Overview
In the cloud-native world, API security is an important concern, as most microservices are exposed externally to users and to other internal services via APIs. Traceable AST complements the API Catalog by using the DNA to build intelligently targeted scans that detect vulnerabilities at the API layer. It also helps close the loop on exploits found in production by running security scans in pre-prod environments, and it finds vulnerabilities in the early stages of the SDLC, giving developers and product security engineers more time and context to prioritize mitigation and build secure APIs.
Traceable's CI/CD integrations can be used to continuously test your software builds for active vulnerabilities and produce comprehensive reports that help you decide whether a build should pass or fail based on the new or existing vulnerabilities exposed by the new code. The integration runs AST scans on defined pre-hooks and maps the scan results, which include a list of vulnerabilities with severities based on CVSS and CWE scores, to help categorize issues correctly and give a comprehensive understanding of the risk added by the code in the relevant builds.
What do Traceable xAST CI/CD integrations provide?
- Extensive security testing coverage for microservices and APIs.
- Generates tests from live functional traffic for targeted security testing based on actual payloads.
- Insertion into DevSecOps with scan initiation and vulnerability management from scan findings.
- Inserts security seamlessly into existing functional tests in the same pipeline with full automation.
- Risk-based prioritization using asset inventory, threat intel, and predictive modeling.
- Makes a decision around passing or failing the build based on the security issues introduced in it.
This guide explains how to configure and use the Traceable xAST CI/CD integrations to run the scan during the build step and view the scan summary report. Currently, we support two integrations: Jenkins and GitHub Actions.
Jenkins
Link to the repository: Traceableai/traceable-xast-jenkins-plugin
Prerequisite
Make sure you have a Jenkins setup and have permission to add and manage new plugins.
Integrating Traceable xAST with Jenkins
Install plugin
Note: Currently, the Traceable xAST Jenkins plugin is not publicly available, so you have to use the pre-built plugins provided by the Traceable team.
- Open the Jenkins dashboard and click on Manage Jenkins in the left pane.
- From the System Configuration menu, select the Manage Plugins option.
- Go to the Advanced tab and navigate to the Deploy Plugin option.
- Click on Choose File, select the traceable-xast.hpi file provided by the Traceable team, and click on Deploy.
Using a plugin to run Traceable xAST with Jenkins
- In the Jenkins portal, click on New Item in the left side panel.
- Enter a name that will help you identify the job containing Traceable xAST and select Freestyle Project. You can also add this as a build step in an existing Freestyle job.
- Once you click OK, you will be taken to a configuration screen. Select the source code management of your choice.
- Add the build triggers of your choice and then select Traceable AST as the build step. Also select a post-build action as required.
- Once this is done, add all the necessary xAST settings in the build configuration, which include Scan Name, Test Environment, Client Token, CLI Binary Location, Plugins, and the include and exclude URL regexes.
- Once you are done with all the configurations, click Save and Apply, and you are ready.
- The job will now be triggered whenever the build trigger condition is satisfied.
Reports
- Open the Freestyle job in which you are running Traceable xAST.
- In the list of builds in the build menu, select the build you want to see the report for.
- Click on the Traceable AST report in the left pane. Here's the example report.
GitHub actions
Link to the repository: Traceableai/ast-action
Prerequisite
- Make sure you have an active account and repository on GitHub.
- A basic understanding of GitHub Actions and workflows.
Integrating Traceable xAST with GitHub workflows using GitHub actions
Find your action
- All the GitHub Actions by TraceableAI currently reside in this repository: Traceableai/ast-action
- We are planning to release them in the GitHub Marketplace by the end of September, which will make them easier to access and use. Please reach out to your point of contact at Traceable or your assigned SE about early access.
- The Traceable AST action is available here: https://github.com/Traceableai/traceable-github-actions/blob/main/traceable-ast/action.yml
Understanding the inputs
| Input | Description |
| --- | --- |
| step_name | Scan action: init / run / init and run / stop. |
| scan_name | Name of the scan. |
| client_scan_token | Access token from the platform. |
| cli_version | Version of the CLI you want to use for AST. The current one is 1.0.0-rc.3. |
| traffic_env | Environment from which AST should observe traffic. |
| plugins | List of plugins you want to run the AST scan for. |
| include_url_regex | Include URL patterns to test. |
| exclude_url_regex | Exclude URL patterns from the scan. |
| target_url | Target URL for the tests. |
| traceable_server | URL of the Traceable server; not applicable for SaaS customers. |
| idle_timeout | Timeout for a scan once it goes into the IDLE state. |
| scan_timeout | Overall scan timeout. |
| reference_env | Reference environment from which AST should pick up the API specs. |
| max_retries | Maximum retries for the scan after a failure. |
Sample GitHub actions workflow
- Here is a sample GitHub Actions workflow that shows how you can configure the AST GitHub action.
name: Test Traceable AST Init Action And Traceable AST Run Action
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  AstScan:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Init scan action
        # Action reference in owner/repo/path@ref form, taken from the action link above
        uses: Traceableai/traceable-github-actions/traceable-ast@main
        with:
          step_name: 'init'
          client_scan_token: ${{ secrets.CLIENT_SCAN_TOKEN }}
          traffic_env: 'crapi-demo-1'
          traceable_server: ${{ secrets.TRACEABLE_SERVER }}
      - name: Run a loop as functional test (This is a sample)
        run: |
          for ((i=1;i<=100;i++)); do
            echo $i
          done
      - name: Run scan action
        uses: Traceableai/traceable-github-actions/traceable-ast@main
        with:
          step_name: 'run'
          client_scan_token: ${{ secrets.CLIENT_SCAN_TOKEN }}
          traffic_env: 'crapi-demo-1'
          cli_version: '1.0.0-rc.3'
- As you can see in the workflow above, we initiate the scan with the init scan action step, which takes client_scan_token, traffic_env, and traceable_server as input.
- In the next step, we execute the functional tests, and in the step after that we run the scan, which takes client_scan_token, traffic_env, and cli_version as input.
Triggers
GitHub workflows support a wide range of triggers, and you can read about them here: Events that trigger workflows - GitHub Docs
Report
Here is what the AST sample report looks like once the scan is executed. It shows all the details around the vulnerability category, subcategory, and severity.
You can find the report in a summary section like this:
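The page says the scan report (category, subcategory, severity per finding) is what a pipeline uses to decide whether a build passes or fails based on new or existing vulnerabilities. The following is an added example of such a build gate; it is not Traceable's code, and the JSON report shape, the field names, the SAMPLE_REPORT and BASELINE data, and the severity ranking are all constructed assumptions for illustration. It separates findings that are new in this build from ones already tracked in a baseline, then blocks the build only on new findings at or above a chosen severity (optionally on existing ones too).

```python
import json
import sys
from collections import Counter

# Constructed sample report. The real xAST report format is not shown on the
# page; this shape (category / subcategory / severity per finding) is assumed.
SAMPLE_REPORT = json.dumps({
    "scan_name": "checkout-service-build-42",
    "findings": [
        {"id": "f-001", "category": "Injection", "subcategory": "SQL Injection",
         "severity": "CRITICAL", "endpoint": "POST /api/v1/orders"},
        {"id": "f-002", "category": "Broken Authentication", "subcategory": "Missing Auth",
         "severity": "HIGH", "endpoint": "GET /api/v1/admin/users"},
        {"id": "f-003", "category": "Security Misconfiguration", "subcategory": "Verbose Errors",
         "severity": "LOW", "endpoint": "GET /api/v1/health"},
    ],
})

# Constructed baseline: findings already known and tracked from earlier builds.
BASELINE = [
    {"category": "Broken Authentication", "subcategory": "Missing Auth",
     "severity": "HIGH", "endpoint": "GET /api/v1/admin/users"},
]

# Assumed ordering so a threshold like "HIGH" also catches CRITICAL.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_findings(report_json):
    """Extract the findings list from a report document."""
    return json.loads(report_json)["findings"]


def finding_key(finding):
    """Stable identity for a finding, so a known issue is not re-flagged as new
    on every build just because the scan assigns a fresh id."""
    return (finding["category"], finding["subcategory"], finding["endpoint"])


def split_new_existing(findings, baseline):
    """Partition findings into those absent from the baseline (new) and the rest."""
    known = {finding_key(b) for b in baseline}
    new = [f for f in findings if finding_key(f) not in known]
    existing = [f for f in findings if finding_key(f) in known]
    return new, existing


def summarize(findings):
    """Counts by severity and by category, for the build log."""
    return {
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "by_category": dict(Counter(f["category"] for f in findings)),
    }


def gate(findings, baseline, fail_on="HIGH", fail_on_existing=False):
    """Decide pass/fail. New findings at or above fail_on always block; existing
    (baselined) ones block only when fail_on_existing is set."""
    threshold = SEVERITY_RANK[fail_on]
    new, existing = split_new_existing(findings, baseline)
    blocking = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    if fail_on_existing:
        blocking += [f for f in existing if SEVERITY_RANK[f["severity"]] >= threshold]
    return {
        "passed": not blocking,
        "blocking": blocking,
        "new": new,
        "existing": existing,
        "summary": summarize(findings),
    }


def main():
    result = gate(parse_findings(SAMPLE_REPORT), BASELINE, fail_on="HIGH")
    print(json.dumps(result["summary"], indent=2))
    for f in result["blocking"]:
        print(f"BLOCKING {f['severity']} {f['category']}/{f['subcategory']} at {f['endpoint']}")
    # Non-zero exit fails the pipeline step that runs this script.
    sys.exit(0 if result["passed"] else 1)


if __name__ == "__main__":
    main()
```

With the constructed data, the SQL injection finding is new and CRITICAL, so the gate fails the build; the baselined missing-auth finding is reported but does not block unless fail_on_existing is set. Keying findings on category, subcategory and endpoint rather than on the scan-assigned id is what makes "new versus existing" meaningful across builds.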