
Running the Security Scan

You can integrate the scan configuration into your CI/CD tool and automate application scan testing with any of the tools listed below. Ensure that the fdevsec.yaml file is checked into the root folder of your source code.

AWS CodePipeline

Paste the following code segment into the buildspec.yml file for a SAST scan.

version: 0.1
phases:
  install:
    commands:
      - echo "Entered the install phase..."
    finally:
      - echo "This always runs even if the update or install command fails"
  pre_build:
    commands:
      - echo "Entered the pre_build phase..."
    finally:
      - echo "This always runs even if the login command fails."
  build:
    commands:
      - echo "Entered the build phase..."
      - echo "Build started on `date`"
    finally:
      - echo "This always runs even if the install command fails"
  post_build:
    on-failure: CONTINUE
    commands:
      - echo "Entered the post_build phase..."
      - echo "Build completed on `date`"
      - echo "Running FortiDevSec SAST scanner..."
      - "docker pull registry.fortidevsec.forticloud.com/fdevsec_sast:latest"
      - "docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest"

Azure DevOps

Paste the following code segment into the azure-pipelines.yml file for a SAST scan.

trigger:
  - main
pool:
  vmImage: ubuntu-latest

steps:
  - task: Bash@3
    displayName: Install_Run_SAST
    inputs:
      targetType: 'inline'
      script: |
        docker pull registry.fortidevsec.forticloud.com/fdevsec_sast:latest
        docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

Paste the following code segment into the azure-pipelines.yml file for a DAST scan.

trigger:
  - main
pool:
  vmImage: ubuntu-latest

steps:
  - task: Bash@3
    displayName: Install_Run_DAST
    inputs:
      targetType: 'inline'
      script: |
        docker pull registry.fortidevsec.forticloud.com/fdevsec_dast:latest
        docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest

Bamboo

Paste the following code segment into the bamboo.yml file for a SAST scan.

---
version: 2

plan:
  project-key: MYAPP
  name: Build the myapp
  key: MYAPP

stages:
  - scan the myapp stage:
      jobs:
        - Scan

Scan:
  tasks:
    - clean # To keep the working directory clean
    - script:
        - docker pull registry.fortidevsec.forticloud.com/fdevsec_sast:latest
        - docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

Paste the following code segment into the bamboo.yml file for a DAST scan.

---
version: 2

plan:
  project-key: MYAPP
  name: Build the myapp
  key: MYAPP

stages:
  - scan the myapp stage:
      jobs:
        - Scan

Scan:
  tasks:
    - clean # To keep the working directory clean
    - script:
        - docker pull registry.fortidevsec.forticloud.com/fdevsec_dast:latest
        - docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest

CircleCI

We have a CircleCI Orb. Paste this code segment into the .circleci/config.yml file for a SAST scan. Refer to the Orb Registry page for the latest version.

version: 2.1
jobs:
  SAST:
    machine: true
    steps:
      - checkout
      - run: |
          docker pull registry.fortidevsec.forticloud.com/fdevsec_sast:latest
          docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest
workflows:
  Scans:
    jobs:
      - SAST

Paste this code segment into the .circleci/config.yml file for a DAST scan.

version: 2.1
jobs:
  DAST:
    machine: true
    steps:
      - checkout
      - run: |
          docker pull registry.fortidevsec.forticloud.com/fdevsec_dast:latest
          docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest
workflows:
  Scans:
    jobs:
      - DAST

Drone CI

Paste this code segment into the drone.yml workflow file for a SAST scan.

---
kind: pipeline
type: exec
name: SCAN

platform:
  os: linux
  arch: amd64

steps:
  # Run FortiDevSec SAST Scanner, once the build step is done.
  - name: SAST
    commands:
      - docker pull registry.fortidevsec.forticloud.com/fdevsec_sast:latest
      - docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

Paste this code segment into the drone.yml workflow file for a DAST scan.

---
kind: pipeline
type: exec
name: SCAN

platform:
  os: linux
  arch: amd64

steps:
  # Run FortiDevSec DAST Scanner, once the deploy step is done.
  - name: DAST
    commands:
      - docker pull registry.fortidevsec.forticloud.com/fdevsec_dast:latest
      - docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest

GCP Cloud Build

Paste this code segment into the cloudbuild.yaml workflow file for a SAST scan.

steps:
  # Run FortiDevSec SAST Scanner, once the build step is done.
  - name: 'gcr.io/cloud-builders/docker'
    entrypoint: bash
    args: ['-c', 'docker run --rm --mount type=bind,source=$(pwd),target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest']

Paste this code segment into the cloudbuild.yaml workflow file for a DAST scan.

steps:
  # Run FortiDevSec DAST Scanner, once the deploy step is done.
  - name: 'gcr.io/cloud-builders/docker'
    entrypoint: bash
    args: ['-c', 'docker run --rm --mount type=bind,source=$(pwd),target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest']

GitHub Actions

Paste this code segment into the main.yml workflow file for a SAST scan.

name: FortiDevSec Scanner CI
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: SAST
        run: |
          docker pull registry.fortidevsec.forticloud.com/fdevsec_sast:latest
          docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

Paste this code segment into the main.yml workflow file for a DAST scan.

name: FortiDevSec Scanner CI
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: DAST
        run: |
          docker pull registry.fortidevsec.forticloud.com/fdevsec_dast:latest
          docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest

GitLab

Paste this code segment into the .gitlab-ci.yml file for a SAST scan.

SAST:
  tags:
    - devsecops
  image: registry.fortidevsec.forticloud.com/fdevsec_sast:latest
  stage: test
  script:
    - main

Paste this code segment into the .gitlab-ci.yml file for a DAST scan.

DAST:
  tags:
    - devsecops
  image: registry.fortidevsec.forticloud.com/fdevsec_dast:latest
  stage: deploy
  script:
    - main

Jenkins

Paste this code segment into Jenkins > (Your App) > Configure > Add build step > Execute Shell for a SAST scan.

docker pull registry.fortidevsec.forticloud.com/fdevsec_sast:latest
docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

Paste this code segment into the same Execute Shell build step for a DAST scan.

docker pull registry.fortidevsec.forticloud.com/fdevsec_dast:latest
docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest

Travis CI

Paste this code segment into the .travis.yml file for a SAST scan.

language: python
python:
  - "3.6"
services:
  - docker
jobs:
  include:
    - stage: SAST
      before_install: docker pull registry.fortidevsec.forticloud.com/fdevsec_sast:latest
      script: docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

Paste this code segment into the .travis.yml file for a DAST scan.

language: python
python:
  - "3.6"
services:
  - docker
jobs:
  include:
    - stage: DAST
      before_install: docker pull registry.fortidevsec.forticloud.com/fdevsec_dast:latest
      script: docker run --rm --mount type=bind,source=$PWD,target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest

To run a scan manually, navigate to the root folder of the source code, add the fdevsec.yaml file there, and run the following command.

docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest

This command runs a SAST scan (/fdevsec_sast:latest); change the image to /fdevsec_dast:latest to run a DAST scan instead.

The following shows a sample SAST command and its output.

devopsuser@User1:~/Repos/OWASPBenchmark$ docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_sast:latest
2022/02/03 06:33:57 Loaded scan config for Org ID: d9d3dc20-9372-4188-884f-b18a5c75fe5c
2022/02/03 06:33:57 Languages configured in conf file: [java]
2022/02/03 06:34:02 Scanners configured in conf file: [sast]
2022/02/03 06:34:03 Total enabled scanners: 1
2022/02/03 06:34:03 Running parallel scan as per user config.
2022/02/03 06:37:25 FortiDevSec SAST scanner done, exiting.

The following shows a sample DAST command and its output.

devopsuser@Dev:~/Repo/OWASPBenchmark$ docker run --rm --mount type=bind,source="$PWD",target=/scan registry.fortidevsec.forticloud.com/fdevsec_dast:latest
2022/02/03 08:37:19 Loaded scan config for Org ID: d9d3dc20-9372-4188-884f-b18a5c75fe5c
2022/02/03 08:37:19 Scanners configured in conf file: [dast]
2022/02/03 08:37:20 Response Status: 202 Accepted
2022/02/03 08:37:20 Total enabled scanners: 0
2022/02/03 08:37:20 No scanners specified.
2022/02/03 08:37:20 FortiDevSec DAST scanner done, exiting.
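As an added example, not Fortinet's code, the following POSIX shell wrapper runs the same docker invocation used throughout this page but adds two gates a pipeline needs: it refuses to start when fdevsec.yaml is missing from the directory that becomes /scan, and it fails the build when the scanner log reports that no scanner ran, which is what the DAST sample above shows even though it ends with "done, exiting". The fdevsec_* function names are ours, and the embedded sample logs are constructed from the sample output on this page.

```shell
#!/bin/sh
# Added example, not Fortinet's code. Wraps the docker invocation used on
# this page with two gates: fdevsec.yaml must exist in the directory mounted
# at /scan, and the scanner log must report at least one enabled scanner.
# All fdevsec_* names are ours; the log patterns come from the page's sample output.

FDEVSEC_REGISTRY=registry.fortidevsec.forticloud.com

# Constructed sample logs, copied from the sample output shown on this page.
FDEVSEC_SAMPLE_OK='2022/02/03 06:34:03 Total enabled scanners: 1
2022/02/03 06:37:25 FortiDevSec SAST scanner done, exiting.'
FDEVSEC_SAMPLE_NOSCAN='2022/02/03 08:37:20 Total enabled scanners: 0
2022/02/03 08:37:20 No scanners specified.
2022/02/03 08:37:20 FortiDevSec DAST scanner done, exiting.'

# Image reference for a scanner kind (sast|dast); non-zero for anything else.
fdevsec_image() {
  case "$1" in
    sast|dast) echo "$FDEVSEC_REGISTRY/fdevsec_$1:latest" ;;
    *) return 1 ;;
  esac
}

# The scan config has to sit at the root of the tree that is mounted at /scan.
fdevsec_preflight() {
  [ -f "$1/fdevsec.yaml" ]
}

# Inspect captured scanner output: 0 only if at least one scanner ran.
# "done, exiting" alone is not enough; the DAST sample prints it with zero scanners.
fdevsec_check_log() {
  printf '%s\n' "$1" | grep -q 'No scanners specified\.' && return 1
  printf '%s\n' "$1" | grep -Eq 'Total enabled scanners: [1-9][0-9]*$'
}

# Pull and run one scanner against a source dir, then gate on its log.
# Usage: fdevsec_scan sast|dast [source-dir]   (source-dir defaults to $PWD)
fdevsec_scan() {
  kind=$1; src=${2:-$PWD}
  img=$(fdevsec_image "$kind") || { echo "unknown scanner: $kind" >&2; return 2; }
  fdevsec_preflight "$src" || { echo "fdevsec.yaml missing in $src" >&2; return 2; }
  docker pull "$img" >/dev/null || return 2
  out=$(docker run --rm --mount "type=bind,source=$src,target=/scan" "$img" 2>&1)
  rc=$?
  printf '%s\n' "$out"
  [ "$rc" -eq 0 ] || return "$rc"
  fdevsec_check_log "$out" || { echo "no scanner ran; check fdevsec.yaml" >&2; return 1; }
}
```

Call `fdevsec_scan sast` (or `dast`) from any of the CI shell steps above in place of the bare docker pull/run pair; a non-zero return fails the step instead of letting a misconfigured scan pass silently.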
