Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```
Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  thunderscan: defensecode/thunderscan@1.0.3
```
Use thunderscan elements in your existing workflows and jobs.
Opt-in to use of uncertified orbs on your organization’s Security settings page.
This example shows how to scan a repository project in the build pipeline with ThunderScan. Note that the THUNDERSCAN_API_URL and THUNDERSCAN_API_TOKEN environment variables need to be set in context or project variables.

```yaml
version: '2.1'
orbs:
  thunderscan: defensecode/thunderscan@1.0
workflows:
  build:
    jobs:
      - thunderscan/scan:
          post-run:
            - store_artifacts:
                path: ./thunderscan-report.json
            - store_artifacts:
                path: ./thunderscan-report.html
          report: true
          report-filename: thunderscan-report
          report-format: html,json
          scan-name: $CIRCLE_PROJECT_REPONAME/$CIRCLE_BUILD_NUM
```
Scans your application source code for vulnerabilities with DefenseCode ThunderScan® SAST
| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| alm-trigger | Issue tracking trigger ID to be used with the scan. | No | '' | string |
| diff | Indicates whether a differential/incremental scan should be performed, provided at least one baseline scan has been performed against the application. | No | false | boolean |
| email-trigger | Email trigger ID to be used with the scan. | No | '' | string |
| engines | Accepts a comma-separated list of SAST engine/language IDs to be used in the analysis (e.g. 1,2). The default performs an auto-language-recognition scan. | No | '0' | string |
| excluded-vt | Accepts a comma-separated list of vulnerability type IDs to be excluded from the analysis, e.g. 0,1,2,3. | No | '' | string |
| ignore-suppressed | Indicates whether ThunderScan® should ignore previously suppressed vulnerabilities in the result output. | No | false | boolean |
| image | A custom Docker image for this job. By default CircleCI's optimized `cimg/base` image is used. | No | cimg/base:stable | string |
| parent | Specifies the ID of the parent application for the scan. If set to a wildcard (*), ThunderScan will automatically assign the parent application based on the target source, or create a new one. | No | '' | string |
| post-run | A list of steps to run after the scan step. | No | [] | steps |
| pre-run | A list of steps to run before the scan step. | No | [] | steps |
| purge | Indicates whether the uploaded archive should be deleted from the ThunderScan server once the scan has finished. | No | false | boolean |
| report | Indicates whether reports should be generated. | No | false | boolean |
| report-filename | Specifies the filename of the generated report. Give it without a file extension; the extension of each chosen format is appended automatically. | No | thunderscan-report | string |
| report-format | Accepts a comma-separated list of report formats to be generated at the end of the scan, e.g. html,json,xml. | No | html | string |
| scan-name | Specifies the name of the scan. | No | CircleCI CLI Scan | string |
| slack-trigger | Slack trigger ID to be used with the scan. | No | '' | string |
| threshold | Lets the client break the build or pipeline by returning exit code 2 if the results match a defined vulnerability threshold. For example, with the threshold set to "high:5" the build is interrupted only if the scan results contain 5 or more high-risk vulnerabilities. Usage: risk:count,risk:count,risk:count | No | high:1 | string |
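The following config is an added example, not part of the orb's own documentation. It wires the parameters above into a gated pipeline: secrets come from a CircleCI context (the context name `thunderscan-secrets` is an assumption), a differential scan runs once a baseline exists, the uploaded archive is purged from the server afterwards, and the build breaks on the threshold. The `medium` risk level in the threshold is assumed; the page only documents the `risk:count` format and the `high` level.

```yaml
# Added example (not from the orb's docs). Assumes a CircleCI context named
# "thunderscan-secrets" that provides THUNDERSCAN_API_URL and THUNDERSCAN_API_TOKEN,
# and that "medium" is a valid risk level name for the threshold (assumption).
version: "2.1"
orbs:
  thunderscan: defensecode/thunderscan@1.0
workflows:
  build:
    jobs:
      - thunderscan/scan:
          # Inject the API URL/token from a context instead of project variables
          # so the token is not visible in per-project settings.
          context: thunderscan-secrets
          scan-name: $CIRCLE_PROJECT_REPONAME/$CIRCLE_BUILD_NUM
          # Incremental scan against the existing baseline for this application.
          diff: true
          # Do not leave a copy of the source archive on the ThunderScan server.
          purge: true
          # tscli exits with code 2 (failing the job) on >=1 high or >=5 medium findings.
          threshold: high:1,medium:5
          report: true
          report-format: html,json
          report-filename: thunderscan-report
          post-run:
            - store_artifacts:
                path: ./thunderscan-report.html
            - store_artifacts:
                path: ./thunderscan-report.json
```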
```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  DefenseCode ThunderScan® is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing deep and extensive security analysis of application source code. Developers and AppSec teams can rapidly find and triage security risks and have continuous visibility with every build.
display:
  home_url: https://www.defensecode.com
  source_url: https://www.github.com/defensecode/thunderscan-orb
jobs:
  scan:
    description: |
      Scans your application source code for vulnerabilities with DefenseCode ThunderScan® SAST
    docker:
      - image: <<parameters.image>>
    parameters:
      alm-trigger:
        default: ""
        description: Issue tracking trigger ID to be used with the scan
        type: string
      diff:
        default: false
        description: Indicates if a differential/incremental scan should be performed if there is at least one baseline scan performed against an application.
        type: boolean
      email-trigger:
        default: ""
        description: Email trigger ID to be used with the scan
        type: string
      engines:
        default: "0"
        description: Accepts a comma separated list of SAST engine/language IDs to be used in the analysis (e.g. 1,2). Default will perform an auto-language recognition scan.
        type: string
      excluded-vt:
        default: ""
        description: Accepts a comma separated list of vulnerability type IDs to be excluded from the analysis, e.g. 0,1,2,3.
        type: string
      ignore-suppressed:
        default: false
        description: Indicating if ThunderScan® should ignore previously suppressed vulnerabilities in result output.
        type: boolean
      image:
        default: cimg/base:stable
        description: Enter a custom docker image for this job. By default CircleCI's optimized `cimg/base` image will be used.
        type: string
      parent:
        default: ""
        description: Specifies the ID of the parent application for the scan. If set to a wildcard (*), ThunderScan will automatically assign the parent application based on the target source or create a new one.
        type: string
      post-run:
        default: []
        description: A list of steps to run after running the tests/application
        type: steps
      pre-run:
        default: []
        description: A list of steps that are run before running the tests/application
        type: steps
      purge:
        default: false
        description: Indicates if the uploaded archive should be deleted from the ThunderScan server following a finished scan.
        type: boolean
      report:
        default: false
        description: Indicates if the reports should be generated.
        type: boolean
      report-filename:
        default: thunderscan-report
        description: Specifies the filename of generated report. The input should be without a file extension as the chosen format extensions will be automatically appended to the name.
        type: string
      report-format:
        default: html
        description: Accepts a comma separated list of report formats to be generated at the end of the scan, e.g. html,json,xml
        type: string
      scan-name:
        default: CircleCI CLI Scan
        description: Specifies the name of the scan.
        type: string
      slack-trigger:
        default: ""
        description: Slack trigger ID to be used with the scan
        type: string
      threshold:
        default: high:1
        description: Enables the client to break the build or pipeline process by returning an exit code 2 if the results match a defined vulnerability threshold. For example, with the threshold set to "high:5" the build will be interrupted only if the scan results contain 5 or more high risk vulnerabilities. Usage - risk:count,risk:count,risk:count
        type: string
    steps:
      - steps: <<parameters.pre-run>>
      - checkout:
          path: ./repository
      - run:
          command: |
            wget https://download.defensecode.com/latest/clients/tscli.tar.gz -O tscli.tar.gz
            tar xvzf tscli.tar.gz
          name: Download/Extract ThunderScan API CLI
      - run:
          command: |
            ./tscli --upload ./repository --name <<parameters.scan-name>> --engines <<parameters.engines>> --threshold <<parameters.threshold>> --diff=<<parameters.diff>> --report=<<parameters.report>> --formats <<parameters.report-format>> --filename <<parameters.report-filename>> --purge=<<parameters.purge>>
          environment:
            THUNDERSCAN_ALM_TRIGGER_ID: <<parameters.alm-trigger>>
            THUNDERSCAN_EMAIL_TRIGGER_ID: <<parameters.email-trigger>>
            THUNDERSCAN_EXLUDED_VULN_TYPES: <<parameters.excluded-vt>>
            THUNDERSCAN_IGNORE_SUPPRESSIONS: <<parameters.ignore-suppressed>>
            THUNDERSCAN_SCAN_PARENT_ID: <<parameters.parent>>
            THUNDERSCAN_SLACK_TRIGGER_ID: <<parameters.slack-trigger>>
          name: ThunderScan SAST Scan
      - steps: <<parameters.post-run>>
examples:
  thunderscan-scan:
    description: |
      This example shows how to scan a repository project in the build pipeline with ThunderScan. Note that THUNDERSCAN_API_URL and THUNDERSCAN_API_TOKEN environment variables need to be set in context or project variables.
    usage:
      version: "2.1"
      orbs:
        thunderscan: defensecode/thunderscan@1.0
      workflows:
        build:
          jobs:
            - thunderscan/scan:
                post-run:
                  - store_artifacts:
                      path: ./thunderscan-report.json
                  - store_artifacts:
                      path: ./thunderscan-report.html
                report: true
                report-filename: thunderscan-report
                report-format: html,json
                scan-name: $CIRCLE_PROJECT_REPONAME/$CIRCLE_BUILD_NUM
```