Written by Zachary Conger and Andrew Way
Modern software development is fast and iterative, with companies releasing significant new features and refinements daily. Doing that safely requires test automation in the build and delivery pipeline to ensure that flaws are identified before new code hits production. Security testing must also be automated to catch vulnerabilities before they are released to production, and ship secure code faster.
In a recent webinar, StackHawk and Armory showed how you can scan pre-production app deployments for security bugs. Tune in below for the full presentation.
Get Started with Spinnaker
Armory provides continuous delivery at enterprise scale. Armory’s platform brings the power of Spinnaker to your organization, along with mission-critical feature extensions, enterprise-grade stability, and 24/7 expert support from one of the leading members of the open source community.
To get started:
Check out Armory’s Spinnaker 101 Docs
Install Spinnaker in minutes using Armory Minnaker
Get Started with StackHawk
StackHawk provides CI/CD-friendly dynamic application security testing (DAST) scanning combined with a platform to help your team discover, manage and triage security bugs from the moment they are introduced.
Sign up for a free Developer account
Check out the StackHawk getting started guide
See the StackHawk Spinnaker integration guide for the full details on running HawkScan in Spinnaker
Add HawkScan to your Spinnaker Pipelines
If you already have Spinnaker deployment pipelines in place, here is how you can add HawkScan.
Preparation
Before getting started, protect your StackHawk API key as a Kubernetes secret, and add a HawkScan configuration file to your application repository.
Protect Your API Key
Use `kubectl` to store your StackHawk API key as a Kubernetes secret.

```shell
kubectl create secret generic stackhawk-secrets \
  --from-literal=API_KEY='hawk.xXXxxXxxXXxxxXxxXxXx.xxxxXXxxXXXxxXXXXxXx'
```
Create a HawkScan Configuration
Add a HawkScan scan configuration to your application’s Git repository. For starters, you can use a minimal configuration like the following and add more detail later.

```yaml
app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  host: http://servicename.development
  env: Development
```

Fill in the `app.applicationId` value with your StackHawk application ID, which you can find in the Applications section of your StackHawk app.
Add a HawkScan Stage
HawkScan runs as a script, `shawk`, within the stackhawk/hawkscan Docker container. Normally, it runs automatically and looks for your code repository and configuration file in a volume mounted at the `/hawk` directory. In Kubernetes, we will override this behavior and instead clone your repository into the container before running `shawk`.
Create a RunJob stage within Spinnaker like the following. For this example configuration, our application is named `servicename` and it is deployed in the `development` namespace, so it is reachable as http://servicename.development. Note that `shawk` will look for your code repository and configuration file in the directory specified by the `REPO_DIR` variable.
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: hawkscan
  namespace: default
spec:
  backoffLimit: 0
  template:
    spec:
      containers:
        - command:
            - /bin/bash
            - '-c'
            - |
              git clone $REPO_URL $REPO_DIR
              shawk
          env:
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  key: API_KEY
                  name: stackhawk-secrets
            - name: REPO_DIR
              value: /home/zap/workdir
            - name: REPO_URL
              value: <YOUR-PROJECT-GITHUB-URL>
          image: 'stackhawk/hawkscan:latest'
          name: hawkscan
      restartPolicy: Never
  ttlSecondsAfterFinished: 600
```
Set the `REPO_URL` environment variable in the Job manifest above to the HTTPS URL for the git repository that contains your `stackhawk.yml` configuration file. For a private repository, you can inject an OAuth token into `REPO_URL` for authentication. In that case, `REPO_URL` should be stored as a Kubernetes secret.
When this stage runs, it will start the HawkScan container and clone your application git repository into it. Then it will run a scan based on the `stackhawk.yml` configuration file found at the base of that repository.
You can add this stage at any point in an existing pipeline to scan your application. We recommend running HawkScan against pre-production environments since it may make changes to a running application’s data in the normal course of a scan.
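The private-repository variant described above, as an added example that is not from the original post or from StackHawk’s own integration guide: both the API key and the token-bearing `REPO_URL` are read from the `stackhawk-secrets` Secret via `secretKeyRef`, so the Job manifest carries no credentials, and the clone script uses `set -e` so a failed clone never falls through to `shawk`. The `x-access-token` URL form, the placeholder token, and the two helper function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Private-repository variant of the
# RunJob stage: the token-bearing clone URL lives beside the API key in the
# stackhawk-secrets Secret, so the Job manifest itself carries no credentials.
set -eu

# Create the Secret holding both values. Token, org and repo are placeholders;
# a read-only token is all the clone needs.
create_stackhawk_secrets() {
  kubectl create secret generic stackhawk-secrets \
    --from-literal=API_KEY='hawk.xXXxxXxxXXxxxXxxXxXx.xxxxXXxxXXXxxXXXXxXx' \
    --from-literal=REPO_URL='https://x-access-token:<OAUTH-TOKEN>@github.com/<ORG>/<REPO>.git'
}
# Render the Job manifest with both env vars taken from secretKeyRef.
# $1 = Job namespace (default: default), $2 = REPO_DIR (default: /home/zap/workdir)
render_hawkscan_job() {
  local ns="${1:-default}" repo_dir="${2:-/home/zap/workdir}"
  cat <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  name: hawkscan
  namespace: ${ns}
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 600
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: hawkscan
          image: 'stackhawk/hawkscan:latest'
          command: ['/bin/bash', '-c']
          args:
            - |
              set -euo pipefail   # a failed clone must not fall through to shawk
              git clone --depth 1 "\$REPO_URL" "\$REPO_DIR"
              shawk
          env:
            - name: REPO_DIR
              value: ${repo_dir}
            - name: API_KEY
              valueFrom:
                secretKeyRef: {name: stackhawk-secrets, key: API_KEY}
            - name: REPO_URL
              valueFrom:
                secretKeyRef: {name: stackhawk-secrets, key: REPO_URL}
EOF
}
```

Typical use is `create_stackhawk_secrets && render_hawkscan_job development | kubectl apply -f -`, or pasting the rendered manifest into the RunJob stage.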
Where to Go From Here
Have a look at StackHawk’s Spinnaker integration guide for the latest information on using HawkScan in Spinnaker. Then add more information about your application to your HawkScan configuration, such as authentication, GraphQL, and OpenAPI specifications.
You can also create a native stage for HawkScan within Spinnaker so users can easily configure HawkScan for their pipelines from the Spinnaker UI, without needing to edit a Job manifest. This also allows you to use Spinnaker secrets to store your API key.