How to start a pentest from your CI/CD pipeline
To test vulnerabilities in your application, you can start an automated or manual pentest from within your CI/CDs pipeline. Astra provides integrations with the following platforms:
GitHub
GitLab
Jenkins
Bitbucket
Azure
CircleCI
If you use a a different CI/CD tool, you can refer to the generic steps for starting audits via a simple API call via curl
You can configure your CI/CD pipeline to fail if high severity vulnerabilities are found
To get started with an integration:
Login to your Astra Dashboard
Navigate to the Pentest menu item, and open the project you want to audit from your CI/CD
Go to the Integrations, and click on the icon of the CI/CD tool you use
Activate the Integration, and follow the steps on the screen (or below)
Select GitHub app
Choose the mode for the audit - Automated or Manual
Sign in to your GitHub account and open the repository for the chosen project
Go to Settings, select secrets and click on New repository secret
Set name as ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and set the value as the token you copied from the dashboard
Add a new step in your YAML file. We recommend to add this after the deploy step:
Select the GitLab app
Choose the mode for the audit - Automated or Manual
Sign in to your GitLab account and open the repository for the chosen Astra project
Go to Settings & choose CI/CD from the left navigation bar
Go to Variables, click on Expand and click on Add variable
Set ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and ASTRA_PROJECT_ID = <can be copied from dashboard> variables, uncheck Mask Variable & Protect variable both
Add the following step in your YAML file
Select the Jenkins app
Choose the mode for the audit - Automated or Manual
Add the following variables and stages to the Jenkins file of your repository (replace the values in ASTRA_PROJECT_ID and ASTRA_ACCESS_TOKEN as seen in the dashboard):
Select the BitBucket app
Choose the mode for the audit - Automated or Manual
Sign in to your Bitbucket account
Click on Repositories and open the repository for the chosen project
Click on Repository settings. Then, scroll down in the left navbar till Pipelines & click on Repository variables
Add ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and ASTRA_PROJECT_ID = <can be copied from dashboard> variables, uncheck Secured for both
Add a new step in the pipeline YAML file. We recommend to add this after the deploy stage.
Select the Azure app
Choose the mode for the audit - Automated or Manual
Go to https://dev.azure.com and sign in to your account
Choose your organization and choose your project from the Projects tab
Click on Pipelines in the left navbar, and click on the pipeline for which you want to set up the pentest. Then Click on Edit
In the pipeline YAML page, click on Variables
Add ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and ASTRA_PROJECT_ID = <can be copied from dashboard> variables, do not select Keep this value secret
Add a new step in the pipeline YAML file. We recommend to add this after the deploy stage.
Select the CircleCI app
Choose the mode for the audit - Automated or Manual
Sign in to your CircleCI account and open the repository for the chosen Astra project
Add the environment variables to the CircleCI project, as provided in the Astra dashboard.
Click on Mechanical Wheel Icon
Navigate to Environment Variables and click on Add Variable
Ensure the variable names are named as follows : ASTRA_ACCESS_TOKEN, ASTRA_PROJECT_ID (values can be copied from the dashboard)
Configure your config.yml in .circleci folder as follows:
Add the following snippet to jobs: section
Add the astra-pentest-trigger line to jobs: of workflow: section
Example:
To ensure that your pipeline fails when vulnerabilities are detected during the Astra scan, follow these steps:
Set the ASTRA_JOB_EXIT_STRATEGY:
Set ASTRA_JOB_EXIT_STRATEGY='fail_when_vulnerable' in your pipeline configuration to make the pipeline fail when vulnerabilities are found.
Alternatively, you can set ASTRA_JOB_EXIT_STRATEGY='always_pass' if you want the pipeline to always pass regardless of vulnerabilities.
Configure the Refetch Interval and Max Retries:
Adjust the refetch interval and max retries based on your requirements:
ASTRA_JOB_EXIT_REFETCH_INTERVAL=10: This specifies the interval (in seconds) at which the pipeline checks for the scan status.
ASTRA_JOB_EXIT_REFETCH_MAX_RETRIES=10: This sets the maximum number of retries the pipeline will attempt to check the scan status before failing.
Define the Exit Criterion:
Set the exit criterion to determine when the pipeline should fail based on vulnerability severity. Use the following example as a guide:
This criterion specifies that the pipeline should fail if there are any high or critical severity vulnerabilities detected during the scan.
Full example:
By following these steps and configuring the appropriate settings, your pipeline will automatically fail if vulnerabilities meeting the defined severity criteria are found during the Astra scan.
For further assistance or troubleshooting, please contact our support team.
GitHub
GitLab
Jenkins
Bitbucket
Azure
CircleCI
If you use a a different CI/CD tool, you can refer to the generic steps for starting audits via a simple API call via curl
You can configure your CI/CD pipeline to fail if high severity vulnerabilities are found
Starting a scan from your CI/CD
To get started with an integration:
Login to your Astra Dashboard
Navigate to the Pentest menu item, and open the project you want to audit from your CI/CD
Go to the Integrations, and click on the icon of the CI/CD tool you use
Activate the Integration, and follow the steps on the screen (or below)
GitHub
Select GitHub app
Choose the mode for the audit - Automated or Manual
Sign in to your GitHub account and open the repository for the chosen project
Go to Settings, select secrets and click on New repository secret
Set name as ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and set the value as the token you copied from the dashboard
Add a new step in your YAML file. We recommend to add this after the deploy step:
- shell: bash
name: Run an Astra Pentest
env:
ASTRA_ACCESS_TOKEN: ${{ secrets.ASTRA_ACCESS_TOKEN }}
ASTRA_PROJECT_ID: COPY-FROM-DASHBOARD
ASTRA_AUDIT_MODE: automated
run: |
wget -O - https://git.io/JSHtC | bashGitlab
Select the GitLab app
Choose the mode for the audit - Automated or Manual
Sign in to your GitLab account and open the repository for the chosen Astra project
Go to Settings & choose CI/CD from the left navigation bar
Go to Variables, click on Expand and click on Add variable
Set ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and ASTRA_PROJECT_ID = <can be copied from dashboard> variables, uncheck Mask Variable & Protect variable both
Add the following step in your YAML file
pentest-job:
stage: .post
variables:
ASTRA_AUDIT_MODE: automated
script:
- wget -O - https://git.io/JSHtC | bashJenkins
Select the Jenkins app
Choose the mode for the audit - Automated or Manual
Add the following variables and stages to the Jenkins file of your repository (replace the values in ASTRA_PROJECT_ID and ASTRA_ACCESS_TOKEN as seen in the dashboard):
pipeline {
agent any
environment {
ASTRA_PROJECT_ID = 'redacted'
ASTRA_ACCESS_TOKEN = 'redacted'
ASTRA_AUDIT_MODE = 'automated'
}
stages {
stage('build') {
steps {
sh 'wget -O - https://git.io/JSHtC | bash'
}
}
}
}BitBucket
Select the BitBucket app
Choose the mode for the audit - Automated or Manual
Sign in to your Bitbucket account
Click on Repositories and open the repository for the chosen project
Click on Repository settings. Then, scroll down in the left navbar till Pipelines & click on Repository variables
Add ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and ASTRA_PROJECT_ID = <can be copied from dashboard> variables, uncheck Secured for both
Add a new step in the pipeline YAML file. We recommend to add this after the deploy stage.
- step:
name: 'Astra Pentest Job'
script:
- export ASTRA_AUDIT_MODE="automated"
- wget -O - https://git.io/JSHtC | bashAzure
Select the Azure app
Choose the mode for the audit - Automated or Manual
Go to https://dev.azure.com and sign in to your account
Choose your organization and choose your project from the Projects tab
Click on Pipelines in the left navbar, and click on the pipeline for which you want to set up the pentest. Then Click on Edit
In the pipeline YAML page, click on Variables
Add ASTRA_ACCESS_TOKEN = <can be copied from dashboard> and ASTRA_PROJECT_ID = <can be copied from dashboard> variables, do not select Keep this value secret
Add a new step in the pipeline YAML file. We recommend to add this after the deploy stage.
variables:
ASTRA_AUDIT_MODE: "automated"
steps:
- script: |
wget -O - https://git.io/JSHtC | bash
displayName: 'Run an Astra Pentest'CircleCI
Select the CircleCI app
Choose the mode for the audit - Automated or Manual
Sign in to your CircleCI account and open the repository for the chosen Astra project
Add the environment variables to the CircleCI project, as provided in the Astra dashboard.
Click on Mechanical Wheel Icon
Navigate to Environment Variables and click on Add Variable
Ensure the variable names are named as follows : ASTRA_ACCESS_TOKEN, ASTRA_PROJECT_ID (values can be copied from the dashboard)
Configure your config.yml in .circleci folder as follows:
Add the following snippet to jobs: section
astra-pentest-trigger:
machine:
image: ubuntu-2004:202008-01
environment:
ASTRA_AUDIT_MODE: automated
steps:
- run:
command: wget -O - https://git.io/JSHtC | bashAdd the astra-pentest-trigger line to jobs: of workflow: section
Example:
workflows:
version: x
workflow-name:
jobs:
- job 1
- job 2
- astra-pentest-triggerHow to Configure Your Pipeline to Fail When Vulnerabilities are Found
To ensure that your pipeline fails when vulnerabilities are detected during the Astra scan, follow these steps:
Set the ASTRA_JOB_EXIT_STRATEGY:
Set ASTRA_JOB_EXIT_STRATEGY='fail_when_vulnerable' in your pipeline configuration to make the pipeline fail when vulnerabilities are found.
Alternatively, you can set ASTRA_JOB_EXIT_STRATEGY='always_pass' if you want the pipeline to always pass regardless of vulnerabilities.
Configure the Refetch Interval and Max Retries:
Adjust the refetch interval and max retries based on your requirements:
ASTRA_JOB_EXIT_REFETCH_INTERVAL=10: This specifies the interval (in seconds) at which the pipeline checks for the scan status.
ASTRA_JOB_EXIT_REFETCH_MAX_RETRIES=10: This sets the maximum number of retries the pipeline will attempt to check the scan status before failing.
Define the Exit Criterion:
Set the exit criterion to determine when the pipeline should fail based on vulnerability severity. Use the following example as a guide:
ASTRA_JOB_EXIT_CRITERION="severityCount[\\\"high\\\"] > 0 or severityCount[\\\"critical\\\"] > 0"This criterion specifies that the pipeline should fail if there are any high or critical severity vulnerabilities detected during the scan.
Full example:
ASTRA_JOB_EXIT_STRATEGY='fail_when_vulnerable'
ASTRA_JOB_EXIT_REFETCH_INTERVAL=10
ASTRA_JOB_EXIT_REFETCH_MAX_RETRIES=10
ASTRA_JOB_EXIT_CRITERION="severityCount[\\\"high\\\"] > 0 or severityCount[\\\"critical\\\"] > 0"By following these steps and configuring the appropriate settings, your pipeline will automatically fail if vulnerabilities meeting the defined severity criteria are found during the Astra scan.
For further assistance or troubleshooting, please contact our support team.
Updated on: 15/03/2024
Thank you!