Set Up Policy Guardrails (CI/CD)
You can use the Tenable Cloud Security CLI to scan code in your CI/CD pipeline and fail the builds if Tenable Cloud Security finds severe vulnerabilities in the code. After installing Tenable Cloud Security CLI on the build machine, you must add the necessary instructions to the pipeline script to run the tool against the files present in the repository.
Following are some examples:
Azure DevOps: add the following steps to the pipeline YAML file (replace the angle-bracket placeholders with your own values; a space after `=` would leave the variable empty):
trigger:
- master
pool:
  vmImage: 'macOS-latest'
steps:
- task: [email protected]
  inputs:
    script: |
      brew install terraform
      brew install accurics
      export ARM_SUBSCRIPTION_ID=<subscription id>
      export ARM_TENANT_ID=<tenant id>
      export ARM_CLIENT_ID=<client id>
      export ARM_CLIENT_SECRET=<client secret>
      accurics init
      accurics plan
See Integration with Azure DevOps Pipeline.
AWS CodeBuild: add the following phases to the buildspec.yaml file (replace the angle-bracket placeholders with your own values):
version: 0.2
phases:
  install:
    commands:
      - curl -s -qL -o terraform_install.zip https://releases.hashicorp.com/terraform/0.13.5/terraform_0.13.5_linux_amd64.zip
      - unzip terraform_install.zip -d /usr/bin/
      - chmod +x /usr/bin/terraform
    finally:
      - terraform --version
  build:
    commands:
      - export ARM_SUBSCRIPTION_ID=<subscription ID>
      - export ARM_TENANT_ID=<tenant ID>
      - export ARM_CLIENT_ID=<client ID>
      - export ARM_CLIENT_SECRET=<client secret>
      - ./accurics init
      - ./accurics plan
Bamboo: add the following commands to the Script body of a Script Configuration in a Bamboo Task. The last line turns the CLI's exit status into the task result, so a failed assessment fails the build.
cp /home/user/AccuricsCLI/* ./
export ARM_SUBSCRIPTION_ID=<SUBSCRIPTION ID>
export ARM_TENANT_ID=<TENANT ID>
export ARM_CLIENT_ID=<CLIENT ID>
export ARM_CLIENT_SECRET=<CLIENT SECRET>
./accurics init
./accurics plan
if [ $? -eq 0 ]; then exit 0; else exit 1; fi
Replace the following placeholders with your Azure values:
- SUBSCRIPTION ID
- TENANT ID
- CLIENT ID
- CLIENT SECRET
The following example shows a GitLab pipeline. The do_plan_or_scan variable selects between a plan-based assessment (Terraform generates a plan JSON that the CLI evaluates) and a non-plan-based scan of the repository files. The credential and ID values shown are masked samples; store the real ones as protected CI/CD variables rather than in the pipeline file.
variables:
  awsAccessKey: 5XXXXXXXXXYYYYYYYYY5
  awsSecretAccessKey: 5XXXXXXXXXXXXXXXXXXYYYYYYYYYYYYYYYYY5
  tcsCLIVersion: latest
  tfVersion: 1.0.11
  tfPlanOutFilePrefix: tfplan
  tcsURL: https://cloud.tenable.com/cns
  tcsProjectID: 6xxxyyy6-4XX4-4XX4-8XX8-0XXXXYYYY0
  apiToken: bXXXYYY5-fBB1-4RRe-9ZZ4-aXXXHHHUUUV9
  do_plan_or_scan: plan
  GIT_BRANCH: $CI_COMMIT_BRANCH

Tcs-iac-assessment:
  script: |
    if [ "$do_plan_or_scan" = plan ]; then
      export AWS_ACCESS_KEY=$awsAccessKey
      export AWS_SECRET_ACCESS_KEY=$awsSecretAccessKey
      echo Installing terraform..
      apt-get update && apt-get install -y gnupg software-properties-common curl
      curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -
      apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
      apt-get update && apt-get install -y terraform=$tfVersion
      curl -sL https://aka.ms/InstallAzureCLIDeb | bash
      terraform init
      echo ~~~~~GENERATING PLAN OUTPUT..
      terraform plan -out $tfPlanOutFilePrefix.out
      echo ~~~~~GENERATING PLAN JSON..
      terraform show -json $tfPlanOutFilePrefix.out > $tfPlanOutFilePrefix.json
    elif [ "$do_plan_or_scan" = scan ]; then
      echo Installing terrascan..
      curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz
      tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
      install terrascan /usr/local/bin && rm terrascan
    fi
    echo ~~~~~Downloading Tenable CS cli..
    wget https://downloads.accurics.com/cli/$tcsCLIVersion/accurics_linux -O tcs-iac-scanner
    chmod +x tcs-iac-scanner
    echo ~~~~~Getting Tenable CS cli version..
    ./tcs-iac-scanner version
    echo ~~~~~Running IaC assessment..
    if [ "$do_plan_or_scan" = plan ]; then
      echo ~~~~~RUNNING Tenable CS assessment with pre-cooked plan..
      ./tcs-iac-scanner plan -mode=pipeline -project=$tcsProjectID -appurl=$tcsURL -token=$apiToken -planjson=$tfPlanOutFilePrefix.json
    elif [ "$do_plan_or_scan" = scan ]; then
      echo ~~~~~RUNNING Tenable CS non plan based assessment..
      ./tcs-iac-scanner scan -mode=pipeline -project=$tcsProjectID -appurl=$tcsURL -token=$apiToken
    fi
    export GIT_BRANCH=${CI_COMMIT_BRANCH}
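The pipeline examples above run the CLI and rely on its exit status to fail the build. The following added example (not Tenable's own code) wraps that step in a reusable POSIX shell function that checks the required variables before the CLI runs, refuses plan mode when the plan JSON is missing, and passes the CLI's exit status back so the job fails on severe findings. It assumes the CLI path in TCS_SCANNER (default ./tcs-iac-scanner) and the flags shown in the GitLab example.

```shell
#!/bin/sh
# Added example, not Tenable's code: a guardrail wrapper around the Tenable Cloud
# Security CLI for a pipeline step. Assumptions: the CLI path comes from TCS_SCANNER
# (default ./tcs-iac-scanner) and the flags match the GitLab example on this page.

# Fail when a required variable is unset or empty. Only the name is printed, so a
# token or key never lands in the build log.
require_var() {
  eval "value=\${$1:-}"
  if [ -z "$value" ]; then
    echo "guardrail: required variable $1 is not set" >&2
    return 1
  fi
}

# Run the IaC assessment in plan or scan mode. Returns 2 for a misconfigured step,
# otherwise the CLI's own exit status, so that
#   tcs_assess "$do_plan_or_scan" || exit 1
# fails the build whenever the assessment does.
tcs_assess() {
  mode="$1"
  scanner="${TCS_SCANNER:-./tcs-iac-scanner}"
  for name in tcsProjectID tcsURL apiToken; do
    require_var "$name" || return 2
  done
  case "$mode" in
    plan)
      # Plan mode needs the JSON produced by `terraform show -json`.
      require_var tfPlanOutFilePrefix || return 2
      if [ ! -f "$tfPlanOutFilePrefix.json" ]; then
        echo "guardrail: plan JSON $tfPlanOutFilePrefix.json not found" >&2
        return 2
      fi
      "$scanner" plan -mode=pipeline -project="$tcsProjectID" -appurl="$tcsURL" \
        -token="$apiToken" -planjson="$tfPlanOutFilePrefix.json"
      ;;
    scan)
      # Scan mode assesses the repository files directly.
      "$scanner" scan -mode=pipeline -project="$tcsProjectID" -appurl="$tcsURL" \
        -token="$apiToken"
      ;;
    *)
      echo "guardrail: unknown mode '$mode' (expected plan or scan)" >&2
      return 2
      ;;
  esac
}
```

Source the file in the pipeline script and call `tcs_assess "$do_plan_or_scan" || exit 1` after the CLI download step.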