Continuous integration is now a common way for teams to get constant feedback. Being able to verify whether new code works is important, but what about CVEs? CVEs are reported and patched constantly by open source communities, and unless your team is scouring the web for dependency vulnerabilities daily, it can quickly become difficult to keep up. Not only is this time consuming, but if vulnerabilities are not dealt with swiftly they pose a risk to the well-being of your business and user base. At Rietta, we have automated security scans by utilizing scheduled workflows on CircleCI. This blog post will briefly go over how you can set up an automated security scan that will help boost confidence when dealing with CVEs.
When initially setting up CI, it is common to have all checks like test suites, security scans, and linters trigger on service hooks like `git push`. While it may make sense to have everything run on pushes and merges, it could be more beneficial to put dependency security scans like Bundler-audit on a scheduled cron job. As our team does not push commits to all of our repos on a daily basis, having the scan on a daily cron job ensures that a vulnerability is dealt with promptly when it is found, rather than whenever someone next pushes. Let’s add Workflows with CircleCI to our config to see how that looks in practice.
```yaml
# app/.circleci/config.yml
version: 2
jobs:
  build:
    # your 'build' configurations here
  security:
    docker:
      - image: circleci/ruby:2.5
    steps:
      - checkout
      - run: bin/setup # set up the application
      - run:
          name: Install Bundler-audit
          command: gem install bundler-audit
      - run:
          name: Run Bundle-audit
          command: bundle exec bundle audit check --update
workflows:
  version: 2
  commit:
    jobs:
      - build
  nightly:
    jobs:
      - security
    triggers:
      - schedule:
          cron: "0 0 * * *"
          filters:
            branches:
              only:
                - master
```
With the addition of `workflows`, we can have multiple jobs on different schedules or triggered by different events. By placing Bundle-audit in the `security` job, we can have it run exclusively in our nightly scheduled workflow. Let’s look at the workflows section more closely to see how this works with the rest of the configuration.
```yaml
workflows:
  version: 2
  commit:
    jobs:
      - build
  nightly:
    jobs:
      - security
    triggers:
      - schedule:
          cron: "0 0 * * *"
          filters:
            branches:
              only:
                - master
```
- We can preserve the original behavior of the service hooks (push and merge) with `commit`. It is necessary to put the `commit` workflow in place, as we are overriding the default behavior by configuring workflows.
- This will execute the `build` job on the previously stated service hooks, allowing us to still run our tests and linters on pushed code.
- We have also introduced a `nightly` workflow which is cron scheduled for “0 0 * * *”, or at 12 AM every night (CircleCI evaluates cron schedules in UTC). The `filters` constraint will only run our cron job on the master branch, as it houses all of our production dependencies.
- Just like the `commit` workflow, we need to specify what job to run for the `nightly` workflow, so instead of `build` we’ll add the `security` job to be run on the cron schedule.
Keeping up with CVEs and other security-related vulnerabilities is time consuming, and a lapse in attention can leave exploitable gaps. It is especially risky to not have scheduled scans when maintaining multiple applications or microservices.
With scheduled scans, your team can be notified of security vulnerabilities through integrations like Slack Integration - CircleCI, which will help keep your team on top of any potential vulnerabilities.
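The nightly job above fails the build when bundler-audit finds something, and the notification integration then only says that it failed. The following added example (not code from the original post or from Rietta) condenses bundler-audit's human-readable report into one line per vulnerable gem so the Slack message can carry the actual findings. It assumes the `Key: value` block format that `bundle audit check` prints; the report text is constructed and its CVE ids are placeholders, not real advisories.

```ruby
# Added example (not from the original post): turn bundler-audit's text
# report into a short summary the nightly job can post to Slack.
# Assumes the "Key: value" block format printed by `bundle audit check`;
# the report below is constructed and its CVE ids are placeholders.
SAMPLE_REPORT = <<~REPORT
  Name: rails
  Version: 5.2.0
  Advisory: CVE-0000-0001
  Criticality: High
  URL: https://example.invalid/advisory/1
  Title: Placeholder advisory one
  Solution: upgrade to >= 5.2.1

  Name: nokogiri
  Version: 1.8.0
  Advisory: CVE-0000-0002
  Criticality: Medium
  URL: https://example.invalid/advisory/2
  Title: Placeholder advisory two
  Solution: upgrade to >= 1.8.1

  Vulnerabilities found!
REPORT
FIELDS = %w[Name Version Advisory Criticality URL Title Solution].freeze

# One hash per advisory block; blank lines separate blocks, and the
# trailing "Vulnerabilities found!" / "No vulnerabilities found" line is ignored.
def parse_audit(report)
  findings = []
  current = {}
  report.each_line do |raw|
    line = raw.strip
    if line.empty?
      findings << current unless current.empty?
      current = {}
    elsif (m = line.match(/\A(#{FIELDS.join('|')}): (.*)\z/))
      current[m[1].downcase.to_sym] = m[2]
    end
  end
  findings << current unless current.empty?
  findings
end

# One line per vulnerable gem, e.g. "rails 5.2.0: CVE-... (High)".
def summarize(findings)
  findings.group_by { |f| f[:name] }.map do |gem, advs|
    ids = advs.map { |a| "#{a[:advisory]} (#{a[:criticality]})" }.join(', ')
    "#{gem} #{advs.first[:version]}: #{ids}"
  end
end
puts summarize(parse_audit(SAMPLE_REPORT))
```

In the job, pipe the audit output to a file (and keep the original exit status so the job still fails) before feeding it to this script, and store the file with `store_artifacts` so the full report stays available alongside the summary.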