Organisations which have purchased AppCheck's CI/CD Pipeline Integration service can use AppCheck's Command Line Interface (CLI) tool to integrate easily with many CI/CD platforms. Sample configurations are provided for some of the most popular platforms, and other platforms can be integrated using simple commands.
Modifying your CI/CD pipeline requires a thorough understanding of its configuration and should be handled by the team responsible for its management, for example a DevOps team. If this team does not typically work with AppCheck, they may need assistance from an AppCheck user, for instance to select the appropriate scan to include in your pipeline.
Follow the steps below to integrate AppCheck into your CI/CD pipeline.
- Prepare a Scan
- Install AppCheck CLI Tool
- Add AppCheck CLI Action(s) to Your Pipeline
- Sample Configurations
Prepare a Scan
In most cases the AppCheck action you will wish to integrate into your pipeline is Run a Scan. This action takes a scan ID as an argument, so a scan must already be configured with the appropriate target (it is not possible to configure an action in your pipeline which simply instructs AppCheck to scan a given URL).
Log in to the AppCheck portal and create an appropriate scan if one does not already exist. Once a scan has been created, note down its Scan ID, shown in the address bar. For example if the URL of your scan is https://scanner.appcheck-ng.com/scans/123d45abcdefg67ui then the scan ID is 123d45abcdefg67ui.
AppCheck scans can take several hours to complete. This should be borne in mind when planning your pipeline integration.
Install AppCheck CLI Tool
Follow the steps in Using the AppCheck CLI Tool to install and configure the AppCheck CLI Tool on your CI/CD server.
Make a note of your CI/CD Token. You will use this within your pipeline configuration.
Add AppCheck CLI Action(s) to Your Pipeline
Add the desired actions to the appropriate place in your pipeline configuration file. This will usually be the action "Run a scan" after your application has been deployed to the environment targeted by your chosen scan.
You may wish to start by copying the sample configuration for your platform shown below, or you may prefer to start from scratch using the full documentation described in Using the AppCheck CLI Tool.
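The steps above ask you to take the scan ID from the portal address bar, store the CI/CD token as a secret, and then run the CLI from your pipeline. The wrapper below is an added example written for this article, not part of the AppCheck CLI or its documentation: it extracts the scan ID from a portal URL, refuses to start when the token secret is missing or the ID is malformed (so a misconfigured pipeline fails fast instead of leaking a partial command line into logs), and then runs the same `./appcheck-cli --action run --scan-id ... --display-vulns` command used in the sample configurations. The only assumptions not taken from the page are that the CLI path can be overridden through an `APPCHECK_CLI` variable (for testing) and that the CLI's exit status reflects whether the run succeeded.

```shell
#!/usr/bin/env bash
# Added example wrapper around the appcheck-cli invocation shown on this page.
# Assumptions (not from the page): APPCHECK_CLI overrides the CLI path, and the
# CLI exits non-zero when the run fails.

set -u

# Extract the scan ID from a portal URL of the form .../scans/<id>, ignoring
# any trailing path, query string or fragment.
scan_id_from_url() {
  local url="$1" id
  case "$url" in
    */scans/*) ;;
    *) return 1 ;;
  esac
  id="${url##*/scans/}"
  id="${id%%[/?#]*}"
  [ -n "$id" ] || return 1
  printf '%s\n' "$id"
}

# Scan IDs in the portal are alphanumeric; reject anything else before it
# reaches a shell command line.
valid_scan_id() {
  case "$1" in
    ''|*[!A-Za-z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Run the scan. The token is read by the CLI from APPCHECK_API_KEY and is never
# echoed; a missing token or bad ID stops the job with a distinct exit code.
run_appcheck_scan() {
  local scan_id="$1"
  local cli="${APPCHECK_CLI:-./appcheck-cli}"
  if [ -z "${APPCHECK_API_KEY:-}" ]; then
    echo "APPCHECK_API_KEY is not set; configure it as a CI/CD secret" >&2
    return 2
  fi
  if ! valid_scan_id "$scan_id"; then
    echo "Refusing to run: '$scan_id' is not a valid scan ID" >&2
    return 3
  fi
  echo "Starting AppCheck scan $scan_id"
  "$cli" --action run --scan-id "$scan_id" --display-vulns
}
```

In a pipeline you would call `run_appcheck_scan "$SCAN_ID"` in place of the bare CLI line, with `APPCHECK_API_KEY` supplied from the platform's secret store exactly as in the samples below. Remember that a scan can take several hours, so the job's timeout must allow for that.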
Sample Configurations
GitLab CI/CD
stages:
  - scan
variables:
  APPCHECK_API_KEY: "[CI/CD access token]"
scan_job:
  stage: scan
  script:
    - echo "Starting AppCheck scan"
    - ./appcheck-cli --action run --scan-id $SCAN_ID --display-vulns
  only:
    - branches
Prerequisites:
- Replace [CI/CD access token] with your actual AppCheck CI/CD token.
- Set the SCAN_ID variable to the ID of the scan you wish to run.
GitHub Actions
name: AppCheck Scan
on:
  push:
    branches:
      - main
jobs:
  scan_job:
    runs-on: ubuntu-latest
    env:
      APPCHECK_API_KEY: ${{ secrets.APPCHECK_CICD_TOKEN }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Run AppCheck Scan
        env:
          SCAN_ID: ${{ secrets.SCAN_ID }}
        run: ./appcheck-cli --action run --scan-id $SCAN_ID --display-vulns
Prerequisites:
- Create a secret in your GitHub repository called APPCHECK_CICD_TOKEN; set the value to your AppCheck CI/CD token.
- Create a secret in your GitHub repository called SCAN_ID; set the value to your scan ID.
Azure DevOps
trigger:
  branches:
    include:
      - main
pool:
  vmImage: 'ubuntu-latest'
variables:
  APPCHECK_API_KEY: $(APPCHECK_CICD_TOKEN)
  SCAN_ID: $(SCAN_ID)
steps:
  - script: |
      ./appcheck-cli --action run --scan-id $(SCAN_ID) --display-vulns
    displayName: 'Run AppCheck Scan'
    env:
      APPCHECK_API_KEY: $(APPCHECK_CICD_TOKEN)
Prerequisites:
- Create a pipeline variable or environment variable called APPCHECK_CICD_TOKEN; set the value to your AppCheck CI/CD token.
- Create a pipeline variable or environment variable called SCAN_ID; set the value to your scan ID.
Jenkins
pipeline {
    agent any
    environment {
        APPCHECK_API_KEY = credentials('APPCHECK_CICD_TOKEN')
        SCAN_ID = credentials('SCAN_ID')
    }
    stages {
        stage('Run Scan') {
            steps {
                sh './appcheck-cli --action run --scan-id $SCAN_ID --display-vulns'
            }
        }
    }
}
Prerequisites:
- Create a Jenkins credential called APPCHECK_CICD_TOKEN; set the value to your AppCheck CI/CD token.
- Create a Jenkins credential called SCAN_ID; set the value to your scan ID.
Jira
- Create a new Automation Rule:
  - Navigate to Jira settings > System > Automation rules.
  - Click "Create rule" and choose "Custom rule."
- Configure the trigger:
  - Add a trigger for when an issue is created or transitioned to a specific status (e.g., "Ready for Scan").
- Add a Webhook action:
  - Add a "Send web request" action.
  - Configure the webhook to trigger a build in your CI/CD system (GitHub Actions, Azure DevOps, Jenkins) which runs the AppCheck CLI scan.
{
  "ref": "main",
  "inputs": {
    "scan_id": "{{issue.fields.customfield_10000}}"
  }
}
- Replace {{issue.fields.customfield_10000}} with the custom field ID containing the scan ID in your Jira issue.