You can use the Accurics CLI to scan code in your CI/CD pipeline and fail the builds if Accurics finds severe vulnerabilities in the code. Once you install Accurics CLI on the build machine, you must add the necessary instructions to the pipeline script to run the tool against the files present in the repository.
Here are a few examples:
Azure DevOps (on macOS)
- Create a new project.
- Add repository.
- Go to pipelines and select Create New Pipeline.
- Add repository (make sure repo has config file).
- Select Bitbucket Cloud in the Where is your code? section.
- Select your repository.
- Select Starter pipeline.
- Add the following to the YAML file. Replace the placeholders with the values of your Azure service principal; in a real pipeline, pass the ARM_* values in as secret pipeline variables rather than writing them into the script:
trigger:
- master

pool:
  vmImage: 'macOS-latest'

steps:
- task: CmdLine@2
  inputs:
    script: |
      brew install terraform
      brew install accurics
      export ARM_SUBSCRIPTION_ID=<subscription id>
      export ARM_TENANT_ID=<tenant id>
      export ARM_CLIENT_ID=<client id>
      export ARM_CLIENT_SECRET=<client secret>
      accurics init
      accurics plan
- Click save
- Click Run to run the pipeline
- Click on the job to monitor the execution
AWS CodePipeline (on Linux)
- Before creating the pipeline, go to the CodeBuild console and create the build project that will be attached to the pipeline: select Create build project.
- Add your source provider and repository.
- Select the environment configuration for a Linux build environment.
- In the Buildspec section, select Use a buildspec file and, if the file is not named buildspec.yml in the root of the source tree, add its path. Include the accurics executable and the config file from the Accurics CLI in your repository so the build can run them.
- Add the following to the buildspec.yml file:
version: 0.2
phases:
  install:
    commands:
      - curl -s -qL -o terraform_install.zip https://releases.hashicorp.com/terraform/0.13.5/terraform_0.13.5_linux_amd64.zip
      - unzip terraform_install.zip -d /usr/bin/
      - chmod +x /usr/bin/terraform
    finally:
      - terraform --version
  build:
    commands:
      - export ARM_SUBSCRIPTION_ID=<subscription ID>
      - export ARM_TENANT_ID=<tenant ID>
      - export ARM_CLIENT_ID=<client ID>
      - export ARM_CLIENT_SECRET=<client secret>
      - ./accurics init
      - ./accurics plan
- Once the CodeBuild project is created, open the CodePipeline console and click create new pipeline.
- Enter a pipeline name and either select an existing service role or create a new one.
- Add your source stage and select your source provider.
- In the build stage, select CodeBuild as your build provider and in the dropdown, find the CodeBuild project you just created.
- Skip the deploy stage.
- Review your selections and then click Create pipeline.
- Run the pipeline.
Jenkins (on Linux)
- Launch a Linux EC2 instance and connect to it. Make the ec2-user home directory traversable by other users (sudo chmod 705 /home/ec2-user/) so that the jenkins user can later read the Accurics CLI copied there.
- Jenkins needs Java 1.8 rather than the default Java 1.7. If java -version reports 1.7, remove it and install 1.8 with the following commands:
[ec2-user ~]$ sudo yum remove java-1.7.0-openjdk
[ec2-user ~]$ sudo yum install java-1.8.0
- Install terraform.
[ec2-user ~]$ sudo yum install -y yum-utils
[ec2-user ~]$ sudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
[ec2-user ~]$ sudo yum -y install terraform
- Download the Accurics CLI and copy it to your EC2 instance using scp -i (into /home/ec2-user/Accurics, the directory the build step below copies from).
- To download and install Jenkins, run the following commands:
[ec2-user ~]$ sudo yum update -y
[ec2-user ~]$ sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat/jenkins.repo
[ec2-user ~]$ sudo rpm --import https://pkg.jenkins.io/redhat/jenkins.io.key
[ec2-user ~]$ sudo yum install jenkins -y
- To start Jenkins, run this command:
[ec2-user ~]$ sudo service jenkins start
- Connect to your Jenkins server on port 8080 of the EC2 instance: http://server-ip-address:8080/
- The Unlock Jenkins page asks for the initial administrator password. Read it on the instance and paste it into the page:
[ec2-user ~]$ sudo cat /var/lib/jenkins/secrets/initialAdminPassword
- Install the suggested plugins.
- Once logged in, go to Manage Jenkins on the left and click Manage Plugins.
- Install the Bitbucket Plugin and the Git Plugin.
- Go to Manage Jenkins > Manage Credentials and add your Bitbucket credentials.
- Go back to the dashboard and on the left, select New Item. Enter a name for your job and select freestyle project.
- Add a description and under Source Code Management, select Git, add your repository URL, and your credentials. Specify a branch if applicable.
- In the Build section, add an Execute shell build step and enter the following commands (/home/ec2-user/Accurics is the directory the CLI was copied to):
cp -r /home/ec2-user/Accurics/* .
export ARM_SUBSCRIPTION_ID=<subscription ID>
export ARM_TENANT_ID=<tenant ID>
export ARM_CLIENT_ID=<client ID>
export ARM_CLIENT_SECRET=<client secret>
./accurics init
./accurics plan
- Click Save. On the left, click Build Now.
- The build should succeed. A blue ball at the top of the build history signifies a successful build; a scan that exits non-zero marks the build as failed (red).
Bamboo (on Linux)
Add the following commands to the Script body of a Script task in your Bamboo plan. The final if statement makes the task's exit status follow accurics plan, so the Bamboo plan fails when the scan does:
cp /home/user/AccuricsCLI/* ./
export ARM_SUBSCRIPTION_ID=<SUBSCRIPTION ID>
export ARM_TENANT_ID=<TENANT ID>
export ARM_CLIENT_ID=<CLIENT ID>
export ARM_CLIENT_SECRET=<CLIENT SECRET>
./accurics init
./accurics plan
if [ $? -eq 0 ]; then exit 0; else exit 1; fi
Replace the placeholders with the values of the Azure service principal the scan runs as:
– SUBSCRIPTION ID
– TENANT ID
– CLIENT ID
– CLIENT SECRET
For detailed information, see Configuring Azure Resources on Bamboo.
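All four pipelines above repeat the same step: export the four ARM_* credentials, run accurics init, run accurics plan, and let a non-zero exit fail the build (only the Bamboo snippet checks the exit status explicitly). The wrapper below is an added example, not code from Accurics or from this page, that can be dropped into the Execute shell step, the Bamboo Script body or the buildspec build phase. It assumes (hypothetically, nothing on the page documents these names) that the credentials arrive from the CI system's secret store as environment variables, that ACCURICS_BIN optionally overrides the CLI path (default ./accurics, the copy in the workspace), and that the file is saved as accurics_scan.sh. It refuses to run with missing credentials without ever printing their values, and it turns a failed plan into a failed job.

```sh
#!/bin/sh
# Added example (not the Accurics CLI's own code): a reusable "init + plan"
# step for the pipelines described above. Hypothetical names: ACCURICS_BIN
# (path to the CLI, default ./accurics) and the file name accurics_scan.sh.
set -u

# Fail fast if any Azure service-principal variable is unset or empty.
# Only the variable names are reported, never the values, so the build log
# never contains the client secret.
check_arm_env() {
  missing=""
  for name in ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID ARM_CLIENT_SECRET; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "accurics wrapper: missing required variables:$missing" >&2
    return 1
  fi
  return 0
}

# Run init, then plan. Return codes: 2 = credentials missing, 3 = init
# failed, otherwise the exit status of "accurics plan" (non-zero means the
# scan found violations and the build must fail).
run_scan() {
  bin="${ACCURICS_BIN:-./accurics}"
  check_arm_env || return 2
  if ! "$bin" init; then
    echo "accurics wrapper: init failed" >&2
    return 3
  fi
  "$bin" plan
  plan_rc=$?
  if [ "$plan_rc" -ne 0 ]; then
    echo "accurics wrapper: plan exited $plan_rc, failing the build" >&2
    return "$plan_rc"
  fi
  echo "accurics wrapper: scan passed"
  return 0
}

# When executed as accurics_scan.sh (rather than sourced), propagate the
# result as the script's exit status so the CI job goes red on findings.
case "$0" in
  *accurics_scan.sh) run_scan; exit $? ;;
esac
```

In Jenkins or Bamboo, call it as ./accurics_scan.sh from the build step after copying the CLI into the workspace; in CodeBuild, add it as the last command of the build phase. Because the credentials are read from the environment, the same script works unchanged whether the values come from Jenkins credentials bindings, Bamboo plan variables, CodeBuild environment variables or Azure DevOps secret variables.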