Test-Driven Security
With StackHawk and Spinnaker


Zachary Conger | December 18, 2020

This post is a recap of a joint webinar from StackHawk and Spinnaker. We will walk through how to get started with application security testing in a Spinnaker Pipeline.

Written by Zachary Conger and Andrew Way

Modern software development is fast and iterative, with companies releasing significant new features and refinements daily. Doing that safely requires test automation in the build and delivery pipeline to ensure that flaws are identified before new code hits production. Security testing must also be automated, so that vulnerabilities are caught before they reach production and secure code ships faster.

In a recent webinar, StackHawk and Armory showed how you can scan pre-production app deployments for security bugs. Tune in below for the full presentation.


Get Started with Spinnaker

Armory provides continuous delivery at enterprise scale. Armory’s platform brings the power of Spinnaker to your organization, along with mission-critical feature extensions, enterprise-grade stability, and 24/7 expert support from one of the leading members of the open source community.

To get started:

Get Started with StackHawk

StackHawk provides CI/CD-friendly dynamic application security testing (DAST) scanning combined with a platform to help your team discover, manage and triage security bugs from the moment they are introduced.

Add HawkScan to your Spinnaker Pipelines

If you already have Spinnaker deployment pipelines in place, here is how you can add HawkScan.

Preparation

Before getting started, protect your StackHawk API key as a Kubernetes secret, and add a HawkScan configuration file to your application repository.

Protect Your API Key

Use kubectl to store your StackHawk API key as a Kubernetes secret.

```shell
kubectl create secret generic stackhawk-secrets \
  --from-literal=API_KEY='hawk.xXXxxXxxXXxxxXxxXxXx.xxxxXXxxXXXxxXXXXxXx'
```
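The command above passes the key on the command line, which leaves it in shell history and process listings. As an added example (not code from the post or from StackHawk), the script below builds the same `stackhawk-secrets` manifest from an environment variable instead and pipes it to `kubectl apply -f -`; the only assumptions are the `STACKHAWK_API_KEY` variable name and the loose `hawk.<part>.<part>` shape the key in the post has.

```shell
#!/bin/sh
# Added example (not from the StackHawk post): render the stackhawk-secrets
# manifest from an environment variable so the API key never appears as a
# command-line argument. Assumes the key is exported as STACKHAWK_API_KEY
# (an assumed name) and that `kubectl apply -f -` consumes the output.
# Secret name and key match the Job manifest in the post.

# Loose shape check: keys in the post look like "hawk.<part>.<part>".
# Returns 0 when the value has that shape, 1 otherwise.
check_key_shape() {
  case "$1" in
    hawk.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit a Kubernetes Secret manifest on stdout. `data` values must be
# base64; `tr -d '\n'` keeps the output identical on GNU and BSD base64.
render_api_key_secret() {
  key="$1"
  check_key_shape "$key" || {
    echo "value does not look like a StackHawk API key" >&2
    return 1
  }
  encoded=$(printf '%s' "$key" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: stackhawk-secrets
  namespace: default
type: Opaque
data:
  API_KEY: ${encoded}
EOF
}

# Decode the API_KEY value out of a rendered manifest read on stdin,
# used to verify the round trip without echoing the key to a terminal.
decode_api_key() {
  sed -n 's/^  API_KEY: //p' | base64 -d
}

# Usage: export STACKHAWK_API_KEY='hawk....'; sh render-secret.sh | kubectl apply -f -
if [ -n "${STACKHAWK_API_KEY:-}" ]; then
  render_api_key_secret "$STACKHAWK_API_KEY"
fi
```

Because the manifest is generated at apply time rather than committed, the key lives only in the environment of the operator (or the CI job) that applies it and in the cluster's Secret store.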

Create a HawkScan Configuration

Add a HawkScan scan configuration to your application’s Git repository. For starters, you can use a minimal configuration like the following and add more detail later.

```yaml
app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://servicename.development
  env: Development
```

Fill in the app.applicationId value with your StackHawk application ID, which you can find in the Applications section of your StackHawk app.

Add a HawkScan Stage

HawkScan runs as a script, shawk, within the stackhawk/hawkscan Docker container. Normally, it runs automatically and looks for your code repository and configuration file in a volume-mounted /hawk directory. In Kubernetes, we will override this behavior and instead clone your repository into the container before running shawk.

Create a RunJob stage within Spinnaker like the following. For this example configuration, our application is named servicename and it is deployed in the development namespace, so it is reachable as http://servicename.development. Note that shawk will look for your code repository and configuration file in the directory specified by the REPO_DIR variable.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: hawkscan
  namespace: default
spec:
  backoffLimit: 0              # a failed scan is not retried
  template:
    spec:
      containers:
        - command:
            - /bin/bash
            - '-c'
            - |
              git clone $REPO_URL $REPO_DIR
              shawk
          env:
            - name: API_KEY    # read from the stackhawk-secrets Secret created above
              valueFrom:
                secretKeyRef:
                  key: API_KEY
                  name: stackhawk-secrets
            - name: REPO_DIR   # where shawk looks for the repo and stackhawk.yml
              value: /home/zap/workdir
            - name: REPO_URL   # HTTPS clone URL of the repo holding stackhawk.yml
              value: <YOUR-PROJECT-GITHUB-URL>
          image: 'stackhawk/hawkscan:latest'
          name: hawkscan
      restartPolicy: Never
  ttlSecondsAfterFinished: 600   # clean up the finished Job after 10 minutes
```

Set the REPO_URL environment variable in the Job manifest above to the HTTPS URL for the git repository that contains your stackhawk.yml configuration file. For a private repository, you can inject an OAuth token into REPO_URL for authentication. In that case, REPO_URL should be stored as a Kubernetes secret.
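For the private-repository case, the `REPO_URL` value should come from a Secret just as `API_KEY` does, and the Job manifest you commit to your pipeline repository should then contain neither value. As an added example (not code from the post or from StackHawk), the script below renders the container's `env:` entries with both values sourced from `stackhawk-secrets`, and provides a small lint that fails when a manifest still carries an inlined API key or a credential embedded in an `https://` URL. It assumes a `REPO_URL` key has been added to the `stackhawk-secrets` Secret (the post's Secret only holds `API_KEY`); the sample lines in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the StackHawk post). Assumes the Secret
# stackhawk-secrets holds both API_KEY and REPO_URL (REPO_URL is an
# assumed addition for private repositories).

# Emit the `env:` entries for the hawkscan container with both sensitive
# values pulled from the Secret instead of literal `value:` fields.
# Indentation matches the Job manifest's containers[0].env position.
render_job_env() {
  cat <<'EOF'
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  name: stackhawk-secrets
                  key: API_KEY
            - name: REPO_URL
              valueFrom:
                secretKeyRef:
                  name: stackhawk-secrets
                  key: REPO_URL
            - name: REPO_DIR
              value: /home/zap/workdir
EOF
}

# Lint a manifest read from stdin. Returns 1 and prints the offending
# line numbers when a line looks like an inlined StackHawk API key
# ("hawk.<part>.<part>") or an https:// URL with userinfo before the host;
# returns 0 when the manifest is clean. Suitable as a pre-commit hook.
lint_manifest() {
  hits=$(grep -nE 'hawk\.[A-Za-z0-9]+\.[A-Za-z0-9]+|https://[^/@[:space:]]+@' || true)
  if [ -n "$hits" ]; then
    printf 'inlined credential(s) found:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Usage: render_job_env > env-fragment.yml; lint_manifest < hawkscan-job.yml
```

Run `lint_manifest` over every manifest in the pipeline repository before it is committed; the rendered `env:` fragment above passes the lint, while a manifest with a `value: https://user:token@host/...` clone URL or a literal `hawk.` key fails it.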

When this stage runs, it will start the HawkScan container and clone your application git repository into it. Then it will run a scan based on the stackhawk.yml configuration file found at the base of that repository.

You can add this stage at any point in an existing pipeline to scan your application. We recommend running HawkScan against pre-production environments since it may make changes to a running application’s data in the normal course of a scan.

Where to Go From Here

Have a look at StackHawk’s Spinnaker integration guide for the latest information on using HawkScan in Spinnaker. Then add more detail about your application to your HawkScan configuration, such as authentication, GraphQL, and OpenAPI specifications.

You can also create a native stage for HawkScan within Spinnaker so users can easily configure a HawkScan stage for their pipelines from the Spinnaker UI, without editing a Job manifest. This also allows you to use Spinnaker secrets to store your API key.
