Articles on: Integrations (Pentest)

How to start a pentest from your CI/CD pipeline

To test vulnerabilities in your application, you can start an automated or manual pentest from within your CI/CDs pipeline. Astra provides integrations with the following platforms:

GitHub
GitLab
Jenkins
Bitbucket
Azure
CircleCI

If you use a a different CI/CD tool, you can refer to the generic steps for starting audits via a simple API call via curl

To get started with an integration:

Login to your Astra Dashboard
Navigate to the Pentest menu item, and open the project you want to audit from your CI/CD
Go to the Integrations, and click on the icon of the CI/CD tool you use
Activate the Integration, and follow the steps on the screen (or below)



GitHub



Select GitHub app
Choose the mode for the audit - Automated or Manual
Sign in to your GitHub account and open the repository for the chosen project
Go to Settings, select secrets and click on New repository secret
Set name as ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and set the value as the token you copied from the dashboard
Add a new step in your YAML file. We recommend to add this after the deploy step:

- shell: bash
  name: Run an Astra Pentest
  env:
    ASTRA_ACCESS_TOKEN: ${{ secrets.ASTRA_ACCESS_TOKEN }}
    ASTRA_PROJECT_ID: COPY-FROM-DASHBOARD
    ASTRA_AUDIT_MODE: automated
  run: |
    wget -O - https://git.io/JSHtC | bash


Gitlab



Select the GitLab app
Choose the mode for the audit - Automated or Manual
Sign in to your GitLab account and open the repository for the chosen Astra project
Go to Settings & choose CI/CD from the left navigation bar
Go to Variables, click on Expand and click on Add variable
Set ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and ASTRA_PROJECT_ID = <can be copied from dashboard> variables, uncheck Mask Variable & Protect variable both
Add the following step in your YAML file
pentest-job:
  stage: .post
  variables:
    ASTRA_AUDIT_MODE: automated
  script:
    - wget -O - https://git.io/JSHtC | bash


Jenkins



Select the Jenkins app
Choose the mode for the audit - Automated or Manual
Add the following variables and stages to the Jenkins file of your repository (replace the values in ASTRA_PROJECT_ID and ASTRA_ACCESS_TOKEN as seen in the dashboard):

pipeline {
  agent any
  environment {
    ASTRA_PROJECT_ID = 'redacted'
    ASTRA_ACCESS_TOKEN = 'redacted'
    ASTRA_AUDIT_MODE = 'automated'
  }
  stages {
    stage('build') {
      steps {
        sh 'wget -O - https://git.io/JSHtC | bash'
      }
    }
}
}


BitBucket



Select the BitBucket app
Choose the mode for the audit - Automated or Manual
Sign in to your Bitbucket account
Click on Repositories and open the repository for the chosen project
Click on Repository settings. Then, scroll down in the left navbar till Pipelines & click on Repository variables
Add ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and ASTRA_PROJECT_ID = <can be copied from dashboard> variables, uncheck Secured for both
Add a new step in the pipeline YAML file. We recommend to add this after the deploy stage.

- step:
    name: 'Astra Pentest Job'
    script:
      - export ASTRA_AUDIT_MODE="automated"
      - wget -O - https://git.io/JSHtC | bash


Azure



Select the Azure app
Choose the mode for the audit - Automated or Manual
Go to https://dev.azure.com and sign in to your account
Choose your organization and choose your project from the Projects tab
Click on Pipelines in the left navbar, and click on the pipeline for which you want to set up the pentest. Then Click on Edit
In the pipeline YAML page, click on Variables
Add ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and ASTRA_PROJECT_ID = <can be copied from dashboard> variables, do not select Keep this value secret
Add a new step in the pipeline YAML file. We recommend to add this after the deploy stage.

variables:
  ASTRA_AUDIT_MODE: "automated"
steps:
  - script: |
      wget -O - https://git.io/JSHtC | bash
    displayName: 'Run an Astra Pentest'


CircleCI



Select the CircleCI app
Choose the mode for the audit - Automated or Manual
Sign in to your CircleCI account and open the repository for the chosen Astra project
Add the environment variables to the CircleCI project, as provided in the Astra dashboard.
Click on Mechanical Wheel Icon
Navigate to Environment Variables and click on Add Variable
Ensure the variable names are named as follows : ASTRA_ACCESS_TOKEN, ASTRA_PROJECT_ID (values can be copied from the dashboard)
Configure your config.yml in .circleci folder as follows:
Add the following snippet to jobs: section

astra-pentest-trigger:
    machine:
      image: ubuntu-2004:202008-01
    environment:
      ASTRA_AUDIT_MODE: automated
    steps:
        - run:
            command: wget -O - https://git.io/JSHtC | bash

Add the astra-pentest-trigger line to jobs: of workflow: section

Example:
workflows:
    version: x
    workflow-name:
        jobs:
            - job 1
            - job 2
            - astra-pentest-trigger

Updated on: 31/10/2022

Was this article helpful?

Share your feedback

Cancel

Thank you!