Written by Zachary Conger and Andrew Way
Modern software development is fast and iterative, with companies releasing significant new features and refinements daily. Doing that safely requires test automation in the build and delivery pipeline to ensure that flaws are identified before new code hits production. Security testing must also be automated to catch vulnerabilities before they are released to production, and ship secure code faster.
In a recent webinar, StackHawk and Armory showed how you can scan pre-production app deployments for security bugs. Tune in below for the full presentation.
Get Started with Spinnaker
Armory provides continuous delivery at enterprise scale. Armory’s platform brings the power of Spinnaker to your organization, along with mission-critical feature extensions, enterprise-grade stability, and 24/7 expert support from one of the leading members of the open source community.
To get started:
- Check out Armory’s Spinnaker 101 Docs
- Install Spinnaker in minutes using Armory Minnaker
- Here’s how to build a K8s pipeline in Spinnaker.
Get Started with StackHawk
StackHawk provides CI/CD-friendly dynamic application security testing (DAST) scanning combined with a platform to help your team discover, manage and triage security bugs from the moment they are introduced.
- Sign up for a free Developer account
- Check out the StackHawk getting started guide
- See the StackHawk Spinnaker integration guide for the full details on running HawkScan in Spinnaker
Add HawkScan to your Spinnaker Pipelines
If you already have Spinnaker deployment pipelines in place, here is how you can add HawkScan.
Before getting started, protect your StackHawk API key as a Kubernetes secret, and add a HawkScan configuration file to your application repository.
Protect Your API Key
kubectl to store your StackHawk API key as a Kubernetes secret.
kubectl create secret generic stackhawk-secrets \ --from-literal=API_KEY='hawk.xXXxxXxxXXxxxXxxXxXx.xxxxXXxxXXXxxXXXXxXx'
Create a HawkScan Configuration
Add a HawkScan scan configuration to your application’s Git repository. For starters, you can use a minimal configuration like the following and add more detail later.
app: applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX host: <http://servicename.development> env: Development
Fill in the
app.applicationId value with your StackHawk application ID, which you can find in the Applications section of your StackHawk app.
Add a HawkScan Stage
HawkScan runs as a script,
shawk, within the stackhawk/hawkscan Docker container. Normally, it runs automatically and looks for your code repository and configuration file in a volume mounted
/hawk directory. In Kubernetes, we will override this behavior and instead clone your repository into the container before running
Create a RunJob stage within Spinnaker like the following. For this example configuration, our application is named
servicename and it is deployed in the
development namespace, so it is reachable as http://servicename.development. Note that
shawk will look for your code repository and configuration file in the directory specified by the
apiVersion: batch/v1 kind: Job metadata: name: hawkscan namespace: default spec: backoffLimit: 0 template: spec: containers: - command: - /bin/bash - '-c' - | git clone $REPO_URL $REPO_DIR shawk env: - name: API_KEY valueFrom: secretKeyRef: key: API_KEY name: stackhawk-secrets - name: REPO_DIR value: /home/zap/workdir - name: REPO_URL value: <YOUR-PROJECT-GITHUB-URL> image: 'stackhawk/hawkscan:latest' name: hawkscan restartPolicy: Never ttlSecondsAfterFinished: 600
REPO_URL environment variable in the Job manifest above to the HTTPS URL for the git repository that contains your
stackhawk.yml configuration file. For a private repository, you can inject an OAuth token into
REPO_URL for authentication. In that case,
REPO_URL should be stored as a Kubernetes secret.
When this stage runs, it will start the HawkScan container and clone your application git repository into it. Then it will run a scan based on the
stackhawk.yml configuration file found at the base of that repository.
You can add this stage at any point in an existing pipeline to scan your application. We recommend running HawkScan against pre-production environments since it may make changes to a running application’s data in the normal course of a scan.
Where to Go From Here
Have a look at StackHawk’s Spinnaker integration guide for the latest up to date information on using HawkScan in Spinnaker. Then add more information about your application to your HawkScan configuration, such as authentication, GraphQL, and OpenAPI specifications.
You can also create a native stage for HawkScan within Spinnaker so users can easily configure a HawkScan for their pipelines from the Spinnaker UI, and without the need for editing a Job manifest. This also allows you to utilize Spinnaker secrets to store your API key.