
Integration in CI/CD Pipelines (DevSecOps)

The platform provides an API and specialized tools to perform quick, one-off security tests during the development cycle. The objective is to allow engineering teams to validate code security in staging or production environments immediately after deployment, automating security quality control.

Key Features

Regardless of the CI/CD tool used, the solution offers a set of essential features for automation:

  • Target Validation (Check): Before starting the test, the system validates whether the URL is accessible and whether the organization has the necessary permissions and "run minutes" to test it, preventing errors in pipeline execution.
        • Endpoint: POST /v1/jobs/check
  • Test Launch (Launch): Initiates a security test on a specific URL. Allows the test to be associated with specific contexts for traceability. Note: the requested asset should be in the scope of a running machine event.
        • Endpoint: POST /v1/jobs/launch
  • Blocking Criteria ("Break the Build"): Allows checking the success of the test based on the severity of the vulnerabilities found. The pipeline can be configured to fail automatically (blocking the deploy) if vulnerabilities at or above a configured severity (e.g., High or Critical) are detected.
        • Endpoint: GET /v1/jobs/{job_uuid}/success?severity=high&fail=true
        • Returns 200 OK if safe, 202 Accepted if the scan is still running, or 424 Failed Dependency if vulnerabilities exceeding the threshold are found. A pipeline that polls this endpoint should treat 202 as "not finished yet" and any status other than 200 as a reason to block, so that a transient error is never read as a clean result.
  • Execution Flexibility: Our integration libraries support synchronous execution (the pipeline waits for the test result) or asynchronous execution ("fire and forget"), where the test is launched without blocking the workflow's progress.
  • Cancellation: Ability to interrupt running tests if the deploy process is aborted, to save run minutes.
        • Endpoint: POST /v1/jobs/{job_uuid}/cancel
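The check, launch, poll and cancel sequence above, written as a small CI gate against the REST API (this is also the "direct REST API" route mentioned for other CI/CD tools). This is an added example, not the vendor's ethiack-job-manager CLI or any of the official libraries. Only the endpoint paths and the 200/202/424 semantics come from this page; the base URL, the Bearer authorization header, the request body field `url` and the response field `uuid` are assumptions and must be checked against the real API reference before use. The API key is read from an environment variable, matching how the integrations inject it. `FakeServer` is a constructed stand-in so the gate logic can be exercised offline.

```python
import json
import os
import time
import urllib.error
import urllib.request


class JobApi:
    """Thin client for the job endpoints listed above. Header, body and
    response field names are ASSUMED, not taken from this page."""

    def __init__(self, api_key, base_url, transport=None):
        self.api_key = api_key
        self.base_url = base_url.rstrip("/")
        # transport(method, url, headers, body) -> (http_status, body_bytes)
        self.transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # 424 arrives as an HTTPError; keep the status
            return err.code, err.read()

    def _call(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.api_key}",  # ASSUMED auth scheme
                   "Accept": "application/json"}
        body = None
        if payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        return self.transport(method, self.base_url + path, headers, body)

    def check(self, url):
        status, _ = self._call("POST", "/v1/jobs/check", {"url": url})  # ASSUMED body
        return status == 200

    def launch(self, url):
        status, body = self._call("POST", "/v1/jobs/launch", {"url": url})
        if status not in (200, 201, 202):
            raise RuntimeError(f"launch failed with HTTP {status}")
        return json.loads(body)["uuid"]  # ASSUMED response field

    def success_status(self, job_uuid, severity, fail=True):
        flag = "true" if fail else "false"
        path = f"/v1/jobs/{job_uuid}/success?severity={severity}&fail={flag}"
        status, _ = self._call("GET", path)
        return status

    def cancel(self, job_uuid):
        status, _ = self._call("POST", f"/v1/jobs/{job_uuid}/cancel")
        return status == 200


def gate(api, url, severity="high", wait=True, poll_s=30, max_polls=120, sleep=time.sleep):
    """Exit code for the pipeline step: 0 = proceed with the deploy, 1 = block it."""
    if not api.check(url):
        return 1  # unreachable / not permitted / no run minutes: do not even launch
    job = api.launch(url)
    if not wait:
        return 0  # fire and forget: the result is reviewed out of band
    try:
        for _ in range(max_polls):
            status = api.success_status(job, severity, fail=True)
            if status == 200:
                return 0  # nothing at or above the threshold
            if status == 424:
                return 1  # findings exceed the threshold: break the build
            if status != 202:
                return 1  # anything unexpected is never treated as "safe"
            sleep(poll_s)
        api.cancel(job)  # waited too long: stop the job so it does not burn run minutes
        return 1
    except KeyboardInterrupt:  # pipeline aborted while polling
        api.cancel(job)
        raise


class FakeServer:
    """Constructed offline stand-in for the API: scripted statuses, no network."""

    def __init__(self, success_statuses, check_status=200):
        self.success_statuses = list(success_statuses)
        self.check_status = check_status
        self.calls = []

    def __call__(self, method, url, headers, body):
        path = url.split("/v1", 1)[1]
        self.calls.append(path)
        if path == "/jobs/check":
            return self.check_status, b"{}"
        if path == "/jobs/launch":
            return 200, b'{"uuid": "job-0001"}'
        if path.startswith("/jobs/job-0001/success"):
            return self.success_statuses.pop(0), b""
        if path == "/jobs/job-0001/cancel":
            return 200, b""
        return 404, b""


def run_scenario(success_statuses, check_status=200, **gate_kwargs):
    """Run the gate against a scripted server; returns (exit_code, paths_called)."""
    server = FakeServer(success_statuses, check_status)
    api = JobApi(os.environ.get("ETHIACK_API_KEY", "dummy-key"),
                 "https://api.example.invalid", transport=server)  # ASSUMED base URL
    code = gate(api, "https://staging.example.invalid", sleep=lambda _s: None, **gate_kwargs)
    return code, server.calls


if __name__ == "__main__":
    raise SystemExit(run_scenario([202, 202, 200])[0])
```

Replace `FakeServer` with the real transport (omit the `transport` argument) once the assumed header and field names have been confirmed; the `gate` return value is what the pipeline step should exit with, which is exactly the exit-code propagation the official integrations rely on.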



Integration Methods and Technical Details

Customers can integrate these functionalities through three main methods:

1. GitHub Actions (Reusable Action)

For projects hosted on GitHub, there is a Reusable Action (ethiack/github-action) that simplifies configuration via a declarative YAML, with the following capabilities:

  • CLI Wrapper: This Action acts as a wrapper for the command-line tool (ethiack-job-manager). Upon execution, the Action automatically configures a Python environment, installs the tool via pipx, and dynamically builds the command based on user inputs.
  • Secret Management: Authentication is managed by injecting credentials (API Keys) as environment variables into the execution context. Store the key as a GitHub encrypted secret and reference it from the workflow; never commit it to the repository or echo it in step output.
  • Flow Control: The Action captures the tool's exit code. If the test fails (for example, due to a critical vulnerability found with the --fail option active), the Action propagates that error, causing the workflow step to fail and preventing the deploy process from advancing.

2. GitLab CI/CD (Component)

For the GitLab ecosystem, integration is done through a CI/CD Component (gitlab-cicd-component), leveraging GitLab's modular architecture, with the following capabilities:

  • Isolated Container Execution: Unlike the GitHub Action, which configures the environment on the runner's virtual machine, this component executes within a Python "slim" Docker image. This ensures a lightweight, isolated, and consistent environment for test execution, without polluting the pipeline environment.
  • Parameterization: The component accepts inputs defined in the .gitlab-ci.yml (such as the pipeline stage, command, and URL). Based on these parameters, the component installs the necessary tools within the container and executes the test.
  • Modular Integration: Inclusion is done via the include: component directive, allowing the security test to be treated as just another standardized stage in the pipeline, simplifying maintenance.

3. Jenkins (Shared Library)

  • A Shared Library written in Groovy is available. It communicates directly with the API via native HTTP requests, eliminating the need to install external dependencies (such as Python) on Jenkins agents, which simplifies configuration in restricted corporate environments.

4. Other Tools

  • CLI and API: For customized scenarios or other CI/CD tools, customers can use the command-line tool (Python CLI) directly, or call the REST API itself, which exposes endpoints for full lifecycle management of tests (launch, status query, cancellation).