topic Re: How to Secure your Code and Docker Container Images in a Jenkins CICD pipeline with CG SourceGua in DevSecOps

How to Secure your Code and Docker Container Images in a Jenkins CICD pipeline with CG SourceGuard

powerlifter — Mon, 18 May 2020 07:09:45 GMT

SourceGuard was developped by Itamar Lavender and his team and is in Beta. It is one of the SAST scanners under development at Checkpoint that can do both source code scanning with a Repository like Github but container images as well.

Please refer the github page below to learn how to deploy and start performing DevSecOps SAST or Static Application Security Testing. It is available for everyone to test via the infinity portal

https://github.com/chkp-dhouari/SourceGuard

SourceGuard can be integrated with any CICD server like Jenkins, GitLab or AWS CodePipeline to perform SAST at various stages of the application build.

In the Github page below, I described how to create a jenkins pipeline as code to deploy a node.js application using a docker container and add sourceguard SAST security as part of that CICD pipeline

https://github.com/chkp-dhouari/Jenkins-SourceGuard

Re: How to Secure your Code and Docker Container Images in a Jenkins CICD pipeline with CG SourceGua

Sergej_Gurenko — Mon, 29 Jun 2020 10:24:25 GMT

I'm trying to poke SourceGuard with some random code on Windows. As per instruction, I did the portal registration and onboarding.

No matter what -src title I gave, I'm always getting back "Error: repository URL is missing" error. Do you have some test "vulnerable" code to practice against? Is it possible to publish it to your git?

P.S. It the voice-over missing in this video YouTube - SourceGuard Demo?

Re: How to Secure your Code and Docker Container Images in a Jenkins CICD pipeline with CG SourceGua

powerlifter — Tue, 30 Jun 2020 03:56:28 GMT

it will scan a git dir. you need to install git on your laptop then make a dir. do git init and do git add the files that you want to scan

I am working on updating the github page and creating a new video this week

let me know if this helps

Re: How to Secure your Code and Docker Container Images in a Jenkins CICD pipeline with CG SourceGua

Sergej_Gurenko — Thu, 02 Jul 2020 19:05:47 GMT

I spend a few more hours trying SourceGuard to accept some piece of code without any luck. It throwing the same error. If it is not to difficult, please provide more details on using the tool.

Obviously I do not have developer background but did Git course some time ago and (hopefully) understand the concept of code control.

Re: How to Secure your Code and Docker Container Images in a Jenkins CICD pipeline with CG SourceGua

Anton_Razumov — Wed, 02 Sep 2020 06:45:58 GMT

As I've faced the same error and found the answer in this post, I'll keep some details here:

There is an Azure functions project. If I run the sourceguard-cli command in the folder where the python file (__init__.py) is located I fail (as well as if I specify the file name)

Directory: C:\Users\arazumov\Documents\Coding\Azure_09\funcPyTest\arPyTest Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 01.09.2020 21:29 316 function.json -a---- 01.09.2020 21:29 25 sample.dat -a---- 02.09.2020 8:44 624 __init__.py PS C:\Users\arazumov\Documents\Coding\Azure_09\funcPyTest\arPyTest> sourceguard-cli.exe -src . 02-09-2020 09:18:15.400 SourceGuard Scan Started! 02-09-2020 09:18:15.845 Error: repository URL is missing

I need to be in the project root directory where the .git folder is located:

Directory: C:\Users\arazumov\Documents\Coding\Azure_09\funcPyTest Mode LastWriteTime Length Name ---- ------------- ------ ---- d--h-- 02.09.2020 8:44 .git d----- 01.09.2020 21:29 .vscode d----- 01.09.2020 21:29 arPyTest -a---- 01.09.2020 21:28 41 .funcignore -a---- 01.09.2020 21:29 1787 .gitignore -a---- 01.09.2020 21:49 2458 azure-pipelines.yml -a---- 01.09.2020 21:28 289 host.json -a---- 01.09.2020 21:28 118 local.settings.json -a---- 01.09.2020 21:28 72 proxies.json -a---- 01.09.2020 21:28 200 requirements.txt PS C:\Users\arazumov\Documents\Coding\Azure_09\funcPyTest> sourceguard-cli.exe -src . 02-09-2020 09:19:41.023 SourceGuard Scan Started! 02-09-2020 09:19:41.638 Project name: PyTest path: . 02-09-2020 09:19:41.638 Scan ID: 1b9cb9624438a84d314e22f36fc2f01aa1a56612772d2127261173062e6b5933-zXAORM 02-09-2020 09:20:21.515 Scanning ... 02-09-2020 09:20:27.765 Analyzing ... 02-09-2020 09:21:58.856 Action: ALLOW 02-09-2020 09:21:58.857 Please see full analysis: https://portal.checkpoint.com/Dashboard/SourceGuard#/scan/sourcecode/1b9cb9624438a84d314e22f36fc2f01aa1a56612772d2127261173062e6b5933-zXAORM

By the way, your git repository name will be used as a "project name" in the SourceGuard portal.