Integrating with External Scanners

By default, Boost runs the Boost Scanner which contains an opinionated set of high signal, low noise rules.

Additionally, Boost can also integrate with any static-analysis tool that can format its output as
SARIF. This enables Boost to orchestrate and ingest results from static-analysis tools you already use.

Adding an External Scanner

To add results from an External Scanner to Boost, update your CI configuration file. Each configuration below runs both the Boost Scanner and one External Scanner; the External Scanner step runs the tool through the Boost plugin's exec action, and the tool's SARIF output is what Boost ingests.

Keep in mind that, as explained in the Integrating Boost with your CI page, you will need to get an API Key before continuing.
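Before wiring a new tool into an exec step, it helps to confirm that what the tool writes to stdout really is SARIF 2.1.0 carrying the fields an ingesting service needs (tool name, rule ids, a severity level, a file and line per result). The following checker is an added example and is not part of the BoostSecurity docs or product; the sample SARIF document inside it is constructed, and the script name check_sarif.py used in the usage note is an assumption.

```python
"""Sanity-check the SARIF a scanner writes to stdout before handing it to Boost.

Added example, not BoostSecurity code. Parses a SARIF 2.1.0 document and summarizes
the fields an ingesting service relies on; raises ValueError on the first structural
problem so a broken exec_command fails loudly in CI instead of silently importing
nothing.
"""
import json
from collections import Counter

# Constructed sample: the shape Brakeman/Semgrep emit with --format sarif / --sarif.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "sql-injection", "shortDescription": {"text": "SQL injection"}},
                {"id": "hardcoded-secret"},
            ],
        }},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input in query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/models/user.rb"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "warning",
             "message": {"text": "Possible API key"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/keys.rb"},
                 "region": {"startLine": 7}}}]},
            # Valid SARIF but carries no file location, so it cannot be tied to a diff.
            {"ruleId": "sql-injection", "message": {"text": "Generic finding"}},
        ],
    }],
})


def _has_file_location(result):
    """True when at least one location names a file (artifactLocation.uri)."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        if phys.get("artifactLocation", {}).get("uri"):
            return True
    return False


def validate_sarif(text):
    """Return a summary dict for a SARIF 2.1.0 document, or raise ValueError."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF document has no runs")
    summary = {"tools": [], "by_rule": Counter(), "by_level": Counter(), "unlocated": 0}
    for run in runs:
        driver = run.get("tool", {}).get("driver", {})
        name = driver.get("name")
        if not name:
            raise ValueError("run is missing tool.driver.name")
        summary["tools"].append(name)
        declared = {rule.get("id") for rule in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            if not rule_id:
                raise ValueError("result is missing ruleId")
            if declared and rule_id not in declared:
                raise ValueError(f"result references undeclared rule {rule_id!r}")
            summary["by_rule"][rule_id] += 1
            # SARIF treats a missing level on a failing result as "warning".
            summary["by_level"][result.get("level", "warning")] += 1
            if not _has_file_location(result):
                summary["unlocated"] += 1
    return summary


if __name__ == "__main__":
    import sys
    # Read SARIF from a pipe; fall back to the constructed sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SARIF
    print(json.dumps(validate_sarif(text), indent=2))
```

Pipe the exact command you intend to put in exec_command into it, for example `docker run -v "$PWD":/src returntocorp/semgrep:0.94.0 scan --sarif --config auto | python3 check_sarif.py`; a non-zero `unlocated` count or an undeclared rule id is worth fixing in the tool's flags before the results reach Boost.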

Brakeman

Buildkite

steps:
- label: Boost Scanner
  plugins:
  - boostsecurityio/boostsec-scanner-buildkite-plugin#v3:
      action: scan
- wait
- label: External Scanner
  plugins:
    - boostsecurityio/boostsec-scanner-buildkite-plugin#v3:
        action: exec
        additional_args: --require-full-repo
        exec_command: "brakeman --format sarif --force" # replace this with any tool that exports SARIF

GitHub Actions

name: BoostSecurity
on:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
  brakeman:
    name: Brakeman Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Brakeman
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          step_name: brakeman
          action: exec
          additional_args: --require-full-repo
          exec_command: >
            docker run -v %CWD%:/code
              presidentbeef/brakeman
              --format sarif --force
          api_token: ${{ secrets.BOOST_API_TOKEN }}

Semgrep

Using community rules

Buildkite

steps:
- label: Boost Scanner
  plugins:
  - boostsecurityio/boostsec-scanner-buildkite-plugin#v3:
      action: scan
- wait
- label: External Scanner
  plugins:
    - boostsecurityio/boostsec-scanner-buildkite-plugin#v3:
        action: exec
        exec_command: docker run -v %CWD%:/src returntocorp/semgrep:0.94.0 --disable-version-check --sarif --config auto

GitHub Actions

name: BoostSecurity
on:
  workflow_dispatch:
  push:
    branches:
      - master
      - main
  pull_request:
    branches:
      - master
      - main
    types:
      - opened
      - synchronize
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
  semgrep-community-rules:
    name: Semgrep - Community Rules
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Semgrep - Auto Config
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          step_name: semgrep-auto-config
          action: exec
          exec_command: >
            docker run -v %CWD%:/src
              returntocorp/semgrep:0.94.0
              scan
              --disable-version-check --sarif
              --config auto
          api_token: ${{ secrets.BOOST_API_TOKEN }}

Using custom rules

Including custom rules as part of Diff Scans

The following examples assume that your custom Semgrep rules live in .semgrep/custom-rules.yml. If you use such a file, you must also create a .boostinclude file containing the line .semgrep/custom-rules.yml, so that the Boost scanner can access the rules.

You can find a simple demo of the GitHub Action integration here, on GitHub.

Alternatively, you can provide the semgrep rules directly on the command-line or package them inside a custom Docker image.

Buildkite

steps:
- label: Boost Scanner
  plugins:
  - boostsecurityio/boostsec-scanner-buildkite-plugin#v3:
      action: scan
- wait
- label: External Scanner
  plugins:
    - boostsecurityio/boostsec-scanner-buildkite-plugin#v3:
        action: exec
        exec_command: docker run -v %CWD%:/src returntocorp/semgrep:0.56.0 --disable-version-check --no-rewrite-rule-ids --sarif --config /src/.semgrep/custom-rules.yml

GitHub Actions

name: BoostSecurity
on:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
  semgrep-custom-rules:
    name: Semgrep - Custom Rules
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Semgrep - Custom Rules
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          step_name: semgrep-custom-rules
          action: exec
          exec_command: >
            docker run -v %CWD%:/src
              returntocorp/semgrep:0.94.0
              scan
              --disable-version-check --no-rewrite-rule-ids --sarif
              --config /src/.semgrep/custom-rules.yml
          api_token: ${{ secrets.BOOST_API_TOKEN }}

Snyk

You can ingest findings generated by the Snyk CLI as SARIF. All findings are mapped to one of the following rules: cve-critical, cve-high, cve-moderate, cwe-low. You first need to obtain a Snyk CLI API Key and store it as a secret in your CI environment; the workflow below reads it from secrets.SNYK_TOKEN.

GitHub Actions

name: BoostSecurity
on:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
  snyk:
    name: Snyk CLI
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Download Snyk
        run: |
          curl https://static.snyk.io/cli/latest/snyk-linux -o /tmp/snyk
          chmod +x /tmp/snyk
          /tmp/snyk auth ${{ secrets.SNYK_TOKEN }}

          docker pull public.ecr.aws/boostsecurityio/boostsecurityio-convert-snyk:latest

          # Quote the heredoc delimiter so the shell writes the script verbatim
          # (no expansion, and the backslash continuations are preserved).
          cat <<'EOF' > /tmp/snyk-wrapper
          #!/bin/bash
          # Pipe the Snyk JSON report into Boost's converter, which emits SARIF on stdout.
          /tmp/snyk test --json |
          docker run \
            --rm \
            --interactive \
            public.ecr.aws/boostsecurityio/boostsecurityio-convert-snyk:latest \
            process -
          EOF
          chmod +x /tmp/snyk-wrapper
      - name: Snyk CLI
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          step_name: snyk
          action: exec
          additional_args: --require-full-repo
          exec_command: /tmp/snyk-wrapper
          api_token: ${{ secrets.BOOST_API_TOKEN }}
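The snyk-wrapper above delegates the JSON-to-SARIF step to Boost's convert-snyk image, whose internals this page does not describe. To make the shape of that step concrete, here is an added, illustrative converter; it is not Boost's converter and its severity-to-rule mapping (Snyk's critical/high/medium/low onto the four rule names the page lists) is an assumption. The input field names (vulnerabilities, severity, title, packageName, version, identifiers, displayTargetFile) are assumptions about the Snyk CLI's JSON report, the sample report is constructed, and the CVE id in it is a placeholder.

```python
"""Illustrative Snyk-JSON-to-SARIF converter.

Added example, not BoostSecurity's convert-snyk image. Reads a `snyk test --json`
style report, buckets each vulnerability by severity into one of the four rule ids
named on this page, and emits SARIF 2.1.0 so the result can be handed to any SARIF
ingester. Unknown severities raise instead of being silently downgraded or dropped,
so a format change in the upstream report is noticed in CI rather than hidden.
"""
import json

# Assumed mapping: Snyk's "medium" corresponds to the page's "cve-moderate".
SEVERITY_TO_RULE = {
    "critical": "cve-critical",
    "high": "cve-high",
    "medium": "cve-moderate",
    "low": "cwe-low",
}
# SARIF result levels for each bucket (SARIF only defines error/warning/note/none).
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed sample report; field names are assumptions about the Snyk CLI output.
SAMPLE_SNYK_JSON = json.dumps({
    "ok": False,
    "displayTargetFile": "package.json",
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "title": "Prototype Pollution", "severity": "high",
         "packageName": "lodash", "version": "4.17.15",
         "identifiers": {"CVE": ["CVE-0000-00000"], "CWE": ["CWE-1321"]}},  # placeholder CVE id
        {"id": "SNYK-EXAMPLE-2", "title": "Regular Expression Denial of Service",
         "severity": "medium", "packageName": "minimist", "version": "1.2.0",
         "identifiers": {"CVE": [], "CWE": ["CWE-400"]}},
        {"id": "SNYK-EXAMPLE-3", "title": "Information Exposure", "severity": "low",
         "packageName": "debug", "version": "2.6.8",
         "identifiers": {"CVE": [], "CWE": ["CWE-200"]}},
    ],
})


def snyk_to_sarif(text):
    """Convert a Snyk-style JSON report (string) into a SARIF 2.1.0 dict."""
    report = json.loads(text)
    # Dependency findings have no source line; point them at the scanned manifest.
    target = report.get("displayTargetFile") or "unknown-manifest"
    results, used_rules = [], {}
    for vuln in report.get("vulnerabilities", []):
        severity = str(vuln.get("severity", "")).lower()
        rule_id = SEVERITY_TO_RULE.get(severity)
        if rule_id is None:
            raise ValueError(f"unknown severity {severity!r} for {vuln.get('id')!r}")
        used_rules[rule_id] = {
            "id": rule_id,
            "shortDescription": {"text": f"Dependency vulnerability ({severity})"},
        }
        ids = vuln.get("identifiers", {})
        # Prefer CVE ids, then CWE ids, then Snyk's own id, for the message text.
        refs = ids.get("CVE") or ids.get("CWE") or [vuln.get("id", "")]
        results.append({
            "ruleId": rule_id,
            "level": SARIF_LEVEL[severity],
            "message": {"text": f"{vuln.get('title')} in {vuln.get('packageName')}"
                                f"@{vuln.get('version')} ({', '.join(refs)})"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": target}}}],
            # Stable fingerprint so re-scans dedupe on the Snyk id, not the message.
            "partialFingerprints": {"snykId": vuln.get("id", "")},
        })
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "snyk-to-sarif-example",
                                "rules": list(used_rules.values())}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    import sys
    # Read the report from a pipe (as the wrapper does); fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SNYK_JSON
    print(json.dumps(snyk_to_sarif(text), indent=2))
```

Two design points carry over to any converter you write for a tool without native SARIF output: declare every rule id you emit under tool.driver.rules so ingesters can match results to rules, and fail on input you do not understand rather than mapping it to the lowest bucket, since a quietly downgraded critical finding is worse than a red CI step.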