Integrating Boost with your CI

Using the BoostSecurity Scanner, you can configure your CI environment to scan your source code and push the list of findings to the BoostSecurity Platform. We have official support for many popular CI systems. The CI plugins run a Docker container with the Boost Scanner.

BoostSecurity supports out-of-the-box plugins for:

If you're using a different CI system, you can use the Boost CLI to set up the workflow.

GitHub Actions

The Boost integration for GitHub is packaged as a GitHub Action that you can use as a step in your workflow jobs.

GitHub Action Workflow

  • You will need to generate an API key by visiting the Settings Page; you can give it a label of GitHub Action to document its purpose.
  • Once you have the API key, create a secret called BOOST_API_TOKEN (as used in the sample workflow below) as a GitHub Repository Secret or an Organization Secret.
  • Create a new workflow: .github/workflows/boost.yml:
name: BoostSecurity
on:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}

Buildkite

The Boost integration for Buildkite is packaged as a plugin that runs as a command hook. The plugin executes the Boost Scanner to scan repositories for vulnerabilities and uploads results to the Boost platform.

Buildkite Pipeline Steps

  • You will need to generate an API key by visiting the Settings Page; you can give it a label of Buildkite to document its purpose.
  • Once you have the API key, define the following environment variable for your Buildkite Agent:
    BOOST_API_TOKEN="<YOUR_BOOST_API_TOKEN>"
    
  • Add the following to your pipeline.yml:
steps:
- label: Boost Scanner
  plugins:
  - boostsecurityio/boostsec-scanner#v3:
      action: scan

Circle CI

The Boost CI integration for CircleCI provides an orb with both a job running on a machine executor and a command to use within your pipeline configurations. Both invocation methods execute the Boost Scanner to scan repositories for vulnerabilities and upload the results to the Boost API.

The CircleCI orb is published on the CircleCI orb registry.

CircleCI Job Example

  • You will need to generate an API key by visiting the Settings Page; you can give it a label of CircleCI to document its purpose.
  • Once you have the API key, create a CircleCI context called boost-security containing a secret named BOOST_API_TOKEN with your organization's API key.
  • Add the following to your .circleci/config.yml:
version: '2.1'
orbs:
  boost-security-scanner: boostsecurityio/scanner@3.0.0
workflows:
  build:
    jobs:
      - boost-security-scanner/scan:
          context: boost-security
  version: 2

Jenkins CI

The Boost integration for Jenkins uses the Boost CLI, which attempts to auto-detect Jenkins pipeline variables in order to configure itself. The CLI executes the Boost Scanner to scan repositories for vulnerabilities and uploads results to the Boost API.

The pipeline step requires the following tools to be available on the runner: docker, wget and git.

The pipeline also requires access to the Docker daemon. To enable this, visit the Configure Cloud menu and set the following properties:

  • Name: docker
  • Docker Host URI: unix:///var/run/docker.sock
  • Enabled: checked

Configuring Docker Daemon
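The prerequisites listed above (docker, wget and git on the runner, a reachable Docker daemon socket, and a BOOST_API_TOKEN that is set but never echoed into the build log) can be checked before the scan step runs, and the same checks apply to any other CI system that drives the Boost CLI directly. The following POSIX shell script is an added example, not part of the BoostSecurity documentation or CLI; the function names and the /var/run/docker.sock default are assumptions.

```shell
#!/bin/sh
# Pre-flight check before running the Boost Scanner on a self-managed CI runner.
# Added example (hypothetical helper); not part of the BoostSecurity docs or CLI.

# Return 0 if every named command is on PATH, 1 otherwise, listing the missing
# ones on stderr so a failed build says what to install.
check_tools() {
  missing=""
  for tool in "$@"; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      missing="$missing $tool"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing required tools:$missing" >&2
    return 1
  fi
  return 0
}

# Return 0 if the named variable is set and non-empty. Only the variable NAME
# is ever printed, so the token value cannot leak into the build log.
check_secret() {
  name="$1"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "required secret $name is not set" >&2
    return 1
  fi
  return 0
}

# Return 0 if the Docker daemon socket exists and is writable by this user.
# The Jenkins "Docker Host URI" setting above points at this path.
check_docker_socket() {
  sock="${1:-/var/run/docker.sock}"
  if [ ! -S "$sock" ]; then
    echo "docker socket $sock does not exist" >&2
    return 1
  fi
  if [ ! -w "$sock" ]; then
    echo "docker socket $sock is not writable by $(id -un)" >&2
    return 1
  fi
  return 0
}

# Run every check and report all failures rather than stopping at the first.
# Usage: boost_preflight [docker-socket-path]
boost_preflight() {
  rc=0
  check_tools docker wget git || rc=1
  check_secret BOOST_API_TOKEN || rc=1
  check_docker_socket "${1:-/var/run/docker.sock}" || rc=1
  return "$rc"
}
```

In the Jenkins pipeline this would be sourced at the start of the `sh` step (`. ./boost_preflight.sh && boost_preflight`) so the stage fails fast with a readable reason instead of a scanner error from inside the container.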

Jenkins git plugins may affect behavior

If the Jenkins pipeline has one of several git plugins installed, it may change the expected behavior of Boost. By default, Boost expects git credentials to be available in the environment. If a Jenkins plugin changes this behavior, the credentials may need to be explicitly provided to the Boost command.

Jenkins Pipeline

pipeline {
  agent any
  environment {
    // The BOOST_API_TOKEN must be available
    BOOST_API_TOKEN = credentials('BOOST_API_TOKEN')

    // For BitBucket it may be necessary to overwrite autodetection and
    // manually define the project name.
    // ex.: boostsecurity/scanner
    // BOOST_GIT_PROJECT = "GIT_SCM_ORG_NAME/GIT_SCM_REPO_NAME"

    // Location where to download the Boost CLI
    BOOST_TMP_DIR = "${env.WORKSPACE_TMP}/boost"
  }
  stages {
    stage('BoostSecurityScanner') {
      agent any
      steps {
        sh """
          curl -s https://assets.build.boostsecurity.io/boost/get-boost-cli | bash
          "${BOOST_TMP_DIR}/boost/cli/latest/boost.sh" scan run
        """
      }
    }
  }
}
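The pipeline above installs the CLI with `curl -s … | bash`. Where policy requires that remotely fetched scripts be verified before they execute, the same install can be split into a download, a SHA-256 comparison against a digest recorded out of band, and only then execution. The following POSIX shell functions are an added example, not part of the BoostSecurity documentation or tooling; EXPECTED_INSTALLER_SHA256 is a placeholder for a digest you record yourself (the page publishes none), and the installer URL is the one used in the pipeline above.

```shell
#!/bin/sh
# Fetch-then-verify wrapper for the Boost CLI installer.
# Added example (hypothetical helper); not part of the BoostSecurity docs or CLI.

# Placeholder: replace with the SHA-256 of an installer copy you have reviewed,
# and update it deliberately whenever the upstream installer changes.
EXPECTED_INSTALLER_SHA256="${EXPECTED_INSTALLER_SHA256:-REPLACE_WITH_RECORDED_SHA256}"

# Print the SHA-256 of a file using whichever tool the runner provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d ' ' -f 1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# Return 0 if the file's SHA-256 matches the expected digest (case-insensitive),
# printing both digests on mismatch so the build log shows what drifted.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(file_sha256 "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# Download the installer to a temp file, verify it, and run it only on success.
# Usage: install_boost_cli [url] [expected-sha256]
install_boost_cli() {
  url="${1:-https://assets.build.boostsecurity.io/boost/get-boost-cli}"
  expected="${2:-$EXPECTED_INSTALLER_SHA256}"
  tmp=$(mktemp) || return 1
  # -f fails on HTTP errors instead of saving an error page as the "installer".
  if ! curl -fsSL "$url" -o "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  if verify_sha256 "$tmp" "$expected"; then
    if bash "$tmp"; then rc=0; else rc=$?; fi
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}
```

In the Jenkins step this replaces the first line of the `sh` block with `install_boost_cli` (after sourcing the file), leaving the `boost.sh scan run` invocation unchanged; a mismatch fails the stage before anything from the download is executed.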