Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```
Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  sca: soos-io/sca@2.2.2
```
Use sca elements in your existing workflows and jobs.
Opt-in to use of uncertified orbs on your organization’s Security settings page.
Sample example description.

```yaml
version: '2.1'
orbs:
  <orb-name>: <namespace>/<orb-name>@1.2.3
workflows:
  use-my-orb:
    jobs:
      - <orb-name>/<job-name>
```
Run the SOOS security analysis

PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
api_base_url | URL of the api to be used, internal use only. | No | https://api.soos.io/api/ | string |
api_key | SOOS API Key | No | SOOS_API_KEY | env_var_name |
branch_name | Branch Name to create scan under | No | '' | string |
build_version | Version of application build artifacts. | No | '' | string |
client_id | SOOS Client Id | No | SOOS_CLIENT_ID | env_var_name |
directories_to_exclude | List of directories (comma separated) that you want to exclude from the scan, eg: node_modules. | No | '' | string |
files_to_exclude | List of files (comma separated) that you want to exclude from the scan, eg: package.json. | No | '' | string |
log_level | Log level to show: DEBUG, INFO, WARN, FAIL, ERROR. | No | INFO | string |
on_failure | - | No | continue_on_failure | enum |
output_format | Output format for vulnerabilities: only the value SARIF is available at the moment | No | '' | string |
package_managers | List (comma separated) of Package Managers to filter manifest search. (Dart, Erlang, Homebrew, PHP, Java, Nuget, NPM, Python, Ruby, Rust.) | No | '' | string |
project_name | The project name that will be displayed on the dashboard. If the value is empty or not indicated it will default to the repository name. | No | '' | string |
sca_version | The SOOS SCA version to use - Internal Use Only | No | latest | string |
This command executes the SOOS SCA Analysis.

PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
api_base_url | URL of the api to be used, internal use only. | No | https://api.soos.io/api/ | string |
api_key | SOOS API Key | No | SOOS_API_KEY | env_var_name |
branch_name | Branch Name to create scan under | No | '' | string |
build_version | Version of application build artifacts. | No | '' | string |
client_id | SOOS Client Id | No | SOOS_CLIENT_ID | env_var_name |
directories_to_exclude | List of directories (comma separated) that you want to exclude from the scan, eg: node_modules. | No | '' | string |
files_to_exclude | List of files (comma separated) that you want to exclude from the scan, eg: package.json. | No | '' | string |
log_level | Log level to show: DEBUG, INFO, WARN, FAIL, ERROR. | No | INFO | string |
on_failure | Flag indicating whether or not to return an error code if errors are found in the SOOS script or SOOS analysis. | No | continue_on_failure | enum |
output_format | Output format for vulnerabilities: only the value SARIF is available at the moment | No | '' | string |
package_managers | List (comma separated) of Package Managers to filter manifest search. (Dart, Erlang, Homebrew, PHP, Java, Nuget, NPM, Python, Ruby, Rust.) | No | '' | string |
project_name | The project name that will be displayed on the dashboard. If the value is empty or not indicated it will default to the repository name. | No | '' | string |
sca_version | The SOOS SCA version to use - Internal Use Only | No | latest | string |
This is the Node executor used to run the script.

PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
tag | Pick a specific circleci/node image variant: https://hub.docker.com/r/cimg/node/tags | No | 20.16.0 | string |
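A complete .circleci/config.yml that applies the three setup steps above and exercises both entry points the orb exposes, as an added example that is not taken from the orb's registry page: the sca-analysis job with parameters from the job table, and the run-sca-analysis command on the default executor from the command and executor tables. The context name soos-credentials, the job alias and the project name are assumptions; api_key and client_id are the names of CircleCI environment variables, so the secrets themselves never appear in the config.

```yaml
version: 2.1

orbs:
  sca: soos-io/sca@2.2.2

jobs:
  # Command form: compose the orb's command into your own job so that other
  # steps (here a lockfile-only install) run on the same executor first.
  sca-after-install:
    executor:
      name: sca/default
      tag: "20.16.0"                   # cimg/node tag pinned explicitly
    steps:
      - checkout
      - run: npm ci --ignore-scripts   # install without running package lifecycle scripts
      - sca/run-sca-analysis:
          api_key: SOOS_API_KEY        # env var NAME; the value lives in the context
          client_id: SOOS_CLIENT_ID    # env var NAME; the value lives in the context
          package_managers: NPM
          output_format: SARIF
          on_failure: fail_the_build   # script or analysis errors fail the pipeline

workflows:
  scan:
    jobs:
      # Job form: the orb's ready-made job on its default executor.
      - sca/sca-analysis:
          name: sca-quick                  # assumed alias for this workflow job
          context: soos-credentials        # assumed context holding SOOS_API_KEY / SOOS_CLIENT_ID
          project_name: example-web-app    # assumed; empty defaults to the repository name
          directories_to_exclude: node_modules,dist
          log_level: INFO
          on_failure: fail_the_build
      - sca-after-install:
          context: soos-credentials
          filters:
            branches:
              only: main
```

With on_failure left at its default of continue_on_failure the job reports findings but never turns the workflow red, so a gate on the main branch needs fail_the_build as shown.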
```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  SOOS SCA Orb helps you scan your web manifests dependencies to find and fix vulnerabilities.
display:
  home_url: https://soos.io/
  source_url: https://github.com/soos-io/soos-ci-analysis-circleci-orb
commands:
  run-sca-analysis:
    description: |
      This command executes the SOOS SCA Analysis.
    parameters:
      api_base_url:
        default: https://api.soos.io/api/
        description: |
          URL of the api to be used, internal use only.
        type: string
      api_key:
        default: SOOS_API_KEY
        description: SOOS API Key
        type: env_var_name
      branch_name:
        default: ""
        description: Branch Name to create scan under
        type: string
      build_version:
        default: ""
        description: Version of application build artifacts.
        type: string
      client_id:
        default: SOOS_CLIENT_ID
        description: SOOS Client Id
        type: env_var_name
      directories_to_exclude:
        default: ""
        description: |
          List of directories (comma separated) that you want to exclude from the scan, eg: node_modules.
        type: string
      files_to_exclude:
        default: ""
        description: |
          List of files (comma separated) that you want to exclude from the scan, eg: package.json.
        type: string
      log_level:
        default: INFO
        description: |
          Log level to show: DEBUG, INFO, WARN, FAIL, ERROR.
        type: string
      on_failure:
        default: continue_on_failure
        description: |
          Flag indicating whether or not to return an error code if errors are found in the SOOS script or SOOS analysis.
        enum:
          - fail_the_build
          - continue_on_failure
        type: enum
      output_format:
        default: ""
        description: |
          Output format for vulnerabilities: only the value SARIF is available at the moment
        type: string
      package_managers:
        default: ""
        description: |
          List (comma separated) of Package Managers to filter manifest search. (Dart, Erlang, Homebrew, PHP, Java, Nuget, NPM, Python, Ruby, Rust.)
        type: string
      project_name:
        default: ""
        description: The project name that will be displayed on the dashboard. If the value is empty or not indicated it will default to the repository name.
        type: string
      sca_version:
        default: latest
        description: The SOOS SCA version to use - Internal Use Only
        type: string
    steps:
      - checkout
      - run:
          command: |
            #!/bin/bash
            SOOS_INTEGRATION_NAME="CircleCI"
            SOOS_INTEGRATION_TYPE="Plugin"
            # Expand a leading "~" in the working directory to $HOME
            CIRCLE_WORKING_DIRECTORY="${CIRCLE_WORKING_DIRECTORY/#\~/$HOME}"

            # Default the project name to org/repo when none was given
            if [ -z "$SOOS_PROJECT_NAME" ]; then
              SOOS_PROJECT_NAME="${CIRCLE_PROJECT_USERNAME}/${CIRCLE_PROJECT_REPONAME}"
            fi

            SOOS_BRANCH_NAME=${SOOS_BRANCH_NAME:-${CIRCLE_BRANCH}}

            # Build the CLI argument list; ${!VAR_NAME} resolves the secret from the
            # environment variable whose NAME was passed as the orb parameter
            PARAMS=(
              "--apiKey" "${!SOOS_API_KEY_VAR_NAME}"
              "--apiURL" "${SOOS_API_URL}"
              "--branchName" "${SOOS_BRANCH_NAME}"
              ${CIRCLE_BUILD_URL:+--buildURI "'${CIRCLE_BUILD_URL}'"}
              ${SOOS_BUILD_VERSION:+--buildVersion ${SOOS_BUILD_VERSION}}
              "--clientId" "${!SOOS_CLIENT_ID_VAR_NAME}"
              "--commitHash" "${CIRCLE_SHA1}"
              "--directoriesToExclude" "${SOOS_DIRS_TO_EXCLUDE}"
              "--filesToExclude" "${SOOS_FILES_TO_EXCLUDE}"
              "--integrationName" "${SOOS_INTEGRATION_NAME}"
              "--integrationType" "${SOOS_INTEGRATION_TYPE}"
              ${SOOS_LOG_LEVEL:+--logLevel ${SOOS_LOG_LEVEL}}
              "--onFailure" "${SOOS_ON_FAILURE}"
              ${SOOS_OUTPUT_FORMAT:+--outputFormat ${SOOS_OUTPUT_FORMAT}}
              ${SOOS_PACKAGE_MANAGERS:+--packageManagers "${SOOS_PACKAGE_MANAGERS}"}
              "--projectName" "${SOOS_PROJECT_NAME}"
              "--sourceCodePath" "${CIRCLE_WORKING_DIRECTORY}"
              "--workingDirectory" "${CIRCLE_WORKING_DIRECTORY}"
            )

            echo "SOOS SCA Version: ${SOOS_SCA_VERSION}"
            [ -d "./soos" ] && rm -rf "./soos" && echo "Cleaned ./soos directory"
            npm install --prefix ./soos @soos-io/soos-sca@${SOOS_SCA_VERSION}
            node ./soos/node_modules/@soos-io/soos-sca/bin/index.js "${PARAMS[@]}"
          environment:
            SOOS_API_KEY_VAR_NAME: <<parameters.api_key>>
            SOOS_API_URL: <<parameters.api_base_url>>
            SOOS_BRANCH_NAME: <<parameters.branch_name>>
            SOOS_BUILD_VERSION: <<parameters.build_version>>
            SOOS_CLIENT_ID_VAR_NAME: <<parameters.client_id>>
            SOOS_DIRS_TO_EXCLUDE: <<parameters.directories_to_exclude>>
            SOOS_FILES_TO_EXCLUDE: <<parameters.files_to_exclude>>
            SOOS_LOG_LEVEL: <<parameters.log_level>>
            SOOS_ON_FAILURE: <<parameters.on_failure>>
            SOOS_OUTPUT_FORMAT: <<parameters.output_format>>
            SOOS_PACKAGE_MANAGERS: <<parameters.package_managers>>
            SOOS_PROJECT_NAME: <<parameters.project_name>>
            SOOS_SCA_VERSION: <<parameters.sca_version>>
          name: Run Analysis
executors:
  default:
    description: |
      This is the Node executor used to run the script.
    docker:
      - image: cimg/node:<<parameters.tag>>
    parameters:
      tag:
        default: 20.16.0
        description: |
          Pick a specific circleci/node image variant: https://hub.docker.com/r/cimg/node/tags
        type: string
jobs:
  sca-analysis:
    description: |
      Run the SOOS security analysis
    executor: default
    parameters:
      api_base_url:
        default: https://api.soos.io/api/
        description: |
          URL of the api to be used, internal use only.
        type: string
      api_key:
        default: SOOS_API_KEY
        description: SOOS API Key
        type: env_var_name
      branch_name:
        default: ""
        description: Branch Name to create scan under
        type: string
      build_version:
        default: ""
        description: Version of application build artifacts.
        type: string
      client_id:
        default: SOOS_CLIENT_ID
        description: SOOS Client Id
        type: env_var_name
      directories_to_exclude:
        default: ""
        description: |
          List of directories (comma separated) that you want to exclude from the scan, eg: node_modules.
        type: string
      files_to_exclude:
        default: ""
        description: |
          List of files (comma separated) that you want to exclude from the scan, eg: package.json.
        type: string
      log_level:
        default: INFO
        description: |
          Log level to show: DEBUG, INFO, WARN, FAIL, ERROR.
        type: string
      on_failure:
        default: continue_on_failure
        enum:
          - fail_the_build
          - continue_on_failure
        type: enum
      output_format:
        default: ""
        description: |
          Output format for vulnerabilities: only the value SARIF is available at the moment
        type: string
      package_managers:
        default: ""
        description: |
          List (comma separated) of Package Managers to filter manifest search. (Dart, Erlang, Homebrew, PHP, Java, Nuget, NPM, Python, Ruby, Rust.)
        type: string
      project_name:
        default: ""
        description: |
          The project name that will be displayed on the dashboard. If the value is empty or not indicated it will default to the repository name.
        type: string
      sca_version:
        default: latest
        description: The SOOS SCA version to use - Internal Use Only
        type: string
    steps:
      - run-sca-analysis:
          api_base_url: <<parameters.api_base_url>>
          api_key: <<parameters.api_key>>
          branch_name: <<parameters.branch_name>>
          build_version: <<parameters.build_version>>
          client_id: <<parameters.client_id>>
          directories_to_exclude: <<parameters.directories_to_exclude>>
          files_to_exclude: <<parameters.files_to_exclude>>
          log_level: <<parameters.log_level>>
          on_failure: <<parameters.on_failure>>
          output_format: <<parameters.output_format>>
          package_managers: <<parameters.package_managers>>
          project_name: <<parameters.project_name>>
          sca_version: <<parameters.sca_version>>
examples:
  example:
    description: |
      Sample example description.
    usage:
      version: "2.1"
      orbs:
        <orb-name>: <namespace>/<orb-name>@1.2.3
      workflows:
        use-my-orb:
          jobs:
            - <orb-name>/<job-name>
```