Since 1999

 

3 minutes estimated reading time.

Automate Scheduled Security Scans With CircleCI

Christopher Choi

Continuous integration is a now common way of having constant feedback for teams. Being able to verify new code on whether it is working is important, but what about CVEs? CVEs are reported and patched constantly by open source communities and unless your team is scouring the web for dependency vulnerabilities daily, it can quickly become difficult to keep up. Not only time consuming, but if they are not dealt with swiftly, they will pose as a risk to the well-being of your business and user base. At Rietta, we have automated security scans by utilizing scheduled workflows on CircleCI. This blog post will briefly go over how you can set up an automated security scan that will help boost confidence when dealing with CVEs.

When initially setting up CI, it is common to have all checks like test suites, security scans, and linters to trigger on service hooks like git push. While it may make sense to have everything run on pushes and merges, it could be more beneficial to put security scans for dependencies like Bundler-audit on a scheduled cron job. As our team does not push commits to all of our repos on a daily basis, having the scan on a daily cron job ensures that the vulnerability is dealt with immediately when found. Let’s add in Workflows with CircleCI to our config to see how that looks in practice.

# app/.circleci/config.yml
version: 2
jobs:
  build:
    # your 'build' configurations here
  security:
    docker:
      - image: circleci/ruby:2.5
    steps:
      - checkout
      - bin/setup # setup application
      - run:
          name: Install Bundler-audit
          command: gem install bundler-audit
      - run:
          name: Run Bundle-audit
          command: bundle exec bundle audit check --update

workflows:
  version: 2
  commit:
    jobs:
      - build
  nightly:
    jobs:
      - security
    triggers:
      - schedule:
          cron: "0 0 * * *"
          filters:
            branches:
              only:
                - master

With the addition of workflows, we can have multiple jobs on different schedules or triggered by different events. By having Bundle-audit in the security job, we can have it run exclusively in our nightly scheduled workflow. Lets look at the workflows section more closely to see how this works with the rest of the configuration.

workflows:
  version: 2
  commit:
    jobs:
      - build
  nightly:
    jobs:
      - security
    triggers:
      - schedule:
          cron: "0 0 * * *"
          filters:
            branches:
              only:
                - master
  • We can preserve the original behavior of the service hooks(push and merge) with commit.
    • It is necessary to put the build job under commit as we are overriding the default behavior by configuring workflows.
    • This will execute the build job on the previously stated service hooks allowing us to still run our tests and linters on pushed code.
  • We have also introduced a nightly workflow which is cron scheduled for “0 0 * * *" or at 12 AM every night.
    • The filters constraint will only run our cron job on the master branch as it houses all of our production dependencies.
    • Just like the commit workflow, we need to specify what job to run for the nightly workflow, so instead of build we’ll add the security job to be run on the cron schedule.

In conclusion

Keeping up with CVEs and other security-related vulnerabilities is time consuming and not being attentive enough can leave areas of exploitation. It is especially risky to not have scheduled scans when maintaining multiple applications or micro-services.

With scheduled scans, your team can be notified of security vulnerabilities with integrations like Slack Integration - CircleCI which will help keep your team on top of any potential vulnerabilities.