Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
1
version: 2.1
Add the orbs
stanza below your version, invoking the orb:
1
2
orbs:
verify: contrastsecurity/verify@0.3.0
Use verify
elements in your existing workflows and jobs.
Opt-in to use of uncertified orbs on your organization’s Security settings page.
Query the Contrast API to check if vulnerabilites have been found in this application. If vulnerabilites have been found above the set threshold, then fail the build.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
jobs:
contrast-verify:
executor: contrastsecurity/default
steps:
- checkout
- contrastsecurity/check-vulnerabilities:
application-id: (your application id)
contrast-url: https://app.contrastsecurity.com/Contrast
org-id: (your org id)
severities: CRITICAL,HIGH,MEDIUM
orbs:
contrastsecurity: contrastsecurity/verify@x.y.z
version: 2.1
workflows:
test:
jobs:
- contrast-verify
After running your tests, query the Contrast API to see if any new vulnerabilities were found in your build
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
api-key | Name of environment variable storing your Contrast API key
| No | CONTRAST_API_KEY | env_var_name |
application-id | ID of your application in Contrast
| No | '' | string |
contrast-url | The Contrast url for your instance. The default is https://app.contrastsecurity.com/Contrast
| No | https://app.contrastsecurity.com/Contrast | string |
executor | Executor within which to run this job, defaults to this orb's own `default` executor. The given execution environment should have Python and pip preinstalled.
| No | default | executor |
org-id | The organization id for your Contrast organization. This can be found on the "Your Account" page in the Contrast UI.
| No | '' | string |
python-path | Absolute path to an installed Python shell
| No | /usr/local/bin/python | string |
service-key | Name of environment variable storing your Contrast service key
| No | CONTRAST_SERVICE_KEY | env_var_name |
severities | A comma-delimited list of serverities to use when filtering for vulnerabilities.
| No | CRITICAL,HIGH,MEDIUM,LOW,NOTE | string |
username | Name of environment variable storing your Contrast username
| No | CONTRAST_USERNAME | env_var_name |
vulnerability-threshold | For what number or greater of open vulnerabilities would you like your build to fail?
| No | 0 | integer |
After running your tests, query the Contrast API to see if any new vulnerabilities were found in your build. Requirements: Python, pip
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
api-key | Name of environment variable storing your Contrast API key
| No | CONTRAST_API_KEY | env_var_name |
application-id | ID of your application in Contrast
| No | '' | string |
contrast-url | The Contrast url for your instance. The default is https://app.contrastsecurity.com/Contrast
| No | https://app.contrastsecurity.com/Contrast | string |
org-id | The organization id for your Contrast organization. This can be found on the "Your Account" page in the Contrast UI.
| No | '' | string |
python-path | Absolute path to an installed Python shell
| No | /usr/local/bin/python | string |
service-key | Name of environment variable storing your Contrast service key
| No | CONTRAST_SERVICE_KEY | env_var_name |
severities | A comma-delimited list of serverities to use when filtering for vulnerabilities.
| No | CRITICAL,HIGH,MEDIUM,LOW,NOTE | string |
username | Name of environment variable storing your Contrast username
| No | CONTRAST_USERNAME | env_var_name |
vulnerability-threshold | For what number or greater of open vulnerabilities would you like your build to fail?
| No | 0 | integer |
CircleCI's Python convenience image: https://hub.docker.com/r/circleci/python
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
image | The name of image | No | circleci/python | string |
tag | The image version tag | No | 2.7.16-jessie-node-browsers-legacy | string |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
commands:
check-vulnerabilities:
description: |
After running your tests, query the Contrast API to see if any new vulnerabilities were found in your build. Requirements: Python, pip
parameters:
api-key:
default: CONTRAST_API_KEY
description: |
Name of environment variable storing your Contrast API key
type: env_var_name
application-id:
default: ""
description: |
ID of your application in Contrast
type: string
contrast-url:
default: https://app.contrastsecurity.com/Contrast
description: |
The Contrast url for your instance. The default is https://app.contrastsecurity.com/Contrast
type: string
org-id:
default: ""
description: |
The organization id for your Contrast organization. This can be found on the "Your Account" page in the Contrast UI.
type: string
python-path:
default: /usr/local/bin/python
description: |
Absolute path to an installed Python shell
type: string
service-key:
default: CONTRAST_SERVICE_KEY
description: |
Name of environment variable storing your Contrast service key
type: env_var_name
severities:
default: CRITICAL,HIGH,MEDIUM,LOW,NOTE
description: |
A comma-delimited list of serverities to use when filtering for vulnerabilities.
type: string
username:
default: CONTRAST_USERNAME
description: |
Name of environment variable storing your Contrast username
type: env_var_name
vulnerability-threshold:
default: 0
description: |
For what number or greater of open vulnerabilities would you like your build to fail?
type: integer
steps:
- run:
command: |
if [[ $EUID == 0 ]]; then export SUDO=""; else export SUDO="sudo"; fi
$SUDO pip install requests
name: Check for Python presence
- run:
command: |
if [[ $EUID == 0 ]]; then export SUDO=""; else export SUDO="sudo"; fi
$SUDO pip install requests
name: Install Python modules
- run:
command: |
import base64
import datetime
import json
import requests
import urllib
import sys
import os
# Set the severities you are interested in
SEVERITIES = os.path.expandvars("${<<parameters.severities>>}")
headers = {
'Accept': 'application/json',
'API-Key': os.path.expandvars("${<<parameters.api-key>>}"),
'Authorization': base64.b64encode(os.path.expandvars("${<<parameters.username>>}:${<<parameters.service-key>>}"))
}
# Contrast Security API request to get vulnerabilities
url = "<<parameters.contrast-url>>/api/ng/<<parameters.org-id>>/traces/<<parameters.application-id>>/quick?severities=<<parameters.severities>>"
print ('HTTP GET ' + url)
response = requests.get(url, headers = headers)
# Check the status of the request
if (not response.ok):
print ('We could not contact Contrast. Please make sure contrast-url, application-id, org-id, and all credentials are correct')
sys.exit(1)
# Parse the JSON content
json_data = json.loads(response.content)
vulns_all = 0
vulns_open = 0
for filter in json_data['filters']:
if (filter['name'] == 'All'):
vulns_all = filter['count']
elif (filter['name'] == 'Open'):
vulns_open = filter['count']
print ('All vulnerabilities: ' + str(vulns_all))
print ('Open vulnerabilities: ' + str(vulns_open))
# TODO Set the threshold for the number of vulnerabilities (of given severities)
if (vulns_open > <<parameters.vulnerability-threshold>>):
print("Above the vulnerabilities threshold. Failing build.")
sys.exit(1)
name: Check Contrast for vulnerabilities
shell: <<parameters.python-path>>
description: |
Install and configure/use Contrast Security on CircleCI https://contrastsecurity.com
The Contrast agent begins securing your code by adding sensors to the entire software stack of your applications - from runtime to custom code - to directly measure vulnerabilities and attacks. Contrast Assess continuously monitors all your code, including your libraries, for known and unknown vulnerabilities, and produces accurate results without dependence on application security experts.
You can find this orb's source code in the following GitHub repository https://github.com/Contrast-Security-OSS/contrast-security-orb
examples:
run-tests-check-vulnerabilities:
description: |
Query the Contrast API to check if vulnerabilites have been found in this application. If vulnerabilites have been found above the set threshold, then fail the build.
usage:
jobs:
contrast-verify:
executor: contrastsecurity/default
steps:
- checkout
- contrastsecurity/check-vulnerabilities:
application-id: (your application id)
contrast-url: https://app.contrastsecurity.com/Contrast
org-id: (your org id)
severities: CRITICAL,HIGH,MEDIUM
orbs:
contrastsecurity: contrastsecurity/verify@x.y.z
version: 2.1
workflows:
test:
jobs:
- contrast-verify
executors:
default:
description: |
CircleCI's Python convenience image: https://hub.docker.com/r/circleci/python
docker:
- image: <<parameters.image>>:<<parameters.tag>>
parameters:
image:
default: circleci/python
description: The name of image
type: string
tag:
default: 2.7.16-jessie-node-browsers-legacy
description: The image version tag
type: string
jobs:
check-vulnerabilities:
description: |
After running your tests, query the Contrast API to see if any new vulnerabilities were found in your build
executor: <<parameters.executor>>
parameters:
api-key:
default: CONTRAST_API_KEY
description: |
Name of environment variable storing your Contrast API key
type: env_var_name
application-id:
default: ""
description: |
ID of your application in Contrast
type: string
contrast-url:
default: https://app.contrastsecurity.com/Contrast
description: |
The Contrast url for your instance. The default is https://app.contrastsecurity.com/Contrast
type: string
executor:
default: default
description: |
Executor within which to run this job, defaults to this orb's own `default` executor. The given execution environment should have Python and pip preinstalled.
type: executor
org-id:
default: ""
description: |
The organization id for your Contrast organization. This can be found on the "Your Account" page in the Contrast UI.
type: string
python-path:
default: /usr/local/bin/python
description: |
Absolute path to an installed Python shell
type: string
service-key:
default: CONTRAST_SERVICE_KEY
description: |
Name of environment variable storing your Contrast service key
type: env_var_name
severities:
default: CRITICAL,HIGH,MEDIUM,LOW,NOTE
description: |
A comma-delimited list of serverities to use when filtering for vulnerabilities.
type: string
username:
default: CONTRAST_USERNAME
description: |
Name of environment variable storing your Contrast username
type: env_var_name
vulnerability-threshold:
default: 0
description: |
For what number or greater of open vulnerabilities would you like your build to fail?
type: integer
steps:
- check-vulnerabilities:
api-key: <<parameters.api-key>>
application-id: <<parameters.application-id>>
contrast-url: <<parameters.contrast-url>>
org-id: <<parameters.org-id>>
python-path: <<parameters.python-path>>
service-key: <<parameters.service-key>>
severities: <<parameters.severities>>
username: <<parameters.username>>
vulnerability-threshold: <<parameters.vulnerability-threshold>>
version: 2.1