CircleCI Security Tool Integration

Connecting Uleska to CircleCI CI/CD Pipelines


Adding Uleska security testing into your CircleCI pipelines is easy with the following steps.


Step 1: Choose which projects to test

First of all, choose a project in your Uleska account to automate testing for.  This can be hooked to your current projects, or tied to a few sandbox repos while you're trying things out (see our page on sandbox testing, which you can quickly set up).

Choose your application and version with the relevant GIT repo, container image:tag, or dynamic URL, and the set of testing tools you want to run.

Then grab an authentication token for your account.  Copy this token and we'll use it in step 2.


Step 2: Add the Uleska CLI to your CircleCI pipeline YAML


First of all, add the Uleska auth token to your CircleCI secret environment variables, as described in the CircleCI documentation.  In the steps below we've used the variable name 'MY_ULESKA_TOKEN' to retrieve this auth token in the pipeline YAML.

From Step 1 you will have one or more applications and projects; now we can reference these to be tested.  Go to the Uleska UI and grab the application and version name you are using (note these can also be retrieved via our API and CLI):


Depending on the toolkit (and version) of security testing tools you want to run, you can now add the Uleska template call into your project YAML files to specify where and when to run security testing:

# Use the latest 2.1 version of CircleCI pipeline process engine. See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1

jobs:
  # This is the sample initial code build job
  code_build:
    docker:
      - image: circleci/python:3.7

    steps:
      # Step: Pretend to build something
      - run:
          name: building something
          command: |
            echo "Building something..."
  code_test:
    docker:
      - image: circleci/python:3.7
    steps:
      # Step: Now that code has successfully built, run SAST and SCA security tests
      - run:
          name: run Uleska SAST & SCA testing
          command: |
            python3 -m pip install requests uleska-automate
            uleska-automate --uleska_host https://uleska-live-one.uleska.com/ --application_name 'my_app_name' --version_name 'my_static_testing' --token $MY_ULESKA_TOKEN --test_and_compare --fail_if_issue_risk_over 2000000


  # This is the sample container build job
  container_build:
    docker:
      - image: circleci/python:3.7

    steps:
      # Step: Pretend to build something
      - run:
          name: building some containers
          command: |
            echo "Building some containers..."
  container_test:
    docker:
      - image: circleci/python:3.7
    steps:
      # Step: Now that the container is built, run Container security tests
      - run:
          name: run Uleska Container testing
          command: |
            python3 -m pip install requests uleska-automate
            uleska-automate --uleska_host https://uleska-live-one.uleska.com/ --application_name 'my_app_name' --version_name 'my_containers' --token $MY_ULESKA_TOKEN --test_and_compare --fail_if_issue_risk_over 2000000

  # This is the sample deployment job
  staging:
    docker:
      - image: circleci/python:3.7

    steps:
      # Step: Pretend to deploy something
      - run:
          name: deploying something
          command: |
            echo "Deploying something..."
  staging_test:
    docker:
      - image: circleci/python:3.7
    steps:
      # Step: Now that the build is deployed to staging, run DAST and Cloud security tests
      - run:
          name: run Uleska DAST and Cloud testing
          command: |
            python3 -m pip install requests uleska-automate
            uleska-automate --uleska_host https://uleska-live-one.uleska.com/ --application_name 'my_app_name' --version_name 'my_dynamic_testing' --token $MY_ULESKA_TOKEN --test_and_results --fail_if_issue_risk_over 2000000


workflows:
  code_build_and_test:
    jobs:
      - code_build
      - code_test:
          requires:
            - code_build
      - container_build:
          requires:
            - code_test
      - container_test:
          requires:
            - container_build
      - staging:
          requires:
            - container_test
      - staging_test:
          requires:
            - staging


The Uleska CLI runs on Python 3, and this template lets us specify how our pipelines are going to run security testing.  In this example the scan type 'test_and_compare' runs the suite of security tools in the toolkit and highlights differences from the last scan (new issues or fixed issues).  See the CLI documentation for more details.

Note that this template runs testing against the existing configuration.  If you want to use the Uleska CLI to dynamically update your repos, URLs, etc., based on what's running through the pipeline, you can modify this template.

For example, you'd likely run source code security testing tools (SAST) after the source code has compiled, or container security tools after the Dockerfile or image has been updated.  Your dynamic testing would be in staging, and Cloud/Infrastructure testing at deployment.


Step 3: See all the results of all your tests in CircleCI (in one place)


Now when you run your pipelines, the security testing suite set up in Uleska is run every time, and the results are compared with the last scan, or reported overall, all within your CircleCI output:


This not only gives you great visibility of the existing and new issues being returned by the security tools (well, the ones that haven't been marked as duplicates or false positives within Uleska), but you also get automated control over the release go/no-go decision that goes well beyond simple HIGH/MEDIUM/LOW.

Here you can see the new issues found in this latest scan run, and that the build was stopped because one of the new issues was too high a risk.  Remember that all of these issues can be seen and triaged in the Uleska Platform.
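To make the 'test_and_compare' behaviour from Step 2 and the go/no-go gate described here concrete, below is an added illustrative re-creation of that logic; it is not the Uleska CLI's own code, and the issue fields, the identity used to match issues across scans, and the sample scans are all constructed for the example.

```python
# Illustrative 'test and compare' gate, NOT the Uleska CLI's own code: diff the
# current scan against the previous one, list new/fixed issues and stop the
# build if any NEW issue's risk exceeds a threshold (the role the article gives
# --fail_if_issue_risk_over). Issue fields, identity and data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    tool: str      # security tool that reported it
    rule: str      # tool-specific rule or check id
    location: str  # file:line, image layer, URL, ...
    risk: int      # risk value in the same units as the CLI threshold

    def key(self):
        # Match issues across scans by what/where, not by risk, so a
        # re-scored existing issue is not mistaken for a new one.
        return (self.tool, self.rule, self.location)


def compare_scans(previous, current):
    """Return (new, fixed, unchanged) issue lists matched on key()."""
    prev = {i.key(): i for i in previous}
    curr = {i.key(): i for i in current}
    new = [curr[k] for k in curr.keys() - prev.keys()]
    fixed = [prev[k] for k in prev.keys() - curr.keys()]
    unchanged = [curr[k] for k in curr.keys() & prev.keys()]
    return new, fixed, unchanged


def release_gate(previous, current, fail_if_issue_risk_over):
    """True = release may proceed; False = stop the build (non-zero exit)."""
    new, fixed, unchanged = compare_scans(previous, current)
    for i in sorted(new, key=lambda x: x.risk, reverse=True):
        print(f"NEW   risk={i.risk:>9} {i.tool}/{i.rule} @ {i.location}")
    for i in fixed:
        print(f"FIXED risk={i.risk:>9} {i.tool}/{i.rule} @ {i.location}")
    # Only NEW issues can block: a known issue above the threshold is
    # already being triaged in the platform and does not fail the build.
    blockers = [i for i in new if i.risk > fail_if_issue_risk_over]
    print(f"{len(new)} new, {len(fixed)} fixed, {len(unchanged)} unchanged, "
          f"{len(blockers)} new issue(s) over {fail_if_issue_risk_over}")
    return not blockers


# Constructed sample scans, not real tool output.
PREVIOUS = [Issue("sast", "sql-injection", "app/db.py:42", 3_500_000),
            Issue("sca", "vulnerable-dependency", "somelib==1.2.3", 900_000)]
CURRENT = [Issue("sast", "sql-injection", "app/db.py:42", 3_500_000),  # known
           Issue("sast", "hardcoded-secret", "app/settings.py:7", 2_400_000)]

if __name__ == "__main__":
    raise SystemExit(0 if release_gate(PREVIOUS, CURRENT, 2_000_000) else 1)
```

Run as written, the known 3.5M sql-injection issue does not block, but the new 2.4M hardcoded-secret issue exceeds the 2,000,000 threshold, so the gate fails the job with exit code 1, mirroring the stopped build shown in the CircleCI output.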


Step 4: Change your security testing without affecting your CI/CD pipeline YAML


Now that you have the Uleska CLI hooked into your project YAML, that's all you will need to change in your YAML files.  If you want to change or add new security tools, modify profiles, etc., you can do that all from within the Uleska UI, giving you more flexibility around security testing without constantly needing to update CI/CD code.

Note that Uleska are looking forward to creating a CircleCI Orb just as soon as we can get to it.