
Implementing DevSecOps with Bitbucket Pipelines and the Snyk Pipe

Simon Maple

Field CTO at Snyk

Implement DevSecOps by integrating Snyk with Bitbucket Pipelines and Jira.

Time

5-minute read.

Audience

Developers, security/application teams, and DevOps/DevSecOps engineers.

Prerequisites

You have a Snyk account. Get started here.

You have an Atlassian Bitbucket account. Log in here, or get started here.

This tutorial outlines how to secure your build workflow on Bitbucket Pipelines with Snyk. An important step in securing your environment is to scan both your application and your Linux-based container image for known vulnerabilities, so that you can identify and mitigate them before they reach production. The exercises in this tutorial use the Snyk Pipe for Bitbucket Pipelines to scan the application manifest file for vulnerable dependencies and the container base image for vulnerable OS packages.

The tutorial How Snyk and Bitbucket Cloud enable DevSecOps focused on application dependencies. By also scanning your container base image you can detect vulnerabilities in:

  • The operating system (OS) packages installed and managed by the package manager
  • Key binaries, that is, components added in image layers without going through the package manager

Based on these results, Snyk provides advice and guidance, including:

  • Origins of the vulnerabilities in OS packages and key binaries
  • Base image upgrade details or a recommendation to rebuild the image
  • Dockerfile layer where the affected package was introduced
  • Fixed-in version of the operating system and key binary packages

Application scanning in your Bitbucket Pipeline

The bitbucket-pipelines.yml file defines your Bitbucket Pipelines build configuration. If you're new to Bitbucket Pipelines, you can learn how to get started here.

This tutorial provides a sample bitbucket-pipelines.yml file whose distinct steps map to the workflow: scan the application, build the Docker image, then scan the container image. The following is a closer look at the application scanning step:

scan-app: &scan-app
 - step:
     name: "Scan open source dependencies"
     caches:
       - node                        # reuse the npm cache between pipeline runs
     script:
       - pipe: snyk/snyk-scan:0.4.3  # pinned pipe version
         variables:
           SNYK_TOKEN: $SNYK_TOKEN   # secured repository variable, never a literal
           LANGUAGE: "npm"
           PROJECT_FOLDER: "app/goof"
           TARGET_FILE: "package.json"
           CODE_INSIGHTS_RESULTS: "true"   # publish results as a Code Insights report
           SEVERITY_THRESHOLD: "high"      # report high and critical only
           DONT_BREAK_BUILD: "true"        # learning exercise only; use "false" to gate the build
           MONITOR: "false"                # "true" would also run snyk monitor to snapshot the project


This example uses the Snyk Scan pipe to scan the application. The pipe's source repository documents every supported variable in YAML, but only those shown in this snippet are needed for this purpose.

Here’s a closer look at a few of these:

1. SNYK_TOKEN is passed into the pipe from a repository variable previously defined in the [Bitbucket Configuration] module. Store it as a secured variable so that it is masked in build logs.

2. PROJECT_FOLDER is the folder where the project resides; it defaults to the repository root. In this example we set it to app/goof, and the same folder is passed as an artifact to later steps in the pipeline.

3. CODE_INSIGHTS_RESULTS defaults to false. Since we want to create a Code Insights report from the Snyk test results, set it to true.

4. SEVERITY_THRESHOLD reports issues at or above the given severity. The default is low; in this case we are interested only in high (and critical), so we set the variable accordingly.

5. DONT_BREAK_BUILD defaults to false, which is what you want: under normal circumstances the build should fail when issues at or above the threshold are found. For the purpose of this learning exercise, set it to true so the pipeline continues to the container steps regardless.


You can run Snyk security scans on your pull requests and view results in Code Insights with the help of the new Snyk Security Connect App on the Atlassian Marketplace. It's easy to get started and you can install the app with just a few clicks.

Scanning container images

By 2022, more than 75% of organizations worldwide will be running containerized applications in production (Gartner). Alongside this broad adoption, container vulnerabilities have surged: reported operating system vulnerabilities quadrupled in 2018. Yet 80% of developers say they do not test container images during development, either because they consider it someone else's responsibility or because they are used to problems being found later. This makes scaling container security a major challenge for fast-growing enterprises.

Container image scanning in your pipeline

Similar to the application scanning section above, this section focuses on configuring the bitbucket-pipelines.yml file to build the application's Docker image, scan that image, and then push it to a registry. The container image scanning step is shown below:

scan-push-image: &scan-push-image
 - step:
     name: "Scan and push container image"
     services:
       - docker                      # Docker daemon needed for build/tag
     script:
       - docker build -t $IMAGE ./app/goof/
       - docker tag $IMAGE $IMAGE:${BITBUCKET_COMMIT}   # immutable, commit-specific tag
       - pipe: snyk/snyk-scan:0.4.3
         variables:
           SNYK_TOKEN: $SNYK_TOKEN
           LANGUAGE: "docker"        # switch the pipe to container scanning
           IMAGE_NAME: $IMAGE        # image built above, scanned as-is before any push
           PROJECT_FOLDER: "app/goof"
           TARGET_FILE: "Dockerfile" # lets Snyk attribute issues to Dockerfile layers
           CODE_INSIGHTS_RESULTS: "true"
           SEVERITY_THRESHOLD: "high"
           DONT_BREAK_BUILD: "true"
           MONITOR: "false"


This step builds and tags the container image, then uses the Snyk Scan pipe to scan it. CODE_INSIGHTS_RESULTS, SEVERITY_THRESHOLD and DONT_BREAK_BUILD keep the same values as before. The step also passes a few additional variables supported by the Snyk Pipe so that it knows this is a container image scan rather than an application scan: LANGUAGE is set to docker, IMAGE_NAME is declared and populated from the corresponding repository variable, and TARGET_FILE is set to Dockerfile. Because the scan runs against the image exactly as it was just built, and before any push, a vulnerable image never reaches the registry when the build is allowed to break.

Your pipeline now scans both the application's dependencies and the container image for known vulnerabilities.
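The two snippets above are fragments; the following is an added example, not taken from the tutorial or its sample repository, of a complete bitbucket-pipelines.yml that wires both steps together the way a team would run them outside a learning exercise. The Snyk pipe version, variable names, app/goof path and $IMAGE variable come from the snippets above; the definitions/pipelines layout, the pull-request versus main-branch split, the DONT_BREAK_BUILD "false" gate, and the assumed secured repository variables DOCKERHUB_USERNAME and DOCKERHUB_PASSWORD used for the registry push are this example's own choices.

```yaml
# Added example (not the tutorial's own file). Assumes secured repository
# variables SNYK_TOKEN, IMAGE, DOCKERHUB_USERNAME and DOCKERHUB_PASSWORD.
definitions:
  steps:
    # Dependency scan of app/goof; fails the step on high/critical findings.
    - step: &scan-app
        name: "Scan open source dependencies"
        caches:
          - node
        script:
          - pipe: snyk/snyk-scan:0.4.3
            variables:
              SNYK_TOKEN: $SNYK_TOKEN
              LANGUAGE: "npm"
              PROJECT_FOLDER: "app/goof"
              TARGET_FILE: "package.json"
              CODE_INSIGHTS_RESULTS: "true"
              SEVERITY_THRESHOLD: "high"
              DONT_BREAK_BUILD: "false"   # real gate, unlike the exercise
              MONITOR: "false"

    # Build, scan, and only then push the commit-tagged image.
    - step: &scan-push-image
        name: "Scan and push container image"
        services:
          - docker
        script:
          - docker build -t $IMAGE ./app/goof/
          - docker tag $IMAGE $IMAGE:${BITBUCKET_COMMIT}
          - pipe: snyk/snyk-scan:0.4.3
            variables:
              SNYK_TOKEN: $SNYK_TOKEN
              LANGUAGE: "docker"
              IMAGE_NAME: $IMAGE
              PROJECT_FOLDER: "app/goof"
              TARGET_FILE: "Dockerfile"
              CODE_INSIGHTS_RESULTS: "true"
              SEVERITY_THRESHOLD: "high"
              DONT_BREAK_BUILD: "false"   # a vulnerable image never reaches the push below
              MONITOR: "false"
          # Assumed registry credentials; --password-stdin keeps the secret off the command line.
          - echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
          - docker push $IMAGE:${BITBUCKET_COMMIT}

pipelines:
  pull-requests:
    '**':
      - step: *scan-app            # PRs get the dependency scan and a Code Insights report
  branches:
    main:
      - step: *scan-app
      - step: *scan-push-image     # only main builds, scans, and publishes an image
```

With DONT_BREAK_BUILD set to "false", a finding at or above SEVERITY_THRESHOLD fails the step, so in the container step the docker push lines after the pipe are never executed for a vulnerable image. Pull requests run only the dependency scan, which keeps PR feedback fast and surfaces results in Code Insights, while the image is built and published only from main.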

Simon Maple

Simon Maple is the Field CTO at Snyk, a Java Champion since 2014, Virtual JUG founder, and London Java Community co-leader. He is an experienced speaker, with a passion for community. When not traveling, Simon enjoys spending quality time with his family, cooking and eating great food.

