Set Up Policy Guardrails (CI/CD)

You can use the Tenable Cloud Security CLI to scan code in your CI/CD pipeline and fail the build if Tenable Cloud Security finds severe vulnerabilities in the code. After installing the Tenable Cloud Security CLI on the build machine, add the instructions that run the tool against the files in the repository to the pipeline script.

Following are some examples:

Azure DevOps (on macOS)

Add the following commands to the YAML file:

trigger:
- master

pool:
  vmImage: 'macOS-latest'

steps:
- task: CmdLine@2
  inputs:
    script: |
      brew install terraform
      brew install accurics
      export ARM_SUBSCRIPTION_ID=<SUBSCRIPTION ID>
      export ARM_TENANT_ID=<TENANT ID>
      export ARM_CLIENT_ID=<CLIENT ID>
      export ARM_CLIENT_SECRET=<CLIENT SECRET>
      accurics init
      accurics plan

See Integration with Azure DevOps Pipeline.

AWS CodePipeline (on Linux)

Add the following commands to the buildspec.yml file:

version: 0.2

phases:
  install:
    commands:
      - curl -s -qL -o terraform_install.zip https://releases.hashicorp.com/terraform/0.13.5/terraform_0.13.5_linux_amd64.zip
      - unzip terraform_install.zip -d /usr/bin/
      - chmod +x /usr/bin/terraform
    finally:
      - terraform --version

  build:
    commands:
      - export ARM_SUBSCRIPTION_ID=<SUBSCRIPTION ID>
      - export ARM_TENANT_ID=<TENANT ID>
      - export ARM_CLIENT_ID=<CLIENT ID>
      - export ARM_CLIENT_SECRET=<CLIENT SECRET>
      - ./accurics init
      - ./accurics plan

Bamboo (on Linux)

Add the following commands in the Script body of a Script Configuration in a Bamboo Task.

cp /home/user/AccuricsCLI/* ./
export ARM_SUBSCRIPTION_ID=<SUBSCRIPTION ID>
export ARM_TENANT_ID=<TENANT ID>
export ARM_CLIENT_ID=<CLIENT ID>
export ARM_CLIENT_SECRET=<CLIENT SECRET>
./accurics init
./accurics plan
if [ $? -eq 0 ]; then exit 0; else exit 1; fi

Note: Make sure to replace the Azure credential placeholder values with valid Azure credentials (required for Terraform):
  • SUBSCRIPTION ID
  • TENANT ID
  • CLIENT ID
  • CLIENT SECRET
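
The Azure DevOps, AWS CodePipeline and Bamboo steps above all do the same three things: export the Azure credentials Terraform needs, run init and then plan, and let the CLI's exit status decide whether the build fails. The wrapper script below is an added example, not Tenable's own code or part of its CLI. It assumes the CLI is reached through a TCS_CLI variable (default ./accurics, as in the Bamboo step) and that any non-zero exit from plan is the build-failing condition. Before scanning it checks that no credential is unset or still a documentation placeholder, so a forgotten placeholder surfaces as an explicit guardrail failure rather than an obscure Terraform authentication error.

```shell
#!/bin/sh
# Added example (not from the Tenable documentation or CLI): a guardrail
# wrapper that fails the CI job when credentials are missing or the scan fails.
# Assumptions: the CLI is reached through TCS_CLI (default ./accurics, as in
# the Bamboo step) and exposes the "init" and "plan" subcommands shown above.

TCS_CLI="${TCS_CLI:-./accurics}"

# Return 1 when any Azure credential variable Terraform needs is empty or still
# carries a placeholder such as "<CLIENT ID>" or "client id". The placeholder
# heuristic (angle brackets or whitespace) is an assumption: real subscription,
# tenant and client IDs are GUIDs and Azure-generated secrets contain neither.
check_azure_credentials() {
    status=0
    for name in ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID ARM_CLIENT_SECRET; do
        eval "value=\${$name:-}"
        case "$value" in
            "")            echo "guardrail: $name is not set" >&2; status=1 ;;
            *"<"*|*" "*)   echo "guardrail: $name still holds a placeholder" >&2; status=1 ;;
        esac
    done
    return "$status"
}

# Run the scan. Exit status 2 = bad credentials, 3 = init failed, otherwise the
# CLI's own status from "plan", which the CI system maps to build pass/fail.
run_guardrail() {
    check_azure_credentials || return 2
    "$TCS_CLI" init || { echo "guardrail: init failed" >&2; return 3; }
    "$TCS_CLI" plan
}

# One-line verdict for the job log, derived from run_guardrail's status.
verdict() {
    case "$1" in
        0) echo "PASS: scanner exited 0" ;;
        2) echo "FAIL: missing or placeholder Azure credentials" ;;
        3) echo "FAIL: scanner init failed" ;;
        *) echo "FAIL: scanner plan exited $1" ;;
    esac
}

# Entry point. Invoke as "sh guardrail.sh run" from the pipeline step; without
# the argument the file only defines the functions so it can be sourced.
if [ "${1:-}" = "run" ]; then
    run_guardrail
    rc=$?
    verdict "$rc"
    exit "$rc"
fi
```

In the pipeline, the four ARM_* variables should be injected from the CI system's secret or masked variable store rather than written literally into the pipeline file, and the script's exit status should be the last thing the step returns so the build stage fails exactly when the scan does.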

GitLab

The following example shows a GitLab pipeline.

variables:
  awsAccessKey: 5XXXXXXXXXYYYYYYYYY5
  awsSecretAccessKey: 5XXXXXXXXXXXXXXXXXXYYYYYYYYYYYYYYYYY5
  tcsCLIVersion: latest
  tfVersion: 1.0.11
  tfPlanOutFilePrefix: tfplan
  tcsURL: https://cloud.tenable.com/cns
  tcsProjectID: 6xxxyyy6-4XX4-4XX4-8XX8-0XXXXYYYY0
  apiToken: bXXXYYY5-fBB1-4RRe-9ZZ4-aXXXHHHUUUV9
  do_plan_or_scan: plan
  GIT_BRANCH: $CI_COMMIT_BRANCH

Tcs-iac-assessment:
  script: |
    if [ "$do_plan_or_scan" = plan ]; then
        export AWS_ACCESS_KEY=$awsAccessKey
        export AWS_SECRET_ACCESS_KEY=$awsSecretAccessKey
        echo Installing terraform..
        apt-get update && apt-get install -y gnupg software-properties-common curl
        curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -
        apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
        apt-get update && apt-get install -y terraform=$tfVersion
        curl -sL https://aka.ms/InstallAzureCLIDeb | bash
        terraform init
        echo ~~~~~GENERATING PLAN OUTPUT..
        terraform plan -out $tfPlanOutFilePrefix.out
        echo ~~~~~GENERATING PLAN JSON..
        terraform show -json $tfPlanOutFilePrefix.out > $tfPlanOutFilePrefix.json
    elif [ "$do_plan_or_scan" = scan ]; then
        echo Installing terrascan..
        curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz
        tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
        install terrascan /usr/local/bin && rm terrascan
    fi

    echo ~~~~~Downloading Tenable CS cli..
    wget https://www.tenable.com/downloads/api/v2/pages/cloud-security/files/accurics-cli_latest_linux_x86_64.tar.gz/$tcsCLIVersion/accurics -O tcs-iac-scanner
    chmod +x tcs-iac-scanner

    echo ~~~~~Getting Tenable CS cli version..
    ./tcs-iac-scanner version

    echo ~~~~~Running IaC assessment..
    if [ "$do_plan_or_scan" = plan ]; then
      echo ~~~~~RUNNING Tenable CS assessment with pre-cooked plan..
      ./tcs-iac-scanner plan -mode=pipeline -project=$tcsProjectID -appurl=$tcsURL -token=$apiToken -planjson=$tfPlanOutFilePrefix.json
    elif [ "$do_plan_or_scan" = scan ]; then
      echo ~~~~~RUNNING Tenable CS non plan based assessment..
      ./tcs-iac-scanner scan -mode=pipeline -project=$tcsProjectID -appurl=$tcsURL -token=$apiToken
    fi

Note: Add the following command in your pipeline before running the accurics init command to specify the commit branch:

export GIT_BRANCH=${CI_COMMIT_BRANCH}

Caution: If the IaC scan fails with the "panic: runtime error: invalid memory address or nil pointer dereference" error, add the following command to the variables section of the pipeline:

GIT_BRANCH: $CI_COMMIT_BRANCH