATUS="100"
while [ "$STATUS" -le 101 ]
do
   echo "Scan Status currently is $STATUS (101 = Running)"

   # Only poll every minute
   sleep 60

   # Refresh status; abort instead of looping forever on an empty answer
   STATUS=$(curl --silent --fail "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/status" | jq -r .data.status.code)
   if [ -z "$STATUS" ] || [ "$STATUS" = "null" ]; then
      echo "Could not read status of scan $SCAN_ID." >&2
      exit 1
   fi
done

echo "Scan finished with status $STATUS."

# Download Report (JUnit XML)
curl --silent --fail "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/report/junit" -o report.xml
echo "Downloaded Report to report.xml"

For other webhook functionalities (e.g. configuring authentication), please see this article.
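Downloading report.xml is only useful if the pipeline acts on it. The following is an added example, not part of the Crashtest Security documentation: a small POSIX sh gate that counts failed checks in the downloaded JUnit file and returns a non-zero status so the CI job fails. It assumes the report follows the common JUnit layout, where each failed check is a <failure> element and each broken check an <error> element; the page does not show the report's exact structure, so verify this against a real report before relying on it. The two sample reports are constructed inline for a stand-alone run and are not real scan output.

```shell
#!/usr/bin/env sh
# Added example, not part of the Crashtest Security documentation: turn the
# downloaded report.xml into a pass/fail decision for the pipeline.
# Assumption: standard JUnit layout (<failure> / <error> elements per failed check).

# Count <failure> and <error> elements in a JUnit XML file and print the total.
# Returns 2 if the file cannot be read.
junit_problem_count() {
    file="$1"
    [ -r "$file" ] || return 2
    # grep -o prints one line per match, so two elements on one line count as two.
    failures=$(grep -o '<failure' "$file" | wc -l)
    errors=$(grep -o '<error' "$file" | wc -l)
    echo $((failures + errors))
}

# Return 0 when the report is clean, 1 when it has findings and 2 when the
# report is missing, so that a failed download can never pass silently.
gate_on_junit() {
    file="$1"
    count=$(junit_problem_count "$file") || return 2
    if [ "$count" -gt 0 ]; then
        echo "Security scan reported $count finding(s); failing the build." >&2
        return 1
    fi
    echo "Security scan reported no findings."
}

# Constructed sample reports for a stand-alone run; they are not real scan output.
SAMPLE_DIR="${TMPDIR:-/tmp}/crashtest-junit-example"
write_samples() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_DIR/clean.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<testsuite name="Crashtest Security Scan" tests="2" failures="0" errors="0">
  <testcase classname="scan" name="TLS configuration"/>
  <testcase classname="scan" name="HTTP security headers"/>
</testsuite>
EOF
    cat > "$SAMPLE_DIR/findings.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<testsuite name="Crashtest Security Scan" tests="2" failures="1" errors="0">
  <testcase classname="scan" name="TLS configuration"/>
  <testcase classname="scan" name="HTTP security headers">
    <failure message="Missing Content-Security-Policy header"/>
  </testcase>
</testsuite>
EOF
}

write_samples
gate_on_junit "$SAMPLE_DIR/clean.xml"
gate_on_junit "$SAMPLE_DIR/findings.xml" || echo "gate exit status $? (1 = findings)"
```

In a pipeline you would call gate_on_junit report.xml as the last command after the webhook script; the distinct exit status for a missing file matters because a failed download otherwise looks exactly like a clean scan.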

So, how can you apply this to your existing versioning system?

Bitbucket

Bitbucket is a code versioning tool sold by Atlassian.

It also offers Bitbucket Pipelines to enable continuous delivery of software projects. Please have a look at the Bitbucket documentation on how to trigger webhooks from a pipeline. Below is a very simple example of a pipeline. To call the Crashtest Security webhook, enter the script from the webhook section below the "script" line.

pipelines:
  default:
    - step:
        script:
          - echo 'I made a pipeline!'

If you need any help scripting your specific pipeline, please contact us.

GitLab

GitLab is a web-based DevOps lifecycle tool developed by GitLab Inc. under an open-source license. It provides a Git repository manager with wiki, issue-tracking, and CI/CD pipeline features.

GitLab also offers GitLab CI to enable continuous integration and deployment of software projects. Please have a look at the GitLab documentation on how to configure pipelines (or check out their examples).

You can use the script described in the webhook section to call the Crashtest Security webhook from a job in your .gitlab-ci.yml.
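As an added example, not from the Crashtest Security or GitLab documentation, here is a .gitlab-ci.yml job that runs the webhook script in merge request pipelines and hands the downloaded JUnit file to GitLab's test report integration. It assumes the script is committed as ci/crashtest-scan.sh and that the webhook ID is stored in a masked CI/CD variable named CRASHTEST_WEBHOOK; both names are this example's own choice.

```yaml
# Added example (not from the Crashtest Security docs): .gitlab-ci.yml
# Assumes ci/crashtest-scan.sh (the webhook script) and a masked CI/CD
# variable CRASHTEST_WEBHOOK holding the webhook ID (both names are examples).
stages:
  - security

crashtest-scan:
  stage: security
  image: alpine:3
  rules:
    # run for merge request pipelines only, i.e. once per proposed release
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  before_script:
    - apk add --no-cache curl jq
  script:
    - sh ci/crashtest-scan.sh
  artifacts:
    # keep the report even when the job fails, and let GitLab render it
    when: always
    reports:
      junit: report.xml
    paths:
      - report.xml
```

With reports.junit set, findings show up in the merge request widget next to the unit test results, which is where reviewers already look before merging.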

If you need any help scripting your specific pipeline, please contact us.

GitHub

GitHub is one of the most well-known and widely adopted versioning tools.

GitHub currently offers a closed beta of its native continuous delivery capability (GitHub Actions). However, as the functionality might be limited in the first release, some articles suggest using more powerful CI/CD toolchains, such as Jenkins or CircleCI, for script-intensive tasks.

If you are using GitHub and want to start a scan automatically for every pull request, just reach out to us so that we can support you with the implementation, depending on which other tools you use.