Incorporate security testing into your AWS CodeBuild and CodePipeline workflows by leveraging the HCL AppScan Command-Line Interface (CLI) capabilities. This tool empowers you to seamlessly conduct DAST (Dynamic Application Security Testing) scans through HCL AppScan On Cloud. The CLI tool also allows you to perform some additional supplementary operations. The first release supports integration with AppScan on Cloud Dynamic Analysis Security Testing (DAST).
-
You need an account at the HCL AppScan on Cloud service and an API Key and Secret for AppScan on Cloud Authentication. To generate an API key and secret credentials, refer to Generating API Keys (hcltechsw.com).
-
We recommend securely storing your API Key and Secret in an encrypted format using the AWS System Manager Parameter Store or the AWS Secrets Manager.
-
Create an application on the service to associate with your scans.
-
You need access to an AWS account with the necessary permissions to configure and run AWS Code Build, Code Pipeline, or both.
-
A Target website URL to perform a dynamic scan on.
-
Access to the AppScan CLI Tool Binary hosted on Maven Central
-
Java 11 or later should be available in AWS Codebuild environment.
This section provides instructions on configuring AWS CodeBuild for dynamic security scans and integrating it as a stage within an AWS CodePipeline. The AppScan CLI tool will perform the dynamic security scan as part of the build process.
-
Open the AWS Management Console and navigate to CodeBuild.
-
Click on Create build project.
-
Project configuration:
-
Project name: Enter a name for your Code Build project.
-
Source: From the Source provider dropdown, choose No source.
-
Environment: Choose an environment that suits your application (e.g., Ubuntu, Amazon Linux) and has Java 11. We recommend selecting Amazon Linux Coretto11 Image.
Image - aws/codebuild/amazonlinux2-x86_64-standard:corretto11
-
Buildspec: Choose "Use a buildspec file" and select the source location of your buildspec file (usually buildspec.yml). Alternatively, you can select "Insert build commands" and add the build commands in the onscreen editor.
Example buildspec --
version: 0.2 env: parameter-store: STAGING_ASOC_KEY: "STAGING_ASOC_KEY_ID" STAGING_ASOC_KEY_SECRET: "STAGING_ASOC_KEY_SECRET" phases: build: commands: - wget https://repo1.maven.org/maven2/com/hcl/appscan-cloud-cli/1.0.0/appscan-cloud-cli-1.0.0.jar - java -jar appscan-cloud-cli-1.0.0.jar invokedynamicscan --key=$STAGING_ASOC_KEY --secret=$STAGING_ASOC_KEY_SECRET --appId=<ASoC Application ID> --scanName=<Scan Name> --target=<Target URL> artifacts: files: - 'AppscanReports/*' discard-paths: yesIn your buildspec.yml, add the commands to download the AppScan CLI jar from maven repository and execute the security scan. See the commands in the above buildspec example for reference. We assume the API Key ID and Secret are stored in the AWS System Manager Parameter Store. For more information on Full list of CLI commands and options, refer to the HCL Appscan Cloud CLI Readme.
-
-
Artifacts: Configure where the build artifacts (Scan Analysis Report) should be stored after the build (scan) completes. For Example, you can store the scan report in the Amazon S3 Bucket of your preference and mention the path as "AppscanReports" and the Namespace type as Build ID.
-
Logs: Choose the desired CloudWatch settings for your build logs.
-
Service role: If you don't have a service role, create a new one or use an existing one with the necessary permissions.
-
VPC: Configure VPC settings if needed for your application.
-
Timeouts: Set appropriate timeouts for your build phases. You can specify a timeout value anywhere from 5 minutes to 8 hours. If you leave the hours and minutes fields blank, CodeBuild will default to a timeout of 60 minutes. It is recommended to carefully consider the nature of your builds and select a timeout that aligns with their expected duration.
-
Build badge: Configure a build badge if desired.
-
To create the CodeBuild project, click on Create build project.
-
Trigger a build manually to ensure your build configuration is working as expected.
-
Monitor the build progress in the AWS Management Console.
-
Verify that your CLI tool successfully performs the dynamic security scan during the build process.
-
Open the AWS Management Console and navigate to CodePipeline.
-
Click on Create pipeline.
-
Pipeline settings:
-
Pipeline name: Enter a name for your pipeline.
-
Service role: Choose an existing role or create a new one with permission to interact with CodeBuild and any necessary resources.
-
-
Source stage:
-
Choose the source provider and configure repository details.
-
Set up the appropriate source action settings.
-
-
Build and Deployment stages:
- Add and configure Build and Deploy stages to your pipeline, per your pipeline requirements.
-
Dynamic Security Analysis stage:
-
Click on Add stage.
-
Enter a name for the stage (e.g., "Dynamic_Security_Analysis").
-
Click on Add action group and choose "AWS CodeBuild" as the provider under Test action providers as shown below :
-
-
Configure test action:
-
Choose the CodeBuild project you created earlier (Part 1) step.
-
Set the appropriate action settings, including output artifacts.
-
-
Artifact stage :
-
Click on Add stage.
-
Enter a name for the stage (e.g., "Artifacts").
-
Configure actions to deploy or store your scan reports as shown below :
-
-
Click on Next to review your pipeline configuration.
-
Click on Create pipeline to create the CodePipeline.
-
Trigger your pipeline manually or by your configured source provider (e.g., code commits).
-
Monitor the pipeline execution in the AWS Management Console.
-
Verify that the CodeBuild stage runs your CLI tool and performs the dynamic security scan as part of the build process.
-
Upon successful completion of the scan , the build logs in AWS CodeBuild would contain scan details , Scan Result Findings Summary and other logs generated as part of the process. Along with this , the scan log file generated by AppScan on Cloud would be automatically downloaded in zip format at the same location as scan report file.
-
The Scan Report would be available to download in format specified using --reportFormat or HTML format by default. This report includes only the non-compliant issues. The report download location can be configured in CodePipeline Project in Bucket field as discussed in point 8 (Artifact Stage) in previous step.
Note: The scan report and summary are available only if --waitForResult is set to true in appscan cloud cli command while configuring buildspec.yaml file in a CodeBuild project. --waitForResult is by default set to true. The report and summary otherwise are available for download from HCL AppScan on Cloud.
You have successfully configured AWS CodeBuild to include dynamic security scans using your published CLI tool and integrated it as a stage within AWS CodePipeline. This integration enhances the security of your application by automatically conducting security scans during the CI/CD process.
Regularly monitor your pipeline's execution and review your CLI tool's configurations to ensure your security scanning remains effective and up to date.