Versions Compared

Old Version 1

changes.mady.by.user Victor Wang

Saved on

compared with

New Version Current

changes.mady.by.user Victor Wang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This is a guide on how to setup Data Theorem SAST scanning in your Jenkins builds.

Requirements

  • The Jenkins node must have internet access

  • The Jenkins node must be able to execute docker commands

  • The Jenkins node must have access to the source code you wish to scan

Set Data Theorem SAST API Key as a Jenkins Credential

Retrieve or create a Data Theorem SAST API key following the instructions here.

...

You may need to be a Jenkins admin to perform this operation.

...

Make sure the Jenkins agent that will be running Data Theorem SAST scans has access to this credential

Create a Jenkins pipeline

Go to Jenkins -> New Item -> Pipeline

...

The example below uses a Bitbucket Access Token

...

Add a Jenkinsfile

The example below relies on the Pipeline: Declarative Jenkins plugin that allows using a Jenkinsfile directly committed into your source code.

...

Code Block
pipeline {
    agent any
    
    environment {
        DT_SAST_API_KEY = credentials('DT_SAST_API_KEY')
    }

    stages {
        stage('DT SAST') {
            steps {
                sh '''
                    docker run --pull=always \
                     -e DT_SAST_API_KEY=$DT_SAST_API_KEY \
                     -e DT_SAST_REPOSITORY_NAME="<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \
                     -e DT_SAST_REPOSITORY_PLATFORM=BITBUCKET \
                     -e DT_SAST_REPOSITORY_ID="<YOUR-BITBUCKET-REPOSITORY_ID>" \
                     -e DT_SAST_REPOSITORY_HTML_URL="https://bitbucket.org/<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \
                     -e DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME="main"=<YOUR_DEFAULT_BRANCH_NAME> \
                     -e DT_SAST_SCANNED_BRANCH=$GIT_BRANCH \
                     -e DT_SAST_SCAN_HEAD_REF=$GIT_COMMIT \
                     --mount type=bind,source="$(pwd)"/,target=/target \
                     us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest \
                     data_theorem_sast_analyzer scan /target
                '''
            }
        }
    }
}

...

  • DT_SAST_REPOSITORY_NAME: Usually formatted like <YOUR_ORG_NAME>/<YOUR_REPO_NAME>

  • DT_SAST_REPOSITORY_ID: The identifier for the repository set by the platform, in Bitbucket, you can go to your Repository → Settings -> Repository Details -> Advanced -> UUID

  • DT_SAST_REPOSITORY_HTML_URL: the HTML url to your repository, this will help the Data Theorem Portal to provide links to the code locations in your SCM platform, for example https://bitbucket.org/<YOUR_ORG_NAME>/<YOUR_REPO_NAME>

  • DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME: the default branch of your repository (for example main, release, …)

Use the host machine’s SSL certificates (optional)

If your Jenkins runner is behind a proxy and you need to propagate the host machine’s SSL certificates with the process running the Data Theorem SAST Scanner so that it can make API calls to Data Theorem
You can use a Jenkinsfile like this:

Code Block
pipeline {
    agent any

    // Get the Data Theorme SAST API Key from Jenkins credentials
    environment {
        DT_SAST_API_KEY = credentials('DT_SAST_API_KEY')
    }

    stages {
        stage('DT SAST') {
            steps {
                sh '''
                    docker run --pull=always \
                     -e DT_SAST_API_KEY=$DT_SAST_API_KEY \
                     -e DT_SAST_REPOSITORY_NAME="<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \
                     -e DT_SAST_REPOSITORY_PLATFORM=BITBUCKET \
                     -e DT_SAST_REPOSITORY_ID="<YOUR-BITBUCKET-REPOSITORY_ID>" \
                     -e DT_SAST_REPOSITORY_HTML_URL="https://bitbucket.org/<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \
                     -e DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME=<YOUR_DEFAULT_BRANCH_NAME> \
                     -e DT_SAST_SCANNED_BRANCH=$GIT_BRANCH \
                     -e DT_SAST_SCAN_HEAD_REF=$GIT_COMMIT \
                     -e DT_SAST_PATH_TO_SSL_CERTS_FILE=/etc/ssl/certs/ca-certificates.crt \
                     --mount type=bind,source="/etc/ssl/certs/"/,target=/etc/ssl/certs \
                     --mount type=bind,source="$(pwd)"/,target=/target \
                     us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest \
                     data_theorem_sast_analyzer scan /target
                '''
            }
        }
    }
}
 

the differences with the Jenkinsfile above are:

  • Mount the host machine’s SSL certificates directory and make it accessible to the Docker process
    The example assumes that SSL certificates are stored at /etc/ssl/certs/ca-certificates.crt, which is the default on Ubuntu, but you may need to adapt this based on your pipeline runner’s configuration

  • Pass an extra input to the Scanner via the DT_SAST_PATH_TO_SSL_CERTS_FILE environment variable, this will make the scanner use the SSL certificates from the host machine at the indicated path

Trigger a Scan

You can trigger a scan immediately using the Jenkins UI.

...

View Scan Results

In your build logs, you can see the scan results like in the sample below:

...

After a few minutes, scan results will also appear in the Data theorem Theorem Portal at:
https://www.securetheorem.com/api/v2mobile-secure/security/sast