Test-Driven Security With StackHawk and Spinnaker

Zachary Conger

This post is a recap of a joint webinar from StackHawk and Spinnaker. We will walk through how to get started with application security testing in a Spinnaker Pipeline.

Written by Zachary Conger and Andrew Way

Modern software development is fast and iterative, with companies releasing significant new features and refinements daily. Doing that safely requires test automation in the build and delivery pipeline so that flaws are identified before new code hits production. Security testing has to be automated in the same way: it catches vulnerabilities before they are released, and it lets teams ship secure code faster.

In a recent webinar, StackHawk and Armory showed how you can scan pre-production application deployments for security bugs. The webinar recording contains the full presentation.

Get Started with Spinnaker

Armory provides continuous delivery at enterprise scale. Armory’s platform brings the power of Spinnaker to your organization, along with mission-critical feature extensions, enterprise-grade stability, and 24/7 expert support from one of the leading members of the open source community.

To get started:

Get Started with StackHawk

StackHawk provides CI/CD-friendly dynamic application security testing (DAST) scanning combined with a platform to help your team discover, manage and triage security bugs from the moment they are introduced.

Add HawkScan to your Spinnaker Pipelines

If you already have Spinnaker deployment pipelines in place, here is how you can add HawkScan.

Preparation

Before getting started, protect your StackHawk API key as a Kubernetes secret, and add a HawkScan configuration file to your application repository.

Protect Your API Key

Use kubectl to store your StackHawk API key as a Kubernetes secret.

kubectl create secret generic stackhawk-secrets \
  --from-literal=API_KEY='hawk.xXXxxXxxXXxxxXxxXxXx.xxxxXXxxXXXxxXXXXxXx'

Create a HawkScan Configuration

Add a HawkScan scan configuration to your application’s Git repository. For starters, you can use a minimal configuration like the following and add more detail later.

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://servicename.development
  env: Development

Fill in the app.applicationId value with your StackHawk application ID, which you can find in the Applications section of your StackHawk app.

Add a HawkScan Stage

HawkScan runs as a script, shawk, within the stackhawk/hawkscan Docker container. Normally it runs automatically and looks for your code repository and configuration file in a volume-mounted /hawk directory. In Kubernetes we override this behavior and instead clone your repository into the container before running shawk.

Create a RunJob stage within Spinnaker like the following. In this example configuration, the application is named servicename and is deployed in the development namespace, so it is reachable inside the cluster as http://servicename.development. Note that shawk will look for your code repository and configuration file in the directory specified by the REPO_DIR variable.

apiVersion: batch/v1
kind: Job
metadata:
  name: hawkscan
  namespace: default
spec:
  backoffLimit: 0
  template:
    spec:
      containers:
        - command:
            - /bin/bash
            - '-c'
            - |
              git clone $REPO_URL $REPO_DIR
              shawk
          env:
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  key: API_KEY
                  name: stackhawk-secrets
            - name: REPO_DIR
              value: /home/zap/workdir
            - name: REPO_URL
              value: <YOUR-PROJECT-GITHUB-URL>
          image: 'stackhawk/hawkscan:latest'
          name: hawkscan
      restartPolicy: Never
  ttlSecondsAfterFinished: 600

Set the REPO_URL environment variable in the Job manifest above to the HTTPS URL of the git repository that contains your stackhawk.yml configuration file. For a private repository, you can embed an OAuth token in REPO_URL for authentication. In that case REPO_URL itself carries a credential, so store it as a Kubernetes secret and read it with secretKeyRef, as API_KEY is above, rather than writing it into the manifest in plaintext.

When this stage runs, it will start the HawkScan container and clone your application git repository into it. Then it will run a scan based on the stackhawk.yml configuration file found at the base of that repository.

You can add this stage at any point in an existing pipeline to scan your application. We recommend running HawkScan against pre-production environments since it may make changes to a running application’s data in the normal course of a scan.
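As an added example (not code from the post, from StackHawk or from Armory), the following Python script renders the Job above as JSON, which kubectl accepts in place of YAML, wiring REPO_URL either as a literal value for a public repository or through secretKeyRef for a private one. It also lints the rendered manifest and reports any container environment value that embeds a credential in plaintext: an API_KEY given as a literal, any value shaped like a StackHawk API key, or a clone URL with a token or password in its userinfo. The secret name and the API_KEY and REPO_DIR names match the manifest above; the REPO_URL key inside the secret, the function names and the sample URLs are assumptions made for this example.

```python
"""Render the HawkScan Job for a Spinnaker RunJob stage and lint it for
plaintext credentials before it is committed to a pipeline.

Added example for this post; not StackHawk's or Armory's code. Standard
library only; output is JSON, which kubectl accepts instead of YAML.
"""
import json
import re
from urllib.parse import urlsplit

# Secret name from the post. The REPO_URL key in that secret is an assumption.
SECRET_NAME = "stackhawk-secrets"

# Shape of the API key placeholder shown in the post: hawk.<part>.<part>
API_KEY_RE = re.compile(r"^hawk\.[A-Za-z0-9]+\.[A-Za-z0-9]+$")


def secret_env(name, key, secret=SECRET_NAME):
    """Env entry whose value is read from a Kubernetes Secret (secretKeyRef)."""
    return {"name": name, "valueFrom": {"secretKeyRef": {"name": secret, "key": key}}}


def hawkscan_job(repo_url_from_secret, repo_url=None, namespace="default",
                 image="stackhawk/hawkscan:latest", repo_dir="/home/zap/workdir"):
    """Build the Job manifest from the post.

    Public repository: pass repo_url and REPO_URL becomes a literal env value.
    Private repository: pass repo_url_from_secret=True and the token-bearing
    URL is read from the Secret's REPO_URL key instead of the manifest.
    """
    env = [secret_env("API_KEY", "API_KEY"), {"name": "REPO_DIR", "value": repo_dir}]
    if repo_url_from_secret:
        env.append(secret_env("REPO_URL", "REPO_URL"))
    else:
        env.append({"name": "REPO_URL", "value": repo_url})
    return {
        "apiVersion": "batch/v1",
        "kind": "Job",
        "metadata": {"name": "hawkscan", "namespace": namespace},
        "spec": {
            "backoffLimit": 0,              # one attempt: a failed scan fails the stage
            "ttlSecondsAfterFinished": 600,  # clean the finished Job up after 10 minutes
            "template": {"spec": {
                "restartPolicy": "Never",
                "containers": [{
                    "name": "hawkscan",
                    "image": image,
                    # Quote the variables so an unusual URL or path cannot split the command.
                    "command": ["/bin/bash", "-c", 'git clone "$REPO_URL" "$REPO_DIR"\nshawk\n'],
                    "env": env,
                }],
            }},
        },
    }


def lint_plaintext_secrets(job):
    """Return findings for env values that carry a credential literally.

    Entries with valueFrom (Secret or ConfigMap) are skipped; only literal
    `value` fields are inspected.
    """
    findings = []
    for container in job["spec"]["template"]["spec"]["containers"]:
        for entry in container.get("env", []):
            value = entry.get("value")
            if value is None:
                continue
            name = entry["name"]
            if name == "API_KEY":
                findings.append(f"{name}: API key is a literal value; read it via secretKeyRef")
            elif API_KEY_RE.match(value):
                findings.append(f"{name}: value looks like a StackHawk API key")
            elif value.startswith(("http://", "https://")) and urlsplit(value).username:
                findings.append(f"{name}: URL embeds credentials in userinfo; move it into a Secret")
    return findings


def render_json(job):
    """Serialise the manifest for `kubectl apply -f -`."""
    return json.dumps(job, indent=2)


if __name__ == "__main__":
    # Constructed sample: a public repository URL, no credentials involved.
    job = hawkscan_job(False, repo_url="https://github.com/example/app.git")
    for finding in lint_plaintext_secrets(job):
        print("LINT:", finding)
    print(render_json(job))
```

Run the script and pipe its output to `kubectl apply -f -` to create the Job by hand, or paste the JSON into the RunJob stage's manifest field. Wiring the lint into the pipeline's pre-commit or CI checks catches the common mistake of pasting a token-bearing clone URL or the API key itself straight into the manifest.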

Where to Go From Here

Have a look at StackHawk’s Spinnaker integration guide for the latest information on using HawkScan in Spinnaker. Then add more detail about your application to your HawkScan configuration, such as authentication settings, GraphQL, and OpenAPI specifications.

You can also create a native stage for HawkScan within Spinnaker, so that users can configure a HawkScan stage for their pipelines from the Spinnaker UI without editing a Job manifest. A native stage also lets you use Spinnaker secrets to store your API key.
