From DevOps to DevSecOps (3 Part Series)
In a previous post, I explained the quick opportunities about adding more security within your organisation.
In this post, I will go through all the process of adding a Static Application Security Testing software to your pipeline in order to scan your code for security vulnerabilities.
That Software is Checkmarx.
Checkmarx is an Application Security Testing and Static Code Analysis Solution.
It scans source code, identifies security vulnerabilities within it, and provides remediation with sample code.
Features include :
- Static Application Security Testing
- Dependency Scanning
- Interactive Application Security Testing
- Runtime Application Security Testing.
Compared to other similar security tools, Checkmarx is flexible, integrates with other popular CI/CD tools, and supports a wide range of programming languages.
On the flipside, as an enterprise-level software, it is not cheap. 💸
To use a software like Checkmarx to its best, you have to automate it within your CI/CD pipeline.
The point is to check the security of all your repositories everytime you are releasing something (either a major version or on a more frequent basis).
Nevertheless, remember that this analysis will require work from your teams to triage the identified vulnerabilities and correct them.
So do it at a sustainable pace regarding your team capabilities.
- Download the repository (or repositories)
- Start a scan using the Checkmarx Command Line Interface
- Check the scan result on the Checkmarx interface
I assume you are using Jenkins on your CI/CD pipeline.
- A hook on Jenkins starts a script
- That script downloads the repository
- That script starts a scan on the downloaded repository
- That script alerts if something went wrong during the scan (through return code)
- Checkmarx alerts on the scan result
You can use that tool to mass clone the repositories on your machine,
Download all the repositories that you can access on Bitbucket to easily statically analyze the security of it and data leakage.
Download all the repositories that you can access on Bitbucket
This program is made to clone all the repositories that you have on Bitbucket at once. It is very usefull if you want to statically analyze the code on a security perspective for instance.
You can look for Certificate files, leaked information (like password, logins, keys, etc...).
And more than that, you can look in the git history if some information where leaked in the past, even if they are not available in the code at the moment.
It is very easy to start a scan from your machine.
Download the Checkmarx CLI Plugin on the following links :
Install the Checkmarx CLI PLugin ("CxConsolePlugin") to any folder that you feel appropriate.
Then, to start a scan, you just have to fire the
runCxConsole.sh script which is inside the "CxConsolePlugin" folder.
CxConsolePlugin Usage :
runCxConsole.sh Scan -Projectname "SP/Cx/Engine/AST/SecurityScanTest" -CxServer https://securecode.itn.intraorange/ -cxuser $checkmarxLogin -cxpassword $checkmarxAppPassword -locationtype GIT -locationprivatekey $locationPrivateKey -locationurl $locationUrl locationbranch $locationBranch -preset All -comment 'Scan de test' -reportpdf ~/SecurityScanTest.pdf
As you can see in the command above, at some point you have to fill in your Checkmarx login and password (
It is good security practice to never ever write your password in clear text in your terminal.
Just because, anyone (or any malware) can just look at your command-line history on your terminal and then have your password available in plain text.
ctrl+ron your terminal and then look for
Or you can try
history | grep "git clone"(as you frequently leak your passwords through git commands).
That is why you MUST never enter your password on your terminal as anyone can then have access to it.
To avoid leaking passwords in the terminal history, I developed a short script to start a Checkmarx's scan using its CLI plugin.
You can find it in the following Github repository (feel free to fork it and improve it 😉).
How to Automate Checkmarx Scans
Script Usage :
./CheckmarxAutomation.sh -h usage: CheckmarxAutomation [[-u|--cxuser] <username>] Your Login on Checkmarx [-h|--help]
Using It :
./CheckmarxAutomation.sh -u remi Please, Fill in your Checkmarx Password :
So that way, your password is not going to leak in your terminal history. 👍🏼
1. SSH Private Keys not Found
You are using SSH to connect to your repository, but Checkmarx cannot find the private key, as you can see below :
[2019-09-25 09:42:00,000 FATAL] Command parameters are invalid: Private key file is not found in: ~/.ssh/PrivateKey
If you are using ssh keys to log to your Git repository (and you should 🔐), you MUST use an absolute path to describe it on the
2. Checkmarx Server not Available
The Checkmarx server cannot be accessed from your machine, as you can see below :
[2019-09-25 09:42:00,000 ERROR] Failed to validate server connectivity: Cx web service is not available at: https://securecode.mysersver/
To solve this issue, you have to be sure that Checkmarx is allowed from your proxy and use the Checkmarx server's IP address.
Tell me if you think that adding that kind of solution is something that you are thinking about.
And if you are already using it, tell me if you find it useful and if it is improving the level of security of your application.
Level up every day