Versioning systems integrations
Your versioning system is the memory of your DevOps process. Read here how you can easily integrate the Crashtest Security Suite scans.
Overview
In the past, versioning systems stored and managed different development branches. Nowadays, versioning systems are also evolving to include continuous delivery features.
Therefore, you can integrate your versioning tool (such as Bitbucket, GitHub, or GitLab) with the security scans.
Code Versioning Best Practices
For detailed information, see A successful Git branching model. Below is the visual representation from Vincent Driessen:
To extend these concepts to DevSecOps, your development teams should start a security scan for every release, i.e. whenever a pull request is created.
Webhook Functionality
The following script will start the scan for your project and periodically poll the status of the scan. When the scan is finished, the report will be downloaded to the file report.xml.
#!/usr/bin/env sh
# TODO: Set WEBHOOK to webhook ID (without URL)
WEBHOOK="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
API_ENDPOINT="https://api.crashtest.cloud/webhook"
# Start Scan and get scan ID (jq -r strips the JSON quoting; --fail stops error pages from being parsed)
SCAN_ID=$(curl --silent --fail -X POST --data "" "$API_ENDPOINT/$WEBHOOK" | jq -r .data.scanId)
echo "Started Scan for Webhook $WEBHOOK. Scan ID is $SCAN_ID."
# Refresh Scan status (status codes up to 101 mean the scan is still in progress)
STATUS="100"
while [ "$STATUS" -le 101 ]
do
    echo "Scan Status currently is $STATUS (101 = Running)"
    # Only poll every minute
    sleep 60
    # Refresh status
    STATUS=$(curl --silent --fail "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/status" | jq -r .data.status.code)
done
echo "Scan finished with status $STATUS."
# Download Report
curl --silent --fail "$API_ENDPOINT/$WEBHOOK/scans/$SCAN_ID/report/junit" -o report.xml
echo "Downloaded Report to report.xml"
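The same webhook flow as a pipeline gate, written as an added example (not Crashtest Security's or Veracode's own code): the poll loop is bounded so a stuck scan fails the job instead of hanging the runner, the webhook ID comes from a CI secret variable instead of the script, and the JUnit report is parsed so that any reported failure makes the job exit non-zero and blocks the pull request. It assumes, as the script above does, that status codes up to 101 mean "still in progress", and that the JUnit report records each finding as a <failure> inside a <testcase>.

```python
"""Added example (not Crashtest Security's or Veracode's code): the page's webhook
flow with a bounded poll loop, plus a gate that fails the CI job when the JUnit
report contains failures. Assumes status codes <= 101 mean "still in progress"."""
import json
import os
import sys
import time
import urllib.request
import xml.etree.ElementTree as ET

API_ENDPOINT = "https://api.crashtest.cloud/webhook"

def http(method, url, timeout=30):
    """Default transport: return the response body; POST sends an empty body like the page's curl call."""
    req = urllib.request.Request(url, data=b"" if method == "POST" else None, method=method)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def run_scan(webhook, transport=http, max_polls=120, poll_seconds=60):
    """Start a scan and poll until it leaves the queued/running states (code > 101).
    Returns (final_status_code, junit_report_bytes); raises TimeoutError after max_polls
    so a stuck scan fails the pipeline instead of hanging the runner indefinitely."""
    base = f"{API_ENDPOINT}/{webhook}"
    scan_id = json.loads(transport("POST", base))["data"]["scanId"]
    for _ in range(max_polls):
        status = json.loads(transport("GET", f"{base}/scans/{scan_id}/status"))
        code = status["data"]["status"]["code"]
        if code > 101:
            return code, transport("GET", f"{base}/scans/{scan_id}/report/junit")
        time.sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")

def count_failures(junit_xml):
    """Count <testcase> elements that carry a <failure>, i.e. findings in the report."""
    root = ET.fromstring(junit_xml)
    return sum(1 for tc in root.iter("testcase") if tc.find("failure") is not None)

def main():
    # Read the webhook ID from a CI secret variable (assumed name) rather than hard-coding it.
    code, report = run_scan(os.environ["CRASHTEST_WEBHOOK"])
    with open("report.xml", "wb") as fh:
        fh.write(report)
    failures = count_failures(report)
    print(f"Scan finished with status {code}; {failures} failed checks in report.xml")
    return 1 if failures else 0  # non-zero exit makes the pipeline (and the PR check) fail

if __name__ == "__main__":
    sys.exit(main())
```

Set CRASHTEST_WEBHOOK as a masked pipeline variable in Bitbucket, GitLab or GitHub and run the script as the step that the pull-request check depends on.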
So, how can you apply that to your existing versioning systems?
Bitbucket
Bitbucket is a code versioning tool sold by Atlassian.
It also offers pipelines to enable the continuous delivery of software projects. See the Bitbucket documentation on how to trigger webhooks. Below you see a straightforward example of a pipeline. You can use the script described in the webhook section to call the Crashtest Security webhook and enter it below the "script" line.
pipelines:
  default:
    - step:
        script:
          - echo 'I made a pipeline!'
If you need any help scripting your specific pipeline, contact Veracode Technical Support.
GitLab
GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager with wiki, issue-tracking, and CI/CD pipeline features; it is developed by GitLab Inc. under an open-source license.
GitLab also offers GitLab CI to enable continuous integration and deployment of software projects. See the GitLab documentation on configuring pipelines or their examples.
You can use the script described in the webhook section to call the Crashtest Security webhook.
If you need any help scripting your specific pipeline, contact Veracode Technical Support.
GitHub
GitHub is one of the most well-known and widely adopted versioning tools.
GitHub currently offers a closed beta for its native continuous delivery capability (GitHub Actions). However, as the functionality might be limited in the first release, some articles suggest using the more powerful CI/CD toolchains, such as Jenkins or CircleCI, for more script-intensive tasks.
If you are using GitHub and want to start a scan for every pull request automatically, contact Veracode Technical Support. Support can help you with the implementation, depending on what other tools you are using.