
Scanning Generated Artifacts

Boost CI supports scanning build artifacts that are generated from repository code using a templating engine or script of your choice.

To generate such artifacts, Boost CI provides the --pre-scan-command option, which accepts the path to an executable and its relevant CLI arguments. This executable will then be executed with your Git repository as its current working directory.

Adding the generated artifacts' output directory to .boostinclude

The following examples assume that you have created a .boostinclude file which specifies the artifacts necessary for your --pre-scan-command, so that they are not pruned before it executes.

GitHub Actions

Add the following to your .github/workflows/boost.yml:

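# BoostSecurity SAST workflow: renders the Helm chart before the scan so the
# generated manifests are analysed together with the repository source.
name: BoostSecurity
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Third-party actions referenced by a mutable tag can change what runs;
        # consider pinning to a full commit SHA (see the action's release page).
        uses: actions/checkout@v2
      - name: Install pre-scan dependencies
        # Every download is checked against its expected SHA-256 digest before
        # it is extracted. The archive is held in a private mktemp file rather
        # than a fixed /tmp path, so nothing unverified ever lands in the
        # destination directory and the temp file is removed on every exit path.
        run: |
          download_verify_and_unpack() {
            # $1 URL, $2 destination binary, $3 expected sha256 hex digest,
            # $4 optional member path inside the archive (moved onto $2 after extraction)
            local tmp
            tmp="$(mktemp)"
            # ${4:+"$4"} expands to nothing when $4 is empty, so tar extracts the
            # whole archive instead of failing on an empty member name.
            if curl -s -L "$1" | tee "$tmp" | shasum -s -a256 -c <(echo "$3  -") \
               && tar -C "$(dirname "$2")" -xzf "$tmp" ${4:+"$4"} \
               && { [[ -z "${4:-}" ]] || mv "$(dirname "$2")/$4" "$2"; } \
               && chmod +x "$2"; then
              rm -f "$tmp"
            else
              rm -f "$tmp"
              return 1
            fi
          }
          download_verify_and_unpack https://get.helm.sh/helm-v3.7.1-linux-amd64.tar.gz /usr/local/bin/helm 6cd6cad4b97e10c33c978ff3ac97bb42b68f79766f1d2284cfd62ec04cd177f4 linux-amd64/helm
      - name: Prepare pre-scan script
        # The heredoc delimiter is quoted so the script body is written verbatim
        # (no expansion at write time). `set -euo pipefail` makes a failed render
        # abort the job instead of continuing with missing or partial output.
        run: |
          cat << 'EOF' > /usr/local/bin/render-k8s.sh
          #!/bin/bash
          set -euo pipefail
          helm template charts/hello-world --output-dir ./generated
          EOF
          chmod +x /usr/local/bin/render-k8s.sh
      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          additional_args: --pre-scan-command "/usr/local/bin/render-k8s.sh"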
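# BoostSecurity SAST workflow: renders jsonnet with kubecfg and splits the
# result into per-resource files before the scan runs.
name: BoostSecurity
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Third-party actions referenced by a mutable tag can change what runs;
        # consider pinning to a full commit SHA (see the action's release page).
        uses: actions/checkout@v2
      - name: Install pre-scan dependencies
        # Every download is checked against its expected SHA-256 digest before
        # it is installed. Content is staged in a private mktemp file, so the
        # destination path never holds unverified bytes, and the temp file is
        # removed on every exit path.
        run: |
          download_and_verify() {
            # $1 URL, $2 destination binary, $3 expected sha256 hex digest
            local tmp
            tmp="$(mktemp)"
            # install(1) copies with an explicit 0755 mode so the result does not
            # inherit mktemp's private 0600 permissions.
            if curl -s -L "$1" | tee "$tmp" | shasum -s -a256 -c <(echo "$3  -") \
               && install -m 0755 "$tmp" "$2"; then
              rm -f "$tmp"
            else
              rm -f "$tmp"
              return 1
            fi
          }
          download_verify_and_unpack() {
            # $1 URL, $2 destination binary, $3 expected sha256 hex digest,
            # $4 optional member path inside the archive (moved onto $2 after extraction)
            local tmp
            tmp="$(mktemp)"
            if curl -s -L "$1" | tee "$tmp" | shasum -s -a256 -c <(echo "$3  -") \
               && tar -C "$(dirname "$2")" -xzf "$tmp" ${4:+"$4"} \
               && { [[ -z "${4:-}" ]] || mv "$(dirname "$2")/$4" "$2"; } \
               && chmod +x "$2"; then
              rm -f "$tmp"
            else
              rm -f "$tmp"
              return 1
            fi
          }
          download_and_verify https://github.com/bitnami/kubecfg/releases/download/v0.22.0/kubecfg-linux-amd64 /usr/local/bin/kubecfg 198e2f6eb6d86460eea47be4444d986287745b3882026f3f228a1ec0f1453780
          download_verify_and_unpack https://github.com/mogensen/kubernetes-split-yaml/releases/download/v0.3.0/kubernetes-split-yaml_0.3.0_linux_amd64.tar.gz /usr/local/bin/kubernetes-split-yaml f77587a3eeb602a11affd066512bb8736bb506a22a60640fe2e8a5be4f9b429b
      - name: Prepare pre-scan script
        # The heredoc delimiter is quoted so the script body is written verbatim.
        # Without `pipefail` a failing kubecfg would be masked by the exit status
        # of kubernetes-split-yaml and the scan would proceed on empty output.
        run: |
          cat << 'EOF' > /usr/local/bin/render-k8s.sh
          #!/bin/bash
          set -euo pipefail
          kubecfg show -o yaml examples/guestbook.jsonnet | kubernetes-split-yaml -
          EOF
          chmod +x /usr/local/bin/render-k8s.sh
      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          additional_args: --pre-scan-command "/usr/local/bin/render-k8s.sh"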
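# BoostSecurity SAST workflow: fetches jsonnet dependencies with jb and exports
# the Tanka environment before the scan runs.
name: BoostSecurity
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
    types:
      - opened
      - synchronize
jobs:
  boost_security_sast:
    name: SAST / Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Third-party actions referenced by a mutable tag can change what runs;
        # consider pinning to a full commit SHA (see the action's release page).
        uses: actions/checkout@v2
      - name: Install pre-scan dependencies
        # Every download is checked against its expected SHA-256 digest before
        # it is installed. Content is staged in a private mktemp file, so the
        # destination path never holds unverified bytes, and the temp file is
        # removed on every exit path.
        run: |
          download_and_verify() {
            # $1 URL, $2 destination binary, $3 expected sha256 hex digest
            local tmp
            tmp="$(mktemp)"
            # install(1) copies with an explicit 0755 mode so the result does not
            # inherit mktemp's private 0600 permissions.
            if curl -s -L "$1" | tee "$tmp" | shasum -s -a256 -c <(echo "$3  -") \
               && install -m 0755 "$tmp" "$2"; then
              rm -f "$tmp"
            else
              rm -f "$tmp"
              return 1
            fi
          }
          download_and_verify https://github.com/grafana/tanka/releases/download/v0.18.2/tk-linux-amd64 /usr/local/bin/tk ab71bd5ce4cdd12af5adfe02d5178dbdae61ed693f74537f3e73ec0801ab95f6
          download_and_verify https://github.com/jsonnet-bundler/jsonnet-bundler/releases/download/v0.4.0/jb-linux-amd64 /usr/local/bin/jb 433edab5554a88a0371e11e93080408b225d41c31decf321c02b50d2e44993ce
      - name: Prepare pre-scan script
        # The heredoc delimiter is quoted so the script body is written verbatim.
        # `set -euo pipefail` stops the script if the `cd` or `jb install` fails,
        # instead of exporting from the wrong directory or with missing vendored
        # libraries; `set -x` is kept for the trace output.
        run: |
          cat << 'EOF' > /usr/local/bin/render-k8s.sh
          #!/bin/bash
          set -euo pipefail
          set -x
          cd examples/prom-grafana/
          jb install
          tk export manifests environments/prom-grafana/dev
          EOF
          chmod +x /usr/local/bin/render-k8s.sh
      - name: Scanner
        uses: boostsecurityio/boostsec-scanner-github@v3
        with:
          action: scan
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          additional_args: --pre-scan-command "/usr/local/bin/render-k8s.sh"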

Circle CI

Add the following to your .circleci/config.yml:

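# BoostSecurity scan on CircleCI: renders the Helm chart before the scan so the
# generated manifests are analysed together with the repository source.
version: 2.1
orbs:
  boost-security-scanner: boostsecurityio/scanner@3.0.0
workflows:
  version: 2
  build:
    jobs:
      - boost-security-scan:
          context: boost-security
jobs:
  boost-security-scan:
    machine:
      docker_layer_caching: true
      image: ubuntu-2004:202107-02
    steps:
      - checkout
      - run:
          name: Install pre-scan dependencies
          # Every download is checked against its expected SHA-256 digest before
          # it is extracted. The archive is held in a private mktemp file rather
          # than a fixed /tmp path, so nothing unverified ever lands in the
          # destination directory and the temp file is removed on every exit path.
          command: |
            download_verify_and_unpack() {
              # $1 URL, $2 destination binary, $3 expected sha256 hex digest,
              # $4 optional member path inside the archive (moved onto $2 after extraction)
              local tmp
              tmp="$(mktemp)"
              # ${4:+"$4"} expands to nothing when $4 is empty, so tar extracts the
              # whole archive instead of failing on an empty member name.
              if curl -s -L "$1" | tee "$tmp" | shasum -s -a256 -c <(echo "$3  -") \
                 && tar -C "$(dirname "$2")" -xzf "$tmp" ${4:+"$4"} \
                 && { [[ -z "${4:-}" ]] || mv "$(dirname "$2")/$4" "$2"; } \
                 && chmod +x "$2"; then
                rm -f "$tmp"
              else
                rm -f "$tmp"
                return 1
              fi
            }
            download_verify_and_unpack https://get.helm.sh/helm-v3.7.1-linux-amd64.tar.gz /home/circleci/bin/helm 6cd6cad4b97e10c33c978ff3ac97bb42b68f79766f1d2284cfd62ec04cd177f4 linux-amd64/helm
      - run:
          name: Prepare pre-scan script
          # `cat << 'EOF'` replaces the published `cat \<< EOF`: a backslash
          # before `<<` makes bash treat the first `<` as a literal word and the
          # second as an input redirection from a file named EOF, so the script
          # was never written. The quoted delimiter writes the body verbatim, and
          # `set -euo pipefail` aborts the job when the render fails.
          command: |
            cat << 'EOF' > /home/circleci/bin/render-k8s.sh
            #!/bin/bash
            set -euo pipefail
            helm template charts/hello-world --output-dir ./generated
            EOF
            chmod +x /home/circleci/bin/render-k8s.sh
      - boost-security-scanner/scan:
          cli_additional_args: --pre-scan-command /home/circleci/bin/render-k8s.sh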
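# BoostSecurity scan on CircleCI: renders jsonnet with kubecfg and splits the
# result into per-resource files before the scan runs.
version: 2.1
orbs:
  boost-security-scanner: boostsecurityio/scanner@3.0.0
workflows:
  version: 2
  build:
    jobs:
      - boost-security-scan:
          context: boost-security
jobs:
  boost-security-scan:
    machine:
      docker_layer_caching: true
      image: ubuntu-2004:202107-02
    steps:
      - checkout
      - run:
          name: Install pre-scan dependencies
          # Every download is checked against its expected SHA-256 digest before
          # it is installed. Content is staged in a private mktemp file, so the
          # destination path never holds unverified bytes, and the temp file is
          # removed on every exit path.
          command: |
            download_and_verify() {
              # $1 URL, $2 destination binary, $3 expected sha256 hex digest
              local tmp
              tmp="$(mktemp)"
              # install(1) copies with an explicit 0755 mode so the result does not
              # inherit mktemp's private 0600 permissions.
              if curl -s -L "$1" | tee "$tmp" | shasum -s -a256 -c <(echo "$3  -") \
                 && install -m 0755 "$tmp" "$2"; then
                rm -f "$tmp"
              else
                rm -f "$tmp"
                return 1
              fi
            }
            download_verify_and_unpack() {
              # $1 URL, $2 destination binary, $3 expected sha256 hex digest,
              # $4 optional member path inside the archive (moved onto $2 after extraction)
              local tmp
              tmp="$(mktemp)"
              if curl -s -L "$1" | tee "$tmp" | shasum -s -a256 -c <(echo "$3  -") \
                 && tar -C "$(dirname "$2")" -xzf "$tmp" ${4:+"$4"} \
                 && { [[ -z "${4:-}" ]] || mv "$(dirname "$2")/$4" "$2"; } \
                 && chmod +x "$2"; then
                rm -f "$tmp"
              else
                rm -f "$tmp"
                return 1
              fi
            }
            download_and_verify https://github.com/bitnami/kubecfg/releases/download/v0.22.0/kubecfg-linux-amd64 /home/circleci/bin/kubecfg 198e2f6eb6d86460eea47be4444d986287745b3882026f3f228a1ec0f1453780
            download_verify_and_unpack https://github.com/mogensen/kubernetes-split-yaml/releases/download/v0.3.0/kubernetes-split-yaml_0.3.0_linux_amd64.tar.gz /home/circleci/bin/kubernetes-split-yaml f77587a3eeb602a11affd066512bb8736bb506a22a60640fe2e8a5be4f9b429b
      - run:
          name: Prepare pre-scan script
          # `cat << 'EOF'` replaces the published `cat \<< EOF`: a backslash
          # before `<<` makes bash treat the first `<` as a literal word and the
          # second as an input redirection from a file named EOF, so the script
          # was never written. Without `pipefail` a failing kubecfg would be masked
          # by the exit status of kubernetes-split-yaml.
          command: |
            cat << 'EOF' > /home/circleci/bin/render-k8s.sh
            #!/bin/bash
            set -euo pipefail
            kubecfg show -o yaml examples/guestbook.jsonnet | kubernetes-split-yaml -
            EOF
            chmod +x /home/circleci/bin/render-k8s.sh
      - boost-security-scanner/scan:
          cli_additional_args: --pre-scan-command /home/circleci/bin/render-k8s.sh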
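# BoostSecurity scan on CircleCI: fetches jsonnet dependencies with jb and
# exports the Tanka environment before the scan runs.
version: 2.1
orbs:
  boost-security-scanner: boostsecurityio/scanner@3.0.0
workflows:
  version: 2
  build:
    jobs:
      - boost-security-scan:
          context: boost-security
jobs:
  boost-security-scan:
    machine:
      docker_layer_caching: true
      image: ubuntu-2004:202107-02
    steps:
      - checkout
      - run:
          name: Install pre-scan dependencies
          # Every download is checked against its expected SHA-256 digest before
          # it is installed. Content is staged in a private mktemp file, so the
          # destination path never holds unverified bytes, and the temp file is
          # removed on every exit path.
          command: |
            download_and_verify() {
              # $1 URL, $2 destination binary, $3 expected sha256 hex digest
              local tmp
              tmp="$(mktemp)"
              # install(1) copies with an explicit 0755 mode so the result does not
              # inherit mktemp's private 0600 permissions.
              if curl -s -L "$1" | tee "$tmp" | shasum -s -a256 -c <(echo "$3  -") \
                 && install -m 0755 "$tmp" "$2"; then
                rm -f "$tmp"
              else
                rm -f "$tmp"
                return 1
              fi
            }
            download_and_verify https://github.com/grafana/tanka/releases/download/v0.18.2/tk-linux-amd64 /home/circleci/bin/tk ab71bd5ce4cdd12af5adfe02d5178dbdae61ed693f74537f3e73ec0801ab95f6
            download_and_verify https://github.com/jsonnet-bundler/jsonnet-bundler/releases/download/v0.4.0/jb-linux-amd64 /home/circleci/bin/jb 433edab5554a88a0371e11e93080408b225d41c31decf321c02b50d2e44993ce
      - run:
          name: Prepare pre-scan script
          # `cat << 'EOF'` replaces the published `cat \<< EOF`: a backslash
          # before `<<` makes bash treat the first `<` as a literal word and the
          # second as an input redirection from a file named EOF, so the script
          # was never written. `set -euo pipefail` stops the script if the `cd`
          # or `jb install` fails instead of exporting from the wrong directory.
          command: |
            cat << 'EOF' > /home/circleci/bin/render-k8s.sh
            #!/bin/bash
            set -euo pipefail
            cd examples/prom-grafana/
            jb install
            tk export manifests environments/prom-grafana/dev
            EOF
            chmod +x /home/circleci/bin/render-k8s.sh
      - boost-security-scanner/scan:
          cli_additional_args: --pre-scan-command /home/circleci/bin/render-k8s.sh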