Test-Driven Security With StackHawk and Spinnaker

April Conger   |   Dec 18, 2020

Written by Zachary Conger and Andrew Way

Modern software development is fast and iterative, with companies releasing significant new features and refinements daily. Doing that safely requires test automation in the build and delivery pipeline so that flaws are identified before new code reaches production. Security testing must be automated in the same way, so that vulnerabilities are caught before release and secure code ships faster.

In a recent webinar, StackHawk and Armory showed how you can scan pre-production app deployments for security bugs. Tune in below for the full presentation.


Get Started with Spinnaker

Armory provides continuous delivery at enterprise scale. Armory’s platform brings the power of Spinnaker to your organization, along with mission-critical feature extensions, enterprise-grade stability, and 24/7 expert support from one of the leading members of the open source community.

To get started:

Get Started with StackHawk

StackHawk provides CI/CD-friendly dynamic application security testing (DAST) scanning combined with a platform to help your team discover, manage and triage security bugs from the moment they are introduced.

Add HawkScan to your Spinnaker Pipelines

If you already have Spinnaker deployment pipelines in place, here is how you can add HawkScan.

Preparation

Before getting started, protect your StackHawk API key as a Kubernetes secret, and add a HawkScan configuration file to your application repository.

Protect Your API Key
Use kubectl to store your StackHawk API key as a Kubernetes secret.

kubectl create secret generic stackhawk-secrets \
  --from-literal=API_KEY='hawk.xXXxxXxxXXxxxXxxXxXx.xxxxXXxxXXXxxXXXXxXx'

Create a HawkScan Configuration

Add a HawkScan scan configuration to your application’s Git repository. For starters, you can use a minimal configuration like the following and add more detail later.

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://servicename.development
  env: Development

Fill in the app.applicationId value with your StackHawk application ID, which you can find in the Applications section of your StackHawk app.

Add a HawkScan Stage

HawkScan runs as a script, shawk, within the stackhawk/hawkscan Docker container. Normally it runs automatically and looks for your code repository and configuration file in a volume mounted at the /hawk directory. In Kubernetes, we will override this behavior and instead clone your repository into the container before running shawk.

Create a RunJob stage within Spinnaker like the following. In this example configuration, our application is named servicename and is deployed in the development namespace, so it is reachable as http://servicename.development. Note that shawk will look for your code repository and configuration file in the directory specified by the REPO_DIR variable.

apiVersion: batch/v1
kind: Job
metadata:
  name: hawkscan
  namespace: default
spec:
  backoffLimit: 0
  template:
    spec:
      containers:
        - command:
            - /bin/bash
            - '-c'
            - |
              git clone $REPO_URL $REPO_DIR
              shawk
          env:
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  key: API_KEY
                  name: stackhawk-secrets
            - name: REPO_DIR
              value: /home/zap/workdir
            - name: REPO_URL
              value: <YOUR-PROJECT-GITHUB-URL>
          image: 'stackhawk/hawkscan:latest'
          name: hawkscan
      restartPolicy: Never
  ttlSecondsAfterFinished: 600

Set the REPO_URL environment variable in the Job manifest above to the HTTPS URL for the git repository that contains your stackhawk.yml configuration file. For a private repository, you can inject an OAuth token into REPO_URL for authentication. In that case, REPO_URL should be stored as a Kubernetes secret rather than written into the manifest, since the manifest is typically committed to version control.

When this stage runs, it starts the HawkScan container and clones your application git repository into it. It then runs a scan based on the stackhawk.yml configuration file found at the root of that repository.

You can add this stage at any point in an existing pipeline to scan your application. We recommend running HawkScan against pre-production environments since it may make changes to a running application’s data in the normal course of a scan.
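The Job above fails late if the API key secret is missing, REPO_URL is not an HTTPS URL, or the cloned repository has no usable stackhawk.yml: the stage only errors once shawk is already running, and a clone error can echo a token-bearing URL into the job log. The following pre-flight script is an added example, not code from StackHawk, Armory or the webinar. It assumes the "hawk.<segment>.<segment>" key shape shown on this page, a stackhawk.yml at the repository root, and hypothetical helper names; it could be run from the container command ahead of git clone and shawk so that the RunJob stage fails fast with a redacted message.

```shell
#!/bin/sh
# Added example (not StackHawk's or Armory's code): pre-flight checks for the
# HawkScan RunJob stage. Function names are hypothetical; the key format and
# the config keys follow the examples on the page.

# 0 if the key looks like "hawk.<id>.<secret>"; the key is never printed.
valid_api_key() {
  printf '%s' "$1" | grep -Eq '^hawk\.[A-Za-z0-9]+\.[A-Za-z0-9]+$'
}

# 0 only for https:// repository URLs, so a token in the URL never goes in clear text.
valid_repo_url() {
  printf '%s' "$1" | grep -Eq '^https://[^/]+/.+'
}

# Strip "user:token@" from a URL so the URL can safely appear in log output.
redact_url() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^@/]+@#\1#'
}

# 0 if the stackhawk.yml at $1 carries the three keys of the minimal
# configuration (app.applicationId, app.host, app.env) and applicationId is a
# UUID; otherwise prints which key is missing or invalid and returns 1.
config_has_required_keys() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "missing: $cfg"; return 1; }
  for key in applicationId host env; do
    grep -Eq "^[[:space:]]+$key:[[:space:]]*[^[:space:]]" "$cfg" \
      || { echo "missing: app.$key"; return 1; }
  done
  grep -Eq '^[[:space:]]+applicationId:[[:space:]]*[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}[[:space:]]*$' "$cfg" \
    || { echo "invalid: app.applicationId is not a UUID"; return 1; }
  return 0
}

# Check the environment the Job manifest injects (API_KEY from the secret,
# REPO_URL) before anything is cloned. Intended container command:
#   preflight && git clone "$REPO_URL" "$REPO_DIR" && config_has_required_keys "$REPO_DIR/stackhawk.yml" && shawk
preflight() {
  valid_api_key "${API_KEY:-}" \
    || { echo "API_KEY secret missing or malformed" >&2; return 1; }
  valid_repo_url "${REPO_URL:-}" \
    || { echo "REPO_URL must be an https:// URL (got: $(redact_url "${REPO_URL:-}"))" >&2; return 1; }
  return 0
}
```

Because the checks read only the environment and the cloned file, they add no network calls; the only output on failure is a key name or a URL with its credentials removed, which is what you want to see in a Spinnaker execution log.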

Where to Go From Here

Have a look at StackHawk’s Spinnaker integration guide for the latest information on using HawkScan in Spinnaker. Then add more detail about your application to your HawkScan configuration, such as authentication, GraphQL, and OpenAPI specifications.

You can also create a native stage for HawkScan within Spinnaker so users can easily configure a HawkScan for their pipelines from the Spinnaker UI, and without the need for editing a Job manifest. This also allows you to utilize Spinnaker secrets to store your API key.
