defensecode/thunderscan@1.0.3

DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. Developers and AppSec teams can rapidly find and triage security risks and have continuous visibility with every build.
Created: June 1, 2021. Version published: June 4, 2021. Releases: 4. Org usage: < 25.

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```

Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  thunderscan: defensecode/thunderscan@1.0.3
```

Use thunderscan elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

thunderscan-scan

This example shows how to scan a repository project in the build pipeline with ThunderScan. Note that the THUNDERSCAN_API_URL and THUNDERSCAN_API_TOKEN environment variables need to be set in context or project variables; the API token is a credential, so keep it there rather than in the committed config.yml.

```yaml
version: '2.1'
orbs:
  thunderscan: defensecode/thunderscan@1.0
workflows:
  build:
    jobs:
      - thunderscan/scan:
          post-run:
            - store_artifacts:
                path: ./thunderscan-report.json
            - store_artifacts:
                path: ./thunderscan-report.html
          report: true
          report-filename: thunderscan-report
          report-format: html,json
          scan-name: $CIRCLE_PROJECT_REPONAME/$CIRCLE_BUILD_NUM
```

Jobs

scan

Scans your application source code for vulnerabilities with DefenseCode ThunderScan® SAST

| Parameter | Description | Required | Default | Type |
|---|---|---|---|---|
| alm-trigger | Issue tracking trigger ID to be used with the scan | No | `''` | string |
| diff | Indicates if a differential/incremental scan should be performed if there is at least one baseline scan performed against an application. | No | `false` | boolean |
| email-trigger | Email trigger ID to be used with the scan | No | `''` | string |
| engines | Accepts a comma separated list of SAST engine/language IDs to be used in the analysis (e.g. 1,2). The default performs an auto-language recognition scan. | No | `'0'` | string |
| excluded-vt | Accepts a comma separated list of vulnerability type IDs to be excluded from the analysis, e.g. 0,1,2,3. | No | `''` | string |
| ignore-suppressed | Indicates if ThunderScan® should ignore previously suppressed vulnerabilities in the result output. | No | `false` | boolean |
| image | Enter a custom Docker image for this job. By default CircleCI's optimized `cimg/base` image will be used. | No | `cimg/base:stable` | string |
| parent | Specifies the ID of the parent application for the scan. If set to a wildcard (*), ThunderScan will automatically assign the parent application based on the target source or create a new one. | No | `''` | string |
| post-run | A list of steps to run after running the tests/application | No | `[]` | steps |
| pre-run | A list of steps that are run before running the tests/application | No | `[]` | steps |
| purge | Indicates if the uploaded archive should be deleted from the ThunderScan server following a finished scan. | No | `false` | boolean |
| report | Indicates if the reports should be generated. | No | `false` | boolean |
| report-filename | Specifies the filename of the generated report. The input should be without a file extension, as the chosen format extensions will be automatically appended to the name. | No | `thunderscan-report` | string |
| report-format | Accepts a comma separated list of report formats to be generated at the end of the scan, e.g. html,json,xml | No | `html` | string |
| scan-name | Specifies the name of the scan. | No | `CircleCI CLI Scan` | string |
| slack-trigger | Slack trigger ID to be used with the scan | No | `''` | string |
| threshold | Enables the client to break the build or pipeline process by returning exit code 2 if the results match a defined vulnerability threshold. For example, with the threshold set to "high:5" the build will be interrupted only if the scan results contain 5 or more high risk vulnerabilities. Usage: risk:count,risk:count,risk:count | No | `high:1` | string |
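
The build-breaking rule behind the threshold parameter, modelled as an added example (this is not code from tscli or the orb): it parses the documented risk:count list, compares each configured count against the number of findings at that risk level, and returns the exit code the page documents (2 when a threshold is reached, 0 otherwise). The risk level names other than "high", and the constructed finding counts, are assumptions.

```python
"""Model of the ThunderScan orb 'threshold' rule (added example, not tscli code)."""
from typing import Dict

# Assumed set of risk level names; the page itself only shows "high".
VALID_RISKS = ("critical", "high", "medium", "low", "info")
EXIT_THRESHOLD_HIT = 2  # exit code the page documents for a matched threshold
EXIT_OK = 0


def parse_threshold(spec: str) -> Dict[str, int]:
    """Parse 'risk:count,risk:count' into {risk: count}; reject malformed input."""
    rules: Dict[str, int] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        risk, sep, count = item.partition(":")
        risk = risk.strip().lower()
        if not sep or risk not in VALID_RISKS or not count.strip().isdigit():
            raise ValueError(f"bad threshold entry: {item!r}")
        rules[risk] = int(count)
    if not rules:
        raise ValueError("empty threshold")
    return rules


def evaluate(spec: str, counts: Dict[str, int]) -> int:
    """Return the exit code the scan step should produce for the given finding counts.

    The page's example ("high:5" breaks the build at 5 or more high findings)
    means a threshold is matched when findings >= the configured count.
    """
    rules = parse_threshold(spec)
    for risk, limit in rules.items():
        if counts.get(risk, 0) >= limit:
            return EXIT_THRESHOLD_HIT
    return EXIT_OK


if __name__ == "__main__":
    # Constructed sample: per-risk finding counts as a scan might report them.
    sample = {"high": 4, "medium": 12, "low": 30}
    print(evaluate("high:1", sample))            # 2: the orb default fails on any high finding
    print(evaluate("high:5", sample))            # 0: 4 high findings do not reach 5
    print(evaluate("high:5,medium:10", sample))  # 2: the medium threshold is reached
```

With the orb default of high:1, a single high-risk finding is enough to fail the job; loosen the threshold deliberately rather than by suppressing findings.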

Orb Source

```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. Developers and AppSec teams can rapidly find and triage security risks and have continuous visibility with every build.
display:
  home_url: https://www.defensecode.com
  source_url: https://www.github.com/defensecode/thunderscan-orb
jobs:
  scan:
    description: |
      Scans your application source code for vulnerabilities with DefenseCode ThunderScan® SAST
    docker:
      - image: <<parameters.image>>
    parameters:
      alm-trigger:
        default: ""
        description: Issue tracking trigger ID to be used with the scan
        type: string
      diff:
        default: false
        description: Indicates if a differential/incremental scan should be performed if there is at least one baseline scan performed against an application.
        type: boolean
      email-trigger:
        default: ""
        description: Email trigger ID to be used with the scan
        type: string
      engines:
        default: "0"
        description: Accepts a comma separated list of SAST engine/language IDs to be used in the analysis (e.g. 1,2). Default will perform an auto-language recognition scan.
        type: string
      excluded-vt:
        default: ""
        description: Accepts a comma separated list of vulnerability type IDs to be excluded from the analysis, e.g. 0,1,2,3.
        type: string
      ignore-suppressed:
        default: false
        description: Indicating if ThunderScan® should ignore previously suppressed vulnerabilities in result output.
        type: boolean
      image:
        default: cimg/base:stable
        description: Enter a custom docker image for this job. By default CircleCI's optimized `cimg/base` image will be used.
        type: string
      parent:
        default: ""
        description: Specifies the ID of the parent application for the scan. If set to a wildcard (*), ThunderScan will automatically assign the parent application based on the target source or create a new one.
        type: string
      post-run:
        default: []
        description: A list of steps to run after running the tests/application
        type: steps
      pre-run:
        default: []
        description: A list of steps that are run before running the tests/application
        type: steps
      purge:
        default: false
        description: Indicates if the uploaded archive should be deleted from the ThunderScan server following a finished scan.
        type: boolean
      report:
        default: false
        description: Indicates if the reports should be generated.
        type: boolean
      report-filename:
        default: thunderscan-report
        description: Specifies the filename of generated report. The input should be without a file extension as the chosen format extensions will be automatically appended to the name.
        type: string
      report-format:
        default: html
        description: Accepts a comma separated list of report formats to be generated at the end of the scan, e.g. html,json,xml
        type: string
      scan-name:
        default: CircleCI CLI Scan
        description: Specifies the name of the scan.
        type: string
      slack-trigger:
        default: ""
        description: Slack trigger ID to be used with the scan
        type: string
      threshold:
        default: high:1
        description: Enables the client to break the build or pipeline process by returning an exit code 2 if the results match a defined vulnerability threshold. For example, with the threshold set to "high:5" the build will be interruped only if the scan results contain 5 or more high risk vulnerabilities. Usage - risk:count,risk:count,risk:count
        type: string
    steps:
      - steps: <<parameters.pre-run>>
      - checkout:
          path: ./repository
      - run:
          command: |
            wget https://download.defensecode.com/latest/clients/tscli.tar.gz -O tscli.tar.gz
            tar xvzf tscli.tar.gz
          name: Download/Extract ThunderScan API CLI
      - run:
          command: |
            ./tscli --upload ./repository --name <<parameters.scan-name>> --engines <<parameters.engines>> --threshold <<parameters.threshold>> --diff=<<parameters.diff>> --report=<<parameters.report>> --formats <<parameters.report-format>> --filename <<parameters.report-filename>> --purge=<<parameters.purge>>
          environment:
            THUNDERSCAN_ALM_TRIGGER_ID: <<parameters.alm-trigger>>
            THUNDERSCAN_EMAIL_TRIGGER_ID: <<parameters.email-trigger>>
            THUNDERSCAN_EXLUDED_VULN_TYPES: <<parameters.excluded-vt>>
            THUNDERSCAN_IGNORE_SUPPRESSIONS: <<parameters.ignore-suppressed>>
            THUNDERSCAN_SCAN_PARENT_ID: <<parameters.parent>>
            THUNDERSCAN_SLACK_TRIGGER_ID: <<parameters.slack-trigger>>
          name: ThunderScan SAST Scan
      - steps: <<parameters.post-run>>
examples:
  thunderscan-scan:
    description: |
      This example shows how to scan a repository project in the build pipeline with ThunderScan. Note that THUNDERSCAN_API_URL and THUNDERSCAN_API_TOKEN environment variables need to be set in context or project variables.
    usage:
      version: "2.1"
      orbs:
        thunderscan: defensecode/thunderscan@1.0
      workflows:
        build:
          jobs:
            - thunderscan/scan:
                post-run:
                  - store_artifacts:
                      path: ./thunderscan-report.json
                  - store_artifacts:
                      path: ./thunderscan-report.html
                report: true
                report-filename: thunderscan-report
                report-format: html,json
                scan-name: $CIRCLE_PROJECT_REPONAME/$CIRCLE_BUILD_NUM
```