
contrastsecurity/verify@0.3.0

Install and configure/use Contrast Security on CircleCI: https://contrastsecurity.com

The Contrast agent begins securing your code by adding sensors to the entire software stack of your applications - from runtime to custom code - to directly measure vulnerabilities and attacks. Contrast Assess continuously monitors all your code, including your libraries, for known and unknown vulnerabilities, and produces accurate results without dependence on application security experts.

You can find this orb's source code in the following GitHub repository: https://github.com/Contrast-Security-OSS/contrast-security-orb

Created: April 23, 2019
Version Published: October 17, 2019
Releases: 50
Org Usage:
< 25

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```

Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  verify: contrastsecurity/verify@0.3.0
```

Use verify elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

run-tests-check-vulnerabilities

Query the Contrast API to check whether vulnerabilities have been found in this application. If the number of open vulnerabilities is above the set threshold, the build fails.

```yaml
jobs:
  contrast-verify:
    executor: contrastsecurity/default
    steps:
      - checkout
      - contrastsecurity/check-vulnerabilities:
          application-id: (your application id)
          contrast-url: https://app.contrastsecurity.com/Contrast
          org-id: (your org id)
          severities: CRITICAL,HIGH,MEDIUM
orbs:
  contrastsecurity: contrastsecurity/verify@x.y.z
version: 2.1
workflows:
  test:
    jobs:
      - contrast-verify
```

Jobs

check-vulnerabilities

After running your tests, query the Contrast API to see if any new vulnerabilities were found in your build

| Parameter | Description | Required | Default | Type |
|---|---|---|---|---|
| api-key | Name of the environment variable storing your Contrast API key | No | CONTRAST_API_KEY | env_var_name |
| application-id | ID of your application in Contrast | No | '' | string |
| contrast-url | The Contrast URL for your instance. The default is https://app.contrastsecurity.com/Contrast | No | https://app.contrastsecurity.com/Contrast | string |
| executor | Executor within which to run this job; defaults to this orb's own `default` executor. The given execution environment should have Python and pip preinstalled. | No | default | executor |
| org-id | The organization ID for your Contrast organization. This can be found on the "Your Account" page in the Contrast UI. | No | '' | string |
| python-path | Absolute path to an installed Python interpreter | No | /usr/local/bin/python | string |
| service-key | Name of the environment variable storing your Contrast service key | No | CONTRAST_SERVICE_KEY | env_var_name |
| severities | A comma-delimited list of severities to use when filtering for vulnerabilities. | No | CRITICAL,HIGH,MEDIUM,LOW,NOTE | string |
| username | Name of the environment variable storing your Contrast username | No | CONTRAST_USERNAME | env_var_name |
| vulnerability-threshold | The number of open vulnerabilities at (or above) which you want your build to fail. | No | 0 | integer |

Commands

check-vulnerabilities

After running your tests, query the Contrast API to see if any new vulnerabilities were found in your build. Requirements: Python, pip.

| Parameter | Description | Required | Default | Type |
|---|---|---|---|---|
| api-key | Name of the environment variable storing your Contrast API key | No | CONTRAST_API_KEY | env_var_name |
| application-id | ID of your application in Contrast | No | '' | string |
| contrast-url | The Contrast URL for your instance. The default is https://app.contrastsecurity.com/Contrast | No | https://app.contrastsecurity.com/Contrast | string |
| org-id | The organization ID for your Contrast organization. This can be found on the "Your Account" page in the Contrast UI. | No | '' | string |
| python-path | Absolute path to an installed Python interpreter | No | /usr/local/bin/python | string |
| service-key | Name of the environment variable storing your Contrast service key | No | CONTRAST_SERVICE_KEY | env_var_name |
| severities | A comma-delimited list of severities to use when filtering for vulnerabilities. | No | CRITICAL,HIGH,MEDIUM,LOW,NOTE | string |
| username | Name of the environment variable storing your Contrast username | No | CONTRAST_USERNAME | env_var_name |
| vulnerability-threshold | The number of open vulnerabilities at (or above) which you want your build to fail. | No | 0 | integer |

Executors

default

CircleCI's Python convenience image: https://hub.docker.com/r/circleci/python

| Parameter | Description | Required | Default | Type |
|---|---|---|---|---|
| image | The name of the Docker image | No | circleci/python | string |
| tag | The image version tag | No | 2.7.16-jessie-node-browsers-legacy | string |

Orb Source

```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
commands:
  check-vulnerabilities:
    description: |
      After running your tests, query the Contrast API to see if any new vulnerabilities were found in your build. Requirements: Python, pip
    parameters:
      api-key:
        default: CONTRAST_API_KEY
        description: |
          Name of environment variable storing your Contrast API key
        type: env_var_name
      application-id:
        default: ""
        description: |
          ID of your application in Contrast
        type: string
      contrast-url:
        default: https://app.contrastsecurity.com/Contrast
        description: |
          The Contrast url for your instance. The default is https://app.contrastsecurity.com/Contrast
        type: string
      org-id:
        default: ""
        description: |
          The organization id for your Contrast organization. This can be found on the "Your Account" page in the Contrast UI.
        type: string
      python-path:
        default: /usr/local/bin/python
        description: |
          Absolute path to an installed Python shell
        type: string
      service-key:
        default: CONTRAST_SERVICE_KEY
        description: |
          Name of environment variable storing your Contrast service key
        type: env_var_name
      severities:
        default: CRITICAL,HIGH,MEDIUM,LOW,NOTE
        description: |
          A comma-delimited list of serverities to use when filtering for vulnerabilities.
        type: string
      username:
        default: CONTRAST_USERNAME
        description: |
          Name of environment variable storing your Contrast username
        type: env_var_name
      vulnerability-threshold:
        default: 0
        description: |
          For what number or greater of open vulnerabilities would you like your build to fail?
        type: integer
    steps:
      - run:
          command: |
            if [[ $EUID == 0 ]]; then export SUDO=""; else export SUDO="sudo"; fi
            $SUDO pip install requests
          name: Check for Python presence
      - run:
          command: |
            if [[ $EUID == 0 ]]; then export SUDO=""; else export SUDO="sudo"; fi
            $SUDO pip install requests
          name: Install Python modules
      - run:
          command: |
            import base64
            import datetime
            import json
            import requests
            import urllib
            import sys
            import os

            # Set the severities you are interested in
            SEVERITIES = os.path.expandvars("${<<parameters.severities>>}")

            headers = {
              'Accept': 'application/json',
              'API-Key': os.path.expandvars("${<<parameters.api-key>>}"),
              'Authorization': base64.b64encode(os.path.expandvars("${<<parameters.username>>}:${<<parameters.service-key>>}"))
            }

            # Contrast Security API request to get vulnerabilities
            url = "<<parameters.contrast-url>>/api/ng/<<parameters.org-id>>/traces/<<parameters.application-id>>/quick?severities=<<parameters.severities>>"
            print ('HTTP GET ' + url)
            response = requests.get(url, headers = headers)

            # Check the status of the request
            if (not response.ok):
              print ('We could not contact Contrast. Please make sure contrast-url, application-id, org-id, and all credentials are correct')
              sys.exit(1)

            # Parse the JSON content
            json_data = json.loads(response.content)
            vulns_all = 0
            vulns_open = 0
            for filter in json_data['filters']:
              if (filter['name'] == 'All'):
                vulns_all = filter['count']
              elif (filter['name'] == 'Open'):
                vulns_open = filter['count']
            print ('All vulnerabilities: ' + str(vulns_all))
            print ('Open vulnerabilities: ' + str(vulns_open))

            # TODO Set the threshold for the number of vulnerabilities (of given severities)
            if (vulns_open > <<parameters.vulnerability-threshold>>):
              print("Above the vulnerabilities threshold. Failing build.")
              sys.exit(1)
          name: Check Contrast for vulnerabilities
          shell: <<parameters.python-path>>
description: |
  Install and configure/use Contrast Security on CircleCI https://contrastsecurity.com The Contrast agent begins securing your code by adding sensors to the entire software stack of your applications - from runtime to custom code - to directly measure vulnerabilities and attacks. Contrast Assess continuously monitors all your code, including your libraries, for known and unknown vulnerabilities, and produces accurate results without dependence on application security experts. You can find this orb's source code in the following GitHub repository https://github.com/Contrast-Security-OSS/contrast-security-orb
examples:
  run-tests-check-vulnerabilities:
    description: |
      Query the Contrast API to check if vulnerabilites have been found in this application. If vulnerabilites have been found above the set threshold, then fail the build.
    usage:
      jobs:
        contrast-verify:
          executor: contrastsecurity/default
          steps:
            - checkout
            - contrastsecurity/check-vulnerabilities:
                application-id: (your application id)
                contrast-url: https://app.contrastsecurity.com/Contrast
                org-id: (your org id)
                severities: CRITICAL,HIGH,MEDIUM
      orbs:
        contrastsecurity: contrastsecurity/verify@x.y.z
      version: 2.1
      workflows:
        test:
          jobs:
            - contrast-verify
executors:
  default:
    description: |
      CircleCI's Python convenience image: https://hub.docker.com/r/circleci/python
    docker:
      - image: <<parameters.image>>:<<parameters.tag>>
    parameters:
      image:
        default: circleci/python
        description: The name of image
        type: string
      tag:
        default: 2.7.16-jessie-node-browsers-legacy
        description: The image version tag
        type: string
jobs:
  check-vulnerabilities:
    description: |
      After running your tests, query the Contrast API to see if any new vulnerabilities were found in your build
    executor: <<parameters.executor>>
    parameters:
      api-key:
        default: CONTRAST_API_KEY
        description: |
          Name of environment variable storing your Contrast API key
        type: env_var_name
      application-id:
        default: ""
        description: |
          ID of your application in Contrast
        type: string
      contrast-url:
        default: https://app.contrastsecurity.com/Contrast
        description: |
          The Contrast url for your instance. The default is https://app.contrastsecurity.com/Contrast
        type: string
      executor:
        default: default
        description: |
          Executor within which to run this job, defaults to this orb's own `default` executor. The given execution environment should have Python and pip preinstalled.
        type: executor
      org-id:
        default: ""
        description: |
          The organization id for your Contrast organization. This can be found on the "Your Account" page in the Contrast UI.
        type: string
      python-path:
        default: /usr/local/bin/python
        description: |
          Absolute path to an installed Python shell
        type: string
      service-key:
        default: CONTRAST_SERVICE_KEY
        description: |
          Name of environment variable storing your Contrast service key
        type: env_var_name
      severities:
        default: CRITICAL,HIGH,MEDIUM,LOW,NOTE
        description: |
          A comma-delimited list of serverities to use when filtering for vulnerabilities.
        type: string
      username:
        default: CONTRAST_USERNAME
        description: |
          Name of environment variable storing your Contrast username
        type: env_var_name
      vulnerability-threshold:
        default: 0
        description: |
          For what number or greater of open vulnerabilities would you like your build to fail?
        type: integer
    steps:
      - check-vulnerabilities:
          api-key: <<parameters.api-key>>
          application-id: <<parameters.application-id>>
          contrast-url: <<parameters.contrast-url>>
          org-id: <<parameters.org-id>>
          python-path: <<parameters.python-path>>
          service-key: <<parameters.service-key>>
          severities: <<parameters.severities>>
          username: <<parameters.username>>
          vulnerability-threshold: <<parameters.vulnerability-threshold>>
version: 2.1
```
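The gate the orb's last step implements (build the Contrast headers, query `/api/ng/{org}/traces/{app}/quick`, read the `All` and `Open` counts from `filters`, fail when `Open` exceeds the threshold) is reproduced below as an added example that is not part of the orb; it runs offline against a constructed sample response. It differs from the orb's script in one deliberate way: the orb passes a str to `base64.b64encode`, which only works on the default executor's Python 2.7 image, so the credentials here are encoded as bytes to also run on Python 3. The credential and ID values are constructed placeholders, and the sample response only mirrors the fields the orb reads.

```python
"""Added example (not the contrastsecurity/verify orb's own code)."""
import base64
import json
from typing import Dict, Tuple

# Constructed placeholder credentials; real values come from CI env vars.
SAMPLE_USERNAME = "ci-user@example.com"
SAMPLE_SERVICE_KEY = "EXAMPLE_SERVICE_KEY"
SAMPLE_API_KEY = "EXAMPLE_API_KEY"

# Constructed sample of the /traces/{app}/quick response, limited to the
# fields the orb script reads: a list of filters with a name and a count.
SAMPLE_QUICK_RESPONSE = json.dumps({
    "filters": [
        {"name": "All", "count": 7},
        {"name": "Open", "count": 3},
        {"name": "Fixed", "count": 4},
    ]
})


def build_headers(username: str, service_key: str, api_key: str) -> Dict[str, str]:
    """Same header layout the orb sends: API-Key plus base64(username:service_key)
    in Authorization (no 'Basic ' prefix). Bytes in, str out, so Python 3 works."""
    token = base64.b64encode(f"{username}:{service_key}".encode()).decode()
    return {"Accept": "application/json", "API-Key": api_key, "Authorization": token}


def build_quick_url(contrast_url: str, org_id: str, app_id: str, severities: str) -> str:
    """Builds the endpoint the orb queries, with the severities filter."""
    return f"{contrast_url}/api/ng/{org_id}/traces/{app_id}/quick?severities={severities}"


def evaluate_quick_response(body: str, threshold: int) -> Tuple[int, int, bool]:
    """Returns (all, open, should_fail). Mirrors the orb: the build fails only
    when the Open count is strictly greater than vulnerability-threshold, so
    threshold=0 fails on the first open finding."""
    data = json.loads(body)
    counts = {f["name"]: f["count"] for f in data.get("filters", [])}
    vulns_all = counts.get("All", 0)
    vulns_open = counts.get("Open", 0)
    return vulns_all, vulns_open, vulns_open > threshold


if __name__ == "__main__":
    headers = build_headers(SAMPLE_USERNAME, SAMPLE_SERVICE_KEY, SAMPLE_API_KEY)
    url = build_quick_url("https://app.contrastsecurity.com/Contrast", "ORG-ID", "APP-ID", "CRITICAL,HIGH,MEDIUM")
    total, open_count, fail = evaluate_quick_response(SAMPLE_QUICK_RESPONSE, threshold=0)
    print(f"GET {url} with headers {sorted(headers)}")
    print(f"All: {total}  Open: {open_count}  fail build: {fail}")
```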