Close

Bitbucket Pipelines 및 Snyk Pipe로 DevSecOps 달성

Simon Maple 얼굴 사진
Simon Maple

Snyk의 현장 CTO

Bitbucket Pipelines 및 Jira에 Snyk를 통합하여 DevSecOps를 달성하세요.

Time

5-minute read.

Audience

Developers, security/application teams, and DevOps/DevSecOps engineers.

Prerequisites

You have a Snyk account. Get started here.

You have an Atlassian Bitbucket account. Log in here, or get started here.

This tutorial outlines how to secure your build workflow on Bitbucket Pipelines with Snyk. An important step in securing your environment is to scan and analyze both your application and Linux-based container project for known vulnerabilities, which helps you identify and mitigate security vulnerabilities. The exercises in this tutorial will help secure your application and container by leveraging the Snyk Pipe for Bitbucket Pipelines to scan the application manifest file and the container base image for its dependencies.

The tutorial, How Snyk and Bitbucket Cloud enable DevSecOps, focused on application dependencies. However, by also scanning your container base image you can detect:

  • The operating system (OS) packages installed and managed by the package manager
  • Key binaries —layers that were not installed through the package manager

Based on these results, Snyk provides advice and guidance, including:

  • Origins of the vulnerabilities in OS packages and key binaries
  • Base image upgrade details or a recommendation to rebuild the image
  • Dockerfile layer where the affected package was introduced
  • Fixed-in version of the operating system and key binary packages

Application scanning in your Bitbucket Pipeline

The bitbucket-pipelines.yml file defines your Bitbucket Pipelines builds configuration. If you're new to Bitbucket Pipelines you can learn more about how to get started here.

This tutorial provides a sample bitbucket-pipelines.yml file that contains distinct steps mapped to the workflow. We’ll start by scanning the application, building the Docker image, and then scanning the container image. The following is a closer look at the application scanning step:

scan-app: &scan-app
 - step:
     name: "Scan open source dependencies"
     caches:
       - node
     script:
       - pipe: snyk/snyk-scan:0.4.3
         variables:
           SNYK_TOKEN: $SNYK_TOKEN
           LANGUAGE: "npm"
           PROJECT_FOLDER: "app/goof"
           TARGET_FILE: "package.json"
           CODE_INSIGHTS_RESULTS: "true"
           SEVERITY_THRESHOLD: "high"
           DONT_BREAK_BUILD: "true"
           MONITOR: "false"


This example leverages the Snyk Scan pipe in the pipeline to perform a scan of the application. The source contains a complete, YAML definition of all supported variables, but only those included in this snippet are necessary for this purpose.

Here’s a closer look at a few of these:

1. SNYK_TOKEN is passed into the pipe as a repository variable previously defined in the [Bitbucket Configuration] module.

2. PROJECT_FOLDER is the folder where the project resides and normally defaults to. However, in this example, we set this to app/goof and pass this as an artifact to other steps in ther pipeline.

3. CODE_INSIGHTS_RESULTS defaults to false. However, since we want to create a Code Insight report with Snyk test results, set this to true.

4. SEVERITY_THRESHOLD reports on issues equal or higher to the provided level. The default is low. But in this case, we are interested only in high, so we defined this variable accordingly.

5. The DONT_BREAK_BUILD default is false, which is expected. Under normal circumstances, you would want to break the build if issues are found. However, for the purpose of this learning exercise, set this to true.

Exclamation point

You can run Snyk security scans on your pull requests and view results in Code Insights with the help of the new Snyk Security Connect App on the Atlassian Marketplace. It's easy to get started and you can install the app with just a few clicks.

컨테이너 이미지 검사

Bitbucket 프로세스 다이어그램

2022년까지 글로벌 조직의 75% 이상이 컨테이너화된 애플리케이션을 프로덕션 환경에서 실행할 것입니다(Gartner). 광범위한 채택과 함께 컨테이너 취약성이 급증했으며, 2018년에는 보고된 운영 체제 취약성이 4배 증가했습니다. 그러나 개발자의 80%는 개발 중에 컨테이너 이미지를 테스트하지 않는다고 말합니다. 자신의 책임이 아니라고 말하거나 다른 팀원이 이슈를 발견하는 데 익숙해져 있기 때문에, 빠르게 성장하는 비즈니스에서 컨테이너 보안을 확장하기 쉽지 않습니다.

파이프라인에서 컨테이너 이미지 검사

애플리케이션 검사에 대한 이전 섹션과 마찬가지로, 이 섹션에서는 bitbucket-pipelines.yml 파일을 구성하여 애플리케이션의 Docker 이미지를 빌드하고 이미지를 검사한 다음 해당 이미지를 레지스트리에 푸시하는 데 중점을 둡니다. 다음은 컨테이너 이미지 검사 단계를 자세히 살펴보는 내용입니다.

scan-push-image: &scan-push-image
 - step:
     name: "Scan and push container image"
     services:
       - docker
     script:
       - docker build -t $IMAGE ./app/goof/
       - docker tag $IMAGE $IMAGE:${BITBUCKET_COMMIT}
       - pipe: snyk/snyk-scan:0.4.3
         variables:
           SNYK_TOKEN: $SNYK_TOKEN
           LANGUAGE: "docker"
           IMAGE_NAME: $IMAGE
           PROJECT_FOLDER: "app/goof"
           TARGET_FILE: "Dockerfile"
           CODE_INSIGHTS_RESULTS: "true"
           SEVERITY_THRESHOLD: "high"
           DONT_BREAK_BUILD: "true"
           MONITOR: "false"


컨테이너 이미지를 빌드하고 태그를 지정한 다음 파이프라인 Snyk 검사 파이프를 활용하여 컨테이너 이미지를 검사합니다. CODE_INSIGHTS_RESULTS, SEVERITY_THRESHOLDDONT_BREAK_BUILD의 값을 같게 유지합니다. 또한 이 작업은 애플리케이션 검사 대신 컨테이너 이미지 검사에 대한 요청을 이해하기 위해 Snyk Pipe와 관련된 몇 가지 추가 지원 변수를 전달합니다. 즉, LANGUAGEdocker로 설정하고, IMAGE_NAME을 선언하고, 적절한 리포지토리 변수를 전달하고, TARGET_FILEDockerfile로 설정합니다.

이제 파이프라인이 컨테이너 이미지에서 알려진 취약점과 애플리케이션 코드를 검사합니다.

Atlassian Open DevOps에 대한 통합을 자세히 알아보세요

Simon Maple
Simon Maple

Simon Maple is the Field CTO at Snyk, a Java Champion since 2014, Virtual JUG founder, and London Java Community co-leader. He is an experienced speaker, with a passion for community. When not traveling, Simon enjoys spending quality time with his family, cooking and eating great food.


이 기사 공유

여러분께 도움을 드릴 자료를 추천합니다.

이러한 리소스에 책갈피를 지정하여 DevOps 팀의 유형에 대해 알아보거나 Atlassian에서 DevOps에 대한 지속적인 업데이트를 확인하세요.

DevOps 일러스트레이션

DevOps 커뮤니티

DevOps 일러스트레이션

시뮬레이션 워크숍

맵 일러스트레이션

무료로 사용해보기

DevOps 뉴스레터 신청

Thank you for signing up