...
Make sure the Jenkins agent that will be running Data Theorme Theorem SAST scans has access to this credential
...
Code Block |
---|
pipeline { agent any environment { DT_SAST_API_KEY = credentials('DT_SAST_API_KEY') } stages { stage('DT SAST') { steps { sh ''' docker run --pull=always \ -e DT_SAST_API_KEY=$DT_SAST_API_KEY \ -e DT_SAST_REPOSITORY_NAME="<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \ -e DT_SAST_REPOSITORY_PLATFORM=BITBUCKET \ -e DT_SAST_REPOSITORY_ID="<YOUR-BITBUCKET-REPOSITORY_ID>" \ -e DT_SAST_REPOSITORY_HTML_URL="https://bitbucket.org/<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \ -e DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME="main"=<YOUR_DEFAULT_BRANCH_NAME> \ -e DT_SAST_SCANNED_BRANCH=$GIT_BRANCH \ -e DT_SAST_SCAN_HEAD_REF=$GIT_COMMIT \ --mount type=bind,source="$(pwd)"/,target=/target \ us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest \ data_theorem_sast_analyzer scan /target ''' } } } } |
...
DT_SAST_REPOSITORY_NAME
: Usually formatted like<YOUR_ORG_NAME>/<YOUR_REPO_NAME>
DT_SAST_REPOSITORY_ID
: The identifier for the repository set by the platform, in Bitbucket, you can go to your Repository →Settings
->Repository Details
->Advanced
->UUID
DT_SAST_REPOSITORY_HTML_URL
: the HTML url to your repository, this will help the Data Theorem Portal to provide links to the code locations in your SCM platform, for examplehttps://bitbucket.org/<YOUR_ORG_NAME>/<YOUR_REPO_NAME>
DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME
: the default branch of your repository (for examplemain
,release
, …)
Use the host machine’s SSL certificates (optional)
If your Jenkins runner is behind a proxy and you need to propagate the host machine’s SSL certificates with the process running the Data Theorem SAST Scanner so that it can make API calls to Data Theorem
You can use a Jenkinsfile like this:
Code Block |
---|
pipeline { agent any // Get the Data Theorme SAST API Key from Jenkins credentials environment { DT_SAST_API_KEY = credentials('DT_SAST_API_KEY') } stages { stage('DT SAST') { steps { sh ''' docker run --pull=always \ -e DT_SAST_API_KEY=$DT_SAST_API_KEY \ -e DT_SAST_REPOSITORY_NAME="<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \ -e DT_SAST_REPOSITORY_PLATFORM=BITBUCKET \ -e DT_SAST_REPOSITORY_ID="<YOUR-BITBUCKET-REPOSITORY_ID>" \ -e DT_SAST_REPOSITORY_HTML_URL="https://bitbucket.org/<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \ -e DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME=<YOUR_DEFAULT_BRANCH_NAME> \ -e DT_SAST_SCANNED_BRANCH=$GIT_BRANCH \ -e DT_SAST_SCAN_HEAD_REF=$GIT_COMMIT \ -e DT_SAST_PATH_TO_SSL_CERTS_FILE=/etc/ssl/certs/ca-certificates.crt \ --mount type=bind,source="/etc/ssl/certs/"/,target=/etc/ssl/certs \ --mount type=bind,source="$(pwd)"/,target=/target \ us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest \ data_theorem_sast_analyzer scan /target ''' } } } } |
the differences with the Jenkinsfile above are:
Mount the host machine’s SSL certificates directory and make it accessible to the Docker process
The example assumes that SSL certificates are stored at/etc/ssl/certs/ca-certificates.crt
, which is the default on Ubuntu, but you may need to adapt this based on your pipeline runner’s configurationPass an extra input to the Scanner via the
DT_SAST_PATH_TO_SSL_CERTS_FILE
environment variable, this will make the scanner use the SSL certificates from the host machine at the indicated path
Trigger a Scan
You can trigger a scan immediately using the Jenkins UI.
...
After a few minutes, scan results will also appear in the Data theorem Theorem Portal at:
https://www.securetheorem.com/api/v2mobile-secure/security/sast