Employee

How to Secure your Code and Docker Container Images in a Jenkins CICD pipeline with CG SourceGuard

SourceGuard was developed by Itamar Lavender and his team and is in beta. It is one of the SAST scanners under development at Check Point that can scan both source code from a repository like GitHub and container images as well.

Please refer to the GitHub page below to learn how to deploy it and start performing DevSecOps SAST, or Static Application Security Testing. It is available for everyone to test via the Infinity Portal.

https://github.com/chkp-dhouari/SourceGuard

SourceGuard can be integrated with any CICD server, like Jenkins, GitLab or AWS CodePipeline, to perform SAST at various stages of the application build.

In the GitHub page below, I described how to create a Jenkins pipeline as code to deploy a Node.js application using a Docker container and add SourceGuard SAST security as part of that CICD pipeline.

https://github.com/chkp-dhouari/Jenkins-SourceGuard


4 Replies
Contributor

I'm trying to poke SourceGuard with some random code on Windows. As per the instructions, I did the portal registration and onboarding.

No matter what -src title I gave, I'm always getting back an "Error: repository URL is missing" error. Do you have some test "vulnerable" code to practice against? Is it possible to publish it to your git?

P.S. Is the voice-over missing in this video: YouTube - SourceGuard Demo?

Employee

It will scan a git directory. You need to install git on your laptop, then make a directory, run git init, and git add the files that you want to scan.

I am working on updating the GitHub page and creating a new video this week.

Let me know if this helps.

Contributor

I spent a few more hours trying to get SourceGuard to accept some piece of code, without any luck. It is throwing the same error. If it is not too difficult, please provide more details on using the tool.

Obviously I do not have a developer background, but I did a Git course some time ago and (hopefully) understand the concept of code control.

Employee

As I've faced the same error and found the answer in this post, I'll keep some details here:

There is an Azure Functions project. If I run the sourceguard-cli command in the folder where the Python file (__init__.py) is located, it fails (as it does if I specify the file name):

Directory: C:\Users\arazumov\Documents\Coding\Azure_09\funcPyTest\arPyTest

Mode    LastWriteTime       Length  Name
----    -------------       ------  ----
-a----  01.09.2020 21:29       316  function.json
-a----  01.09.2020 21:29        25  sample.dat
-a----  02.09.2020  8:44       624  __init__.py

PS C:\Users\arazumov\Documents\Coding\Azure_09\funcPyTest\arPyTest> sourceguard-cli.exe -src .
02-09-2020 09:18:15.400 SourceGuard Scan Started!
02-09-2020 09:18:15.845 Error: repository URL is missing

I need to be in the project root directory where the .git folder is located:

Directory: C:\Users\arazumov\Documents\Coding\Azure_09\funcPyTest

Mode    LastWriteTime       Length  Name
----    -------------       ------  ----
d--h--  02.09.2020  8:44             .git
d-----  01.09.2020 21:29             .vscode
d-----  01.09.2020 21:29             arPyTest
-a----  01.09.2020 21:28        41  .funcignore
-a----  01.09.2020 21:29      1787  .gitignore
-a----  01.09.2020 21:49      2458  azure-pipelines.yml
-a----  01.09.2020 21:28       289  host.json
-a----  01.09.2020 21:28       118  local.settings.json
-a----  01.09.2020 21:28        72  proxies.json
-a----  01.09.2020 21:28       200  requirements.txt

PS C:\Users\arazumov\Documents\Coding\Azure_09\funcPyTest> sourceguard-cli.exe -src .
02-09-2020 09:19:41.023 SourceGuard Scan Started!
02-09-2020 09:19:41.638 Project name: PyTest path: .
02-09-2020 09:19:41.638 Scan ID: 1b9cb9624438a84d314e22f36fc2f01aa1a56612772d2127261173062e6b5933-zXAORM
02-09-2020 09:20:21.515 Scanning ...
02-09-2020 09:20:27.765 Analyzing ...
02-09-2020 09:21:58.856 Action: ALLOW
02-09-2020 09:21:58.857 Please see full analysis: https://portal.checkpoint.com/Dashboard/SourceGuard#/scan/sourcecode/1b9cb9624438a84d314e22f36fc2f01aa1a56612772d2127261173062e6b5933-zXAORM

By the way, your git repository name will be used as the "project name" in the SourceGuard portal.
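The failure mode described in this thread (the CLI reporting "repository URL is missing" when invoked from a subfolder instead of the folder holding .git) is easy to guard against in a pipeline step. The wrapper below is an added example, not code from the thread or from the SourceGuard project: it walks up from the given path to the nearest directory containing .git and runs the scanner from there; the function names `find_git_root` and `scan_from_root` are hypothetical, and the default command `sourceguard-cli -src .` is taken from the output quoted above.

```sh
#!/bin/sh
# Added example: run a repository scanner from the git top-level directory, so the
# CLI finds the .git folder (and the repository name becomes the project name)
# instead of failing with "repository URL is missing".

# Print the nearest directory, starting at $1 (default: .), that contains a .git entry.
# Returns non-zero when no enclosing git work tree exists.
find_git_root() {
  dir=$(cd "${1:-.}" 2>/dev/null && pwd -P) || return 1
  while :; do
    if [ -e "$dir/.git" ]; then
      printf '%s\n' "$dir"
      return 0
    fi
    [ "$dir" = "/" ] && return 1   # reached the filesystem root without a .git
    dir=$(dirname "$dir")
  done
}

# Usage: scan_from_root <path> [command...]
# Default command (hypothetical wrapper default): sourceguard-cli -src .
# The command runs with the repository root as its working directory.
scan_from_root() {
  path=${1:-.}
  [ $# -gt 0 ] && shift
  [ $# -gt 0 ] || set -- sourceguard-cli -src .
  root=$(find_git_root "$path") || {
    echo "error: '$path' is not inside a git work tree; run 'git init' in the project root first" >&2
    return 2
  }
  echo "repository root: $root (project name will be: $(basename "$root"))" >&2
  (cd "$root" && "$@")
}
```

In a Jenkins shell step, `scan_from_root "$WORKSPACE/some/subdir"` makes the scan independent of which subfolder the stage happens to be in, and fails the stage with a clear message when the checkout has no .git folder.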