This is a guide on how to setup Data Theorem SAST scanning in your Jenkins builds.
Requirements
The Jenkins node must have internet access
The Jenkins node must be able to execute
docker
commandsThe Jenkins node must have access to the source code you wish to scan
Set Data Theorem SAST API Key as a Jenkins Credential
Retrieve or create a Data Theorem SAST API key following the instructions here.
In Jenkins
-> Manage Jenkins
-> Security
-> Credentials
, create a new credential called DT_SAST_API_KEY
with the value from the previous step.
You may need to be a Jenkins admin to perform this operation.
Make sure the Jenkins agent that will be running Data Theorem SAST scans has access to this credential
Create a Jenkins pipeline
Go to Jenkins
-> New Item
-> Pipeline
Configure access to your repository, the example below connects to a Bitbucket repository using a token.
There are multiple ways you can setup your Jenkins agent to access your repository, for example:
via Access Token (Bitbucket Access Token Documentation)
via SSH (Bitbucket SSH Documentation)
The example below uses a Bitbucket Access Token
Add a Jenkinsfile
The example below relies on the Pipeline: Declarative Jenkins plugin that allows using a Jenkinsfile
directly committed into your source code.
In your source code, create a file named Jenkinsfile
, here is an example that has a stage that performs a Data Theorem SAST scan.
pipeline { agent any environment { DT_SAST_API_KEY = credentials('DT_SAST_API_KEY') } stages { stage('DT SAST') { steps { sh ''' docker run \ -e DT_SAST_API_KEY=$DT_SAST_API_KEY \ -e DT_SAST_REPOSITORY_NAME="<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \ -e DT_SAST_REPOSITORY_PLATFORM=BITBUCKET \ -e DT_SAST_REPOSITORY_ID="<YOUR-BITBUCKET-REPOSITORY_ID>" \ -e DT_SAST_REPOSITORY_HTML_URL="https://bitbucket.org/<YOUR_ORG_NAME>/<YOUR_REPO_NAME>" \ -e DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME="main" \ -e DT_SAST_SCANNED_BRANCH=$GIT_BRANCH \ -e DT_SAST_SCAN_HEAD_REF=$GIT_COMMIT \ --mount type=bind,source="$(pwd)"/,target=/target \ us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest \ data_theorem_sast_analyzer scan /target ''' } } } }
Note: Please adapt the inputs given to the scanner to your own repository:
DT_SAST_REPOSITORY_NAME
: Usually formatted like<YOUR_ORG_NAME>/<YOUR_REPO_NAME>
DT_SAST_REPOSITORY_ID
: The identifier for the repository set by the platform, in Bitbucket, you can go to your Repository →Settings
->Repository Details
->Advanced
->UUID
DT_SAST_REPOSITORY_HTML_URL
: the HTML url to your repository, this will help the Data Theorem Portal to provide links to the code locations in your SCM platform, for examplehttps://bitbucket.org/<YOUR_ORG_NAME>/<YOUR_REPO_NAME>
DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME
: the default branch of your repository (for examplemain
,release
, …)
Trigger a Scan
You can trigger a scan immediately using the Jenkins UI.
Or you can setup Jenkins to listen to webhook events from your SCM, for example using plugins build for your SCM platform.
View Scan Results
In your build logs, you can see the scan results like in the sample below:
After a few minutes, scan results will also appear in the Data theorem Portal at:
https://www.securetheorem.com/api/v2/security/sast